The Target data breach is usually discussed in terms of lost cardholder data, but when it comes to personally identifiable information like a Social Security number or home address, it is also a cautionary tale about how much data a company may be collecting and tracking. When I read a Forbes article recently about how Target identified a pregnant girl before her own family heard the news, I was both impressed and disturbed.
Stores, banks, the government, and many other entities have a lot to gain from the business intelligence they derive by collecting and correlating data. But when that data is leaked, there is often no way to know just what and how much has been exposed. With lost personally identifiable information (PII), criminals may know when I am most likely to fill up my gas tank or what my favorite flavor of ice cream is.
Worse yet, that information could be leveraged against me, with enough time and persistence, to gain access to something like a line of credit. I know from firsthand experience that small details, like children’s names and birthdays, are the key to securing critical information during social engineering assessments. Imagine what a criminal could accomplish with thousands of personal records.
To frame the issue better, when it comes to protecting information, many consumers believe that using debit cards with PINs is the safer way to go. I recall talking with family members and hearing how most of them refuse to run their debit cards as credit when they have the choice.
If PIN data is encrypted from the moment it is entered, its loss might not be a huge issue, although it does raise the question of where the encryption key is being stored. The key should only be held at the payment processor, far away from the entry devices and point-of-sale systems. Of course, very few of the systems I have analyzed for potential cardholder data loss should have been storing credit card data, but so far every one of them has. We also know that with time and effort encryption can be broken.
Many companies will attest that their encryption is “very strong,” contributing to the idea that PINs are safe. However, it is not uncommon to hear that security is strong and then find that it amounts to WEP encryption, or to randomly generated complex passwords that are stored on a sticky note in view of everyone in the office.
My crystal ball is in the shop today, but if I had to make a prediction I would say that the PINs and PII lost as part of so many data breaches are going to show up somewhere in some manner and cause serious damage. Unfortunately, the discussion about these types of information and, more importantly, why they are not stored securely has taken a backseat to credit card security and whether or not the US should adopt chip-and-PIN technology.
An unexpected or unknown threat such as nebulous “personal information” loss is always worse than the threats you can identify and prepare for. It’s time for the conversation to shift. Given the variety of information that could be circulating about you at any given moment, what type of data loss keeps you up at night?
As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering.