Mar 9, 2022

Data theft: don't leave your PII exposed

Learn about the risks to PII and the measures you can implement to prevent and reduce the impact of such risks.


Data is often cited as the most important asset an organization holds. It can be argued that data, in its many varied forms, constitutes the quintessential element an organization needs to survive and thrive. We are not talking just about data that is directly related to money, such as financial data or banking details, but also data that falls under the category of intellectual property (especially trade secrets). 

More recently, the General Data Protection Regulation (GDPR) and the increase in the 'dissuasive' nature of the fines that can be imposed under the regulation has resulted in organizations paying more attention to the way they handle personal data and keep it secure.

However, this is not an easy task, given how relatively easy some of these attacks are to perform and the disproportionate effort organizations must invest to establish and maintain a healthy data protection scheme.

Why is PII such a valuable target?

Getting hold of personal data is high on an attacker's list of priorities due to its versatility: a malicious actor can either exploit personal data directly or use it as the base to launch further attacks. Take a look at the four uses of PII by attackers below:

PII can be combined to craft specific attacks

Lateral movement and privilege escalation to reach an account with higher administrative privileges, social engineering, and phishing attacks all rely heavily on finding as much personal data as possible on the victim or on individuals associated with the victim.

PII can be sold on the Dark Web

Depending on the data elements involved and the total volume present, this can be quite a lucrative avenue. Typically sold in bulk, a single set of credit card data can fetch $14-30.

PII can be used for nefarious purposes

Attackers can use stolen or illegally purchased data for identity fraud, oftentimes opening bank accounts under the name of the victim, or forging driving licences, passports and other official documents. Here, the profit for the attacker rises considerably, ranging from hundreds to even thousands of dollars per forged document.


PII can be 'kidnapped'

One of the attack trends in recent years has been ransomware, where PII is encrypted by the attacker, who then demands a ransom to release the key. Without this key, the data is rendered unreadable and, to all intents and purposes, lost to the organization. Paying the ransom is no guarantee the attacker will be faithful to their word, and it often ends up being an extra cost associated with the extortion. Then there is the issue that the money given to the attacker may well fund other forms of crime.

Who are the attackers?

Traditionally, the classification of threat actors is made with motivation and skill level as the main two parameters. However, for the sake of simplicity, we can place them in the two categories below:

Internal attacker

Either infiltrated for malicious purposes, or disgruntled employees seeking to right some perceived wrong. They have gained insider knowledge of operations, and may form part of the IT team, which gives them access to systems and enough permissions to cause serious damage. Because they are trusted within the organization, their actions may come as a surprise, and often too late.


External attacker

External attackers form the majority. Their distinguishing attribute is that they do not possess authentication credentials, or at least none gained lawfully. Cyber criminals tend to commit to a life of crime for financial gain. They can create corporations that function like a legitimate enterprise would, with a CEO, HR, and even a help desk, operating from the Dark Web and physically located in jurisdictions where cybercrime is not a top priority.

What risks is my organization facing?

Broadly speaking, both data controllers and data processors are required to implement appropriate technical and organizational measures to protect the personal data they handle, be it from their customers, employees, or suppliers. Where your defensive stance proves inadequate, the repercussions can be quite severe, with legal and regulatory, financial and reputational effects that can alter the viability of your firm in the long run.

Experiencing a data breach is a distressing and resource-intensive event, with the need to notify the relevant supervisory authority and possibly all customers affected. A side effect of a data breach is the impact on the customer base due to reputational loss, with long, lingering effects even after the incident is adequately contained and mitigated.

Common attack vectors and countermeasures

As attacks are very diverse, the objective is to apply a multi-layered approach as the first line of prevention, where what is not avoided is at least detected as promptly as possible.

Some of the common ways to compromise systems as a prelude to a data breach include:

Lack of strong authentication controls

Here we are talking about:

  • Weak passwords
  • Weak encryption and hashing algorithms
  • Transmitting passwords in an unencrypted form
  • Not requiring authentication
  • Use of default usernames
  • etc. 

If an attacker can easily guess or crack passwords, then the accounts under such a system cannot be considered secure. To reduce this risk, password management tools can be deployed in the network, as well as multi-factor authentication (using tokens produced by an app or a separate, dedicated device). Frequent account reviews will ensure accounts are not being created without a business justification, and that no dormant accounts exist.
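To make two of the points above concrete (weak hashing of stored passwords, and account reviews that catch default usernames and dormant accounts), here is an added example written for this article; it is not code from the original post. It contrasts an unsalted MD5 scheme with a salted, memory-hard scrypt scheme and then runs a simple account review over a constructed set of accounts. The scrypt parameters, the 90-day dormancy threshold and the list of default usernames are assumptions to be tuned to your environment.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# --- Weak scheme, shown only to illustrate the defect: unsalted, fast to
# brute-force, and identical passwords always produce identical hashes.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# --- Hardened scheme: per-user random salt plus the memory-hard scrypt KDF.
# Parameters are assumptions; raise n as hardware allows (uses 128*n*r bytes).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; a fresh salt is drawn per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- Account review: flag default usernames and dormant (or never used) accounts.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "guest", "test"}  # assumed list

def review_accounts(accounts: List[dict], now: datetime,
                    max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """accounts: dicts with 'username', 'last_login' (datetime or None), 'enabled'."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        if acct["username"].lower() in DEFAULT_USERNAMES:
            findings.append((acct["username"], "default username"))
        last = acct["last_login"]
        if last is None or now - last > timedelta(days=max_idle_days):
            findings.append((acct["username"], "dormant"))
    return findings

# Constructed sample data (not from any real system).
NOW = datetime(2022, 3, 9)
SAMPLE_ACCOUNTS = [
    {"username": "alice", "last_login": datetime(2022, 3, 8), "enabled": True},
    {"username": "bob", "last_login": datetime(2021, 10, 1), "enabled": True},
    {"username": "admin", "last_login": None, "enabled": True},
    {"username": "carol", "last_login": datetime(2021, 1, 1), "enabled": False},
]

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("two users, same password, same MD5:", weak_hash("pass") == weak_hash("pass"))
    for username, issue in review_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"review: {username}: {issue}")
```

The review returns a list rather than printing so it can feed a ticketing system or a scheduled job; an enabled account that has never logged in is treated as dormant on purpose, since accounts created without a business justification typically look exactly like that.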

Removable media devices, laptops and BYOD

Limit these to what is strictly necessary and always use whole-disk encryption (e.g. BitLocker).

Social media websites

Email addresses, telephone numbers, the geolocation of your staff members, and much more can be gathered by potential attackers through social media. An effective measure is to have one department in charge of all the content that gets posted, with strict guidelines to avoid leaking personal data inadvertently.

Negligent/accidental dissemination of information to unintended recipients

The classic example is an email sent to some person or organization in error, often due to the auto-fill feature, where several entities have similar names. According to analysis commissioned by the ICO in the UK, human error caused 90% of cyber data breaches in 2019. User education is critical here.

Your organization needs to work in unison

I once had a client that sought assistance with a strange case of a perceived data breach. They could not find indicators of compromise that would lead to the root cause, but were aware customers were raising complaints and raising concerns with the helpdesk, asking whether their personal data was being sold. In fact, many customers had reportedly been contacted by third parties with whom my client was not affiliated, trying to gain their custom towards some purchase.

I tried to ascertain the common elements in those queries, finding that all customers affected formed part of a sub-segment within the customer base. I checked network logs, cookies, pixel technologies, SIEM records… but nothing. The next step was to review account settings as it could have been a case of internal attack. To my surprise, everything seemed fine until I found the account of a former employee who had left a few months ago, but his account had not been disabled. The IT team were adamant they had disabled the account on the same day the person had left the company, as per their JML (Joiners, Movers, Leavers) policy. 


With a little more investigation, it became apparent the former employee had exploited a flaw in the process: one day after he left he had phoned the helpdesk asking them to enable his account, claiming he had forgotten his password and the system had enacted the lock-out policy, which needed manual override. Helpdesk sent this request to IT, and the account was enabled, granting the now illegitimate user access to resources, including customer data.

It was clear here that the fault lay in the lack of communication: helpdesk had followed their process, relying on the fact that IT would pick up any issues, whereas IT assumed the request was genuine as it came from helpdesk, who would have picked up any issues.

This example shows how security truly is an orchestrated effort if an organization is to withstand a motivated attacker.

Maintaining security across an organization and protecting its most precious data assets require an understanding of the attackers, what they are trying to accomplish, and how. It takes a joint and rigorous effort on the part of all employees to keep things afloat.

Author
Anselmo
Experienced Principal Consultant and Associate Lecturer with an extensive academic background in Law, Information Security, and Engineering, including globally recognised certifications such as Fellow of Information Privacy (FIP), CIPP/E, CIPM, CIPT, CDPSE, and CISSP.
