What is PII and How to Protect Yours from Cybercriminals
Personally Identifiable Information
Personally Identifiable Information, or PII, is the personal data used to uniquely identify a specific individual. You may see the acronym PII used when talking about security, privacy, and data breaches. PII is usually sensitive and private information, such as your Social Security number, bank account number, driver’s license number, physical address, even your full name and your date of birth. The list is not exhaustive. It also includes medical, educational, financial, employment, and any other information that bad actors can use to identify you either by itself or when combined with other information.
If you’ve been keeping an eye on the news surrounding identity theft, data breaches, ransomware attacks, and personal or online privacy, you have probably noticed that Personally Identifiable Information is often referenced. While this term might seem straightforward, it’s more complicated than you think. And having your PII compromised by scammers can be devastating to your personal and financial profile.
The National Institute of Standards and Technology (NIST) defines PII as information that can be used to distinguish or trace the identity of an individual directly or can be combined with other personal or identifying information that is linkable to a specific individual (e.g., date and place of birth or mother’s maiden name). That is, when two or more pieces of information are connected, they point to a single person.
PII is significant because, whether lost, stolen, or exposed, it is how identity thieves perpetrate their crimes. Sometimes all it takes is one or two pieces of information to compromise a person’s identity. Still, not all PII is considered equal.
What Information is Considered PII?
Some pieces of information are unique to you and you alone. PII in this context is often referred to as “sensitive.” These are the identifiers that identity thieves are most interested in capturing, and include your:
- Personal identification numbers: Social Security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
- Personal address information: street address or email address
- Personal telephone numbers: home phones or mobile phones
- Protected health information (PHI): medical record numbers, medical histories, test results, health insurance beneficiary numbers, or payment information for healthcare services
- Payment Card Industry (PCI) Data: credit card numbers, or other bank card or financial information
- Personal characteristics: photographic images (particularly of face or other identifying characteristics) or handwriting
- Biometric data: fingerprints, retina scans, voice signatures, or facial geometry
- Information identifying personally owned property: Vehicle Identification Number (VIN), home or vehicle title number
- Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
Other pieces of data aren’t considered PII by themselves because they could be shared with other individuals. This information has become known as “linkable.” When combined with each other or linked to one of the above examples, these details can be just as appealing to fraudsters, and just as harmful if exposed. Linkable PII may include your:
- Date of birth
- Place of birth
- Business telephone number
- Business mailing or email address
- Geographical indicators
- Employment information
- Medical information
- Education information
- Financial information
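To see why linkable data matters, the sketch below measures how many people in a small data set are singled out by each combination of linkable fields. It is an added example, not part of the original article; the records are constructed, and the field and function names are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

# Linkable fields only: no SSN, account number or other sensitive identifier.
FIELDS = ("birth_date", "birth_place", "employer", "zip")

# Constructed sample records (not real people).
RECORDS = [
    dict(zip(FIELDS, row)) for row in [
        ("1984-03-12", "Austin", "Acme Corp", "78701"),
        ("1984-03-12", "Boston", "Acme Corp", "02108"),
        ("1990-07-30", "Austin", "Acme Corp", "02108"),
        ("1990-07-30", "Boston", "Initech",   "78701"),
        ("1975-11-02", "Austin", "Initech",   "78701"),
        ("1975-11-02", "Boston", "Initech",   "02108"),
    ]
]

def _groups(records, fields):
    """Count how many records share each combination of values."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_group(records, fields):
    """Size of the smallest group sharing the same values (1 = someone is unique)."""
    return min(_groups(records, fields).values())

def unique_fraction(records, fields):
    """Share of records that no other record matches on `fields`."""
    groups = _groups(records, fields)
    unique = sum(1 for r in records if groups[tuple(r[f] for f in fields)] == 1)
    return unique / len(records)

def identifying_combinations(records, fields, max_size=3):
    """Smallest field combinations that single out every record."""
    for size in range(1, max_size + 1):
        hits = [c for c in combinations(fields, size)
                if unique_fraction(records, c) == 1.0]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f}: {unique_fraction(RECORDS, (f,)):.0%} of records unique")
    for combo in identifying_combinations(RECORDS, FIELDS):
        print("identifies everyone:", " + ".join(combo))
```

In this data no single field identifies anyone, yet date of birth paired with either place of birth or ZIP code points to exactly one person in every case.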
What Do Criminals Do with PII?
There are several malicious ways that cybercriminals and identity thieves use our PII. Through direct attacks, they can apply for loans or lines of credit, make purchases with our credit cards, steal our tax refunds, drain financial accounts, and more.
Another way that our PII is used is to commit synthetic identity theft. Synthetic identities are created when a fraudster combines someone’s Personally Identifiable Information with fake details and/or personal information from other individuals. For example, an individual’s Social Security number might be cobbled together with a fake name and address and another real person’s driver’s license to create a new identity. If the thief uses this identity to commit a crime, you will be implicated because your Social Security number was used. According to the Federal Reserve, synthetic identity theft is the fastest-growing financial crime in the U.S.
The third way criminals use our PII is to turn around and sell the stolen data on the Dark Web. Everything from social media credentials and credit card numbers to medical records and Netflix passwords can be sold by bad actors for criminal and financial gain on this underbelly of the internet. Hackers can make a pretty penny by capturing and offloading our data. In July of 2021, fashion retailer Guess notified affected customers of a ransomware attack and data breach that occurred in February 2021 that exposed several of their most sensitive identity credentials, including Social Security numbers, driver’s license numbers, passport numbers, and financial account information. Similarly, in April of 2021, a total of 1 billion Facebook and LinkedIn records were exposed on the Dark Web, available for free to cyberthieves. The 533 million Facebook user records and 500 million LinkedIn user records include names, Facebook IDs, locations, birth dates, bio descriptions, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles, and other work-related personal data.
How to Protect Your Personally Identifiable Information (PII)
There are a number of simple steps you can take to protect your sensitive data from cybercriminals:
- Update your account passwords. Your account credentials for various accounts may have been exposed, giving hackers access to your information and allowing them to take over your account to make purchases. Be sure to update your password to a strong sequence that you have not previously used.
- Use two-factor authentication. Requiring an additional level of security can often thwart hackers from gaining access.
- Use IT best practices at home. Although everyone hates getting a forced update, make sure to stay current with your operating system and security patches and be sure to have active anti-virus software running in the background.
- Store and transfer data cautiously. Encrypt flash drives or files — think about what would happen if they were left unattended or fell into the wrong hands.
- Watch out for phishing scams. Fake emails can look surprisingly real. So always be cautious when something doesn’t seem right. If you’re not sure of the validity of any email you receive, contact the requester directly and confirm the email was from them before sending files or clicking on links.
- Avoid over-sharing online. Social media isn’t private, no matter what settings you use. Facebook, Twitter, and LinkedIn have had massive data breaches in recent years, so be mindful of what you share and lock down your privacy settings.
- Eliminate the paper trail. Shred any papers with account information, Social Security numbers, and other identifying information, along with credit card offers, bank courtesy checks, and documents with your signature.
- Never provide login, personal or financial information on unsecured sites. Look for HTTPS:// at the beginning of the web address and the lock icon next to it to ensure you’re visiting a secured site.
- Keep up with the latest data breaches in the news: https://www.sontiq.com/breach-news-summary/ or https://www.identityforce.com/blog/2021-data-breaches.
- Invest in identity theft protection. It’s the easiest and most effective way to guard you and your family against cyber fraud.
By taking the above steps and being mindful of where and how you’re sharing your information, you’ll have mounted a strong defense against identity thieves today and in the future.