Cyber-Criminals Want Your PII — Is Your Data Secure?

Personally Identifiable Information (PII) is the most valuable information for the worldwide network of fraudsters. PII records generally sell for around $50/record on the black market, as opposed to around $5/payment account number (PAN). You can do the ugly math on the Anthem healthcare hack that exposed 78 million records. PII is hot commodity because it has a longer window of useful availability to a cyber-criminal, who can use it to create complete fraudulent personas to perpetrate additional crimes. Since PII is so valuable and thus a prime target for fraudsters, what steps are organizations doing to secure it? Are the long-term—and expensive—risks of exposing PII clearly understood? Most importantly, is your PII data secure?

Why PII is so Valuable

PII encompasses all types of personal information: name, date of birth, Social Security number, postal and email addresses, telephone number, member identification number, financial account information, healthcare records, and insurance claims information. While a stolen PAN can be cancelled, social security numbers can’t be changed, and prescription and healthcare records (PHI) are permanently attached to each person’s identity. By the time victims discover their PII is stolen, their credit can be wrecked, prescription accounts subject to fraudulent refills, and—perhaps most personally harmful—your private medical history exposed. All so a cyber-criminal can put a few thousand dollars in their bank account—literally thousands of times.

Federal Trade Commission Position Adds Complexity

Because PII is not something you can easily cancel or change, the Federal Trade Commission (FTC) now has the authority to penalize organizations that expose their customers’ PII. In addition, since a breach usually exposes millions of people’s PII, Class Action Lawsuits are a common result, which dramatically compounds the financial costs of the breached data holder. For example, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (July 20, 2015), the Seventh Circuit found that the victims of a credit card data breach had alleged an injury-in-fact, which gave them standing to sue the retailer from whose computers the data were stolen. The lawsuit went forward primarily because PII was also exposed, not just payment data. With the FTC in the mix, judgments in data breaches will be even more expensive when poorly protected PII records are exposed in violation of stated privacy policies.

Healthcare Companies Setting a Bad Precedent

Healthcare organizations have increasingly been the focus of data breaches in 2015. Anthem, UCLA, Blue Cross Blue Shield—the list goes on and on. Why? Most healthcare providers have focused on protecting the perimeter of their data environment, so that when malware gets injected into the internal portions of the databases and personal computers, they are completely vulnerable. With common practices such as not encrypting data in transit, to storing massive amounts of unsecured PII records in their databases, it is no wonder healthcare and insurance organizations are a favorite target for fraudsters. The problem is that as breaches continue to occur with more frequency, the healthcare industry remains complacent in finding a data security solution that secures sensitive data. They need a security solution that rids their environment of toxic PII, in addition to PCI, without impacting their existing business processes.

Tokenization Secures PII

Companies have to rethink how to fight fraudsters. All of the warning systems on the planet will not save you from a data breach. While removing toxic PII, PCI, or PHI in your environment will not stop a breach, it will absolutely prevent the exposure of any of sensitive data and the resulting legal and financial pain. A true cloud tokenization platform removes the toxic PII completely from your environment, leaving only tokens that have meaningless value to cyber-thieves, since there is no way for them to reverse engineer the token to its original value. At the same time, the tokens are available to use in all existing business processes, just like the original data. Business as usual with layers of security to prevent data theft and break the cycle of fraud.

Why take the chance of losing PII, with the resulting class action lawsuits, FTC fines, and lots of ticked off customers, that can potentially destroy your business and cause you to spend more money than you ever thought imaginable as the result of a single data breach. Simply put—with cloud tokenization, hackers can’t steal what’s not there!

Visit or email for more information on how to secure PII in your data environment. Follow us on Twitter and LinkedIn.

Topic(s): payments , data security , HIPAA , PCI DSS , PII , tokenization