It’s Not Worth the Risk. Remove Toxic PII with Tokenization
Sometimes the struggle with data security seems like a game of whack-a-mole. Just as you start to get a handle on preventing payment card data breaches, new worries pop up: malware injections, spear phishing schemes, ransomware and other nefarious hacks that seek out and steal Personally Identifiable Information (PII). What is it about PII that makes it so attractive a hacker target? How are cyber-criminals accessing PII? What are the options to remove toxic PII from IT systems?
PII is now center stage as the most valuable data set to steal. Using pilfered PII, a cyber-criminal can build a complete virtual identity. PII data sets—such as social security, date of birth, employment history—are used to create fraudulent personas with which a fraudster can buy goods and services, open lines of credit, change bank account access, and a plethora of other illegal activities. The damage stolen PII can do to victims has caught the attention of the Federal Trade Commission, which has ruled that people can sue for long-term damages when their PII is stolen from an organization’s business systems. Legal firms are all too ready to work with groups of victims to file massive class-action lawsuits against organizations that are negligent in securing PII. This trend is a lot more expensive than just shutting off a credit card and offering credit reporting for a year. Class-action lawsuits can be potentially ruinous for organizations that are found guilty of violating their security and privacy statements when PII goes missing.
Self-Service Automation Has Security Pitfalls
The popularity of self-service portals that enable customers to create and update their accounts with organizations opens another attack vector. Self-service portals that are not properly secured with two-factor authentication are prime targets for criminals due to the massive amount of PII that can be revealed. The payroll company ADP was breached via a self-service W-2 portal, enabling cyber-criminals to create fraudulent accounts using PII. W-2 data is valuable because it contains much of the information needed to fraudulently request a tax refund from the US IRS in someone else’s name. Even though ADP stated that cyber-criminals were able to access PII data from its clients and not from internal ADP systems, the hackers found enough data to successfully create multiple accounts in an attempt to pilfer the ADP treasure chest. There is no real way to know with confidence where the exposed PII was acquired. Was it from the internal ADP environment or from the dark web? In the end, it doesn’t matter, because the damage was done, but it does demonstrate how interconnected PII is with fraud.
Even more worrisome, fraudulent account creation or takeover can be just the first wave of an attack. Financial companies like ADP are affiliated with multiple banks for payment processing, and once the crooks are able to make it past the initial authentication and create new accounts, malware can be injected and live inside these environments, just waiting to strike—potentially for years without discovery. The JP Morgan forensics team, for example, found that malware was sitting inside their environment for multiple years waiting for vulnerabilities to surface. Once those inevitable weaknesses surfaced, the malware was triggered, and all hell broke loose—the theft of names, addresses, phone numbers and email addresses of 83 million account holders.
Login Credential Database = Major Risk Point
You can read almost daily how the theft of PII credentials is affecting organizations—just ask Amazon. Over 80,000 Kindle credentials have been compromised, and the hacker is holding Amazon ransom to the (somewhat laughable) tune of $700, so they can see the “error” in their ways. The hacker even offered to give Amazon a vulnerability report, so they could see how lacking their security infrastructure is. Amazon did not acquiesce, so the generous hacker (insert sarcastic emoticon) has promised to either continue holding them hostage, or sell off their valuable data to the highest bidder. According to MIC, who interviewed the hacker, “When they first got Kindles and set them up, all their (customer) stuff was being logged and put into a database that includes a user’s email, password, city, state, phone number, zip code, user-agent, LastLoginIP, Proxy IP and street.” This hack is a prime example of how gaining access to one vulnerable database with PII puts tens of thousands of individuals at risk of having their personal information potentially sold for fraudulent use.
Remove Toxic Data Before Hackers Attack
As we’ve seen, the main impetus behind most modern cyber-attacks is the wealth of valuable sensitive data that organizations store on their customers, employees, and partners. From a data security perspective, organizations can take their risk to almost zero when they remove all sensitive data from their IT and business environments. Enter tokenization. With TokenEx’s unique cloud tokenization processes, any data type can be vaulted and tokenized, removing it from business systems. This flexibility gives organizations the ability to secure all types of sensitive data that are commonly stored in databases, such as Social Security IDs, employee IDs, license numbers, and phone numbers. Even non-public documents containing product information and electronic forms with health records in document management systems can be tokenized and securely vaulted.
TokenEx - No Data. No Theft.
TokenEx protects PII by offering a controlled, auditable method for securely storing and interacting with sensitive information without altering business processes. In many cases, organizations need not interact directly with PII, but instead can use the tokens that represent the PII in their business processes. The actual sensitive data is stored in a TokenEx Secure Cloud Data Vault, enabling organizations to minimize the risk associated with handling PII.
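The vault-and-token pattern described above, sketched as an added example (this is not TokenEx code or its API): the business record keeps only random tokens, while detokenization is restricted to an allow-list and every call is logged. The class, function and caller names and the sample values are hypothetical.

```python
import secrets

class TokenVault:
    """Toy in-memory vault (hypothetical; a real one is a separate hardened service)."""
    def __init__(self, allowed_callers):
        self._by_token = {}   # token -> sensitive value, held only inside the vault
        self._by_value = {}   # (kind, value) -> token, so a repeated value reuses its token
        self._allowed = set(allowed_callers)
        self.audit_log = []   # (caller, action, token, outcome)

    def tokenize(self, kind, value, caller):
        token = self._by_value.get((kind, value))
        if token is None:
            # Random token: it has no mathematical relation to the value it stands for.
            token = f"tok_{kind}_{secrets.token_hex(8)}"
            self._by_value[(kind, value)] = token
            self._by_token[token] = value
        self.audit_log.append((caller, "tokenize", token, "ok"))
        return token

    def detokenize(self, token, caller):
        if caller not in self._allowed or token not in self._by_token:
            self.audit_log.append((caller, "detokenize", token, "denied"))
            raise PermissionError(f"{caller} may not detokenize {token}")
        self.audit_log.append((caller, "detokenize", token, "ok"))
        return self._by_token[token]

def onboard_employee(vault, employee_id, ssn, phone):
    """Build the row the business database stores: identifiers and tokens, no PII."""
    return {"employee_id": employee_id,
            "ssn": vault.tokenize("ssn", ssn, "hr-portal"),
            "phone": vault.tokenize("phone", phone, "hr-portal")}

def demo():
    vault = TokenVault(allowed_callers={"payroll-service"})
    ssn, phone = "000-12-3456", "555-0100"   # constructed sample values
    row = onboard_employee(vault, "E-1001", ssn, phone)
    dumped = repr(row)   # what a dump of the business database would contain
    exposed = ssn in dumped or phone in dumped
    try:
        vault.detokenize(row["ssn"], "hr-portal")   # caller not on the allow-list
        denied = False
    except PermissionError:
        denied = True
    recovered = vault.detokenize(row["ssn"], "payroll-service")
    return row, exposed, denied, recovered, vault.audit_log

if __name__ == "__main__":
    print(demo())
```

The audit log records the denied attempt from the portal alongside the permitted payroll lookup, which is the trail a reviewer would use to spot unexpected detokenization requests.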