Question

A finance company has a database of customer documentation, including application forms containing a substantial amount of personally identifiable information (PII). The database contains the records of over 10,000 customers. The database is only accessible from inside the network of the company – it is not directly exposed to the Internet.

i. Suggest a suitable data classification for this information held by this database and explain why this classification is appropriate.  

ii. Suggest one threat actor, and why they might want to compromise these data.

iii. Suggest one preventative security control that might be used to mitigate a threat against these data. Briefly explain how the control reduces the threat of the data being compromised.

Answer 1

1.) Personally Identifiable Information (PII) is widely characterised as "any information that could possibly identify a particular person" and may be sensitive or non-sensitive. Sensitive PII is information that may result in harm to the data subject when revealed to an unauthorised party. On the other hand, disclosure of non-sensitive PII would result in little or no harm to the data subject.

In combination with one or more of the following data elements, PII is specified as a person's first name or first initial and last name:
Number for Social Security
State-issued number for driver's licence
State-issued number of identity card
In combination with a security code, access code or password that would allow access to the account, the financial account number
Data on medical and/or health insurance

The aim of this Guideline is to create a structure for classifying institutional data as required by the University's Information Security Policy on the basis of its level of sensitivity, significance and criticality to the university. Data classification can help to define baseline security controls for data protection

In order to understand why PII is so valuable to hackers, it is good to provide some examples to better understand what constitutes it. PII is any information that is attributed to an individual that identifies them and distinguishes individuals from one another. Examples include:

• Social Security Number
• Address
• Phone Number
• Driver’s License Number
• Employer
• Personal Habits or Interests
• Biometric Data

.Any information that an individual provides – whether on an online form, a voter’s ballot or a retail transaction, etc. constitutes PII. In turn, this makes the stolen information even more useful for mounting highly targeted attacks on individuals for any number of purposes. For example, a hacker can take a person’s employee identification number and use it to uncover more sensitive information.

Any information that an individual provides – whether on an online form, a voter’s ballot or a retail transaction, etc. constitutes PII. In turn, this makes the stolen information even more useful for mounting highly targeted attacks on individuals for any number of purposes. For example, a hacker can take a person’s employee identification number and use it to uncover more sensitive information.

Types of PII-Related Data Breaches

There are multiple cybercrime scenarios that can involve PII. Bad actors may compromise direct consumer PII, target credit reports or conduct identity theft. Theft concerning PII can also serve as a means to another, greater end. For example, cybercriminals may target individuals who hold sensitive positions in corporate and government organizations for defamation, or to put their lives at risk.

Information that hackers steal can be used against targeted individuals in orchestrated attacks. Hackers may also leverage a PII-related cyberattack for other purposes, which just aren’t as obvious. For example, consumer’s PII can serve the purpose of monetary gain, such as a marketing commodity. For example, a hacker may infiltrate a computing system to gain access to PII, which s/he can repurpose as marketing lists to sell products. Cybercriminals may also be capable of harvesting and aggregating data, gaining more insights and painting a clearer picture of their target(s) through data points.

3.) Encryption is well known by security pros for preventing data loss. It’s a core tool for the strategies and tools within Data Loss Prevention (DLP). Encryption protects your business from cybercriminals accessing sensitive data or employees making an unintended mistake with your data.

Our data has a lifecycle – in use, at rest, and in motion. It’s considered best practice to encrypt across all these stages because data can be intercepted by threat actors at any stage.

Most commonly, organizations encrypt the following data:

Company Intellectual Property or Proprietary Data

Company Financial Reports

Personally Identifiable Information

Research and Development Data

Sensitive Customer Data

Upcoming Product Launch Details

The employees can even encrypt sensitive emails from their laptops, phones, tablets, or any other device used to send and store data to protect any critical data exposure or loss.