By Raj Ananthanpillai, Founder and CEO, Trua
When it comes to hackers stealing Social Security numbers and other personally identifiable information, even members of Congress aren’t safe.
So why would we think any of the rest of us are?
After hackers accessed a healthcare marketplace for DC lawmakers and residents in March, investigators
discovered Social Security numbers, birth dates, addresses, and phone numbers for lawmakers, their
families, and their staffers on the dark web.
Hackers are brazen and relentless. Most businesses, no matter how conscientious, aren’t equipped to
serve as a fortress against cyber criminals who are eagerly and cleverly attacking them in search of PII.
And so often, that’s exactly what they are after. A 2021 IBM report found that PII was included in 44% of
all breaches studied in the report, making PII the most common type of record lost or stolen.
Compare that to 28% of breaches in which PII had been removed from customer data.
And the cybercriminals aren’t slowing down. In fact, they were busy in the first quarter of 2023 when an
estimated 89 million individuals in the U.S. were victims of data compromises, according to an analysis
by the Identity Theft Resource Center.
Clearly, hackers view PII as valuable. That’s why the less that information is kept and stored by a
business or government agency, the better. The question is: How do we put a stop to PII being spread
around so widely, making an enticing target for those bad actors?
At least a couple of options should be considered.
The first is that businesses should reflect seriously on what information they really need from
consumers, and whether they are collecting some of that data simply as a means to verify someone’s
identity.
For example, let’s say you’re the owner of a gym. Do you really need someone’s Social Security number
so they can complete the gym membership application? Or for health providers, do you need the SSN
when patients have insurance?
Because once you’re in possession of PII, you absolutely need to keep it as safe as possible. But as we
see time and again in the news, keeping data safe from determined and clever cybercriminals is no easy
task, and businesses put themselves at risk of liability when there’s a breach.
Certainly, companies sometimes do have legitimate reasons for requesting PII. Employers, for example,
need that information from employees for payroll purposes. Banks are required to obtain Social Security
numbers when customers set up accounts.
But in many cases, the information just isn’t needed.
I like to advise consumers to ask questions whenever a business wants their Social Security number or
birthdate or any such information that those hackers crave. Why does the business need it? How will it
be used?
Businesses should ask themselves similar questions. Aren’t there better ways than gathering and storing
this information that you just needed for identity verification, but now must protect?
A second way to solve this problem is through more widespread adoption and use of verified digital
identification. With verified digital identification, people won’t need to provide their private personal
information over and over. They will provide it once to have it verified when their digital ID is created.
After that, when someone wants to verify who they are, they will present their ID rather than repeatedly
sharing their sensitive information.
With this system, the individual’s personal information is less likely to end up in the hands of
cybercriminals, which also decreases the likelihood of people losing trust in the business. Businesses, meanwhile, would know that the person’s identity is verified, but they wouldn’t have to take responsibility
for storing and protecting the information.
As it stands now, though, the use of these digital IDs hasn’t become prevalent. While many other things
we deal with have gone digital, trust verification and assurance are still in the analog world.
That is certain to change, though. Consumers will insist on it as more and more data is compromised,
and they learn there is an alternative to their information being stored in numerous places with
questionable defenses.
Businesses should prepare for and embrace such a shift.
After all, this will give those determined hackers fewer reasons to target them.
This article was taken as an excerpt from the Cyber Defense magazine’s June issue.