What is PII Really?

PII (Personally Identifiable Information), broadly speaking, is information that relates directly to you as an individual and allows you to be individually identified; it is also often of a sensitive, private nature.

We explain in this article what it is and how to protect yourself against people trying to steal your identity through PII.

Why is PII so dangerous?

Such information can often be used to ‘steal’ your identity wholesale and then use the new identity to get up to all sorts of tricks, for instance:

  • Selling or mortgaging your house.
  • Draining your bank accounts.
  • Setting up new credit cards and draining them too.
  • Getting government benefits.
  • Reputation leverage – basically pretending to be you.

Most of this, naturally, revolves around extracting money via your identity, so the more money you have the more you should be concerned about PII. Why so? Well, PII hacking can take some effort, so they want to see a return for that effort; it's a business for them, they are not doing it for fun.

What typically is PII?

PII is not a single in-or-out thing; rather it is a combination of bits of information that together make identity theft possible. For instance, if someone had just your name, there is not a lot they can do with that, but combine the name with your social security number, your home address and your date of birth and suddenly a wave of identity thefts becomes possible.

So I’m going to rank what is considered PII below, so you get an idea what to watch out for:

  • Name – Low
  • Your picture – Low
  • Your picture with Geo Location – Medium
  • Your email address – Low
  • Home Address – Medium
  • Home Phone Number – Low
  • Mobile Number – Medium
  • Work Address – Medium
  • Direct Work Number – Low
  • Date of Birth – Medium
  • Place of Birth – High
  • Age – Low
  • Social Security Number, tax file number, passport number or other government issued ID – High
  • Mother's Maiden Name* – High
  • Childhood Street Address* – Medium
  • Pet Name* – Medium
  • Bank Account Number – Medium

*These are usually used when changing a password or for additional security challenges.

Now there may be a few things you think are missing on there:

  • Credit Card Details – these are NOT PII; you are not your credit card, the only thing related to you on them is your name (and your money)
  • Other types of Cards – unless they encode something of Medium or High value (or provide access to it) they are not PII.
  • Utility Bills – usually by the time they have got to these, they have the information on them already (unless they dumpster dive…)

The other type of PII is what I term Sensitive PII – basically information you would not want ‘escaping’ into the public domain, examples of this include:

  • Financial Records – bank statements, tax affairs, insurance, etc
  • Commercial Records – shopping activity
  • Legal Records – proceedings, notes, statements, case history, etc
  • Medical Records – anything medically related to you, such as Doctors records, hospital records, etc
  • Private Correspondence – could be of an emotional or directly sensitive nature.
  • Location Data – Where you have been and when.

What is often most worrying about such Sensitive PII is that it is often stored ‘as is’, either on computer disks as readable files or as text fields in a database; so once a system is hacked it is usually trivial to make off with the data (see this article for ways to protect such data).

How to use the PII ranking?

What you need to watch out for is when one or more High-ranked items are exposed, or when two or more Medium-ranked items are exposed together. This could be enough to start ‘digging’ into your identity. Remember, the hackers don't need all the pieces at once; they use what they have to try to discover more personal information until they have what they need.

Once you understand this, it soon becomes clear that key ‘pieces’ to your identity are all over the place; which is why there is so much emphasis by governments on protecting PII and indirectly your privacy.

What you can do to protect your PII?

First off, recognize what is sensitive PII and be alert to why someone is asking for it. You need to assess whether you can opt out of providing sensitive information to a 3rd party you do not trust. Also be aware of ‘fly by’ attempts to get PII out of you, i.e. banks cold-calling you and asking you to verify yourself by giving them your credit card and birth date details; too-good-to-be-true credit card deals in the post; once-in-a-lifetime offers, etc. What they really want is your identity; it's of far more value than what they claim to be peddling.

You also need to do some basic PII awareness training with your relatives, to make sure they do not accidentally ‘leak’ PII about you (sharing this article with them would be a good start), let alone protecting their own PII. BTW, hackers often make good use of knowledge of your relatives to try to gain more pieces of your identity.

Also it's a good move to get yourself a shredder, and shred any old paperwork before it goes into the bin. Also think about what sensitive information is on your own computers, especially laptops: do all the files that are on them need to be there?

What about my Passwords and PII?

It should, hopefully, go without saying that you should not be using sensitive PII within your passwords; that just makes them easy to guess for the hackers once they have their hands on such info. Also, please do not use the same password for social networks, email and financial services; they should each have their own distinct password.

Protecting PII & Privacy in computer systems

The other area where PII comes up is how it should be treated in business computer systems. Most governments have policies or standards around how PII needs to be stored and the security that needs to be maintained. This is often backed up with PII/privacy leakage disclosure requirements and heavy fines enshrined in law. Essentially there needs to be a higher level of security and access control around PII and privacy-sensitive data than for other general data, especially when that data is ‘at rest’, plus you need to know where the data is going and who has access at all times. In essence such data needs special treatment, monitoring and architectural isolation compared to other data in your systems – it's pretty much mandatory now.
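As an added example (not code from the original article), the snippet below turns the ranking and the "one High or two Medium" rule from the section on using the PII ranking into a check, and then applies the "special treatment at rest" point from this section by pseudonymizing the Medium/High fields before they are stored. The field names, the sample record and the demo key are this example's own assumptions; keyed HMAC pseudonymization is one possible treatment, chosen here because it runs with the standard library only.

```python
import hashlib
import hmac

# Sensitivity levels copied from the article's ranking list (field names are
# this example's own normalized keys).
PII_LEVEL = {
    "name": "Low", "picture": "Low", "email": "Low", "home_phone": "Low",
    "direct_work_number": "Low", "age": "Low",
    "geo_picture": "Medium", "home_address": "Medium", "mobile": "Medium",
    "work_address": "Medium", "date_of_birth": "Medium",
    "childhood_street": "Medium", "pet_name": "Medium", "bank_account": "Medium",
    "place_of_birth": "High", "ssn": "High", "passport_number": "High",
    "mothers_maiden_name": "High",
}

def identity_theft_risk(fields):
    """The article's rule: one or more High fields, or two or more Medium
    fields, seen together are enough for an attacker to start digging."""
    levels = [PII_LEVEL.get(f, "Unknown") for f in fields]
    return levels.count("High") >= 1 or levels.count("Medium") >= 2

def pseudonymize_record(record, key):
    """Copy of the record with Medium/High fields replaced by keyed HMAC
    tokens, so a raw dump of the store no longer yields the identifiers.
    Low fields stay readable. Keyed pseudonymization is this example's
    choice of 'special treatment'; the key must live outside the data store."""
    out = {}
    for field, value in record.items():
        if PII_LEVEL.get(field) in ("Medium", "High"):
            mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
            out[field] = "tok_" + mac.hexdigest()[:16]
        else:
            out[field] = value
    return out

# Constructed sample record and demo key (fictional, for offline runs only).
SAMPLE = {"name": "A. Person", "email": "a@example.invalid",
          "date_of_birth": "1980-01-01", "home_address": "1 Example St"}
DEMO_KEY = b"example-key-not-for-production"

if __name__ == "__main__":
    print(identity_theft_risk(SAMPLE))              # two Medium fields -> True
    print(pseudonymize_record(SAMPLE, DEMO_KEY))
```

Because the tokens are deterministic per key, records can still be joined on a pseudonymized field without the raw value being present in the store; rotating the key re-tokenizes everything.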

Although beyond the scope of this article, we would be happy to discuss further with you any computer based PII issues you may be facing.