3 Scary Attacks that Exposed Personally Identifiable Information (PII)
The Internet is a double-edged sword: it holds enormous potential for good, but it does not come without its dangers.
As more of the real-world population adopts digital avatars, the online population is growing faster than ever, and that raises a heap of issues, especially for the security of personal data.
Since personal data is an important asset for individuals and organizations, it is valuable to cybercriminals as well. Personally Identifiable Information (PII) is any personal data that can help identify an individual.
PII was initially restricted to unique personal data like Social Security Numbers in the US, email or mailing addresses, and phone numbers. In the digital age, examples of Personally Identifiable Information also include IP addresses, login IDs, digital images, geo-location, and biometric and behavioral data, since they can help identify a person in the digital world. Moreover, if a piece of data can be combined with other data to correctly identify an individual, that combination is also considered Personally Identifiable Information. For instance, a date of birth combined with gender and ZIP code may identify a person, so these too are examples of PII.
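As an added illustration of the combination rule (not part of the original article), the following Python computes k-anonymity over a constructed toy table: the exact date of birth, gender and ZIP code pin down every row, while coarsening them to birth year and a 3-digit ZIP prefix does not. The field names, the records and the k_min threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not real people); the three fields the article names as
# a re-identifying combination: date of birth, gender and ZIP code.
QUASI_IDS = ("dob", "gender", "zip")
RECORDS = [
    {"name": "A", "dob": "1984-03-12", "gender": "F", "zip": "02139"},
    {"name": "B", "dob": "1984-03-12", "gender": "F", "zip": "02140"},
    {"name": "C", "dob": "1991-11-02", "gender": "M", "zip": "02139"},
    {"name": "D", "dob": "1991-07-19", "gender": "M", "zip": "02139"},
    {"name": "E", "dob": "1984-08-30", "gender": "F", "zip": "02139"},
    {"name": "F", "dob": "1991-11-02", "gender": "M", "zip": "02138"},
]

def group_sizes(records, quasi_ids):
    # How many rows share each quasi-identifier tuple.
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    # Smallest group size; k == 1 means some row is pinned down by these fields alone.
    return min(group_sizes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids):
    # Share of rows that are the only member of their group, i.e. directly re-identifiable.
    sizes = group_sizes(records, quasi_ids)
    return sum(1 for c in sizes.values() if c == 1) / len(records)

def generalize(record):
    # Coarsen the quasi-identifiers: birth year only, 3-digit ZIP prefix. The name is dropped.
    return {"dob": record["dob"][:4], "gender": record["gender"], "zip": record["zip"][:3]}

def release_check(records, quasi_ids, k_min=3):
    # Gate a data release: (meets k_min?, k) for the raw rows and for the generalized rows.
    raw_k = k_anonymity(records, quasi_ids)
    gen_k = k_anonymity([generalize(r) for r in records], quasi_ids)
    return {"raw": (raw_k >= k_min, raw_k), "generalized": (gen_k >= k_min, gen_k)}
```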
According to RSI Security, “the public, and sometimes companies, provide this information freely without fully considering the consequences or without first determining that adequate protection measures are in place. Businesses and consumers alike need to understand the risks and recommended safeguards before releasing or storing private information.”
PII is among the most sensitive and valuable data that organizations hold, yet they often underestimate its security requirements. That is why there have been numerous cyberattacks in the last decade that leaked the data of billions of people, proving the importance of a hardened security posture for organizations. With that said, let's look at some cyberattacks that further prove this point.
Yahoo!
Once a technology behemoth, Yahoo! had been the talk of the town in recent years. A web services company founded in 1994, Yahoo! had provided numerous services over the decades including Yahoo! Mail, Yahoo! News, Yahoo! Search, and a lot more. Even more interestingly, Yahoo! Search was the premier search engine in the 1990s before the title was earned by Google in the 2000s.
In December 2015, Yahoo! announced that it had been breached in 2013, affecting 1 million accounts. Later, in October 2016, Yahoo! revised its earlier statement: the 2013 breach had affected 3 million accounts, every account that existed at the time.
The breached data included names, email addresses, phone numbers, hashed passwords, birthdays, and security questions and answers in both encrypted and unencrypted forms. After announcing the breach in December, Yahoo! took protective measures for all users, such as resetting passwords.
In the history of cyberattacks, the 2013 attack on Yahoo! is the worst by the number of records leaked in a single attack. Also, Yahoo! took almost three years to discover the data breach and disclose it to the public, which further increased the impact of a cyberattack that exposed the PII of 3 million people.
Marriott – Starwood
Starwood Hotels and Resorts was one of the largest hospitality companies and was acquired by Marriott International in September 2016. It owned, operated, and franchised hotels, residences, resorts, spas, and vacation ownership properties in 100 countries. Starwood had numerous popular brands including Westin and Sheraton and owned, operated, or franchised 1200+ properties.
In December 2018, Marriott International announced a data breach related to its Starwood subsidiaries affecting more than 500 million people. In one of the worst breaches of all time, attackers had access to the reservation systems of its Starwood subsidiaries from 2014 onward, for four years. The breached data included names, addresses, phone numbers, and credit card numbers, along with less commonly exposed information such as passport numbers, travel dates, and locations.
In this attack, a very sensitive form of Personally Identifiable Information (PII) was exposed. Through the reservation systems, attackers extracted people's travel history: when and where people traveled and with whom. With such information, attackers could have tracked the movements of prominent people such as business executives, diplomats, and military officials.
FriendFinder Networks
FriendFinder Networks is another internet company founded during the early-Internet era of the 1990s. It mainly provides social networking, online dating, and adult entertainment services. Some of its popular online dating sites include FriendFinder, Adult FriendFinder, Amigos.com, BigChurch, Cams.com, and Penthouse. It also runs numerous region-specific dating services.
In November 2016, a breach notification website called LeakedSource disclosed that six databases of FriendFinder Networks were leaked, affecting 412 million accounts.
The data included usernames, email addresses, and poorly protected passwords: they were either stored in plaintext or hashed with SHA-1, a fast general-purpose hash that is unsuitable for password storage. LeakedSource reported that 99% of the leaked passwords were crackable, allowing attackers to hijack those accounts and extract further data from them. The leak also included contentious data, including records of deleted accounts and of Penthouse.com, which had been sold in February 2016.
In this attack, the leaked data itself was ordinary PII by the definition above. The bigger issue was that the passwords were not stored securely, allowing attackers to extract more sensitive data by hijacking the accounts, which underlines the importance of securing PII. For example, individuals usually keep personal photos, sexual preferences, and details of past meetups in their online dating accounts, all highly sensitive data.
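The storage problem described above, as an added Python example that is not from the article or from FriendFinder Networks: it classifies stored credentials by format (plaintext, a bare unsalted SHA-1 digest, or a salted PBKDF2 record), verifies a login against any of them, and rehashes weak records on a successful login so the store can be migrated without locking users out. The record format, the iteration count and the sample store are assumptions made for the example.

```python
import hashlib, hmac, os, re

ITERATIONS = 100_000  # assumed work factor for this example; raise it in production
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def classify(stored: str) -> str:
    # Labels how a stored credential is protected, from its format alone (formats assumed here).
    if stored.startswith("pbkdf2$"):
        return "pbkdf2"
    if SHA1_HEX.match(stored):  # a bare 40-hex-char digest: unsalted SHA-1
        return "sha1-unsalted"
    return "plaintext"

def hash_password(password: str, salt: bytes = b"") -> str:
    # Salted, deliberately slow hash; record format assumed: pbkdf2$<iterations>$<salt>$<digest>.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    # Accepts every legacy format so accounts keep working while the store is migrated.
    kind = classify(stored)
    if kind == "pbkdf2":
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    if kind == "sha1-unsalted":
        return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
    return hmac.compare_digest(password.encode(), stored.encode())

def upgrade_on_login(password: str, stored: str):
    # Write-back record: fresh PBKDF2 if the stored one was weak, unchanged if strong, None on wrong password.
    if not verify_password(password, stored):
        return None
    return stored if classify(stored) == "pbkdf2" else hash_password(password)

def audit(store: dict) -> dict:
    # Counts accounts per protection class: the first check to run on a credential table.
    counts = {"plaintext": 0, "sha1-unsalted": 0, "pbkdf2": 0}
    for stored in store.values():
        counts[classify(stored)] += 1
    return counts

# Constructed sample store (not real data) with the two weak formats the article describes.
# bob and carol share a digest: unsalted SHA-1 exposes reused passwords across accounts.
SAMPLE_STORE = {
    "alice": "hunter2",
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
    "carol": hashlib.sha1(b"hunter2").hexdigest(),
    "dave": hash_password("hunter2"),
}
```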