One Defense Against Data Breaches: Don’t Have the Data to Begin With

By Raj Ananthanpillai, Founder and CEO, Trua

When it comes to hackers stealing Social Security numbers and other personal identifiable information, even members of Congress aren’t safe.

So why would we think any of the rest of us are?

After hackers accessed a healthcare marketplace for DC lawmakers and residents in March, investigators discovered Social Security numbers, birth dates, addresses, and phone numbers for lawmakers, their families, and their staffers on the dark web.

Hackers are brazen and relentless. Most businesses, no matter how conscientious, aren’t equipped to serve as a fortress against cyber criminals who are eagerly and cleverly attacking them in search of PII.

And so often, that’s exactly what they are after. A 2021 IBM report found that PII was included in 44% of all breaches that were studied in the report, making PII the most common type of records lost or stolen. Compare that to 28% of breaches when PII had been removed from customer data.

And the cybercriminals aren’t slowing down. In fact, they were busy in the first quarter of 2023 when an estimated 89 million individuals in the U.S. were victims of data compromises, according to an analysis by the Identity Theft Resource Center.

Clearly, hackers view PII as valuable. That’s why the less of that information is kept and stored by a business or government agency, the better. The question is: How do we put a stop to PII being spread around so widely, making an enticing target for those bad actors?

At least a couple of options should be considered.

The first is that businesses should give serious reflection to what information they really need from consumers, and whether they are collecting some of that data simply as a means to verify someone’s identity.

For example, let’s say you’re the owner of a gym. Do you really need someone’s Social Security number so they can complete the gym membership application? Or for health providers, do you need the SSN when patients have insurance?

Because once you’re in possession of PII, you absolutely need to keep it as safe as possible. But as we see time and again in the news, keeping data safe from determined and clever cybercriminals is no easy task, and businesses put themselves at risk of liability when there’s a breach.

Certainly, companies sometimes do have legitimate reasons for requesting PII. Employers, for example, need that information from employees for payroll purposes. Banks are required to obtain Social Security numbers when customers set up accounts.

But in many cases, the information just isn’t needed.

I like to advise consumers to ask questions whenever a business wants their Social Security number or birthdate or any such information that those hackers crave. Why does the business need it? How will it be used?

Businesses should ask themselves similar questions. Aren’t there better ways than gathering and storing this information that you just needed for identity verification, but now must protect?

A second way this problem can be solved is through more widespread adoption and use of verified digital identification. With verified digital identification, people won’t need to provide their private personal information over and over. They will provide it once to have it verified when their digital ID is created. After that, when someone wants to verify who they are, they will present their ID rather than repeatedly sharing their sensitive information.

With this system, the individual’s personal information is less likely to end up in the hands of cybercriminals, which also decreases the likelihood of people losing trust in the business.  Businesses, meanwhile, would know that the person’s identity is verified, but they wouldn’t have to take responsibility for storing and protecting the information.

As it stands now, though, the use of these digital IDs hasn’t become prevalent. While many other things we deal with have gone digital, trust verification and assurance are still in the analog world.

That is certain to change, though. Consumers will insist on it as more and more data is compromised, and they learn there is an alternative to their information being stored in numerous places with questionable defenses.

Businesses should prepare for and embrace such a shift.

After all, this will give those determined hackers fewer reasons to target them.

About the Author

Raj Ananthanpillai is Founder and CEO of Trua, that provides privacy-preserving identity and risk-screening platforms that assure trust and safety in digital environments, sharing economy, employment and workforce screening.

Raj can be reached online at https://www.linkedin.com/in/raj-ananthanpillai-endera/, and at our company website http://www.truame.com/.