The risks of relying on “private” information that cannot be kept private?

Author

  • Stefan Frei

Abstract

Modern commerce is increasingly conducted online, allowing vendors to offer a wide variety of goods and services around the clock and from any location. As a result, hundreds of millions of users are registered with dozens of diverse online services.

For authentication, users typically rely on only a small number of unique personal information attributes. The same attributes are reused across many services and are inevitably lost, in large numbers, through data breaches. Cyber criminals have built comprehensive profiles of millions of users, which they refine with each new breach. Once lost, breached data cannot be taken back. This rapid erosion of security (and also privacy) presents huge challenges because the same information, which many still consider "private," is used across diverse services, both online and offline. While users can change login and password information after a breach, social security numbers (SSNs) and dates of birth (DOB) cannot be changed after such an event.

Enterprises that conduct any part of their business online should bear full responsibility for the consequences of data breaches. Those consequences are not purely financial, but involve ongoing risks posed to individuals and society as a whole because of the loss of static personal information such as DOB and SSN.
