Summer is coming to an end, vacations taken, and family time well spent. Now what? Most people will take this opportunity to post their special moments with families and friends on social media. Some may even order special keepsakes like photo albums and customized mugs from various brick-and-mortar stores or online retailers. These are normal events that occur after fun-filled times spent with loved ones. We are eager to share these events with those around us to bring some joy into their lives. There is no harm in that. Is there?
In the past couple of weeks, seeing these familiar events set off alarm bells in my head.
A friend shared pictures and memorabilia of their vacation with me. The pictures were absolutely wonderful and I enjoyed seeing their fun-filled adventures. The memorabilia included an item with their family name printed at the bottom, and lovable stuffed animals representing each of their family members with their names printed on them and the vacation spot they visited. It was great, so far so good.
I was on social media and saw an ad for customized images of street signs for sale. Instead of street names, the signs had family members' names and each person's date of birth. The comments on the ad showed that many people were interested in purchasing them.
Parents with school-age kids have no doubt been busy with back to school shopping. For younger children, many parents will typically label everything with their children’s names, including backpacks and lunchboxes.
These events are pretty normal, so why was I concerned about them? In the first situation, the memorabilia had the first and last names of each family member and where they last vacationed. In the second situation, the street signs had every family member’s name and date of birth. In the third situation, young children are out and about with their names and possibly home addresses on backpack labels. That’s a lot of information freely shared.
Most of us have been taught to not share our personal information with people we don’t know. You and I would never knowingly post these things on the internet. We know better. Is the information in the scenarios described earlier enough to really identify us and our family members?
What is Personally Identifiable Information?
Personally Identifiable Information or PII is any information about a specific person that can be used to discover that person’s identity. Some of the common information types are:
Full name
Date of birth
Sex
Address
Place of birth
Social Security Number (SSN)
Family members’ names
Race
Residential Zip code
Credit card information
Driver’s license information
Financial information
For more information on this topic, our partner Malwarebytes has a great write-up explaining PII.
As the internet brings us closer together, it also brings information about each of us to the surface. How many organizations is each of us a member of? I can hardly keep track myself: grocery stores, movie theaters, convenience stores, gas stations, streaming services, and so forth. Each of these organizations holds a piece of our information. One organization may not have all our information, but if even some were to merge, or if some were to experience a data breach or leak, potential threat actors could have an almost complete, or even complete, picture of each person.
A trained threat actor can capture identity information from the scenarios above, then search the internet for our existing data footprint to uncover additional data points about each of us. With that, they could potentially assume our identity, sell our information on the dark web, or hold the information captive while demanding a ransom payment. According to IBM's Cost of a Data Breach Report 2024, 40% of breaches involved information from multiple environments, resulting in the highest average cost at $5.17 million.
Fixing it isn’t easy. It takes a lot of time and effort. It’s frustrating and stressful, and it oftentimes puts the victim in financial hardship. The Federal Trade Commission has put together a guide to assist in the recovery process, Recovering from Identity Theft.
Our team at Polito has compiled some tips to help protect you against threat actors who are prowling the internet to steal your identity. While it’s not possible to protect yourself and your information 100%, we suggest the following tips to get you started:
Make yourself into a smaller target by sharing less information
Keep identifiable information secure
Check your credit report regularly
Register with Equifax, Experian, and TransUnion for fraud alerts and freeze your accounts with each credit bureau until you actually need to have a credit check performed (Note: remember to re-freeze your credit with each bureau when done with credit checks)
Shred documents containing PII before throwing them out
Make sure to remove all PII before discarding devices
Make sure your device and Wi-Fi passwords are not common passwords that can be easily guessed
This is by no means a complete list, but it is a great start to protecting your and your family's identities on the world wide web.
Polito offers a wide range of security consulting services including penetration testing, vulnerability assessments, red team assessments, incident response, digital forensics, threat hunting, and more. If your business or your clients have any cybersecurity needs, contact our experts and experience what Masterful Cyber Security is all about.
Phone: 571-969-7039
E-mail: info@politoinc.com
Website: politoinc.com