Understanding the Risks: Data Aggregators and Personally Identifiable Information

In today's digital age, where vast amounts of personal information are generated and shared online, understanding the risks that data aggregators pose to personally identifiable information (PII) is necessary for cybersecurity. Data aggregators play a significant role in collecting, analyzing, and monetizing PII from various sources, ranging from public records to online activities. While this data is often used for lawful purposes such as targeted advertising, market research, and personalized services, the popularity of PII data aggregation is also raising significant concerns about the potential misuse of this sensitive data. By gaining a deeper understanding of these dynamics, we can better navigate the digital landscape and protect our privacy and security.

To get started, let’s review the basics of what defines personally identifiable information (PII), and what data aggregators are. PII is any information connected to a specific individual that can be used to establish or uncover the individual's identity. This includes but is not limited to social security numbers, full names, email addresses, phone numbers, birthdates, or biometric data. A data aggregator is a service or platform that collects, organizes, and consolidates data through various techniques and sources into a unified database. This PII is then used to create comprehensive profiles of individuals for a variety of purposes, including market research and analytics, targeted advertising, risk assessments, personalization of products and services, customer relationship tracking, and regulatory requirements.

PII is generally classified into two kinds of information: sensitive and nonsensitive.

Nonsensitive information, also known as indirect information, is PII that includes things such as zip code, race, gender, date of birth, religion, etc. This type of information is often found on commonly used people-search sites, which are known for using data aggregation to collect information on individuals including their name, date of birth, age, location, current and previous addresses, emails, phone numbers, and family/friend associations. The people-search sites will then display this information partially, and charge a fee for further access to the full data report. Although termed “nonsensitive”, this data can be used to craft spearphishing, social engineering, SIM swap, and other types of cyber and physical attacks.

Sensitive information is PII that could result in harm to the individual if access to it were breached, and it often needs to be encrypted when being transmitted. Sensitive PII includes medical information, social security numbers (SSNs), passport numbers, employer identification numbers (EIN), banking information (accounts/card numbers), and so on. This sensitive information is typically harder for a threat actor to gain access to, and is often the primary target of data breaches and social engineering attacks. According to Statista, in 2023 there were 3,205 compromises of personal information and consumer data, impacting a total of 353 million victims. This is 2,365 more than the previous record.

Data aggregators are able to obtain PII through a surprisingly wide and highly available array of means. Currently, the most common sources are:

  • Public Records: Sources such as government records, property records, court documents and voter registration lists often contain PII such as names, addresses, birthdates and marital status. 

  • Apps and Mobile Devices: Many of the apps on your phone or tablet use default privacy settings that, unless changed, allow for collecting and transmitting of user data to third-party data aggregators. This data often includes location information, contact lists, device identifiers, and usage pattern identification.

  • Online Activity Tracking: Activity tracking usually includes technology such as cookies, web beacons, and device fingerprinting. This technology is used to monitor individuals' online activities, including recent website visits, search queries, social media interactions, and online purchases. PII available also often includes email addresses, phone numbers, and credit card details. 

  • Data Brokers: As their name suggests, data brokers buy and sell consumer data in bulk. In addition to previously listed sources, they also use surveys and contest entries, loyalty programs, and other third-party data providers to compile comprehensive consumer profiles, and then sell them to businesses and organizations.

  • Publicly Shared Information: Data aggregators can search social media platforms, forums, blogs, and other online communities for PII in all forms, including personal details, financial information, photographs, interests, and connections.

Threat actors often initiate their attacks by obtaining seemingly innocuous data, such as a user's email, from publicly accessible sources such as people-search websites or public social media profiles. They may scour breached data forums on the dark web to check if any sensitive details, such as passwords and usernames, are linked to the acquired email. Upon successful retrieval of the sensitive PII, threat actors would potentially be able to infiltrate various accounts associated with the email. 

Knowledge is power, and having a basic understanding of what PII is and how a threat actor could use that information can enable you to best protect yourself and your accounts. By making your public information more challenging to access online, you decrease the likelihood of having your personal data exploited, and in turn minimize the risk of identity theft.

To address the challenges associated with the unwanted or unauthorized public availability of PII, Du-Zel’s highly qualified team routinely helps clients through our Personally Identifiable Information (PII) Monitoring and Suppression Service. This service enables our analysts to monitor for and request removal of the presence of PII on the internet. Using PII monitoring and suppression can help to protect against both physical and cyber attacks. If you or your organization have any questions related to PII that were not addressed in this article, or if you would like to learn more about how our team at Du-Zel can serve your needs, we would love for you to get in touch with us.
