Thales Blog

Show Me The Money... And The Data! Or What's Your PII Worth?

April 15, 2016

As we approach Tax Day, we have yet another reason to be concerned about our personal information. In just the past few weeks, the IRS announced that the Get Transcript hack was even worse than originally thought, with more than 700,000 people’s information now compromised. Cyber criminals used Personally Identifiable Information (PII) stolen from other sources to access the Get Transcript application and claim money that wasn’t theirs.

The IRS reports that, between 2011 and 2014, it detected and prevented $63 billion worth of fraudulent tax refunds. However, the agency paid identity thieves $5.2 billion in 2011 alone. So, whether or not you were directly affected by this data breach, you’re most likely paying for it anyway.

Also recently announced was the ability of criminals to use stolen Social Security numbers to obtain 100,000 fraudulent PINs in an attempt to file fraudulent electronic tax returns to generate tax refunds.

The examples above underscore just how important it is to keep our PII confidential. Government agencies, organizations and businesses have a mandate to keep our information secure and confidential – but the examples above demonstrate that it’s not always the case. As I have said before, it’s easy to change your credit card information, but you can’t change your Social Security number or your date of birth.

Stolen PII is a worst-case scenario; it could impact you for your whole life. You certainly don’t want to be responsible for this happening to your customers! And it doesn’t have to happen. If the data that the criminals used to commit tax fraud had been encrypted, they never would have been able to use it. The data would have been worthless to them.

Increasingly organizations are realizing this fact and putting a new emphasis on data security, rather than focusing on perimeter security alone. As I work with customers, I recommend encrypting all sensitive data. Furthermore, I recommend encrypting the data every place it lives in motion, at rest and in use – not just in a particular area. If the data isn’t protected everywhere, it might as well not be protected.

Just turning on encryption to protect your data, however, is not enough. It’s how well you protect it and how strong those protection mechanisms are. With what level of assurance is the data being protected? At its most basic level, high assurance means greater security implemented through procedures and technology – more checks and balances, more physical security to protect systems from tampering, and improved auditing.

There is also misconception that organization need to trade off high assurance against ease of use or increased bottlenecks. Today, with the right security and encryption strategies organizations can protect their data with minor impacts to the business, at a relatively low cost, while still maintaining a positive customer experience. And in the end what is the costs of telling your customers their PII has been stolen?