In June 2022, Massachusetts-based a global ERP solution provider announced it had been hacked. The data security breach, where hackers accessed personal data that included names, addresses, birth dates, Social Security numbers, diagnoses, and insurance information, had reportedly affected two million people and more than 50 other companies.
The same month, in China, a hacker put up for sale on a popular underground forum 23TB of personally identifiable information (PII), belonging to 1 billion people in China. It was data reportedly accessed from an unsecured Shanghai police database and included names, addresses, and national IDs. Reports are that the leak happened because the dashboard for the database was left open to the Internet, without a password.
In recent years, and especially since the onset of the pandemic, there has been a significant increase in cybersecurity breaches across sectors from healthcare, banks, insurance, and education. These range from random viruses to ransomware, and theft of data.
While there are several strategies to prevent the hijacking of data, in this blog we take a look at why it is important to secure Personal Identifiable Information (PII) data for privacy and compliance.
PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information. Not all personal data can identify an individual, so only data from which a person’s identity can be derived comes under the umbrella of PII data.
What is the PII your company collects and processes? Once this is identified, a privacy strategy can be planned.
Is the PII stored on the cloud, in servers, or on employee laptops? One of the best ways to do this is to perform a data discovery or mapping to locate PII within your network and other environments and see its path throughout your organization. Once this is done, one can understand how to isolate those systems. PII needs to be identified, located, and prioritized in terms of which data and systems to protect first.
An effective way to protect PII and reduce the risk of data exposure is to limit access to only specific individuals within the organization with authorization. Employees also need to be trained regularly on evolving threats.
One of the most effective solutions to protect PII is tokenization. Tokenization replaces sensitive data with unique identification symbols that retain essential information without compromising privacy.
Tokenization also ensures compliance with international standards in data privacy such as GDPR (a regulation that requires businesses to protect the personal data of EU citizens for transactions that occur within EU member states); HIPAA (regulation to prevent data breaches in personal health information); and PCI (regulation to protect against card data theft).
Let’s take the case of a credit card transaction. Here, a ‘token’ usually contains the last four digits of the card number, while the rest of the token consists of alphanumeric characters that represent miscellaneous information about the cardholder and the transaction underway. When an authorization request is made to verify the transaction, the card number is used only in the initial request. For the remaining transaction, only the token and not the card number is used. The token is stored in the point-of-sale system but the credit card number is not.
As you can see, tokenization would thus be the right technology to address the transfer of sensitive information over public or private networks as it exchanges original sensitive information for randomized tokens, which have no direct relationship to the original data, and which are stored in a cloud outside of the tokenized environment. It virtually eliminates the risk of data theft.
If you are looking to protect your sensitive data, Blue Star E&E offers a wide range of products and solutions, which not only can help you secure and manage data but also meet regulatory compliances through encryption, advanced key management, tokenization, and privileged user control.