How to protect your customers' personally identifiable information

Personally identifiable information (PII) was the leading type of data exposed in 2018, appearing in 97% of all recorded breaches, according to a ForgeRock report.

Customer information is the most critical type of data held by many organizations. All it takes is one major breach of such data for your customers to lose faith in your company, and for your business to suffer as a result. Any type of customer information is a tempting target for hackers and cybercriminals. But the holy grail among criminals is personally identifiable information (PII) such as Social Security numbers, names and physical addresses, and usernames and passwords, as described in a study ForgeRock released Tuesday.

In 2018, more than 2.8 billion consumer data records were exposed in 342 data breaches, at an estimated total cost of more than $654 billion. Among these, personally identifiable information was the leading type of data exposed, appearing in 97% of all breaches.

Dates of birth and/or Social Security numbers were the most frequently compromised type of PII in 2018, exposed in 54% of the recorded breaches. This number is cause for alarm: a date of birth paired with an SSN is exactly what a cybercriminal needs to take over critical accounts such as bank accounts and lines of credit, since both are commonly used to verify identity and neither can be changed by the victim.

Customer names and physical addresses were the second most frequently compromised PII type, exposed in 49% of breaches. Next on the list was personal health information, at 46%. Other types of PII exposed in breaches last year were usernames and passwords, payment and banking information, and names and email addresses.

What methods did hackers and cybercriminals employ to gain access to personal customer data? Unauthorized access was the most common type of attack in 2018, accounting for 34% of all breaches. Ransomware and malware were the second most common, driven in part by how attractive ransomware has proven against the healthcare industry. Phishing attacks, misconfigurations, and API abuse also proved fertile ground for criminals looking to steal personal information.

Among all industries, healthcare proved the most vulnerable, hit in 48% of all the breaches recorded last year. This unwanted status is caused by a few different factors, according to ForgeRock. First, healthcare organizations store a great deal of PII, so they're an appealing target for cybercriminals. Second, the healthcare sector has often lagged behind other industries in modernizing its IT infrastructure, in part because of the strict regulations imposed on it. Third, a focus on usability improvements to appeal to non-technical users has sometimes overshadowed security measures. However, this trend is slowly shifting toward security as a result of new guidelines for electronic health records and greater consumer awareness of data breaches.

Other sectors affected by data breaches in 2018 include banking and insurance, government agencies, education, technology, travel, and communications/mobile.

What can organizations do to better protect themselves against the theft of personal identifiable information? ForgeRock offers a few pieces of advice.

First, and most obviously, businesses should treat identity and access management as a critical part of securing their customer data. That means building a framework for identifying and authenticating every user and service, and for authorizing only the access to sensitive information that each one actually needs.

Second, examine where opportunities intersect with user trust risks. As one example, a location-based service might require a user's location while it's being used. But any such access beyond that point might be a risk that needs to be mitigated. "Be clear with why certain pieces of personal data are being collected and how they will be used," ForgeRock said in the report.

Third, look at personal data as a joint asset and consider the mindset within your organization. Not every unit or department within your business will have the same incentive to be mindful of customer data.

Fourth, lean in to consent. As one of the six lawful bases for processing personal data defined by the GDPR, consumer consent gives your organization the freedom but also the responsibility to build trusted and transparent relationships with your customers.
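The four recommendations above can be combined into a single enforcement point: every read of a customer record must come from an authenticated role, declare a purpose that role is allowed to use, be covered by an active consent for that purpose, and, for fields like location, happen only while the customer is actually using the service. The following is an added example written for this article, not code from ForgeRock or from the report; the roles, purposes, field names, and the sample customer record are all invented for illustration.

```python
"""Purpose- and consent-bound access to customer PII (added example).

Turns the four recommendations into one access check: IAM (role), purpose
limitation (access only while the purpose is live), an audit trail shared by
every department, and explicit consent. Roles, purposes and the sample
customer are assumptions for illustration, not from the report.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Which purposes a given role may declare when touching PII (assumed mapping).
ROLE_PURPOSES = {
    "support_agent": {"account_service"},
    "delivery_app": {"delivery_routing"},
    "marketing": {"marketing"},
}

# Which PII fields each purpose may read. Location is reachable only through
# the delivery purpose, never through marketing or support.
PURPOSE_FIELDS = {
    "account_service": {"name", "email"},
    "delivery_routing": {"name", "address", "location"},
    "marketing": {"email"},
}

# Fields released only while the customer has an active session, i.e. the
# "location only while the app is being used" case described above.
SESSION_BOUND_FIELDS = {"location"}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.withdrawn_at is None or now < self.withdrawn_at


@dataclass
class Customer:
    record: dict
    consents: list = field(default_factory=list)
    session_expires: Optional[datetime] = None  # set while the app is in use

    def has_consent(self, purpose: str, now: datetime) -> bool:
        return any(c.purpose == purpose and c.active(now) for c in self.consents)

    def session_active(self, now: datetime) -> bool:
        return self.session_expires is not None and now < self.session_expires


@dataclass
class Decision:
    allowed: bool
    reason: str
    data: dict = field(default_factory=dict)


# One entry per decision; denied reads are recorded too, so every department
# is held to the same record of who touched which PII and why.
AUDIT = []


def read_pii(customer, role, purpose, fields, now=None) -> Decision:
    now = now or datetime.now(timezone.utc)

    def deny(reason):
        AUDIT.append((now.isoformat(), role, purpose, sorted(fields), "deny", reason))
        return Decision(False, reason)

    if purpose not in ROLE_PURPOSES.get(role, set()):
        return deny("role may not declare this purpose")
    if not customer.has_consent(purpose, now):
        return deny("no active consent for purpose")
    over = set(fields) - PURPOSE_FIELDS[purpose]
    if over:
        return deny(f"fields outside purpose: {sorted(over)}")
    bound = set(fields) & SESSION_BOUND_FIELDS
    if bound and not customer.session_active(now):
        return deny(f"session-bound fields need an active session: {sorted(bound)}")
    data = {f: customer.record[f] for f in fields}
    AUDIT.append((now.isoformat(), role, purpose, sorted(fields), "allow", ""))
    return Decision(True, "ok", data)


def demo():
    t0 = datetime(2019, 6, 4, 12, 0, tzinfo=timezone.utc)
    alice = Customer(  # constructed sample record, not real data
        record={"name": "A. Example", "email": "a@example.com",
                "address": "1 Main St", "location": (37.77, -122.42)},
        consents=[Consent("delivery_routing", t0 - timedelta(days=30)),
                  Consent("account_service", t0 - timedelta(days=30)),
                  Consent("marketing", t0 - timedelta(days=30),
                          withdrawn_at=t0 - timedelta(days=1))],
        session_expires=t0 + timedelta(minutes=15),
    )
    return [
        read_pii(alice, "delivery_app", "delivery_routing", {"location"}, t0),            # allowed
        read_pii(alice, "delivery_app", "delivery_routing", {"location"}, t0 + timedelta(hours=1)),  # session over
        read_pii(alice, "marketing", "marketing", {"email"}, t0),                          # consent withdrawn
        read_pii(alice, "support_agent", "account_service", {"address"}, t0),              # field outside purpose
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.allowed, d.reason, d.data)
```

The point of the design is that the purpose is declared by the caller and checked on every read rather than assumed from the role: a marketing job cannot quietly reuse an address collected for deliveries, a withdrawn consent takes effect immediately because it is checked at read time, and location stops flowing the moment the session expires even though the record still holds it.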


By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books—one on Windows and another on LinkedIn.