Compromised PII: Facilitating Malicious Targeting and Fraudulent Activity

What is PII?

According to the National Institute of Standards and Technology (NIST), Personally Identifiable Information (PII) is defined as any information about an individual, including:
(1) Any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and
(2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

A subset of PII is Sensitive Personally Identifiable Information (SPII), which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

New Jersey defines PII broadly to include name, address, telephone number, Social Security number, driver’s license number, and passport number as well as height and weight, biometric information, race, religion, sexual orientation, health information, and commercial or financial information.

N.J.S.A. 56:8-161 et seq., applies to any company or person conducting business in New Jersey, which compiles or maintains computerized records that include personal information. "Personal information" is defined as "an individual's first name or first initial and last name linked with any one or more of the following data elements:
(1) Social Security number (SSN);
(2) driver's license number or state identification card number; or
(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

The freedom from unauthorized intrusion or disclosure of information about an individual is known as privacy. The purpose of privacy policies implemented by organizations and agencies is to protect PII that they collect, store, and transmit.

PII Compromise, Identity Theft, and Fraud

PII may be accessed and stolen without your knowledge or permission. Most data breaches involve the loss, theft, or compromise of PII, which may expose Social Security numbers and account credentials. The frequency, risk of compliance and regulation violations, and costs associated with data breaches continue to increase each year. Data breaches are typically financially motivated and can originate from outside or inside the organization, conducted with malicious intent or accidental, and can result in unauthorized access to systems as well as exposure or publishing of data online. Data breaches conducted by cyber threat actors are often executed via phishing attacks, impersonation scams, credential-stuffing attacks, brute-force attempts, malware attacks, misconfigured or unpatched systems, or other methods to further compromise vulnerable people, accounts, systems, and networks in order to access and exfiltrate data.

If a breach occurred today and your PII was compromised, it could be used or sold for identity theft schemes right away, tomorrow, next month, or years later. Dark web marketplaces, forums, and websites offer a spectrum of products and services that monetize stolen personal and financial data, corporate and social media account details, as well as counterfeit documents and money. The dark web also provides an arsenal of malicious tools and malware that, combined with this personal information, can allow cyber-criminals to create official documents or identities to commit identity theft or launch cyber-attacks. Fraudulent activities include draining your bank account, running up charges on your credit cards, opening new accounts, and filing a tax refund in your name to steal your refund. Threat actors can also use compromised PII to launch cyber-attacks in social engineering attempts via phishing emails, vishing, smishing, compromised websites, and social media scams in order to steal additional PII or financial information, access computer networks and resources, and perform additional cyber-attacks.

Recommendations

The NJCCIC recommends the following to reduce the risk of PII compromise and identity theft, and provides resources for reporting fraudulent activity:

• Monitor all personal and financial accounts (including banking and credit institutions) and report any suspicious activity or fraudulent charges immediately.
• Use a resource, such as haveibeenpwned.com, to determine if your information was exposed and what data was included in the breach.
• Safeguard sensitive electronic files using encryption and keep offline backups of important files.
• Reduce your digital footprint and the likelihood of being targeted by minimizing your online presence and PII exposure, checking privacy and security settings, exercising caution when uploading sensitive PII to websites or social media, and deactivating or deleting accounts that are no longer in use.
• Conduct internet searches of you and your family’s PII and take action to remove the information where found.
• Enable password locks on devices to prevent unauthorized physical access to device resources and data.
• Change compromised passwords for every account to protect against account compromise, refrain from using the same password for multiple accounts, and enable multi-factor authentication (MFA) where available.
• Sign up for free online alerts offered by your financial institutions to help detect fraudulent activity.
• If identity theft has occurred, file a police report with your local police department, as it may be required by financial and credit institutions, and visit identitytheft.gov to file a report and receive a recovery plan.

Credit Freezes

Credit freezes are an effective way to reduce your risk of identity theft. They do not protect PII, but they do protect against its misuse if PII is compromised. Consider placing a credit freeze on your credit profile, which restricts access to your credit report and prevents anyone from opening a new credit account using your information. A credit freeze does not affect your credit score, prevent you from getting a free annual credit report, or prevent fraudulent transactions on existing accounts.

To freeze your credit at no cost with the three major credit bureaus, visit the links or call the numbers detailed below. You will need to provide your name, address, date of birth, Social Security number, and other personal information.

• Equifax
  Equifax.com/personal/credit-report-services
  800-685-1111
• Experian
  Experian.com/help
  888-EXPERIAN (888-397-3742)
• Transunion
  TransUnion.com/credit-help
  888-909-8872
• Each credit bureau will provide you with a unique PIN or password, which will be required if you need to lift the freeze permanently or temporarily when opening a new account. Be sure to keep the PIN or password in a safe and secure place.

If freezing your credit is not an option at this time, contact the national credit bureaus (via the contact information above) and request a free fraud alert to be placed on your credit file. These alerts notify you of suspicious activity when new credit accounts are opened in your name or changes are made to existing accounts. Fraud alerts do not proactively prevent fraudulent activity on existing accounts, so it is important to continue to monitor your accounts for suspicious activity.

• There are three types of fraud alerts:
• Fraud alert: credit protection for one year.
• Extended fraud alert: credit protection for seven years.
• Active duty military alert: credit protection for one year while deployed and can be renewed for the length of deployment.

Multi-Factor Authentication

Some data breaches can occur as a result of unauthorized user account access. Data breaches can also result in unauthorized account access when user credentials are exposed as part of a breach. One of the ways to protect online accounts from unauthorized access is multi-factor authentication (MFA), which includes an additional level of authentication during the login process. Authentication factors included in MFA are something you know – such as a password or PIN, something you have – such as a badge or one-time code, and something you are – such as biometrics. MFA is an effective measure to protect users from account compromise via credential theft or exposure. Even if a threat actor gains access to an account password, they will not be able to access the associated account without the user’s second factor of authentication.

Additional recommendations

• Exercise caution with unexpected or suspicious communications, including phone calls, text messages, and emails.
• Avoid responding to requests for PII, login credentials, or financial information received via email.
• Refrain from divulging personal or financial information without verifying the requestor via a separate means of communication before taking any action.
• Do not click on links or open attachments that come with unverified emails as they may be used to download malware or direct you to malicious websites to steal credentials.
• Navigate to websites directly by manually typing the URL into a browser, instead of clicking on links delivered in emails, to ensure you are visiting the legitimate website.
• Keep all software and hardware up to date. Only download and install software from known and trusted sources.
• Install and update anti-virus/anti-malware software on all devices.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report. 

Additional Resources

• NJCCIC - Tax Scams and Identity Theft: What You Need to Know
• FTC Identity Theft Consumer Information
• National Cyber Security Alliance (NCSA) StaySafeOnline
• Identity Theft Resource Center (IRTC)
• Cybersecurity and Infrastructure Security Agency (CISA): Security Tip on Preventing and Responding to Identity Theft
• Social Security Administration: Identity Theft and Your Social Security Number
• New Jersey State Police: Identity Theft Victim’s Reference Guide
• New Jersey Division of Consumer Affairs: Preventing Identity Theft