Thursday, September 26, 2013

LexisNexis Data Breached - But Your Unique Identity is Much More Than Data Stolen Over the Internet

In light of this week's LexisNexis Data Breach report, it's worthwhile to explore the true value and usefulness of this kind of data that might be stolen from you.

Sensitive personal data (PII, or "Personally Identifiable Information") is usually protected, but no protection is guaranteed once the data is outside your complete control in any way. Most people should assume that their most-used identity data (SSN, telephone numbers, date of birth) is already public, if not already being used illegitimately. Where you drive, what you buy, who you meet with, your outwardly visible or audible physical characteristics: this information is already public in many ways, and is captured to some degree by commercial or government systems as well. This is particularly true the older you are, or the more actively you use this information on the Internet, regardless of the firewall, encryption, VPN, password or other security and privacy protections in place.

However, a person's "Unique Identity" is not simply this data, but also the context around this data and its derivatives (or "information packages").

Your unique identity includes the data and patterns that reflect "Observations" of you: what you do and say, when, where, with what device, aligned with what other events, and so on. Observations can be hard to dispute, but they can also easily be recorded or interpreted wrongly, falsified (like hair color), or simply mis-typed. Some observations are typically indisputable, especially in combination (like iris color, retina pattern and voice pattern), but even this data still requires validation.

Your unique identity also includes "Assertions". This covers most common PII that has been provided by the user (you) or a verified third party, or auto-generated by computer systems (like IDs). "Strong" assertions are nearly indisputable, like verified biometrics (e.g. validated fingerprints) or your personal work or bill-paying history, but it is usually expensive and difficult to collect and properly validate all of these. And since these assertions are usually historical and are just another form of static data, this kind of data or knowledge may just as easily be obtained through fraudulent means.

"Weak" assertions include information provided by the individual or others, as user-entered or system-generated data. These assertions are only as good as the controls and auditing devised to validate and verify the encounter (i.e. how the data was entered) and the data itself. Data can be bad, very bad. The LexisNexis data thieves certainly stole a lot of data (weak assertions), but some of it might actually be quite useless.

Therefore, the fact that your common PII has been stolen or hacked isn't necessarily cause for critical concern. The concern lies more with the systems and services you use, or that are used on your behalf, that rely on this data to perform.

If the critical information and services valuable to you are protected by security systems that take your holistic "unique identity" into account, as described above, you are still probably well protected (though obviously that's not guaranteed). These kinds of systems offer multiple, overlapping capabilities such as:

  • Multi-factor authentication
  • Identity Proofing
  • Progressive Authentication
  • "Defense in Depth" multi-layer information and system assurance (accredited/certified)

If you are gaining access to, and supplying, very sensitive information about yourself (or others), and the only information requested from you is this kind of common PII, then avoid doing so if possible; i.e., avoid sharing more than you're comfortable with, because fraudulent access to your information by others is quite feasible. Or, at least avoid supplying the very most sensitive information, including:
  • Information about your personal habits, travel, relationships
  • Photos or videos of you, your friends & family, where you live or work
  • Any medical or mental status
  • Your work status, role, access to system, people or information
