Questions tagged [pii]
The pii tag has no usage guidance.
44 questions
1
vote
2
answers
106
views
Extraction of sensitive data out of down- scaled images
Our system produces preview images of A4 documents, which contain sensitive data (email, phone numbers, social networks and adresses) of our users. We would like to save those preview images in our ...
1
vote
0
answers
36
views
Envelope Encryption: KEK management in Auto- Login case
We are currently implementing an envelope encryption scheme in order to securely store PII data in our database. That means we will have a user- specific DEK (data encryption key), and a KEK, which ...
2
votes
0
answers
84
views
Searchable encryption for phone numbers
I have a table in Postgres that stores phone numbers. Since phone
numbers are considered PII, I cannot store them as plaintext.
For other PII fields, I use AES-256-CBC. However, the requirements are ...
1
vote
0
answers
116
views
Help me securely store and retrieve Social Security numbers [closed]
I am on the very last functionality to implement before launching my app. I have the same requirements someone like Fanduel or Draftkings does. When my users cross the $600 threshold for prizes in the ...
0
votes
1
answer
3k
views
My personal info was leaked on the dark web through my Gmail Account; is it still safe to continue using said Gmail Account?
I have been using my personal Gmail Account for years to create accounts on a wide range of websites like evite.com and Instagram.
Google conducted a dark web scan and created a report of instances ...
0
votes
3
answers
424
views
Is it a security issue to include postcode and/or last name in a GET request query string?
I'm currently designing an API endpoint to validate a customer, and they can either pass in their postcode or their last name, as well as their customer ID (plus some other irrelevant data).
I've ...
0
votes
1
answer
649
views
Is Google mining the content of emails I send to people who use gmail? Could they?
If I sign up for Gmail I probably agree to give Google the right to use all my content for whatever purposes they want. We know they have incredible research going on into data mining and machine ...
2
votes
0
answers
117
views
What are the main PII data brokers? (How do certain online companies get accurate age verification?)
A long time ago, I signed up for Apple Pay Cash. After a bit of using the service, I was asked to input my name and birthdate to continue using the service. At the time, I was underage. I input ...
0
votes
2
answers
172
views
Secure data (+ private key) storage in an insecure public cloud environment
We are trying to encrypt files in a manner that they can be completely secure in an insecure environment (like a public cloud). We're talking about military grade secure.
The data should be so secure ...
0
votes
0
answers
134
views
What metadata could be stored in the IPFS network and what could be collected by modified nodes?
I'm guessing uploading to IPFS also uploads some metadata, which gets shared as well, does this assumption hold any truth? According to this only content identifiers and node identifiers are in the ...
1
vote
0
answers
183
views
How do I make sure the information I collect on a person does not constitute personal data/PII?
I'm building an application that may involve the storage of certain information pertaining to potentially millions users of a popular social media platform for analytics purposes, making the obtaining ...
0
votes
1
answer
185
views
Which is the preferred way of encrypting Personal Identifiable Information?
What is the preferred way to implement personal information encryption / decryption?
After some reading, the main options appear to be:
Encrypt/Decrypt it at the database level
Encrypt/Decrypt it at ...
1
vote
1
answer
390
views
Choosing the right salt to pseudo-anonymize data and be GDPR compliant
In my company, numeric user IDs are considered PIIs and therefore need to be pseudo-anonymized to be GDPR compliant.
To do so, we populate a lookup table where to each ID is assigned a monotonically ...
0
votes
4
answers
429
views
How to protect email addresses in a customer database when you and other third parties must be able to send emails?
I am wondering what methods are used by big companies to protect customer email addresses in their databases. They usually have salespeople all over the world and multiple third-parties (Salesforce, ...
1
vote
0
answers
140
views
How to protect PII data from being sold or exposed by employees
For PII, we capture mostly emails, mobile and name of users who signup on our website. Along with this purchases made by users are also a sensitive data. Protecting this data for users privacy is as ...
0
votes
1
answer
183
views
How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?
Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can ...
2
votes
1
answer
877
views
PII Data Masking rules - what's acceptable and what's not
Is there a security rule on correct masking for sensitive information? Let's say we want to use prod data in our UAT environment. We're thinking of creating a masking logic when we transfer prod data ...
1
vote
0
answers
162
views
What would be the logical approach in breaking down the following scenario in regard to CISSP Domains?
I'm currently doing my Cyber Security Certification program, I along with my fellow classmates are in Beginner stages. Over the past few weeks we have been writing up variety of Discussions using ...
3
votes
2
answers
248
views
Encryption as bijective data masking function
Context
I'm building data lake from scratch within a small team (3-6 data engineers). I want to mask PII data when copying data from prod to dev/test environments.
I'm particularly interested in the ...
1
vote
2
answers
546
views
AWS KMS Getting Data Key using AWS Encyption SDK
I am exploring the AWS KMS as a vault for storing the encryption keys. Now I am trying to encrypt the database fields like email.
So, issue whenever there is a read/write for email, I don't want to ...
2
votes
3
answers
2k
views
Is an email domain name considered PII?
For example, can you reference a customer by their domain in an email?
Each customer in a system can be associated with a domain, and some domains are associated with a single customer.
2
votes
1
answer
113
views
Implications re security practices of full account access granted to third parties
I'm working with a company (say, Acme) that does some ongoing data collection and processing for me. The data in question is private but not all that sensitive. Part of Acme's service has password-...
1
vote
0
answers
807
views
How have you secured production data (PII) on non-prod environments?
Data protection laws including GDPR state:
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that ...
1
vote
5
answers
2k
views
Username in browser history (url) - is this a security problem?
We have a client complaining that there is PII in the browser history (as in the persistent history you get to through your browser's menu - Ctrl + H in Chrome). For example, the URL for editing a ...
2
votes
2
answers
631
views
What's the danger of an online resume (a CV)?
I was talking with someone about my resume, and on the subject of my posting it online they said,
just be careful with PII ... for your own good :)
My reaction to that is How bad can it be? -- and,...
0
votes
0
answers
159
views
How to Ask for More Transparency from Companies Handling Our Personal Data
A company's asked me to submit a scan of my passport claiming KYC (Know Your Customer) and AML (Anti-money Laundering) purposes. In times of daily data breaches, what can we ask for a company to be ...
1
vote
1
answer
198
views
Why should relatively-public personal identifying information be kept secret online if at all?
I don't want to get hung up on technical terms, just laying out basics for this question: I understand personal identifying information (PII) as that info which is not apparent to people who cross ...
6
votes
2
answers
6k
views
Documentation for GDPR best practices for partially masking email addresses
I must give certain employees access to a report which contains email addresses. I would like to redact or partially mask these email addresses, but I am having trouble finding official guidance on ...
1
vote
1
answer
153
views
How we can PoC our product that needs training data for our machine learning algorithm of the the bank clients?
Recently, we have had a challenge with potential future clients which are the bank. Our product requires to gather static data (e.g. address, loans, last 50 transactions, etc) of banks clients. These ...
2
votes
1
answer
386
views
Information leakage through json response
I am testing a product survey website. As a response to getSurveyResults() call, the following details of all survey participants shall be displayed to all website users.
Nick name
Location
Rating
...
3
votes
2
answers
3k
views
How can I encrypt messages sent over AWS PrivateLink?
I am working on a project where I need to send messages to a partner via AWS PrivateLink. Because these messages contain PII, the data needs to be secure. I have been unable to determine from internet ...
0
votes
0
answers
106
views
Do security breach victims have any meaningful recourse?
OPM Breach
Anthem Health Care
Equifax
The list goes on... If we define meaningful as non-monetary compensation (e.g. services) to protect victims from further victimization stemming from loss of ...
1
vote
1
answer
241
views
Can you tell me if my design is secure?
I'm designing a database interface for a system that could store PII. My first focus is on making sure all the data is secure, to do this I have designed the system as follows.
I'm running three ...
3
votes
4
answers
13k
views
Are employee or badge numbers PII?
We're looking at implementing an Identity Management/Lifecycle system. We're looking at aggregating all our authentication into this system. However, one area of concern is same-name employees, so ...
1
vote
0
answers
104
views
Do S3/Azure/GCS bucket names/keys represent personally identifiable information
We have an event-sourced system that uses a forward-only immutable event store.
If we store personally identifiable information in this store, we'll be in trouble with regards to GDPR, as deletion ...
38
votes
6
answers
28k
views
Is a standalone phone number considered Personally Identifiable Information?
Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine)
Information that can be used to distinguish or trace an individual's
identity, such as ...
0
votes
1
answer
330
views
Tokenization - Is it bad practice to reuse tokens?
If I am implementing a tokenization system for PII within a database, is it considered bad practice, or riskier, to reuse tokens?
For example, if I am storing the name "Richard" multiple times, and ...
19
votes
2
answers
16k
views
Is gender considered PII (Personally Identifiable Information) under the GDPR?
Since GDPR is shaking everything up at the minute I'm working on a few changes to our website/process.
I work in eCommerce in UX (UK based) and support marketing teams with certain activities.
My ...
0
votes
1
answer
609
views
How to securely collect email addresses through a third party website
I would like to collect email addresses through a third party website and subscribe them to a Sendgrid mailing list.
Flow:
User goes to a website hosted by unbounce.com that uses my website's ...
2
votes
1
answer
299
views
Secure, Portable Bookmarks
A constant bugbear is my bookmarks being synced to my Google accounts, meaning access to them outside that Google account requires various manual steps.
So it got me thinking of a roll your own way ...
-1
votes
1
answer
118
views
DLP Tool for requirement [closed]
Is there any DLP tool with default policies to comply with south african laws and regulations on PII ?
3
votes
1
answer
175
views
How can I prove that I adhere to stated privacy policy? What audits are effective for voluntary compliance?
I have a website and mobile app that doesn't store data or PII.
Suppose I'm not subject to any special privacy laws. How can I voluntarily submit myself to an audit to ensure that I'm acting true to ...
0
votes
1
answer
829
views
Data Masking in a database [closed]
Background
The development team is receiving production data (as Database backup files) in order to fix bugs and application enhancements. The Development team restore these backups in their ...
1
vote
3
answers
1k
views
Girlfriend just sent personal info over email
My GF just told me she just sent some of her personal info over an email. She was trying to send her folks some documents. I guess the documents had some sensitive info on them, like her full name, ...