
Questions tagged [pii]

The tag has no usage guidance.

1 vote
2 answers
106 views

Extraction of sensitive data out of down-scaled images

Our system produces preview images of A4 documents, which contain sensitive data (email, phone numbers, social networks and addresses) of our users. We would like to save those preview images in our ...
oleg_zh • 347
1 vote
0 answers
36 views

Envelope Encryption: KEK management in Auto-Login case

We are currently implementing an envelope encryption scheme in order to securely store PII data in our database. That means we will have a user-specific DEK (data encryption key), and a KEK, which ...
oleg_zh • 347
2 votes
0 answers
84 views

Searchable encryption for phone numbers

I have a table in Postgres that stores phone numbers. Since phone numbers are considered PII, I cannot store them as plaintext. For other PII fields, I use AES-256-CBC. However, the requirements are ...
Stefan van den Akker
1 vote
0 answers
116 views

Help me securely store and retrieve Social Security numbers [closed]

I am on the very last functionality to implement before launching my app. I have the same requirements someone like Fanduel or Draftkings does. When my users cross the $600 threshold for prizes in the ...
T M • 11
0 votes
1 answer
3k views

My personal info was leaked on the dark web through my Gmail Account; is it still safe to continue using said Gmail Account?

I have been using my personal Gmail Account for years to create accounts on a wide range of websites like evite.com and Instagram. Google conducted a dark web scan and created a report of instances ...
lcd12375
0 votes
3 answers
424 views

Is it a security issue to include postcode and/or last name in a GET request query string?

I'm currently designing an API endpoint to validate a customer, and they can either pass in their postcode or their last name, as well as their customer ID (plus some other irrelevant data). I've ...
HazNut • 1
0 votes
1 answer
649 views

Is Google mining the content of emails I send to people who use gmail? Could they?

If I sign up for Gmail I probably agree to give Google the right to use all my content for whatever purposes they want. We know they have incredible research going on into data mining and machine ...
Ben • 9
2 votes
0 answers
117 views

What are the main PII data brokers? (How do certain online companies get accurate age verification?)

A long time ago, I signed up for Apple Pay Cash. After a bit of using the service, I was asked to input my name and birthdate to continue using the service. At the time, I was underage. I input ...
Mave • 21
0 votes
2 answers
172 views

Secure data (+ private key) storage in an insecure public cloud environment

We are trying to encrypt files in a manner that they can be completely secure in an insecure environment (like a public cloud). We're talking about military grade secure. The data should be so secure ...
Munchkin • 264
0 votes
0 answers
134 views

What metadata could be stored in the IPFS network and what could be collected by modified nodes?

I'm guessing uploading to IPFS also uploads some metadata, which gets shared as well, does this assumption hold any truth? According to this only content identifiers and node identifiers are in the ...
Sir Muffington
1 vote
0 answers
183 views

How do I make sure the information I collect on a person does not constitute personal data/PII?

I'm building an application that may involve the storage of certain information pertaining to potentially millions of users of a popular social media platform for analytics purposes, making the obtaining ...
moonman239
0 votes
1 answer
185 views

Which is the preferred way of encrypting Personal Identifiable Information?

What is the preferred way to implement personal information encryption / decryption? After some reading, the main options appear to be: Encrypt/Decrypt it at the database level; Encrypt/Decrypt it at ...
Jan Vladimir Mostert
1 vote
1 answer
390 views

Choosing the right salt to pseudo-anonymize data and be GDPR compliant

In my company, numeric user IDs are considered PIIs and therefore need to be pseudo-anonymized to be GDPR compliant. To do so, we populate a lookup table where to each ID is assigned a monotonically ...
Vektor88 • 111
0 votes
4 answers
429 views

How to protect email addresses in a customer database when you and other third parties must be able to send emails?

I am wondering what methods are used by big companies to protect customer email addresses in their databases. They usually have salespeople all over the world and multiple third-parties (Salesforce, ...
C.Card21
1 vote
0 answers
140 views

How to protect PII data from being sold or exposed by employees

For PII, we capture mostly emails, mobile and name of users who signup on our website. Along with this purchases made by users are also a sensitive data. Protecting this data for users privacy is as ...
Abhinav • 179
0 votes
1 answer
183 views

How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can ...
gaurav5430
2 votes
1 answer
877 views

PII Data Masking rules - what's acceptable and what's not

Is there a security rule on correct masking for sensitive information? Let's say we want to use prod data in our UAT environment. We're thinking of creating a masking logic when we transfer prod data ...
lecarpetron dookmarion
1 vote
0 answers
162 views

What would be the logical approach in breaking down the following scenario in regard to CISSP Domains?

I'm currently doing my Cyber Security Certification program, I along with my fellow classmates are in Beginner stages. Over the past few weeks we have been writing up variety of Discussions using ...
0111010001110000
3 votes
2 answers
248 views

Encryption as bijective data masking function

Context: I'm building a data lake from scratch within a small team (3-6 data engineers). I want to mask PII data when copying data from prod to dev/test environments. I'm particularly interested in the ...
VB_ • 225
1 vote
2 answers
546 views

AWS KMS Getting Data Key using AWS Encryption SDK

I am exploring the AWS KMS as a vault for storing the encryption keys. Now I am trying to encrypt the database fields like email. So, issue whenever there is a read/write for email, I don't want to ...
Ankit Bansal
2 votes
3 answers
2k views

Is an email domain name considered PII?

For example, can you reference a customer by their domain in an email? Each customer in a system can be associated with a domain, and some domains are associated with a single customer.
G SB • 23
2 votes
1 answer
113 views

Implications re security practices of full account access granted to third parties

I'm working with a company (say, Acme) that does some ongoing data collection and processing for me. The data in question is private but not all that sensitive. Part of Acme's service has password-...
Barney • 121
1 vote
0 answers
807 views

How have you secured production data (PII) on non-prod environments?

Data protection laws including GDPR state: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that ...
Architect
1 vote
5 answers
2k views

Username in browser history (url) - is this a security problem?

We have a client complaining that there is PII in the browser history (as in the persistent history you get to through your browser's menu - Ctrl + H in Chrome). For example, the URL for editing a ...
jbyrd • 149
2 votes
2 answers
631 views

What's the danger of an online resume (a CV)?

I was talking with someone about my resume, and on the subject of my posting it online they said, just be careful with PII ... for your own good :) My reaction to that is How bad can it be? -- and,...
ChrisW • 203
0 votes
0 answers
159 views

How to Ask for More Transparency from Companies Handling Our Personal Data

A company's asked me to submit a scan of my passport claiming KYC (Know Your Customer) and AML (Anti-money Laundering) purposes. In times of daily data breaches, what can we ask for a company to be ...
Faxopita
1 vote
1 answer
198 views

Why should relatively-public personal identifying information be kept secret online if at all?

I don't want to get hung up on technical terms, just laying out basics for this question: I understand personal identifying information (PII) as that info which is not apparent to people who cross ...
cr0 • 373
6 votes
2 answers
6k views

Documentation for GDPR best practices for partially masking email addresses

I must give certain employees access to a report which contains email addresses. I would like to redact or partially mask these email addresses, but I am having trouble finding official guidance on ...
MeMyselfI • 163
1 vote
1 answer
153 views

How can we PoC our product that needs training data for our machine learning algorithm of the bank clients?

Recently, we have had a challenge with potential future clients, which are banks. Our product requires us to gather static data (e.g. address, loans, last 50 transactions, etc.) of banks' clients. These ...
Filipon • 1,294
2 votes
1 answer
386 views

Information leakage through json response

I am testing a product survey website. As a response to the getSurveyResults() call, the following details of all survey participants shall be displayed to all website users: Nick name, Location, Rating, ...
Jaya • 401
3 votes
2 answers
3k views

How can I encrypt messages sent over AWS PrivateLink?

I am working on a project where I need to send messages to a partner via AWS PrivateLink. Because these messages contain PII, the data needs to be secure. I have been unable to determine from internet ...
Daniel • 133
0 votes
0 answers
106 views

Do security breach victims have any meaningful recourse?

OPM breach, Anthem Health Care, Equifax. The list goes on... If we define meaningful as non-monetary compensation (e.g. services) to protect victims from further victimization stemming from loss of ...
gatorback • 1,553
1 vote
1 answer
241 views

Can you tell me if my design is secure?

I'm designing a database interface for a system that could store PII. My first focus is on making sure all the data is secure, to do this I have designed the system as follows. I'm running three ...
Will • 11
3 votes
4 answers
13k views

Are employee or badge numbers PII?

We're looking at implementing an Identity Management/Lifecycle system. We're looking at aggregating all our authentication into this system. However, one area of concern is same-name employees, so ...
Nathan Goings
1 vote
0 answers
104 views

Do S3/Azure/GCS bucket names/keys represent personally identifiable information

We have an event-sourced system that uses a forward-only immutable event store. If we store personally identifiable information in this store, we'll be in trouble with regards to GDPR, as deletion ...
spender • 121
38 votes
6 answers
28k views

Is a standalone phone number considered Personally Identifiable Information?

Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine) Information that can be used to distinguish or trace an individual's identity, such as ...
WoJ • 9,096
0 votes
1 answer
330 views

Tokenization - Is it bad practice to reuse tokens?

If I am implementing a tokenization system for PII within a database, is it considered bad practice, or riskier, to reuse tokens? For example, if I am storing the name "Richard" multiple times, and ...
Marc • 141
19 votes
2 answers
16k views

Is gender considered PII (Personally Identifiable Information) under the GDPR?

Since GDPR is shaking everything up at the minute I'm working on a few changes to our website/process. I work in eCommerce in UX (UK based) and support marketing teams with certain activities. My ...
sclarke • 301
0 votes
1 answer
609 views

How to securely collect email addresses through a third party website

I would like to collect email addresses through a third party website and subscribe them to a Sendgrid mailing list. Flow: User goes to a website hosted by unbounce.com that uses my website's ...
Chris Hansen
2 votes
1 answer
299 views

Secure, Portable Bookmarks

A constant bugbear is my bookmarks being synced to my Google accounts, meaning access to them outside that Google account requires various manual steps. So it got me thinking of a roll your own way ...
TrickyDupes • 2,859
-1 votes
1 answer
118 views

DLP Tool for requirement [closed]

Is there any DLP tool with default policies to comply with South African laws and regulations on PII?
Loki • 3
3 votes
1 answer
175 views

How can I prove that I adhere to stated privacy policy? What audits are effective for voluntary compliance?

I have a website and mobile app that doesn't store data or PII. Suppose I'm not subject to any special privacy laws. How can I voluntarily submit myself to an audit to ensure that I'm acting true to ...
makerofthings7
0 votes
1 answer
829 views

Data Masking in a database [closed]

Background: The development team is receiving production data (as database backup files) in order to fix bugs and application enhancements. The development team restores these backups in their ...
user3496510 • 1,317
1 vote
3 answers
1k views

Girlfriend just sent personal info over email

My GF just told me she just sent some of her personal info over an email. She was trying to send her folks some documents. I guess the documents had some sensitive info on them, like her full name, ...
Jeff Meigs