信息安全杂志 infosecurity-magazine

Identity Theft Isn’t a Hacking Problem, It’s a Data Problem – Here’s H – Infosecurity Magazine

Identity theft is often framed as a cybersecurity issue, but at its core, it’s a data problem. That’s because identity thieves rely almost entirely on personal information—whether to steal your identity or trick you into giving up more data (so they can steal your identity).

The problem is—no matter how careful you are with physical documents, your personal information is still readily available on the internet with a thriving data broker industry build around its collection and sale.

To understand how to fight identity theft, we need to look at the data economy enabling it.

First, What Data Do Identity Thieves Actually Need?

To effectively protect yourself from identity theft, it’s important to understand what data points are the most sensitive and how criminals can exploit them.

This data can be organized into a pyramid, with each tier representing the risk level:

Tier Examples of Data How It’s Used Risk Level
Tier 1: Direct Identity Theft Data
  • SSN
  • National ID or passport
  • Driver’s license
  • Date of birth
  • Bank/credit card numbers
  • Medical insurance or tax ID numbers
 Directly used to commit fraud: open accounts, apply for credit, file false tax returns, take over identity Critical
Tier 2: Gateway Data
  • Phone number
  • Email
  • Previous addresses
  • Mother’s maiden name
  • Account usernames
  • Security question answers
  • Biometric data
 Used to reset passwords, bypass 2FA, verify identity in support calls, or access more sensitive information High
Tier 3: Contextual Compromise Data
  • Social media activity
  • Family member names
  • Hobbies/interests
  • Relationship status
  • Travel plans
  • Professional affiliations
 Used to craft convincing phishing attacks, impersonation, or social engineering Moderate
Tier 4: Targeting & Delivery Data
  • Name alone
  • City/ZIP code
  • Public phone number
  • IP address
  • Browser/device fingerprint
  • Ad profiles or voter registration info
 Helps attackers identify you, reach you, or categorize you as a valuable or vulnerable target

Low

(Enabling)

Identity Theft Rarely Requires Hacking: Your Information Is Often Publicly Available Online

That information is easier to get a hold of than you may think. Yes, even your Social Security number (SSN).

For starters, we actually put a lot of our own personal information online—through social media posts or your personal sites and blogs.

A lot more data ends up online in more insidious ways:

  • Email tracking pixels reveal when and where you open emails
  • Cookies and device logs track your browsing and app usage
  • Loyalty programs and online purchases feed third-party data collectors
  • Mobile apps harvest location, contact lists, and usage patterns
  • Public records (like property ownership or voter registration) are scraped and aggregated

The more places your personal information lives online, the higher the risk of it being exposed. Companies can experience data breaches, leaking your personal information to the dark web. They may also sell that information to data brokers and people search sites, no breaches required.

Once data brokers have your information, they package it into personal profiles (possibly containing hundreds of data points) and publish them on people search sites or sell them to marketers, insurance companies, or anyone willing to pay. Some data brokers have even been found knowingly selling data to scammers.

So, How Do You Protect Yourself?

Since they rely on data, the best thing you can do is starve identity thieves of your personal information:

  • Remove your info from data broker and people search sites. You can send opt out requests to each broker individually, or use a data removal service like Incogni.
  • Be selective about what you share online. Avoid posting any sensitive details (refer to the table above) on public profiles.
  • Use email aliases and masked phone numbers when signing up for websites or apps to keep your primary contact info private.
  • Enable fraud alerts with major credit bureaus to prevent new accounts from being opened in your name.
  • Monitor your accounts and credit reports regularly for suspicious activity or unfamiliar changes.
  • Use two-factor authentication (2FA) wherever possible to protect your accounts from unauthorized access.
  • Limit the number of services that have access to your data. Unsubscribe from unused accounts, apps, and loyalty programs and ask them to delete your data.
  • Adjust privacy setting to limit data collection on apps, browsers, and online accounts.

We Need to Treat Data Exposure as a Security Risk

Protecting your identity today means being both vigilant and proactive. It also requires ongoing effort.

With the current (lack of) data privacy laws, your data will continue to be collected, traded, and sold online, putting a target on your back. To keep it out of circulation, you’ll have to continue monitoring and sending removal requests to data brokers. You can also invest in a data removal service like Incogni to handle this on your behalf. 

If you suspect you’ve already fallen victim to identity theft, visit IdentityTheft.gov for official recovery resources and support.