What is PII and how do you keep it private?

Identity theft is a very real and significant issue in today’s interconnected world. The amount of personally identifiable information (PII) stored on servers across many organisations is larger now than it ever has been in the past.

There are more types of PII floating around than most people realise. The obvious ones are name, date and place of birth, National Insurance and tax numbers, vehicle registration and so on, but they aren’t the only things the bad guys are trying to get. Mother’s maiden name, for example, is often used as a security question for phone banking or to reset passwords, yet many people will disclose it with very little persuasion.

Why should I worry?

Now, you might be wondering why you should worry if someone finds a piece of your information here or there. Granted, on its own that data isn’t worth a lot, but build up enough information about someone and a lot of previously locked doors will open.

Nowadays there are far more intrusive collections of your PII. Biometrics are increasingly being used for authentication – retina scans at airports and even in schools and workplaces, fingerprints to unlock your phone, even some public restrooms in China are using facial recognition to prevent people stealing toilet paper. The problem with biometrics is that once you’ve given up this data it can’t be rescinded. You can’t exactly change your retina or fingerprint if a company is hacked. What’s more, retina scans can reveal the subject’s age and whether they smoke, as well as the presence of diseases such as AIDS, diabetes, and malaria, and whether the subject is at risk of a heart attack. This isn’t the kind of information most people would be comfortable sharing with their employers or school.

Even the biggest companies can lose data

As we’ve seen time and time again, even the biggest companies can lose this data, as in the recent Marriott breach, where attackers stole 5M unencrypted passport numbers, or Quora losing data from 100,000,000 user accounts including names, emails, and data linked from connected networks (do you use Facebook to quickly log in to other sites? Don’t!).

This data is valuable, often fetching thousands of pounds for a complete package of a person’s details (that could be used to apply for credit cards or open bank accounts). Now, someone posing as you and stealing all the money from your bank sounds like bank robbery, but it’s actually you who will lose out.

Social Engineering

Whilst data breaches are a worry, they aren’t the only occasions in which your PII could be stolen.

Social engineering, for example, uses manipulation to obtain sensitive information from a victim and has become one of the most common techniques for stealing data. Social engineering attacks happen to individuals and businesses alike and you should retain a healthy level of scepticism whenever someone you don’t trust is asking for any personal details.

There are well-known methods of social engineering such as phishing, where an attacker might send an email containing a file that, if downloaded, installs malware on the victim’s computer, or a malicious link to a forged login page of the victim’s bank or social media account – which is scarily easy to set up. However, there are far more subtle social engineering practices that precede larger attacks, such as learning which websites a target uses frequently, then infecting that site with malware to obtain the data. This is even easier if you connect to a malicious Wi-Fi hotspot when you’re not at home, which is why it’s always a good idea to use a VPN to connect to any unfamiliar network.

Then there are the less obvious social engineering attacks, such as walking into an office building with large boxes in your hands and asking someone to open the security gate with their keycard, or dropping a USB drive that contains malware and waiting for someone to connect it to their computer, or even just walking up to the front desk and telling the receptionist that you need to quickly use their account to install a new security patch. These tactics work so well it’s scary.


Use strong passwords

Just about every article on this subject will advise you to use strong passwords, but this advice never becomes redundant. It’s just not safe to use your pet’s name with a couple of letters subbed for numbers and an exclamation mark! Use a password manager such as LastPass or KeePass to create and store cryptographically secure passwords. Of course, you have to use a secure master password or the whole thing is pointless.

Nowhere is a strong password more important than on your email. Imagine how many accounts an attacker could access if they can get into your email and reset the passwords.
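As an added illustration (not code from the original article), the script below shows why a pet’s name with a couple of digits swapped in is weak: a cracking tool simply undoes the substitutions and looks the word up. The wordlist and substitution table are constructed stand-ins for what such a tool really loads, and the generator uses the OS CSPRNG the way a password manager does.

```python
"""Added example, not from the original article: why a leet-speak pet name is weak
and what a password manager generates instead. The wordlist and substitution table
are constructed stand-ins for what a cracking tool actually loads."""
import math
import secrets
import string

# Constructed wordlist: a real cracker loads millions of names and words.
WORDLIST = {"rex", "fluffy", "password", "summer", "london"}

# Substitutions a cracking rule set reverses before the dictionary lookup.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

# Characters a password manager draws from: letters, digits and punctuation (94).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> str:
    """Strip a trailing '2019!'-style suffix, then undo the leet substitutions."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def is_dictionary_based(password: str) -> bool:
    """True when the password is a wordlist entry dressed up with substitutions."""
    return normalise(password) in WORDLIST


def guess_bits(words: int, variants_per_word: int) -> float:
    """Work an attacker faces for dictionary + rules, in bits (log2 of candidates)."""
    return math.log2(words * variants_per_word)


def generate_password(length: int = 20) -> str:
    """Manager-style password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for pw in ("R3x!", "Summ3r1!", "P@ssw0rd2019!"):
        print(f"{pw:16} dictionary-based: {is_dictionary_based(pw)}")
    # Ten million words x a thousand rule variants is still only ~33 bits of work.
    print(f"dictionary+rules: {guess_bits(10_000_000, 1_000):.1f} bits")
    pw = generate_password()
    print(f"{pw:16} random:           {entropy_bits(len(pw)):.1f} bits")
```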

Don’t use Facebook as authentication

Now, just because you have a strong password on your Facebook account, that doesn’t mean you should start using it as authentication for all your other accounts. Why? Because Facebook simply can’t be trusted with the keys to all your accounts. Again, use a password manager from a company whose sole purpose is to provide secure passwords.

Properly dispose of documents and drives

You should be completely destroying any paperwork with anything more personal than “Dear Homeowner”. Whilst going through a stranger’s bin is illegal, people do it, and it can give attackers the first bits of information to get started with a larger attack, such as your ISP, where you bank, which sites you shop at, etc. It’s all useful information to someone putting together a profile of your information. So get a decent shredder.

The same goes for old hard drives. Even if you think they’re wiped, they’re probably not. Hard drives are so inexpensive that it’s very easy to get a new one, format the old one and throw it away, but anyone with basic data forensics skills could get all that data back in about ten minutes. The only way to be sure is with complete destruction. I’m talking magnets, shredders, and fire.

Don’t use random thumb drives you find

If you find a thumb drive in Starbucks, never, ever put it in your computer. Even if it has “saucy pics” written on the label. Plugging it into your USB port can fill your computer with malware faster than you can say “d’oh!” – although you probably won’t even notice it’s there, as most malware is designed to be difficult to detect.

Encrypt your internet connection

Nowhere is this more important than when using public Wi-Fi, but attacks can also happen at Airbnbs, or even in your own home. The best solution is to use a VPN whenever you’re not at home, and perhaps even a VPN router to encrypt all your home traffic and IoT devices.

Don’t automatically trust people

It’s a sad fact that it’s not always in our best interests to be trusting of strangers. Nowhere is this more relevant than with your PII, especially as we consider social engineering attacks, which rely on a person disclosing information. Technology can’t protect you from social engineering, you just have to be aware of the people around you and what they’re asking you to do or disclose.


In 2017 there were 175,000 cases of identity fraud recorded in the UK according to CIFAS, costing millions of pounds to UK businesses and individuals. Whilst credit card fraud is actually declining as authentication measures are getting stronger and cards more difficult to counterfeit, new account fraud is rapidly increasing.

New account fraud is only possible by using personal information such as that described in this article. It’s never been so important to keep your data private.

Joe Robinson is a cyber security and data privacy expert at VPNTeacher, a site dedicated to keeping your data secure.