The Effects of Compromised Personally Identifiable Information

November 12, 2019 at 2:42 pm by Paul Falcone

Today more than ever, data security is a hot-button topic, with serious data theft and data breaches seemingly occurring on a daily basis. Since storing sensitive personally identifiable information (PII) is now the norm for virtually all businesses, it is incumbent on those businesses to consistently ensure the integrity of that information.

Around the world, consumers are justifiably growing more concerned about data privacy. The European Union and countries such as Canada and the United States work to protect their individual and corporate citizens by enacting and enforcing regulations that restrict the use and flow of PII, as well as mandate how PII is stored, disseminated, and destroyed.


Although organizations subject to PII regulations incur steep fines for noncompliance, the consequences can be significantly more severe for the individuals whose PII is breached. For example, compromised data can be exposed to manipulation and illegal transactions that ultimately lead to wholesale identity theft. In 2017 alone, identity thieves pilfered $16.8 billion from 6.64% of U.S. consumers, or approximately one of every fifteen people.

Within an organization, it is critical that your data storage and data end-of-life destruction processes are invariably sound and thorough and executed error-free. As the following real-life examples demonstrate, any instances of irresponsibility or lapses in oversight—such as discarding paper without proper shredding or disposing of still-readable hard drives—can have dire consequences, particularly to individuals’ livelihoods and reputations.

2017: Medical Records in Public Trash Bins in Hawaii

An anonymous resident of Palolo, Honolulu, found a stack of approximately 50 residents’ personal and medical information while using a public-access trash bin. Evidently, a local therapy center discarded the paperwork without taking the necessary security measures. The documents contained a “fraudster’s treasure trove,” including complete social security numbers, pictures of driver’s licenses and extensive medical information. Thankfully, the documents fell into the right hands; otherwise, lives could well have been ruined.

2019: Used Electronic Storage Devices Contained PII

Companies relying on a data removal plan rather than a data end-of-life destruction plan should reconsider their strategy. A recent study conducted by Blannco analyzed 159 used storage drives purchased from eBay. The data removal company discovered that an astounding 42% of the drives (66) still contained data. More disturbingly, more than fifteen percent of the drives (25) still contained PII. Furthermore, one of those drives came from a software developer that had been granted government security clearance.

In another recent study, a Rapid7 researcher procured 85 discarded hardware components from businesses, including old computers, flash drives, phones, and hard drives. Of the 85 devices, only two had been properly wiped and only three were encrypted. In total, the researcher collected 611 email addresses, 50 birth dates, 41 social security numbers, 19 credit card numbers, six driver’s license numbers, and two passport numbers.


2010: Australians Have Identities Stolen by Hit Squad

Imagine being six-months pregnant, living in Israel, and yet somehow being wanted for murder in Australia. In fact, it’s a real-life nightmare for a former Melbourne resident. In 2010, she was one of three Australian citizens living in Israel who had their identities stolen and used by members of the Mossad hit squad while carrying out an assassination. In each case, the three individuals’ PII was swiped and used to forge passports in their names with the perpetrators’ photos. It has never been definitively determined how their PII was compromised.

2016: Albuquerque Man Arrested for Fraud—When He Himself Was the Victim

In 2016, a dispatcher for the Kirtland Air Force Base Fire Department and military veteran with a security clearance and no prior arrests was pulled over, detained, and booked in Las Vegas, New Mexico, on an outstanding fraud and forgery warrant. Subsequently, it was determined that a younger man had obtained the individual’s personal information in the fall of 2015. This younger man used the stolen ID to cash a check and was seen on camera. Despite marked differences in the two men’s physical appearances, the Albuquerque Police still issued a warrant for the dispatcher, resulting in a highly traumatic experience (which, by the way, led him to file a suit against local law enforcement).

2019: Woman Arrested After Identity Thief Steals Car Using Her Name

A 25-year-old Indiana woman was recently arrested and booked on charges of auto theft when an impersonator used her driver’s license to test drive and steal multiple vehicles. The woman did not know she was being investigated until she was detained two weeks after an incident. While she believes the identity theft was likely the result of a stolen purse, the exact circumstances are unknown since no arrests have been made.


Although it’s often impossible to know whether compromised data is the result of inadequate end-of-life procedures, faulty storage protocols, illicit cyber activity, or everyday petty theft, an overriding theme emerges from the above examples: given the extreme sensitivity of PII—and the dire consequences for individuals when PII is compromised—it is the legal and ethical responsibility of all businesses possessing PII to protect it. The onus is on them to ensure all reasonable measures and precautions are taken to ensure its absolute security and integrity, and, ultimately, its utter, irreversible destruction at end-of-life.

Companies like SEM provide state-of-the-art data end-of-life solutions that ensure PII is destroyed to the point of non-recovery, thereby mitigating the attendant risks of data theft and compromises for both individual and corporate citizens alike.