In an analyst brief, “Why Your Data Breach Is My Problem,” for NSS Labs, Stefan Frei and Bob Walder discuss the wider effect of data security breaches on the use of identifiers such as Social Security Numbers and birth dates. Here’s an excerpt from the overview:
For authentication, users typically rely on only a small number of unique personal information attributes. The same information attributes are used in several places and inevitably are lost, in large numbers, through data breaches. Cyber criminals have built comprehensive profiles of millions of users, which they constantly refine with each new data breach. Once lost, breached data cannot be taken back. This rapid erosion of security (and also privacy) presents huge challenges as this same information, which many still consider “private,” is used across diverse services, both online and offline. While users can change login and password information after a breach, social security numbers (SSNs) and date of birth (DOB) information cannot be changed after such an event.
Enterprises that conduct any part of their business online should be prepared to bear full responsibility for the consequences of data breaches. At present, that responsibility is typically limited to a financial burden, whereas the true consequences of modern breaches are more far reaching than that implies. The loss of what is known as “unique” or “static” personal data, that which is truly personal (such as DOB or SSN), is far more serious than the loss of “transient” personal data (such as pass codes, security questions, and credit card numbers) that is more easily changed following a security event or that is readily discernible in the public domain.
While end users themselves must bear some measure of responsibility for personal information they voluntarily place into the public domain (such as DOB, place of birth, or home address on their Facebook page), the requirement by some online web sites to enter unique personal data is something they cannot, at this point, easily avoid. […]
The continued loss of unique data, which should never be used for simple authentication purposes, threatens to erode confidence in the ecommerce system. As the realization dawns that not only are users not adequately protected by corporate security systems, but they are also at increasing risk of serious identity theft, there is the potential for backlash. Ecommerce enterprises that recognize the need to minimize the amount of truly unique personal data being held, and that work to improve the methods by which they authenticate users, could be in a position of advantage. Regardless, it is inevitable that enterprises wishing to continue to do business online will eventually be forced to change the way they enroll users to their services and subsequently authenticate them.