The internet has made human lives so convenient. Want to go shopping? Go to Amazon or eBay and fill up your cart. Need to send money but don't want to drive to the bank? Use your banking app or PayPal.
But all this convenience has a dark side. There's a new identity fraud victim every 22 seconds, and 33% of the US population has faced a form of ID theft at some point in their lives.
It's impossible to avoid this risk 100%.
If you use the internet in any way – to send emails, watch videos on Facebook, check your bank account balance, etc. – your personally identifiable information (PII) is at risk.
Keep reading to learn what PII is vs. your basic personal data and how ID thieves can steal it. We also share advice from government sources, data protection companies, and security forums about protecting your PII and what to do in case of a data breach.
Later on, we identify the most vulnerable PII that, when stolen, ID thieves can use to do anything under your name.
Find that out when you read until the end, or risk becoming one of this year's millions of ID theft victims.
What is PII?
PII is short for Personally Identifiable Information.
As the term suggests, PII is any data that can uniquely identify an individual.
This data may be direct identifiers, like your social security number (SSN), passport information, or driver's license number. Other direct identifiers are:
- Your fingerprints
- Your retina or iris scans
- Your DNA
- Your full name
- Other IDs like your employee number, student ID, or license plate
- Your financial data like your bank account number or credit card details
PII may also include quasi-identifiers. These are attributes that, on their own, don't identify you. But when combined with other quasi-identifiers, they can lead to your identity.
For example, race and date of birth are quasi-identifiers. If someone reads “French citizen” or “African-American” on a form, they can't know who you are. Even reading “French citizen born on January 1st, 1980” doesn't uniquely identify you.
But combine that with other data like your gender, name, address, and email, and anyone can find out who you are.
Other examples of quasi-identifiers
- Your zip code
- Your maiden name or mother's maiden name
- The schools you've attended
- Your previous addresses
- Your birth city
- Your license plate
In short, any information that can uniquely identify you, separate from all other people, is PII.
Sensitive vs. non-sensitive PII
All PII is not created equal. Some data is more sensitive than others and, when stolen, can do more damage. That's why PII is further classified into two categories:
Sensitive PII (SPII)
Personal information that, if leaked or stolen, could lead to identity theft, fraud, or financial loss. This data includes your SSN, driver's license number, passport information, bank account and credit card details, and so on.
Non-sensitive PII (NSPII)
Information that's still personal to you but is less likely to lead to identity theft or fraud. An example is your name, address, and birthdate. While this data can still be used to target you with marketing material or spam, it's not as dangerous as SPII.
PII vs. personal data
All PII is personal data, but not all personal data is PII. Sounds confusing? Let's break it down.
Personal data is any information that's related to you. This includes the basics (name, gender, address, DOB, etc.). It also includes data like:
- Your IP address
- The cookies on your devices
- Your search history
- Your purchase history
- Your social media posts
- Your fitness tracker data
- Your medical records
As another example, let's say you use a Fitbit. Today, you took 5,000 steps, and that data is recorded on your Fitbit account.
That's personal data because it's linked to you. But it's not PII because it can't uniquely identify you.
How ID thieves can steal and use your PII
Now that you know what PII is and why it's valuable, let's look at how criminals can steal it. They can use a variety of methods, but these are the most common:
1. Hacking into databases
This is how Equifax, Yahoo, and Marriott lost millions of records. Hackers breach a company's security, then make off with all the PII they can find.
2. Skimming devices
These are placed on ATMs and gas pumps, then used to collect credit and debit card numbers. How these devices work depends on the type of card being used.
For example, skimmers on magnetic stripe cards collect data from the stripe as the card is swiped. But chip cards are more difficult to skim, so criminals often place fake keypads over the real ones. They then capture your PIN as you enter it.
3. Phishing emails
Phishing is one of the oldest and most effective methods for stealing PII. The term “phishing” comes from the idea of bait (a lure) and fishing (trying to catch something).
In this case, criminals send emails that look like they're from a legitimate company. They might say there's a problem with your account or that you need to update your information.
But when you click the link in the email, you're taken to a fake website. There, you're asked to enter your login details, financial information, or other PII, which they then use to commit fraud.
4. Pretexting
This is when a criminal pretends to be someone else to get your PII.
For example, they might call pretending to be from your bank. They'll say there's been suspicious activity on your account and that they need to verify some information.
Or they might send an email pretending to be from the IRS. They'll say you're due a refund and ask for your bank account details so they can deposit the money.
5. Dumpster diving
This is exactly what it sounds like. Criminals go through the trash looking for receipts, bills, or other documents with PII on them. They might also find discarded devices that still have PII stored on them.
6. Social media fraud
Hackers can use information like your birthdate, mother's maiden name, or hometown to answer security questions and take over your Facebook, Instagram Twitter, and other social media accounts.
They can also pretend to be you and dupe your friends into giving them even more information or even hack into their accounts.
Once ID thieves hack your PII, they can do massive damage, such as the following:
- Apply for credit cards and loans in your name
- Make purchases in your name
- Open new utility accounts in your name
- File for tax refunds in your name
- Get a job or rent an apartment using your identity
- Commit crimes while pretending to be you
They can also take over your existing bank and investment accounts and drain all of your savings and retirement accounts. They can order new credit cards and checks in your name and destroy your credit score.
Likewise, they can give your child a bad credit rating before they're even old enough to have one.
Making matters worse is that they don't even need all of your PII to do all of these.
In fact, they only need one: your social security number, aka the most vulnerable PII of them all. Why? Because it's the key to your financial life. Once ID thieves have your SSN, they automatically have a lot of other PII, such as your:
- Name
- Address
- Birthdate
- Driver's license number
- Mother's maiden name
And that's just the start. Either way, you don't want ID thieves getting their hands on any of it.
How to protect your PII, and what to do if it's already been compromised
First, only give out your PII when absolutely necessary. And when you do, make sure you're dealing with a legitimate organization or person. Here are a few other tips for protecting your PII:
- Shred or tear up receipts, bills, and other documents with PII on them before you throw them away.
- Don't carry your Social Security card or any document with your SSN on it in your wallet or purse.
- Don't give out your SSN, credit card number, or bank account number over the phone unless you initiate the call and you're sure you're dealing with a legitimate organization.
- Never click on links in emails or text messages, even if they look legit. Hackers can fake email addresses and text messages. Go to the organization's website directly and log in from there.
- If you're unsure whether an email or text is from a legitimate source, call the customer service number on the back of your card or on the organization's website.
- Monitor your credit report for free at AnnualCreditReport.com to look for any red flags, such as new accounts you didn't open or inquiries from companies you've never heard of.
- Consider putting a fraud alert or credit freeze on your credit report. This will make it more difficult for ID thieves to open new accounts in your name.
- Know your PII protection laws. For instance, the FTC Act prohibits deceptive practices that affect commerce. The Fair Credit Reporting Act protects your credit report data. And the Gramm-Leach-Bliley Act requires financial institutions to protect your nonpublic personal information.
If you think your PII has been compromised, do the following ASAP:
- Change the passwords on your online accounts immediately.
- Contact your financial institution and let them know what's going on.
- File a police report.
- Contact the Federal Trade Commission and file a complaint.
- Place a fraud alert or credit freeze on your credit report.
Final Thoughts
There's no way around it: we all have PII. And the more interconnected our lives become, the more of our PII will be exposed to others.
Knowing how to use, protect, and limit the amount of PII you share is critical to keeping yourself safe from ID theft and fraud – all while enjoying the convenience of living in the digital age.
Aidan has been writing about personal finance for over 6 years. Prior to this, he worked as a Corporate Finance Analyst where he specialized in Due Diligence, Company Valuations and more. He is a CFA charterholder.
