By now, the story of the epic hack of Wired’s Mat Honan is all over the web. Hackers were able to use publicly available information about Mat to socially engineer both Amazon’s and Apple’s security systems and gain access to his whole digital life. Slashing and burning as they went, the hackers destroyed Mat’s digital life on their way to his Twitter account. This story raises an important issue of “level of risk,” or sensitivity, as it relates to PHI or PII. Too often we think of name, e-mail address, mailing address, etc., as non-sensitive information unworthy of protection. Mahmood has a blog post on the risks of unauthorized information disclosure.
“even this seemingly innocuous set of PHI/PII can be used to trigger a malicious attack. Mat’s entire digital life was wiped out remotely once the hackers used his limited PII (name, billing address, last 4 digits of credit card, and email) to exploit security gaps in the Amazon and Apple privacy and security policies and customer service practices.”
Mat was already a public figure, so protecting his “non-sensitive” information was (and is) much harder, but for the general populace this “non-sensitive” information may not already be public. The next time you think the risks from data breaches of PHI and PII relate only to social security numbers, credit card numbers, or medical ID numbers, think of Mat Honan and his digital cautionary tale.
You can read all of Mahmood’s piece here: The Risk Posed by Unauthorized PHI & PII Disclosure is Contextual.