Keeping criminals from exploiting personally identifiable information

As specialists in human attack surface protection, we at Picnic know all too well the importance of preventing the exploitation of exposed personally identifiable information (PII) by cyber criminals. While we handle this problem for enterprises, individuals need resources to proactively protect themselves, too. That’s why we’re fans of FrozenPii.com, a website published by former federal prosecutor Thomas O’Malley that helps make it easy for people to take control of their identity for free, before or after criminals attempt to use their stolen identities to commit identity fraud.

In this blog post, we detail the risks associated with our exposed personal data and how Picnic helps enterprises and how Frozen Pii helps individuals gain control over their personally identifiable information and keep it out of the hands of the bad guys.

I. The extent of our exposed personal information and its value to criminals

It is difficult to overstate the serious risk that our exposed personally identifiable information (PII) poses both to us as individuals and to the organizations we work for.  All of us have information about ourselves that is readily available to cyber criminals on the open, deep, and dark web, including email addresses, phone numbers, usernames, passwords, financial data, and other sensitive personal information. Some of this data we provide on our own and some of it is taken without our knowledge

Many of us provide our company name, job title, location, contact information, people and groups we are connected to, and other personal information on LinkedIn and social media. Data brokers obtain information on us including our name, age, address, family members, email, phone, and demographics from tracking cookies, websites, other data brokers, and credit bureaus. Breach repositories hold our usernames, passwords, emails, and subscriptions.  Our most important personally identifiable information, worth billions to lenders and criminals, is collected and stored in our credit reports. And to top it off, we must all operate under the assumption that our social security numbers have been compromised and are available on the dark web.

Most of us are unaware of how much exposed personal information there really is, or where it is all stored, let alone what to do about it to keep cybercriminals from leveraging this information to target us and the organizations with which we are associated, or to steal our identities. But the dangers associated with our exposed PII necessitate a proactive response.

The exploitation of exposed personally identifiable information is the single largest threat to companies and their people today. It’s how nearly all cyber-attacks begin and is at the root of all manner of human and organizational compromise. Threat actors leverage this data for social engineering and credential stuffing attacks in nearly all breach cases- leading to financial losses, IP theft, brand and reputational damage, and legal consequences.

Criminals also use our exposed PII to steal our identities, open new accounts or take out loans in our name, steal social security benefits and income tax refunds, wreck our credit, and make it much more difficult to qualify for home mortgages, auto loans, student loans, credit, insurance, employment, or housing rentals. 

In recent years, fraudsters have even been using exposed PII to create synthetic identities that blend our real personal information with fake information. Synthetic identity fraud is popular amongst skilled fraudsters because it results in large profits with little risk of getting caught. Synthetic identity schemes most often use real social security numbers combined with a fake name, address, and other information. The stolen social security numbers typically belong to those who don’t use credit such as children, dead people, prisoners, the homeless, recent immigrants, or lower-income older adults who don’t use credit cards. Criminals use the synthetic identities to build a credit score and eventually max out the lines of credit and disappear. Victims are often unaware that their information has been associated with a synthetic identity until they apply for their first loan or credit card and realize there is a record of a previous default.

To effectively mitigate these risks posed by our exposed PII, organizations and individuals need to take the right proactive measures, including neutralizing sensitive data before it can be leveraged by criminals and locking down or ‘freezing’ our credit reports. Picnic and Frozen Pii make doing these things easy so criminals can’t exploit your personally identifiable information.

II. How Picnic works to protect enterprise customers against the exploitation of personally identifiable information connected to their VIPs, HVTs, and employees

Managing external human attack surface data is crucial for preventing attacks on organizations. Exposed personal, corporate, and third-party data powers credential stuffing, impersonation, and phishing attacks that lead to organizational compromise. Nearly all breaches today begin with attackers leveraging exposed data tied to the human element. It should come as no surprise that generative AI is also fueled by public data, and those LLMs that are fed PII create powerful lures that trick even the most well-trained employee. Companies concerned about generative AI need to hinder this capability by sharpening their focus onto required PII fuel because without it generative AI is largely useless to social engineers.

Until recently, however, cyber defenders have lacked not only a holistic and comprehensive cybersecurity framework that specifically helps them manage at scale the risks associated with exposed data and social engineering, but also the technological capabilities required to see and remediate human attack surface vulnerabilities. This security gap is the reason the exploitation of exposed personal data remains the single largest source of breaches.

Created and backed by the experience and knowledge of human intelligence specialists, social engineering practitioners, threat researchers, and reverse engineers in consultation with leading military, cybersecurity, and academic subject matter experts, Picnic has stepped in to fill the defensive gap with the capabilities necessary to proactively, effectively, and continuously protect the human attack surface of enterprises.

Picnic works by automatically emulating attacker reconnaissance on the external digital footprint of an organization and its people at scale, identifying human attack surface vulnerabilities, and remediating them. This process includes finding and assembling the exposed personally identifiable information of HVTs, employees, and contractors exactly as an attacker would, identifying the types of attacks that this data enables, identifying high value and highly accessible human targets, and disrupting an attacker’s ability to compromise human targets and gain initial access by removing and neutralizing key exploitable data before it can be used in an attack.

Picnic thus takes external attack surface protection programs to a whole new level by providing an enterprise-wide layer of prediction and prevention against attacks that leverage not only corporate domain and intellectual property information but also personal VIP, employee, and supply chain contractors’ personally identifiable information. Picnic prevents human-centric attacks such as phishing, impersonation, and credential stuffing at scale, and prioritizes protection by focusing on the most valuable and accessible individuals first, the data and infrastructure most likely to be used for social engineering and initial access, and imminent risks to employees informed by relevant and timely threat intelligence.

With Picnic, organizations not only have full visibility of their human attack surface data and its vulnerabilities from the perspective of a threat actor, but are also able to shift from detection and response to a prevention stance with no effort on the part of the organization, no software to deploy, no integrations to set up, and no human capital required to leverage the platform. Picnic works continuously outside the corporate perimeter and handles all the remediations.

To date, Picnic has detected 11.2 breaches per person on average from a global population with more than 110B+ records and detected an average of more than 14 PII attributes per employee that social engineers can leverage. Picnic’s preventative remediations break the reconnaissance chain linking attacker plans with exposed data and human targets, continuously reduce the human attack surface, and dramatically reduce the risk of human-centric attacks involving social engineering and credential stuffing.

The result for enterprises who employ Picnic is a workforce that is less accessible and more difficult for attackers to compromise, either at work or at home, because the public information making up their personal attack surface is dramatically reduced. By extension, the entire human attack surface of the enterprise is diminished and the human risk that most often leads to organizational breaches is proactively remediated, leading to fewer attacks, reduced cybersecurity operational costs, and an improved security posture.

III. How Frozen Pii helps you protect against the exploitation of your personally identifiable information by criminals

When it comes to protecting yourself from identity theft, there are plenty of services that promise to catch problems early and alert you, but at that point the damage is already done – someone’s already opened up an account in your name and wrecked your credit.

The only way to truly protect yourself is to freeze your credit. When you freeze your credit, you restrict access to your credit report to only authorized parties. Federal law allows you to order a free security “credit freeze” on your credit reports. A credit freeze prohibits credit reporting agencies from releasing your credit reports to new lenders without your express authorization. Without access to your credit reports, responsible lenders will not give criminals fraudulent loans and credit cards in your name.

Federal law also allows parents and guardians to order free “security credit freezes” for children under 16 years of age. It is extremely important to freeze your child’s credit, which can be impacted if your child’s social security number becomes linked with a synthetic identity. By freezing your child’s credit, you can protect their credit score from being ruined before they become adults. When you order a child credit freeze, credit reporting agencies are legally required to create and freeze a minor child’s credit file. A child credit freeze prohibits credit reporting agencies from releasing your child’s frozen credit reports to lenders. Without credit report access, responsible lenders will not give criminals fraudulent loans and credit cards using your child’s identity.

Freezing and thawing your credit report has no negative impact on your credit report whatsoever. It in fact improves your score because if no one can use your credit report to get credit in your name or a version of you through a synthetic identity, then you’re going to have a clean credit report.

Frozen Pii is the gateway for you to collect, correct, and freeze your credit reports, and keep criminals and corporations from exploiting your personally identifiable information (PII). Built by a data breach victim, for data breach victims, Frozen Pii’s mission is to help make it easy for people to take control of their identity for free, before or after criminals attempt to use their stolen identities to commit identity fraud. No other website gives you information and vetted links for quick, easy and free protection from criminals trying to use your stolen identity for fraudulent new credit and loan accounts. 

Today, Frozen Pii serves as a gateway to help consumers protect their financial identity by exercising their legal right to: 1) get free credit reports, 2) dispute and correct credit-report errors, 3) freeze and unfreeze credit reports (including those of children) and 4) claim and control their government identity with the Social Security Administration, the United States Postal Service, and the Internal Revenue Service. Frozen Pii’s credit freeze links include not only the Big-3 credit reporting agencies (Equifax, Experian, & TransUnion), but also 3 additional freezes for Innovis (a privately-held national CRA), NCTUE (utilities, TV, phone service), and ChexSystems (bank accounts), and a link to the CFPB 2023 report listing dozens of specialty CRAs. Frozen Pii also provides consumers with a free 100MB secure cloud vault for safely storing and transmitting sensitive documents, and provides identity fraud victims with links to free help from the non-profit Identity Theft Resource Center, which has live chat and call services, and online help from the Federal Trade Commission.

Frozen Pii helps you and your family protect your personally identifiable information in your credit reports, guard against criminals using your stolen PII for new-account credit and loan fraud, and secure your taxpayer identity to stop fraudsters from stealing your social security benefits and income tax refunds.

While Picnic protects enterprises from attacks that leverage exposed PII, Frozen Pii makes it easy for individuals to control and protect their sensitive personal information from exploitation by cybercriminals. We recommend everyone take advantage of the resources FrozenPii.com has to offer and start protecting yourselves today!


Become a Subscriber to receive timely articles on human-centric security issues:

Scroll to Top