It’s Not Just About Your SSN — It’s About Protecting Your PII


TL;DR Tech giant Samsung suffered two major data breaches this year. It alerted those customers who were affected. Now there’s a class-action lawsuit against the company.

On Sept. 6, 2022, a class-action lawsuit was filed against Samsung Electronics America, Inc. (hereinafter “Defendant” and/or “Samsung”). Plaintiff Shelby Harmer and thousands of individuals (hereinafter referred to as “Class Members” or collectively as the “Class”) claim that Samsung failed to safeguard their confidential personal identifying information (PII).

The private information was stolen in early August, which was actually the second major Samsung security incident of 2022, but only the first PII breach. Let’s rewind back in time about six months …

Early in March 2022, Samsung confirmed that the hacker group Lapsus$ had stolen code for the Galaxy line of phones, including the source code for trusted applets in the TrustZone environment. The TrustZone is what some would call Samsung’s Secure World, “reserved for highly sensitive computations [and] protecting enterprise confidential data”. The same hacker group claimed responsibility for attacking Nvidia. Anyway, back to our spring 2022 flashback …

Samsung said the March attackers did not steal any customer data, only company data and Galaxy source data, but that source data was regarding the Galaxy’s secure sandbox, the TrustZone environment. Samsung claimed to have “implemented measures to prevent further such incidents” and “[did] not anticipate any impact to […] business or customers.”

Fast forward six months, err … actually five months. In early August 2022, a group of hackers accessed Samsung servers containing the personal information of its customers. Much of the personal information was gathered in the registration process for Galaxy devices and — wait for it — the firmware updates issued by Samsung, including security updates to the Galaxy devices, were only available after user registration. I can hear the ads now: Sign up to get security patches and get a data breach for free!

Samsung did not notify the affected users until Sept. 2, 2022, approximately four weeks after the breach. Moreover, the company apparently did not beef up its security enough between the March attack and the August data breach to protect its customers’ data, at least that is what the lawsuit claims.

What’s PII?

Let’s face it: By now at least half of Americans have suffered some form of data breach (many due to the Equifax breach alone). There is a good chance your SSN is being passed around the dark web, and sadly, there is little you can do about it because your SSN is not like an email, login or password you can simply change. Those nine digits are sort of like a digital set of fingerprints that belong to you and only you.

Your birthday is similar in that it is not something you can update, but it is something that is not unique. Others were born on the same day as you, but chances are, those people don’t have your exact name.

Sometimes, it’s the combination of your name and your birthday that is unique, personally identifiable information, basically equal to your SSN. Moreover, it could be more valuable than an SSN, because it’s a combination that only you should know, much like your mother’s maiden name and your birthplace. Neither of those pieces of information alone is unique data, but the combination of them is your PII.

So, what can be done about all of this PII data floating around servers? According to the lawsuit:

The FTC has issued a publication entitled “Protecting Personal Information: A Guide for Business” (“FTC Report”). The FTC Report provides guidelines for businesses on how to develop a “sound data security plan” to protect against crimes of identity theft. To protect the personal sensitive information in their files, the FTC Report instructs businesses to follow, among other things, the following guidelines: 

  1. Know what personal information you have in your files and on your computers; 
  2. Keep only what you need for your business; 
  3. Protect the information that you keep; 
  4. Properly dispose of what you no longer need; 
  5. Control access to sensitive information by requiring that employees use “strong” passwords; tech security experts believe the longer the password, the better; and 
  6. Implement information disposal practices reasonable and appropriate to prevent an unauthorized access to personally identifying information.

I personally believe that 4. and 6. above are the most important changes an organization can make. Get used to getting rid of old data properly and systematically. Stop archiving everything in a giant server folder. When a project is completed, send the files to the client, archive off-site and then systematically delete them from your servers within a year. Each department should have a proper data steward who is in charge of the integrity of the folder’s contents, and when the data should be disposed of.

Regarding 3., find ways to encrypt data at rest (on server) and in transit (emailed or otherwise shared). Use Role-Based Access Control and apply the Principle of Least Privilege to all users. Only allow access to data as needed, and when the folder access is no longer needed, remove the access.
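To show what the retention and least-privilege advice in the last two paragraphs looks like as a routine check a data steward could run, here is an added example (not code from the article or from Samsung). It assumes a simple folder inventory format of my own design, a one-year retention window for completed and archived projects, and an assumed 90-day idle threshold after which an access grant is treated as no longer needed.

```python
from datetime import date

RETENTION_DAYS = 365   # delete completed, archived project data within a year
GRANT_IDLE_DAYS = 90   # assumption: a grant unused for 90 days is no longer needed


def review_folder(folder, today):
    """Return the actions a data steward should take for one project folder."""
    actions = []
    completed = folder.get("completed_on")
    if completed is not None and (today - completed).days > RETENTION_DAYS:
        if folder["archived_offsite"]:
            actions.append(("delete", folder["path"]))
        else:
            # Never delete the only copy; archive off-site first, then delete.
            actions.append(("archive_then_delete", folder["path"]))
    for grant in folder["grants"]:
        if (today - grant["last_used"]).days > GRANT_IDLE_DAYS:
            actions.append(("revoke", f'{grant["user"]}@{folder["path"]}'))
    return actions


def review_inventory(inventory, today):
    """Flatten the per-folder actions for a whole inventory."""
    return [a for folder in inventory for a in review_folder(folder, today)]


# Constructed sample inventory (not real data).
SAMPLE = [
    {"path": "/projects/acme-2021", "completed_on": date(2021, 6, 30),
     "archived_offsite": True,
     "grants": [{"user": "alice", "last_used": date(2022, 8, 1)},
                {"user": "bob", "last_used": date(2021, 7, 2)}]},
    {"path": "/projects/globex-2022", "completed_on": date(2022, 5, 1),
     "archived_offsite": False,
     "grants": [{"user": "carol", "last_used": date(2022, 8, 30)}]},
    {"path": "/projects/initech-open", "completed_on": None,
     "archived_offsite": False,
     "grants": [{"user": "dave", "last_used": date(2022, 2, 1)}]},
]


def sample_review():
    """Run the sweep against the sample as of the lawsuit filing date."""
    return review_inventory(SAMPLE, date(2022, 9, 6))


if __name__ == "__main__":
    for action in sample_review():
        print(*action)
```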

Getting back to Samsung and the data breach, the Samsung community is not happy with the response:

Security Breach September 2022 – Samsung Community – 2367705

That being said, I can think of other breaches where poor incident response actually made things worse:

Some states like Massachusetts are very clear about what you should include in your public response:

It’s important to follow the guidelines for your state because they can vary greatly from state to state. For instance, Massachusetts does NOT want the nature of the breach nor the number of residents affected by the breach publicized. Other states do require that the number of people affected be made public.

What if you have multiple offices in multiple states? Here are some basic guidelines for public notice:

  1. Your corporate HQ likely has the most data, so the HQ state guidelines should be the default.
  2. If the incident happens in another state, then those guidelines should also be followed.
  3. If two state guidelines do not agree, it is best to follow the more stringent guidelines.
  4. Don’t mix and match state guidelines; choose which one is best, and then follow it strictly.