200 million-record breach: Why collecting too much data raises risk

If you don’t collect it, no one can steal it.

Sometimes the best way to secure customer data is not to collect it in the first place. While it can be tempting to “collect it all” just in case, most enterprises need far less data on their users to market to them effectively. Reducing the amount of data collected means that in the inevitable event of a breach, the repercussions will be far less severe.

“One of the things we’re hearing from consumer brands is that they’re doing less,” Gerry Murray, director of marketing and sales technology research at IDC, says. “They’re becoming more thoughtful about ‘what do we want to know about you?’”

“For most commercial purposes you don’t need to know that many things about a person, and sometimes you’re better off not knowing,” he adds.

The apparent breach of a 200 million-record direct marketing list, which seems to originate from a 2015 opt-in list, brings the issue into focus.

What we know about the breached data

The breached records, which contain 42 fields, including address, phone, marital status, income, financial net worth, race, gender and religion, appear to have been originally collected by Experian (although Experian denies this) and licensed to thousands of direct marketers around the world, meaning the breach could have happened at any one of them and not necessarily at Experian.

The files do not contain social security numbers, driver’s license or passport numbers, or credit card numbers, and are thus not as sensitive as other breaches, such as the United States Office of Personnel Management (OPM) breach that exposed detailed personnel files of US government employees. Taken in aggregate, however, the information paints a profile of American society at large and could be joined to other breached data by criminals or nation-state adversaries.

This kind of direct marketing data ages rapidly, and a list like this that might have fetched hundreds of thousands of dollars in license fees in 2015 is today worth almost nothing to legitimate direct marketers, sources familiar with the industry tell CSO.

The files all contain the word Experian in their name, and the fields match a direct marketing list advertised by a third party, Data Monster. (That list has since been removed from the Data Monster site.) Experian told CSO the data was not theirs, writing in an email, “We’ve investigated and this is not Experian’s data.” Data Monster also denied being the source of the breach, pointing out that such lists are licensed to thousands of call centers, and the breach could have originated from any one of them.