Should ICCID be considered as PII?

How can one decide if SIM card’s [ICCID][1] should be treated as PII?

My understanding is that an ICCID is similar to a MAC address. It’s clear why the latter is PII: sniffing a LAN, one can see which traffic belongs to a specific card. But I’m not sure if there is a way to use an ICCID to compromise an individual.

How to show that $\sum_{i=1}^n 1-e^{-n p^i/i} = \Omega(\log n)$ for $0 < p < 1/2$?

Let $0 < p < 1/2$. How can I show the following lower bound?

$$ \sum_{i=1}^n 1-\exp\left(- \frac{np^i}{i}\right) = \Omega(\log n) $$
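An added sketch of the lower bound (not part of the original question); it uses only $0 < p < 1$, so the restriction $p < 1/2$ is not needed for this direction.

Let $k = \left\lfloor \tfrac{1}{2}\log_{1/p} n \right\rfloor$. For $1 \le i \le k$ we have $p^i \ge p^k \ge n^{-1/2}$, hence

$$ \frac{np^i}{i} \;\ge\; \frac{\sqrt{n}}{k} \;\ge\; 1 \qquad \text{for all } n \ge n_0, $$

since $k = O(\log n)$ grows more slowly than $\sqrt{n}$. Because $x \mapsto 1 - e^{-x}$ is increasing and every summand is non-negative,

$$ \sum_{i=1}^n \left(1-\exp\left(-\frac{np^i}{i}\right)\right) \;\ge\; \sum_{i=1}^{k} \left(1 - e^{-1}\right) \;=\; \left(1-\tfrac{1}{e}\right) k \;=\; \Omega(\log n). $$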

hipaa – How to block duplicate accounts without leaking PII?

We need to block multiple accounts from being created using identical PII without leaking any information regarding the original account. What is the best way to:

  • Inform the person trying to create an account that they cannot
  • While not telling them why
  • While also enabling the original account to recover their account if they were accidentally attempting to log in?

Is there a standard/best practice way to handle this?

My thoughts are that you simply say “We are unable to create an account at this time. If you have a previous account, reset your password here.” Followed with the standard “if you have an account, you will receive a password reset email”

This is not related to this previous question Detect duplicates without exposing underlying data, although that has a really great answer that’s well worth reading and actually may help solve the backend part of the issue. It is also not specifically related to password resets. It has to do with account creation only.
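One way to structure the signup path the question describes, as an added example that is not from the original post: the HTTP response is identical whether or not the PII already exists, and the only differing signal goes by email to the address already on file for the original account. The PII fields, the in-memory store and the captured outbox are constructed stand-ins (assumptions).

```python
import hmac
import hashlib
import secrets

# Constructed in-memory stand-ins for the account store and the mailer
# (assumption: a real deployment uses its database and email provider).
ACCOUNTS: dict = {}          # fingerprint -> {"email": ..., "verified": ...}
OUTBOX: list = []            # (to, subject) pairs captured instead of sent
SERVER_SECRET = secrets.token_bytes(32)   # HMAC key, kept out of the data store

# The one response every signup attempt receives, duplicate or not.
NEUTRAL_RESPONSE = ("We are unable to create an account at this time. "
                    "If you have a previous account, reset your password here.")

def pii_fingerprint(ssn_last4: str, dob: str, surname: str) -> str:
    """Keyed digest of normalised PII; only this digest is stored, so the
    duplicate check itself never holds the raw values."""
    canonical = "|".join(s.strip().lower() for s in (ssn_last4, dob, surname))
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def register(email: str, ssn_last4: str, dob: str, surname: str) -> str:
    """Block a second account on identical PII without telling the requester
    why. Any email whose content differs goes to the address on file for the
    original account, never to the address typed into the form."""
    fp = pii_fingerprint(ssn_last4, dob, surname)
    token = secrets.token_urlsafe(32)
    existing = ACCOUNTS.get(fp)
    if existing is None:
        ACCOUNTS[fp] = {"email": email.strip().lower(), "verified": False,
                        "verify_token": token}
        OUTBOX.append((email.strip().lower(), "Verify your new account"))
    else:
        # Duplicate PII: offer recovery to the original owner only. A probe
        # using someone else's PII with its own email address gets no signal.
        existing["reset_token"] = token
        OUTBOX.append((existing["email"], "Reset your password"))
    return NEUTRAL_RESPONSE
```

Both branches do the same amount of hashing and token generation, so the response body and its timing give a prober nothing to distinguish.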

Is a domain name considered PII?

Unless you're stupid enough to make a link between a person and a domain, a domain will not be PII.

Making it PII would make it impossible for you to use it effectively, since the DNS system requires caching of the data by design (i.e. making copies of the data).

A domain is also always at least partly shared with other parties (the TLD, for example, and the ROOT).

In short, what are you trying to design that operates like that?

How to report PII leaks from a small business? [closed]

An HR consultancy I know has a big data protection issue. The company provides resume editing and interview coaching services. Some of the clients include Federal employees with active security clearances.

When loading a specific URL to access the site, and then stopping the page load process, one can access user name, email, phone number, and resume drafts, as well as last 4 digits of social for the clients. Pressing the "X" icon in chrome while the page is loading literally bypasses the login requirement and shows a page with all of the client data. The resume drafts contain PII like address, phone number, linkedin, email address, in some cases even active security clearance status. This is an issue that was reported 6+ months ago, but the company doesn’t care.

The URL needed for the exploit doesn’t come up when trying to do a URL fuzzer or an XML sitemap, but is still relatively generic. I guess, technically, in order to use the exploit a person needed to have been logged in at some point. Or have the URL shared. I’m sure there’s other ways to find the URL, since it’s quite generic, but I have not been able to do so since I’m not a security professional.

This seems like a giant security issue that should be fixed, but I don’t know whom to inform, and don’t want to be involved any more than necessary.

Any advice?

Cookies: have advertising platforms started to monitor and share emails and PII?

I was in a webmaster forum and I saw an ad that made a disturbing promise. They claimed that if a person makes a casual visit to their website, they can obtain that person's email address and send emails on their behalf or provide them with the email address.

I have been fighting spam since '91 and I first sat down at a web browser in '95. My first thought was "Wow, what would a webmaster do if he could get a visitor's email address!" But of course, web browsers didn't exactly have a configurable "Email:" HTTP header field (you can imagine!) and, in fact, a lot of attention was paid to trying to preserve user privacy, such as cookie sandboxing.

But then, I thought, (using Doubleclick as a paper villain here)

Retailer X receives a banner ad from doubleclick.net. DoubleClick has its own cookie, e.g. DC1234567, and DoubleClick also gets a Referer that gives away what page/product you are browsing, and has been tracking your activities this way throughout the web, all the time.

But then, Retailer X (at DoubleClick's request) embeds its Retailer X identification number X56789 into the URL of the DoubleClick image … so DoubleClick can link DC1234567 to X56789. Not too dangerous yet.

It turns out that I do business with Retailer X and they have my email, postal address, phone, credit card, etc. Whether by gift, sale or acquisition, Retailer X hands DoubleClick its customer list, which links X56789 to harper@example.com, John Doe, 123 Main Street, Anytown, USA, which DoubleClick matches to DC1234567.

It has been tracking the "DC1234567" browsing activity for years, and now, boom! It can go back to all the sites I've visited and say "We have your visitor's PII!" Retailer Y (whom I just casually searched and never gave my information) could literally buy that from DoubleClick and send me a custom postal mail with a coupon for the exact things I looked for. Hell, a magazine could just open a subscription and start sending me bills.

But then, for 20 years, nothing like this ever happened. I never received a single piece of postal mail. I didn't even receive emails that I didn't sign up for. I could not think of a technical reason why it was not happening. It seemed to be a gentlemen's agreement or a "we don't do that" taboo. I thought that privacy laws such as GDPR had sealed its fate.

Has anything changed?

Now I see this company openly advertising this. And now that I think about it, I recently had a couple of incidents of receiving emails or mailings that I didn't expect. Has my fear finally come true after 25 years?

How does their offer technically work? Is it different from what I originally assumed in '96?

And why only now?

pii – Request a security audit report from a company

A company asked me to send a scan of my passport in order to be completely "transparent" with them. I was wondering if I could ask for their latest security audit report to convince me that they are also transparent, so I can verify how well the company rates in terms of security …

I understand that I may not have access to all the details of the report, but if they performed a pentest, they could at least provide me with a conclusion, a score, etc. Although it is not a "normal" request from a regular customer, to be fair, it would be good if the company could be transparent about how they handle PII. What do you think?

In summary, if a company was genuinely transparent about how they rate in terms of security, don't you think it would be fair for them to share the conclusion of this report (made by an independent company, of course) when a random customer asks for it? At least there would be evidence to support their claims. By the way, I do not understand why a company would not do that, since the client would greatly appreciate that transparency, including those who think that all companies around the world say they take the privacy of their customers very seriously … right after a breach has occurred!!!

So, I contacted the company to learn a little more about how they handle PII. They just say so, that's all. For me, just saying so is not enough when it comes to handling passport scans …

Do Ingenico credit card readers store PII or merchant data?

One of my classmates came to me regarding the card readers we use. Specifically, an Ingenico iPP320.

He asked: "Does this store data that would require us to destroy the storage medium?" and, honestly, I don't know.

Obviously they have to have some way of knowing what organization we are, but what other information is on these things? How do you normally dispose of these types of devices?

I tried searching for articles and the company's support documentation, and emailed their support, but I didn't find any answer.

complexity theory: would $\Sigma_i^P \neq \Pi_i^P$ imply that the polynomial hierarchy cannot collapse at the $i$-th level?

If $\Sigma_i^P = \Pi_i^P$, then it follows that the polynomial hierarchy collapses to the $i$-th level.

What about the case $\Sigma_i^P \neq \Pi_i^P$?
For example, consider the case of $NP \neq coNP$. From what I understand, this would imply that the polynomial hierarchy cannot collapse to the first level, since if $PH = NP$, then in particular $coNP \subseteq NP$, meaning $NP = coNP$. Can we extend this idea to prove the general case:
$\Sigma_i^P \neq \Pi_i^P$ implies $PH$ can't collapse to the $i$-th level?
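An added proof sketch (not from the original question) that the $NP$ / $coNP$ idea extends to every level $i$; "collapses to the $i$-th level" is read here as $PH = \Sigma_i^P$ (the case $PH = \Pi_i^P$ is symmetric).

Suppose $PH = \Sigma_i^P$. Since $\Pi_i^P \subseteq PH$, we get $\Pi_i^P \subseteq \Sigma_i^P$. Now take any $L \in \Sigma_i^P$; its complement $\overline{L}$ lies in $\Pi_i^P \subseteq \Sigma_i^P$, so $\overline{L} \in \Sigma_i^P$, i.e. $L \in \Pi_i^P$. Thus $\Sigma_i^P \subseteq \Pi_i^P$ as well, and

$$ PH = \Sigma_i^P \;\Longrightarrow\; \Sigma_i^P = \Pi_i^P. $$

The contrapositive is exactly the claim: $\Sigma_i^P \neq \Pi_i^P$ implies $PH \neq \Sigma_i^P$. For $i = 1$ this is the $NP \neq coNP$ argument above.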

python: generating a fake number for a 25-digit PII number in a file containing millions of rows

I have to expose some confidential data that contains a PII column holding a 25-digit number. The rest of the columns are not PII. This is done so that the data can be shared securely with a wider audience without the values of the original PII column. But if necessary, I need to verify the original value; therefore, I need a lookup file that maps the PII to its pseudo number.

How do I generate a unique pseudo number so that we can map back to the original data later if necessary?

Currently there are around 22 million rows. There could be a maximum of 50 million such rows later as the data keeps coming.

I was thinking about UUIDs, but they are not really human-friendly, and UUIDs would be bad for indexing later if we move to a database (are we overthinking this?). Also, joining two data frames based on that index could be slow.

My current thought process using pandas (for the first file, containing 22 million rows):

  1. shuffle the rows with pandas (assuming it fits in memory)
  2. add a column with an auto-increment field (for example, pseudo_number)
  3. add another column with UUIDs (UUID4)
  4. create a lookup file with our new pseudo_number, UUID and original PII number

Now, when new PII data arrives:

  1. read the highest value of pseudo_number from the lookup file
  2. use that (+1) as the starting number for the previous process on the new data

tl;dr I need to generate unique random numbers for the PII column in a file that contains 22 million rows and maintain a lookup file. Later I would need to import into a database once the system grows.

Some initial code:

>>> import pandas as pd
>>> import uuid
# fictitious list (column d filled in so the frame matches the output below)
>>> l = [('C0000005', 'RB', 'C0036775', 'D185368')] * 27000000
# create a sample data frame to represent our data of more than 22 million rows
>>> df = pd.DataFrame(l, columns=list('abcd'))
# let the next column 'sensitive_col' represent our 25-digit number for now
>>> df['sensitive_col'] = df.index + 123456789

>>> df.head()
          a   b         c        d  sensitive_col
0  C0000005  RB  C0036775  D185368      123456789
1  C0000005  RB  C0036775  D185368      123456790
2  C0000005  RB  C0036775  D185368      123456791
3  C0000005  RB  C0036775  D185368      123456792
4  C0000005  RB  C0036775  D185368      123456793

# current code !!
# shuffle the rows so the pseudo number no longer follows the original order
>>> df = df.sample(frac=1).reset_index(drop=True)
>>> df['New_ID'] = df.index + 123
# create the UUIDs
>>> df['uuid'] = [uuid.uuid4() for _ in range(len(df.index))]

>>> df.head()
          a   b         c        d  sensitive_col  New_ID                                  uuid
0  C0000005  RB  C0036775  D185368      132571068     123  8c1974cf-49ff-4b87-bfac-b791156d1b1b
1  C0000005  RB  C0036775  D185368      130859684     124  2a170f08-43a9-4a1d-acf5-b537a229c7e9
2  C0000005  RB  C0036775  D185368      135318849     125  5b265c8e-35ea-4100-bac0-c77f4d3f85ea
3  C0000005  RB  C0036775  D185368      145963082     126  77e2e78c-c72a-4738-907a-9e4851a328d2
4  C0000005  RB  C0036775  D185368      141664707     127  de73b056-6c5e-4276-8b93-db44cd9990ba

Any suggestions?
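An added example (not from the original post) of the two-file scheme the question sketches, done without pandas so it runs stand-alone: a sequential pseudo number per distinct PII value, a shuffle so the number does not follow the file's row order, and a separate lookup for authorised re-identification. It also covers the case the post's "highest value + 1" step misses: a PII value that reappears in a later batch must keep the number it already has. Class and method names, the in-memory dict and the CSV column names are assumptions.

```python
import csv
import io
import random

class PseudoLookup:
    """Sequential pseudo numbers for a PII column plus the reverse lookup.
    Assumptions (not from the original post): the lookup fits in memory as a
    dict, and a PII value repeated across batches must keep its number."""

    def __init__(self, start: int = 123):
        self.to_pseudo: dict = {}      # PII value -> pseudo number
        self.from_pseudo: dict = {}    # pseudo number -> PII value
        self.next_id = start
        self.rng = random.SystemRandom()   # CSPRNG-backed shuffle

    def assign_batch(self, pii_values) -> list:
        """Return pseudo numbers aligned with the input. Unseen values get
        fresh numbers in random order, so the file's row order is not
        recoverable from the pseudo number (the post's shuffle step)."""
        pii_values = list(pii_values)
        new = [v for v in dict.fromkeys(pii_values) if v not in self.to_pseudo]
        self.rng.shuffle(new)
        for v in new:
            self.to_pseudo[v] = self.next_id
            self.from_pseudo[self.next_id] = v
            self.next_id += 1
        return [self.to_pseudo[v] for v in pii_values]

    def pseudonymise_csv(self, src_text: str, pii_col: str) -> str:
        """Rewrite CSV text with pii_col replaced by a pseudo_number column."""
        rows = list(csv.DictReader(io.StringIO(src_text)))
        if not rows:
            return src_text
        ids = self.assign_batch(r[pii_col] for r in rows)
        fields = [c for c in rows[0] if c != pii_col] + ["pseudo_number"]
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
        writer.writeheader()
        for row, pid in zip(rows, ids):
            row = {k: v for k, v in row.items() if k != pii_col}
            row["pseudo_number"] = pid
            writer.writerow(row)
        return out.getvalue()

    def lookup_csv(self) -> str:
        """The separately stored, access-controlled lookup file."""
        body = "\n".join(f"{pid},{pii}" for pid, pii in sorted(self.from_pseudo.items()))
        return "pseudo_number,sensitive_col\n" + body + "\n"

    def reidentify(self, pseudo_number: int):
        """Authorised reverse mapping; None if the number was never issued."""
        return self.from_pseudo.get(pseudo_number)
```

Numbers issued in later batches are necessarily higher than earlier ones, so the pseudo number still reveals roughly when a value first arrived; the lookup file is the sensitive artefact and needs the same access control as the original column.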