Personal identifiable information, or PII, plays a vital role in providing additional information or context to make informed decisions. Because of this, PII is one of the most sought-after and targeted pieces of information on the modern battlefield we call the Internet.

PII can be as simple as an individual’s name or address and can expand to biometric records. Protecting this vital information is crucial for any organization, especially with global regulations such as GDPR enforcing hefty fines that can reach up to 10 million euros.

What is PII masking?

PII masking has had center stage in masking and anonymizing personally identifiable information to make it safer for this sensitive information to be shared and used by organizations.

Many techniques are used to mask PII, such as tokenization, anonymization, and shuffling, which disassociate the individual from the actual data, making it difficult for anyone to trace the individual back to the dataset.

Can PII masking be reversed?

Even though masking techniques are used in almost most processes that handle PII, it is not a guaranteed mechanism to secure data since, just like any other system, this, too, can be cracked and broken to trace the data back to an individual or group of individuals.

Even though there are ways to break PII masking techniques, some practical challenges arise during the process of reversing PII masking on a specific dataset. Some commonly faced challenges include:

  1. Complex masking algorithms
  2. Data volume and diversity
  3. Data fragmentation
  4. Lack of contextual information
  5. Resource intensiveness

Techniques For Reversing PII Masking

While overcoming the common challenges that can arise during the process of reversing PII masking, the following techniques are some of the common approaches being used.

1. Data Re-Identification

This involves re-identifying masked data using additional details or algorithms. The masked PII can be reverse-engineered using probabilistic matching, machine learning, or correlation analysis techniques.

  • Probabilistic matching: This approach involves comparing masked data to external datasets or known patterns in order to probabilistically derive the original PII. Algorithms determine the chance of a match based on similarities between masked and unmasked data, accounting for criteria such as data quality and uniqueness.
  • Machine learning algorithms: Advanced machine learning models may be trained on both masked and unmasked data to discover patterns and correlations that aid in reidentification. Deep learning and neural networks can capture complicated associations, enhancing re-identification accuracy.

2. Pattern Recognition

Analyzing patterns in masked data can disclose identifiable information. For example, specific trends in dates (e.g., birthdates or event dates) or incomplete information (e.g., phone numbers) may provide information about the original PII. Statistical methodologies and data mining techniques can aid in successfully identifying and interpreting these patterns.

3. Statistical Analysis

Statistical methods can derive the original PII from masked data by examining distributions, frequencies, or correlations between data points. Techniques such as regression analysis, clustering, and principal component analysis (PCA) might reveal underlying patterns or correlations that help in re-identification.

4. Collaborative Attacks

Combining multiple data sets or working together with other sources may offer additional information that can be used to reverse masking. Attackers might increase their chances of success by utilizing external knowledge or data breaches to supplement the information available for re-identification. However, this strategy poses ethical and legal questions about data sharing and privacy.

5. Social Engineering

Social engineering techniques, such as phishing or pretexting, can be used to obtain additional information to supplement the disguised data. Attackers might improve their re-identification efforts by exploiting human weaknesses or convincing people to give sensitive information. This strategy is based on psychological manipulation and deceit rather than technical competence.

6. Manual Inspection

In rare circumstances, manually inspecting the masked data or related metadata may reveal important insights into the underlying PII. Analysts may discover hidden information that allows for re-identification by carefully examining trends, inconsistencies, or abnormalities in the data. However, manual inspection is time-consuming and may not be possible for large datasets or complicated masking tactics.

Wrapping Up

Just as there can be flaws in every system or process, there can be flaws in PII masking techniques used within an organization. This could be caused by the dataset, partial separation of the data, the type of data being masked, or even the masking technique or algorithm itself.

Following best practices and guidelines is a way to ensure that no additional vulnerabilities are introduced into the systems that mask or use this data. However, with the increasingly complex methods that are used to mask PII, equally complex methods can be employed to reverse these efforts.

It is crucial to understand that legal and ethical issues may arise from attempting to reverse PII masking; however, this does not stop malicious attackers from employing advanced techniques to reverse PII masking. Therefore, it is always advisable to stay up-to-date with the latest trends and findings so that appropriate actions can be taken to mitigate any risk that may arise.