Terbium Labs Study Finds a Mere 11 Percent of IT Professionals Deem Employee Social Security Numbers to be High-Risk, In Stark Contrast to Customer Social Security Numbers (38 Percent)
October 15, 2019 – Baltimore – Identity theft and fraud have become commonplace in the digital-first environment we live in today, with 3 million identity theft and fraud reports received in 2018 by the Federal Trade Commission. More often than not, identity theft and fraud occur when sensitive data, including social security numbers, has been stolen, exposed and shared online. Despite these statistics, employee social security numbers fall alarmingly low on IT’s risk barometer for online exposure, according to The Underrated Risks of Data Exposure study released today by Terbium Labs.
The study, which surveyed over 300 IT professionals in the United States and Canada, reveals a major disparity that exists between the level of exposure risk associated with employee data, compared to customer data. For example, 38 percent of the respondents believe customer social security numbers to be at a high risk of exposure. This finding isn’t all that surprising given the fact that the 2019 Capital One data breach and the 2017 Equifax breach resulted in the theft of social security numbers for many consumers. However, it’s both surprising and disheartening to see that employee social security numbers are deemed to be at far lower risk of exposure – a mere 11 percent. This disparity may be a symptom of a larger industry problem: a lack of understanding about the true value of and risks to employee data.
According to Emily Wilson, VP of Research at Terbium Labs, this flawed comprehension of employee data’s value could, in turn, result in apathy and a subsequent failure to monitor and detect exposure of employee data. As Wilson explains, “The fact of the matter is that employee data is often the skeleton key to all of the sensitive data organizations hold – including highly confidential customer data. The IT industry’s apparent lack of concern when it comes to the risks facing employee data will inevitably carry serious consequences for organizations. This will unfortunately add fuel to the flames by increasing the likelihood of identity theft, fraud and data theft aimed at their employees, their organizations and their customers.”
Key findings from the study include:
- Walking the data breach tightrope: online login credentials, social security numbers and credit card numbers are deemed high-risk customer data. When we asked the survey respondents to specify which types of customer data they believe to be at high risk of exposure, online login credentials came in as the number one response, at 52 percent. Additionally, customer social security numbers and credit card numbers came in at 38 percent and 30 percent, respectively.
- Phishing is the chief instigator of data exposure, made worse by uninformed employees. 33 percent of the surveyed IT professionals cited phishing as the most likely security incident to result in data exposure. Despite this reality, 27 percent of the respondents admitted they are not confident in their employees’ ability to recognize phishing scams and avoid suspicious or fraudulent emails.
- Repeat offenses of data exposure are a matter of fact, not fiction. 41 percent of the respondents believe sensitive corporate data could be exposed, shared and even sold on the Internet – across the open, deep and dark web – between two and seven times. Plus, another 35 percent believe re-exposure is a foregone conclusion and could occur more than 10 times.
- Apathy is clouding IT’s judgement about the necessity and value of dark web monitoring. Despite the fact that 23 percent of the surveyed IT professionals admitted that their organization has had sensitive corporate data exposed in the last 12 months, 16 percent indicated they don’t know whether or not their organization has had information exposed. Worse yet, 6 percent of the respondents said they don’t currently take any steps to monitor and detect data exposure, while 17 percent said they aren’t sure if their organization implements any detection measures.
Wilson concludes, “Despite the majority of respondents claiming their organizations had not been breached within the last year, research from IBM indicates that breaches go undetected and uncontained for 279 days, on average. This means many organizations who responded saying they had not been, or were unsure if they had been breached, may very well have been successfully infiltrated by bad actors. And with 4.1 billion records already exposed in the first six months of 2019, organizations are sitting on a tinderbox of risk, unaware of the security and privacy dangers surrounding them. To stay one step ahead of these risks, organizations must be proactive and diligent in monitoring and detecting for data exposure to minimize the negative consequences to their organizations, their customers and their employees.”
About Terbium Labs
Terbium Labs empowers organizations to reduce the risk of inevitable data exposure. Matchlight, the company’s comprehensive digital risk protection (DRP) platform, features continuous digital asset monitoring, robust analytics, and actionable intelligence to quickly identify and minimize the impact of exposed data across the Internet – whether it’s the open, deep, or dark web. Featuring its patented data-fingerprinting technology that ensures private data stays private, a unique fusion of data science and machine learning, and dedicated analysts, Terbium Labs provides pinpoint accuracy for early detection and remediation of data exposure, theft, or misuse across the digital landscape. Learn more about Terbium Labs’ unique approach to DRP by visiting www.terbiumlabs.com or on Twitter @TerbiumLabs.
Method Communications for Terbium Labs (US)