PII Disclosure¶
Overview¶
There are many types of sensitive information that products must protect from attackers, including system data, communications, configuration, business secrets, intellectual property, and an individual's personal (private) information. Private personal information may include a password, phone number, geographic location, personal messages, credit card number, etc.
Private information is important to consider whether the person is a user of the product, or part of a data set that is processed by the product. An exposure of private information does not necessarily prevent the product from working properly, and in fact the exposure might be intended by the developer, e.g. as part of data sharing with other organizations. However, the exposure of personal private information can still be undesirable or explicitly prohibited by law or regulation.
Some types of private information include:
- Government identifiers, such as Social Security Numbers
- Contact information, such as home addresses and telephone numbers
- Financial data - such as credit card numbers, salary, bank accounts, and debts
- Health - medical conditions, insurance status, prescription records
- Account passwords and other credentials
PII disclosure detection is currently limited to detecting credit card numbers.
Recommendation¶
Avoid returning sensitive information, like PII, unless absolutely necessary for API operation.