What is personally identifiable information (PII)?
Personally identifiable information, or PII for short, refers to any type of online data that can lead back to you. And while these details enable you to get a job, travel, instantly send and receive money online, and even unlock your phone, they can also fall into the wrong hands.
In fact, more than 50% of all data breaches include some form of PII, be it emails, phone numbers, or residential addresses.
Fortunately, you can also protect your PII from these situations, and the Cybernews research crew and I dug deep to find out how. We investigated the most common ways malicious players can get access to your PII, as well as what you can do to prevent that from happening.
What is personally identifiable information?
The US Department of Labor describes PII as "information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual."
Meanwhile, the UK’s Information Commissioner’s Office (ICO) simply defines it as "information that relates to an identified or identifiable individual."
While there are various definitions of it online, PII generally refers to any information that can identify an individual. This also brings us to our primary division of PII.
First of all, you have direct identifiers, which include any pieces of information that can trace back to you on their own.
On the opposite side are indirect identifiers, also known as quasi-identifiers. These are factors that you share with thousands of other individuals, so they can’t lead back to you directly. Use them in conjunction with other details, however, and they become quite dangerous.
Sensitive vs. non-sensitive PII
Besides the direct vs. indirect division, PII can also be categorized as sensitive or non-sensitive.
The former refers to any type of data that, if disclosed, could potentially harm you. As such, this type of information should be encrypted while at rest and during transmission.
Sensitive PII includes emails, passwords, biometrics, passports, social security numbers (SSNs), employer identification numbers (EINs), employee personnel records, school identification numbers, bank accounts, credit and debit card numbers, personally identifiable financial information (PIFI), and medical data covered by HIPAA.
Non-sensitive PII, on the other hand, typically revolves around ZIP codes, age ranges, birth dates, genders, races, and religions. It’s also usually freely available to the public. Thus, you’ll often find it in phone books, corporate directories, and other sources that anyone can access.
Since it can’t harm you on its own, it’s usually transmitted without encryption. However, bad actors can still use these details against you by relying on data triangulation. For instance, someone could use the ZIP code in the background of your social media picture to narrow down your location. If they have anything else on you, they can easily narrow down their search.
Types of PII
Personally identifiable information comes in the shape of names and numbers, but also biometrics and demographic data. Nonetheless, all of these items can be classified as one of these types:
- Direct identifiers. Your name, SSN, phone number, driver’s license number, credit or debit card information, residential address, email address, and biometric data like fingerprints or facial scans can all identify you on their own. As such, they all fall under the direct identifiers umbrella and should be protected at all costs.
- Indirect identifiers. Also known as quasi-identifiers, these include your age, date of birth, gender, race, geographic location, and passport number. On their own, they can’t do much. However, malicious players can use them in conjunction with other data points to identify you.
- Inferred data. Any information that isn’t explicitly provided by you but is instead derived from other data points is considered inferred data. This could be anything from your political stance to your musical preference based on Spotify history or your creditworthiness based on purchases. And since it’s generated by analysis, inferred data isn’t always correct.
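The data triangulation described above, where quasi-identifiers such as a ZIP code, birth year, or gender are combined until only one person fits, can be measured with the k-anonymity check that privacy engineers run before releasing a dataset. The Python below is an added example, not code from the Cybernews article; the records and field names are constructed for illustration.

```python
from collections import Counter

# Constructed sample release (not from the article): names were stripped, but the
# "non-sensitive" quasi-identifiers ZIP code, birth year and gender were kept.
RECORDS = [
    {"zip": "02138", "birth_year": 1985, "gender": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1985, "gender": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1985, "gender": "F", "diagnosis": "migraine"},
    {"zip": "02139", "birth_year": 1970, "gender": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1970, "gender": "M", "diagnosis": "diabetes"},
    {"zip": "02140", "birth_year": 1992, "gender": "M", "diagnosis": "flu"},
    {"zip": "02140", "birth_year": 1992, "gender": "M", "diagnosis": "allergy"},
    {"zip": "02141", "birth_year": 1970, "gender": "M", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")  # assumed field names

def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi) for r in records)

def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """The smallest class size; k == 1 means at least one person is unique."""
    return min(equivalence_classes(records, quasi).values())

def triangulate(records, known):
    """Records consistent with the details already known about one person
    (e.g. ZIP from a photo background, birth year from a social profile).
    A single match means the 'non-sensitive' fields re-identified them."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]

def generalize(records, zip_digits=3, year_bucket=10):
    """Mitigation before release: coarsen the quasi-identifiers so that more
    people share every combination (truncate ZIP, bucket birth year)."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out

if __name__ == "__main__":
    print("k before release:", k_anonymity(RECORDS))                  # 1
    print("ZIP only:", len(triangulate(RECORDS, {"zip": "02139"})))    # 3
    print("k after generalizing:", k_anonymity(generalize(RECORDS)))  # 2
```

Knowing only the ZIP code leaves three candidates, but ZIP plus birth year (or gender) narrows the list to one record and exposes that person's diagnosis; generalizing the fields before release raises the minimum group size so no single record stands out.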
Why is PII important?
Almost everything you do today depends on personal information. From opening an account in your local bank or applying for a job to buying a movie ticket online, every modern system requires PII to quickly verify your identity.
However, this convenience also puts your data at risk of exposure. If it leaks, the consequences could be severe. That includes anything from fraud and financial loss to full-on reputational harm and even identity theft.
Say a scammer came across your PII on some random dark web forum. They could use that data to run an elaborate scheme on you and trick you into giving them your hard-earned money.
And can you even imagine the type of destruction a stolen identity would bring? From potential employers finding false info when they look you up to you ending up in jail for something you didn’t do, anything could happen.
How PII gets exposed
These are the most common culprits behind the ever-increasing number of incidents involving sensitive information:
- Data breaches. As seen in the infamous Equifax incident of 2017, data breaches can lead to millions of private records being exposed.
- Public data leaks. Human errors and server or cloud misconfigurations can also lead to incidents related to sensitive information.
- Phishing. Scammers can also trick people into revealing their private data. They do that by sending email links that lead to legitimate-looking but ultimately fake sites.
- Social engineering. Attackers can gain your trust and, thus, your login credentials by pretending to be tech support or even someone you know.
- Device theft. Your phone and laptop probably have tons of saved login credentials. Having these devices stolen is like handing the thief the keys to your entire digital life.
- Unsecured networks. Ever signed into an unprotected airport or coffee shop Wi-Fi? If you did, someone could have easily intercepted your sensitive info.
- Insider threats. It’s not uncommon for someone who has been laid off to deliberately leak company data. Careless employees also do this, albeit unintentionally.
How to protect your PII
Although bad players are getting more creative by the day, proper digital hygiene can still help. That’s why I’ve compiled a list of tips that can help make your private data significantly safer:
- Use long and complex passwords with special symbols whenever you’re registering for something.
- Take advantage of encryption, either by using BitLocker on Windows PCs or by adding a PIN or a password to your phone.
- Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on any account that supports it.
- Limit the number of data points you share online by using temporary emails, numbers, or full-on alternative IDs.
- Make your devices more secure by keeping them up-to-date and installing a reputable antivirus and firewall.
- Take advantage of identity theft protection tools like Aura and Coveron (previously known as NordProtect) to continuously monitor for your sensitive data online.
- Minimize your digital footprint by deleting any accounts you no longer use and limiting the number of services you sign up for.
- Adopt PII leak prevention policies and implement safe data handling practices across your organization.
- Practice safe disposal by completely wiping any devices you might be selling or giving away.
What to do if your PII gets compromised
Regardless of how careful you’ve been, things can always go south, and your sensitive data may end up in the wrong hands, in which case you’ll have to act fast:
- Monitor your accounts. Keep an eye out for your bank statements and email logins.
- Change your passwords. Update any account that may have been affected by changing its password to something you’ve never used before.
- Notify relevant authorities. Report the incident to the police and data protection agencies.
- Freeze your credit. Get in touch with the 3 credit bureaus and block any new credit lines in your name.
You can also contact dedicated identity protection services and get professional help if you’re not confident about handling these tasks yourself.
Conclusion
Personally identifiable information runs our world, and we rely on it for almost everything we do today. From registering on job-hunting sites and paying for services to ordering food and entering giveaways, all of our current systems use PII.
However, these data points also hold the keys to our identity. If misused, they can also impact our finances and reputation. With even the smallest bits being capable of leading to serious problems like fraud or identity theft, protecting your PII becomes paramount.
A good way to go about it is to be proactive with safe password and account monitoring practices. This also includes limiting what you share online and with whom. Using identity theft protection software like Aura and Coveron can make a real difference. After all, these tools continuously monitor for data leaks and instantly alert you to breaches.
FAQ
Is my email address considered personally identifiable information?
Yes, your Gmail/Hotmail accounts qualify as PII. Even if they don’t include your full name, email addresses can reveal other information that attackers can use against you. Sometimes, they’ll link straight back to you, in which case they’re direct identifiers.
Can non-sensitive information still be used to identify me?
Unfortunately, it can. Even something as harmless as your date of birth can play a crucial part in tracing back to you. Attackers can use a technique called "data triangulation", which essentially boils down to employing non-sensitive PII in conjunction with other details to identify you.
Is PII protection required by law?
It is, but not everywhere. For instance, organizations that collect and store PII of EU citizens are bound by the GDPR. California has something similar called the CCPA. It essentially gives the state’s residents the right to control their PII.
Can I remove my PII from the internet completely?
Not quite. Obviously, you can significantly decrease your digital footprint and remove yourself from search engines via software like Aura or Coveron. You can also opt out of data brokers. But keep in mind that if you go for Coveron, you won't be able to enjoy its identity and cyber protection perks if you're a New York resident. Still, full PII removal remains challenging, and deleted data may also resurface after a while.