After finishing up some research on personally identifiable information I thought, mistakenly, that I was familiar with the most exotic forms of PII uncovered in recent years, including zip code-birth date, movie ratings and other consumer preference information, social network relationships, and facial images. And then I came across an article in Forbes that forced me to add one more to the list: pictures of automobile license plate numbers.
License plate numbers are themselves, of course, obvious identifiers. In theory, you can make a license plate request to a state’s department of motor vehicles—my home state of NJ lets you do just that—to request personal information, including the vehicle’s owner. But you will need a valid reason—court case, insurance, background checks, and also, interestingly, market research purposes.
What has made license plate numbers an even deeper source of personal information are networks of cameras and roving camera-equipped vehicles, good character recognition software, and large databases of license data. Not surprisingly, data brokers have entered this market. One of those brokers claims to have hundreds of millions of vehicle sightings in its databases—i.e., combinations of a license numbers and geo-coordinates.
Adam Tanner, the write of the Forbes article and also a Fellow at Harvard’s Government Department, used a license plate data broker to track the movements of two of his relatives—with their permission.
In effect, the license plate number unlocks a range of sensitive data about the individual, say medical information if the car is parked at a center specializing in cancer treatment, financial if the license number is frequently found at a company specializing in credit problems, or just merely shopping preferences based on stores or malls visited.
As we’ve seen with other types of next-gen PIIs, technology has made it possible to draw unlikely and non-intuitive connections with existing data. With a birth date and zip code, for example, a data broker can tell you name and address. Now with license plate numbers, they can provide highly granular day-to-day activities, and, as we’ve just seen, this can include very private information.
I strongly suspect that future regulations will take these results into account, and likely place stricter data privacy and security obligations on companies holding consumer data. So the question we always ask around here—“do you know your data?”—should continue to yield surprising results as researchers and others find new ways to pull personal data from what was thought to be anonymous or fairly benign information.
Image credit: Dickelbers
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
