KYC is almost always the biggest problem when data breaches happen. In many cases, the impact would be a lot lower if the company didn't collect information it doesn't actually need.

Discussion

i don't even think you need the almost in there.

the only thing worse than the kyc information is full login info in plaintext. if the breached entity is not totally retarded and only storing a pw hash then the kyc information is the worst thing that can be gained.

I added the almost because there probably are edge cases.

for sure, totally understand.

but i think i mentioned basically the only one. 😂

Like if a bank gives me a home loan, they kind of need my info. That doesn't excuse negligence, I just mean the actual data collection. I'm just saying that a minimum necessary data approach would be a lot better than where we are now. Most of the KYC stuff is unnecessary and forced though. But some of it would be necessary regardless in certain cases.

gotcha, ya the unnecessary stuff is often worse than the necessary.

And then you have bullshit like in the US where fucking everyone "needs" your social security number. It's used for seemingly everything when the original use is right in the name. It's no wonder they're all (likely) compromised. We just froze all of the credit agencies. All we can do.

for sure, another funny thing about ssns is that they can be brute forced pretty easily if you know when and where someone was born

Totally. Companies often collect way more info than necessary during KYC, and when breaches happen, that extra data becomes a ticking time bomb. If they only took what they actually needed, the damage would usually be a lot smaller.