Please Email Us Your PII

piiNo, we are not asking you to email us your PII (Personally Identifiable Information), but we are seeing other companies asking customers to do so more and more often when it comes to e.g. making online purchases, and it is a worrying trend.

We ourselves have experienced suspect requests like this a few times. A customer support representative at the Danish branch of Lebara, a telecommunications company based in UK, once asked us to email a copy of a Visa credit card to validate it, when their website kept throwing errors (we declined). One of our employees was asked by customer support at Thai Airways to email a copy of his passport to reset an account password (also declined). Now, just last week, we encountered it yet again when attempting to purchase electronics equipment for our research lab from Mouser Electronics, a major US-based company owned by TTI and thus Berkshire Hathaway.

A few minutes after completing an online purchase, we received the following email:

Thank you for your order with MOUSER Electronics!

As this is your first order placed with our company, we would like to accurately set up your account parameters with Mouser. Your future orders will therefore be processed timely and efficiently.

In order to validate the credit card in regards to the billing and shipping address, would it be possible to send us a copy of any identification means (ID, passport, driver license etc.?) We want to make sure to take this extra precaution in order to protect our customers from any potential misuse of their credit card by a third party.

Should this not be a preferred option for you, the offered alternative is to prepay for the order. We can send the proforma invoice including the bank details for processing the wire transfer.

Let us make it clear: Asking anyone – regardless of how legitimate the company may be – to email a copy of their credit card information, ID, passport, or driver license is suspect and unacceptable. Never comply! Providing PII via email is widely considered bad practice and both agencies like the FTC and companies like Google discourage responding to emails asking for personal information.

At Risk Based Security we process information about data breaches every single day. There are so many reasons why a company asking customers (or would-be customers) to email PII is a very bad idea.

First off, email is not considered a secure method of transferring PII. In many cases, it should be considered similar to sending a postcard in regular mail; anyone intercepting it can read it. Email servers are also not the best place to store it, as it is usually unencrypted and not well secured. There is often a lack of control of where the emails may end up, and it is easy for employees to forward the sensitive information to other employees or external parties. We see data breaches due to compromised email servers all the time. In fact, there have been more than 80 breaches in 2016 arising solely from inappropriate email usage, compromising more than 785,000 personal records. These happen not only for small companies, but also large organizations and public institutions.

Second, PII should not be accessible to “random” employees like customer account representatives or customer support. While the companies may have faith in their employees, customers should not and cannot trust them with their PII. Unfortunately, the majority of a company’s customer base do not understand the full risk of emailing PII. That is why companies should have strict policies in place to never ask for it. In the case of Mouser Electronics, they offered an alternative if emailing the PII was not the preferred option. It is good they offer an alternative, but it should be the only option; not an alternative.

More importantly, while these companies may claim they are doing this to protect you, like Mouser Electronics did, they are not only subjecting you to more risk if complying, but they are also being disingenuous. Most Western countries have legislation in place to protect consumers against online credit card fraud. Consumers simply need to contact their bank, inform them of the fraud, and the bank will take steps to prevent further misuse and restore the customer’s account.

The real reason for companies asking about proof of identity is to protect themselves, and they will apparently happily gamble with their customers’ sensitive personal information in order to do so.

Ironically, these suspect policies not only put the consumers at risk, but also expose the companies to greater liability risk; especially if operating in the USA and soon EU with the upcoming GDPR (General Data Protection Regulation). Companies like Mouser Electronics are setting themselves up for more liability and potential failure to comply with regulations that could result in severe financial penalties if the sensitive data is mishandled or part of a data breach.

It is quite simple: This is a worrying trend and any companies with policies to ask for PII via email or similar unsafe manner should disband this practice immediately. Both in their own interest and that of their customers.

For consumers the advice is equally clear and simple: Never provide PII or similar sensitive information via email to companies even if you’ve validated that the request is not a phishing attack, but actually from a legitimate company you are trying to do business with.

Update Regarding Mouser Electronics

After discussing our concerns with Mouser Electronics, they confirmed the policy indeed was in place to protect their company against credit card fraud and not just customers. However, they clarified that they do accept customers sending a copy of their ID with sensitive information blackened out. Mouser Electronics just need to see the name and optionally address on the ID. We advised Mouser Electronics that while we still do not recommend asking customers to email copies of their IDs, they should at minimum clearly in their email template advice customers to redact sensitive information before emailing it. Mouser Electronics has confirmed they will make such a change.