Techrecipe

Make data de-anonymizable A poor US my data company

It is said that Yodlee, an American my-data company, had a vast amount of bank data and credit card transaction data for one million people in the United States without anonymizing it. Reportedly, internal documents suggest that Yodley customers can turn off anonymity if they find it to download a huge text file.

An internal document in 2019 explains how Yodley gathered data from partners such as banks and credit card companies. It is said that the data included identifiers related to the bank or credit card owner, the number of transactions, the date of purchase, the store where the transaction was made, and other metadata. It also has data on several retailers, such as restaurant orders via delivery apps. When Yodley customers access the data, it is downloaded in the form of a text file rather than the interface operated by Yodley.

The internal document also explains the data organization structure that Yodley creates text files. It means hiding account numbers, phone numbers, and social security numbers in XXX characters. When performing data cleaning, you can hide financial transaction data, payroll, and bank or credit card company names at the same time.

However, data cleaning is to discard the identifier assigned to each account as it is. Several studies have pointed out that even anonymized data can be identified by reverse engineering and is surprisingly simple without general information.

According to experts, if the information on which a specific person has purchased something is confirmed, other transaction data can also be de-anonymized using the same identifier. For example, if you can figure out the time and location for 3 or 4 purchases, an attacker could de-anonymize the account with a high probability. It will also be de-anonymized, allowing individuals to obtain other transaction data.

One expert pointed out that Yodley’s data cleaning only rewrites the data under pseudonyms, so if you get your hands on the dataset, the rest will be able to identify your data by knowing when and where you bought it.

Yodley and parent company Envestnet say consumer privacy is preserved by anonymizing personal financial data. However, researchers explain that data that have been anonymized over several years can be de-anonymized based on some information. Experts say consumers don’t understand how much of the risk Envestnet has exposed their information. The concern is that Envestnet does not mandate banks or credit card companies to notify consumers that this is happening. Says. Related information can be found here .

lswcap

lswcap

Through the monthly AHC PC and HowPC magazine era, he has watched 'technology age' in online IT media such as ZDNet, electronic newspaper Internet manager, editor of Consumer Journal Ivers, TechHolic publisher, and editor of Venture Square. I am curious about this market that is still full of vitality.

Add comment

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most discussed