🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Inadequate Privacy Controls

Privacy controls focus on safeguarding Personally Identifiable Information (PII), such as names, addresses, credit card details, e-mail and IP addresses, and sensitive information about health, religion, sexuality, and political opinions. PII can be compromised in several ways, leading to violations of confidentiality (leakage), integrity (manipulation), or availability (destruction or blocking).

Remediation

  • Minimise the collection and storage of PII, retaining only what is essential for functionality and compliance.
  • Encrypt PII both in transit and at rest using strong encryption standards such as AES-256.
  • Implement strict access controls to ensure that only authorised personnel can access PII.
  • Use anonymisation or pseudonymisation techniques to reduce the sensitivity of stored data.
  • Apply data retention policies to securely delete PII that is no longer needed.

Metadata

  • Severity: low
  • Slug: inadequate-privacy-controls

CWEs

  • 359: Exposure of Private Personal Information to an Unauthorized Actor

OWASP

  • M6:2024: Inadequate Privacy Controls
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.