Study: “Anonymous” Credit Card Data Is Actually Completely Identifiable

We all kind of know that credit card data isn’t terribly secure, and that the payment information is likely to get swiped eventually. But that information is all theoretically anonymous. Without a name, address, or ZIP code attached, our credit card information doesn’t say much about us personally, right? Wrong.

A study released by researchers at MIT this week shows just how easy it is to spot almost all of us just by our spending, the AP reports.

The research team wanted to know: how much “anonymized” data would it take to identify you? If your ZIP code and name and all other identifying information are stripped away, how many records does someone need to figure out who you are?

The answer is: four. At most. Three, if at least one price is included.

That’s all it takes to pick you out of a crowd with over 90% accuracy, the research team found.

Any three or four transactions can give you away, and it doesn’t have to be anything fancy like air travel. Kleenex, coffee, and a sandwich? If the researchers could see the price for any one of those items, they could figure out who it was doing the spending.

The researchers looked at transaction information from 10,000 retailers (not in the U.S.), with each piece of data time-stamped. They were then able basically to reverse engineer identities from spending:

As an example, the researchers wrote about looking at data from September 23 and 24 and who went to a bakery one day and a restaurant the other. Searching through the data set, they found there could be only one person who fits the bill – they called him Scott. The study said, “and we now know all of his other transactions, such as the fact that he went shopping for shoes and groceries on 23 September, and how much he spent.”
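A data owner can measure this risk before releasing a dataset. The following is an added example, not code from the study or the article: it counts how often k known purchases match exactly one person in a small constructed dataset. The trace data, the function names, the exhaustive enumeration, and attaching a price to every known point are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample: pseudonym -> list of (shop, day, price). Not study data.
TRACES = {
    "u1": [("bakery", "09-23", 4), ("restaurant", "09-24", 30), ("shoes", "09-23", 80)],
    "u2": [("bakery", "09-23", 4), ("grocery", "09-23", 25), ("restaurant", "09-25", 30)],
    "u3": [("bakery", "09-23", 9), ("restaurant", "09-24", 55), ("grocery", "09-23", 25)],
    "u4": [("cafe", "09-24", 3), ("grocery", "09-23", 25), ("shoes", "09-23", 80)],
}


def matches(traces, known, with_price):
    """Return the pseudonyms whose trace contains every known point."""
    # Without price, a point is only (shop, day); with price it is the full tuple.
    project = (lambda p: p) if with_price else (lambda p: p[:2])
    want = {project(p) for p in known}
    return [u for u, t in traces.items() if want <= {project(p) for p in t}]


def unicity(traces, k, with_price=False):
    """Fraction of all k-point subsets of each trace that match exactly one person."""
    total = unique = 0
    for user, trace in traces.items():
        for combo in combinations(trace, k):
            total += 1
            if matches(traces, combo, with_price) == [user]:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # "Bakery one day, restaurant the other" fits two people here until price is added.
    known = [("bakery", "09-23", 4), ("restaurant", "09-24", 30)]
    print("no price:", matches(TRACES, known, with_price=False))
    print("with price:", matches(TRACES, known, with_price=True))
    for k in (1, 2, 3):
        print(k, round(unicity(TRACES, k), 2), round(unicity(TRACES, k, True), 2))
```

A unicity close to 1.0 at small k means that stripping names and ZIP codes has not made the release anonymous; coarsening the day, shop, or price fields and re-running the measurement shows how much each generalization actually lowers it.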

The study also found that it was easier to identify women than men by their spending alone, though it did not determine why that is.

The complete lack of anonymity in “anonymized” data is a major area of concern for privacy experts and even the FTC. The ability for “non personally identifiable” data to in fact personally identify basically everyone is, at best, a hazard to privacy and, at worst, downright menacing. If you buy things less innocuous than a muffin — like medical supplies — you probably don’t want every company in the world able to follow your digital breadcrumbs and figure out who you are.

‘Anonymized’ credit card data not so anonymous, study shows [Associated Press]