Simulating data breaches: Synthetic datasets for depicting personally identifiable information through scenario-based breaches

Abstract

With hackers relentlessly disrupting cyberspace and the day-to-day operations of organizations worldwide, there are also concerns related to Personally Identifiable Information (PII). Due to the data breaches and the data getting dumped on the clear web or the dark web, there are serious concerns about how the different threat actors worldwide can misuse the data. Also, it raises the question of how hackers can create a profile of an individual starting from one data leak and getting more details on individuals with the help of Open Source Intelligence (OSINT). Furthermore, there is a dilemma in utilizing data breach datasets dumped on the clear web or the dark web because of the sensitive nature of the information. There can be issues related to ethics, law enforcement, and legal use of data. Thus, to tackle this, we will construct synthetic datasets that will allow researchers and professionals to understand how data leaks can be dangerous and how hackers can connect the dots further by creating complete profiles of individuals. We have programmatically generated a synthetic master record of 4 million unique individuals with complete profiles of their PIIs, and then using the master record, we have further generated 16 scenario-based datasets by creating a fictitious narrative of data breaches covering different industry types. These datasets will facilitate researchers and industry professionals in understanding the distribution of PIIs across data breaches. The data classes represent the nature of PIIs sourced from ‘Have I Been Pwned?’ to create synthetic records. The synthetically generated records are shared with the code in this paper to facilitate future researchers and practitioners to generate customized synthetic records according to their requirements, enabling transparency in terms of reusability, reproducibility, and replicability.