Anonymous credit card transactions can be used to identify specific people, a new study has revealed.
The report, titled Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata (published this month in Science magazine), was compiled by a group of researchers who analysed credit card transactions made by 1.1m people in 10,000 stores over a three-month period. All payments were made in one country but that country has not been revealed.
The raw data was provided by a “major bank” and did not contain names, credit card numbers, shop addresses, or exact times of the transactions. All that remained was the metadata, ie the amounts spent, shop type and a code representing each person.
Yet by using computer algorithms, this information was enough to identity 90pc of the shoppers as unique individuals and to uncover their entire transaction history.
According to researchers, the results highlight the need for new safeguards to be put in place. “The message is that we ought to rethink and reformulate the way we think about data protection,” said Yves-Alexandre de Montjoye, a graduate student in computational privacy at the MIT Media Lab and lead author of the study. “The old model of anonymity doesn’t seem to be the right model when we are talking about large-scale metadata.”
Data security image via Shutterstock