‘Anonymous’ Credit Card Data Can Still Give You Away

A security researcher has shown it's possible to identify the owner of a credit card from among millions of "anonymized" charges by knowing just a handful of that person's purchases. MIT's Yves-Alexandre de Montjoye explains in a new study that databases of credit card records, even stripped of personal information like card number, name and address, contain more than enough information to "re-identify" individuals.

Figure from Montjoye's paper shows how a card identified only by a random string of letters and numbers can be tied to a series of known purchases, identifying the rest of that person's purchases. MIT / Yves-Alexandre de Montjoye et al

Such databases are used by stores and cities to track commercial activity. Montjoye showed that patterns emerge even when only the location and time of purchases are available. In 90 percent of cases, it only took four known data points to tie an "anonymous" card to a real person — and sometimes fewer. For instance, if you know Jane went to the museum on Wednesday and gassed up her car Thursday, then compare that to the anonymous records, you may find that only one card made purchases in that order. That means it's Jane's card — and now you can look up all the rest of her purchases. Not so anonymous now!
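A data custodian can measure this risk on a data set before releasing it. The Python below is an added example, not code from the study: the card ids, shops and days are constructed, and the function names `matching_cards` and `unicity` are hypothetical. It checks the Jane scenario and computes how often k known purchases single out exactly one card.

```python
from itertools import combinations

# Constructed sample: pseudonymous card id -> set of (shop, day) purchases.
# Ids, shops and days are made up for illustration.
RECORDS = {
    "7f3a": {("museum", "Wed"), ("gas", "Thu"), ("cafe", "Fri")},
    "c91e": {("museum", "Wed"), ("cafe", "Fri"), ("grocery", "Sat")},
    "04bd": {("gas", "Thu"), ("cafe", "Fri"), ("grocery", "Sat")},
    "a2d0": {("museum", "Wed"), ("gas", "Fri"), ("bakery", "Mon")},
}


def matching_cards(records, known_points):
    """Return ids of cards whose trace contains every known (shop, day) point."""
    known = set(known_points)
    return {card for card, trace in records.items() if known <= trace}


def unicity(records, k):
    """Fraction of k-point samples, drawn from each card's own trace,
    that match exactly one card in the data set (exhaustive, no sampling)."""
    unique = total = 0
    for card, trace in records.items():
        for sample in combinations(sorted(trace), k):
            total += 1
            if matching_cards(records, sample) == {card}:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # The article's scenario: museum on Wednesday, gas on Thursday.
    print(matching_cards(RECORDS, [("museum", "Wed"), ("gas", "Thu")]))
    # Unicity rises as more purchases are known.
    for k in (1, 2, 3):
        print(f"k={k}: unicity={unicity(RECORDS, k):.2f}")
```

A unicity close to 1 at small k means that removing names and card numbers alone has not made the records anonymous.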

The study appears in this week's issue of the journal Science, which has a special feature on privacy and anonymity.



—Devin Coldewey