Personally Identifiable Information, or PII, is any data that can identify a specific person, either on its own or when combined with other details. Common examples include names, email addresses, phone numbers, postal addresses, account IDs, and payment or profile data linked to a real individual. In security work, PII is treated as sensitive because exposing it can enable fraud, phishing, identity theft, and account takeover.
PII often becomes the main target in web application breaches, especially in customer portals and online shops that store profiles, saved addresses, order histories, or account credentials. Attackers may steal it through credential stuffing, session theft, weak access controls, or abuse of administrative interfaces. Defenders reduce risk by collecting less data, encrypting stored records, limiting access, logging retrievals, and using strong authentication for users and admins. Good PII handling also helps with incident response, because teams can quickly determine what was exposed and which customers may be affected.