ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Default Polish Social Security Number data identifier allows false positives

book

Article ID: 169453

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

The built-in Polish Social Security Number (PESEL) data identifier allows false positives for strings that are not valid PESEL numbers.

Resolution

To resolve this, we recommend that you create a new custom data identifier (DI) to use in conjunction with a custom policy.

  1. In Enforce, go to Manage -> Policies -> Data Identifiers.
  2. Click Add Data Identifier.
  3. In the Details section, enter a name for this custom DI.  The description is optional, but recommended.
  4. In Patterns, enter the following string:
    • \d{11}
  5. Under Data Normalizer, select "Do nothing".
  6. Under Validation Checks, click Exclude beginning characters.
  7. In the Description and Data Entry box, under Exclude beginning characters, enter the following:
    • 0000
  8. Click Add Validator.
  9. Under Validation Checks, click Polish Social Security Number Validation Check.
  10. Click Add Validator.
  11. Click the Save button at the top of the window.  This will create your custom DI.

Now, let's create the custom policy to detect PESEL numbers.

  1. In Enforce, go to Manage -> Policies -> Policy List.
  2. Click New.
  3. Select Add a blank policy and click Next.
  4. Enter a name for your policy.  You can also enter a description, but this is optional.
  5. Select the policy group this policy should be in.
  6. Click Add Rule.
  7. Select Content Matches Regular Expression, then click Next.
  8. Enter a name for the rule.
  9. In the Regular Expression field, enter the following string:

 

\d{2}(0[1-9]|1[0-2]|2[1-9]|3[0-2])(0[1-9]|[1-2][0-9]|3[0-1])\d{5}

 

 

  1. Click the pull-down for Also Match: and select the custom DI we created earlier.
  2. Click Add.
  3. Click OK.
  4. Click Save.

 

At this point, you have a policy that will correctly detect PESEL numbers while excluding invalid numbers.  You can edit this policy to add other rules, exclusions, and response rules as needed.

 

Additional Information

PESEL numbers are in YYMMDDXXXXX format, however, the month is adjusted based on what year people were born.  People born from 1900-1999 has no adjustment, 2000-2099 is the month +20, 2100-2199 is +40, 2200-2299 is +60.  For example, if someone was born December 16, 2016, their PESEL would be 163216XXXXX.

Customers have found the stock DI will allow numbers through that have 00 (not possible) for the month or the day.

Due to earlier versions of the PESEL, it is best practice to include this custom DI as an OR statement in the same policy with the DI version included in the DLP release.

Powered by Wolken Software