I wonder if tokenizing all PII for storage, with a special lookup server accessible only to a small group, would reduce the threat of these kinds of attacks.
Obviously some things like SMS or sending of email need to manipulate this data, but rx/tx of e.g. SMS given a placeholder token could also be similarly siloed, so most technical staff would never have or need access to raw PII like IP, phone, or email.
Unfortunately geolocation for ad targeting and other customization features is still probably going to make a “what country is this user in right now?” possible for most devs/SREs, which is itself a bit of a physical location change traffic leak, but making it near-impossible for most devs or SREs to view untokenized user PII would probably be a huge step in the right direction.
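A sketch of the design the comment proposes, as an added example that is not part of the original post: a vault that hands out keyed tokens in place of raw PII, a siloed SMS sender that resolves a token only inside the silo, and ordinary app code that is refused detokenization. Names (TokenVault, SmsGateway, the "vault" role) and the sample phone number and e-mail are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a real deployment it exists only inside the vault service.
VAULT_KEY = secrets.token_bytes(32)


class TokenVault:
    """Maps raw PII to opaque tokens; only callers holding the 'vault' role may reverse them."""

    def __init__(self, key: bytes):
        self._key = key
        self._store: dict[str, str] = {}  # token -> raw value, never leaves the vault

    def tokenize(self, kind: str, value: str) -> str:
        # Keyed HMAC makes tokens deterministic: the same email always yields the same
        # token, so app code can dedupe or join on tokens without seeing the raw value.
        digest = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"tok_{kind}_{digest[:32]}"
        self._store.setdefault(token, value)
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        if "vault" not in caller_roles:
            raise PermissionError("detokenize requires the vault role")
        return self._store[token]


class SmsGateway:
    """Siloed sender: accepts a phone token, resolves it inside the silo, logs only tokens."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.sent: list[tuple[str, str]] = []  # (token, body) audit log without raw numbers

    def send(self, phone_token: str, body: str) -> bool:
        number = self._vault.detokenize(phone_token, {"vault"})  # gateway holds the role
        # The raw number would be handed to the carrier here; we only record the send.
        self.sent.append((phone_token, body))
        return number.startswith("+")


def demo() -> dict:
    vault = TokenVault(VAULT_KEY)
    phone_tok = vault.tokenize("phone", "+15555550123")  # constructed sample number
    email_tok = vault.tokenize("email", "alice@example.com")  # constructed sample address
    gateway = SmsGateway(vault)
    sent = gateway.send(phone_tok, "Your code is 123456")
    try:  # ordinary app code with the "dev" role cannot unwrap a token
        vault.detokenize(email_tok, {"dev"})
        dev_denied = False
    except PermissionError:
        dev_denied = True
    stable = vault.tokenize("phone", "+15555550123") == phone_tok
    log_leaks_raw = any("+1555" in tok or "+1555" in body for tok, body in gateway.sent)
    return {"sent": sent, "dev_denied": dev_denied, "stable": stable, "log_leaks_raw": log_leaks_raw}
```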