Hide Sensitive Data in Test Automation

Updated: Sep 1

What is sensitive information and why should it be protected?

Not all information is created equal. Information that may cause loss or damage to a person or business when it is used by unauthorized persons is called sensitive information.


Examples of sensitive data

Financial Information

Protected health information (PHI)

Credential Data

Customer Information Data

Trade, proprietary, and government information


Financial Information

Information about an individual's or organization's financial details, such as bank details, credit/debit card numbers, PINs, and tax records. If exposed, it may cause huge financial loss.


Protected health information (PHI)

Any information covered under the Health Insurance Portability and Accountability Act (HIPAA), including a person's health status, medical conditions, treatments, care details, and health insurance information, is considered protected health information (PHI). Exposure of this information would threaten the individual's privacy.


Credential Data

Any information that grants access to a specific application, device or physical location, such as usernames, passwords, identity card numbers, biometrics and personal identification numbers (PINs). Its exposure can lead to data breaches and misuse of systems. For example, in the LinkedIn data breach (2021), the data of over 700 million LinkedIn users was sold on hacker forums.


Customer Data  

This includes basic information like names, addresses, browsing activity, and contact details such as phone numbers and email addresses. If this kind of data isn’t properly protected, businesses could face fines or legal action for violating customer privacy.


Trade, Proprietary, and Government Information  

This information includes intellectual property, military secrets, or business intelligence. If this information falls into the hands of a competitor or adversary, it could lead to a loss of market position or even impact national security in geopolitical or military contexts.


Why should it be protected in test automation?


Test data is used to validate the software's capabilities, and it is important that test data mimics real scenarios. At times, sensitive information is included as part of the business requirements, and if it is not handled in the right way, it leads to legal and financial issues.

For instance, the disclosure of the Yahoo data breach, which involved over 3 billion user accounts, severely affected Yahoo's reputation.

How to hide sensitive data in test automation?

There are several effective techniques available to safeguard sensitive information.

  • Data Masking

  • Encryption

  • Generating Dynamic Data

Data Masking

Data masking is one of the useful methods for protecting sensitive test data. During test execution, data masking substitutes manipulated characters for the real ones. For instance, in place of real email addresses or credit card numbers, you can create masked values that mimic real information but cannot be linked to specific people or account details. This helps ensure that sensitive data is not misused.

Benefits:

  • Protects personal data in logs and reports

  • Enables safe sharing of test data with teams

  • Reduces the risk of accidental misuse

Example: Masking a credit card number 1234567812345678 as ************5678.
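
The masking rule from the example above, applied to whole log lines, as an added example that is not code from the original post. The class name, the patterns and the sample lines are constructed for illustration, and the scrubber also masks email addresses.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TestLogMasker {
    // 13 to 19 digits, optionally separated by single spaces or dashes.
    private static final Pattern CARD =
            Pattern.compile("\\b\\d(?:[ -]?\\d){12,18}\\b");
    // Capture the first character of the local part and the whole domain.
    private static final Pattern EMAIL =
            Pattern.compile("\\b([A-Za-z0-9])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\\.[A-Za-z]{2,})");

    /** Keeps only the last four digits, as in the article's example. */
    static String maskCard(String card) {
        String digits = card.replaceAll("[ -]", "");
        int keep = 4;
        return "*".repeat(digits.length() - keep) + digits.substring(digits.length() - keep);
    }

    /** Masks every card number and email address found in one log line. */
    static String scrub(String line) {
        Matcher m = CARD.matcher(line);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(maskCard(m.group())));
        }
        m.appendTail(out);
        return EMAIL.matcher(out.toString()).replaceAll("$1***@$2");
    }

    public static void main(String[] args) {
        // Constructed sample log lines, not real data.
        String[] lines = {
            "payment submitted card=1234567812345678 amount=10.00",
            "payment submitted card=1234-5678-1234-5678 user=jane.doe@example.com",
            "order 4711 created for bob@example.org"
        };
        for (String line : lines) {
            System.out.println(scrub(line));
        }
    }
}
```

Running the scrubber at the point where the test framework writes logs and reports means a raw value never reaches a file that is shared with other teams.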


Encryption

Encryption is one of the most robust and widely used techniques. It takes plain text and converts it into an unreadable format known as ciphertext using cryptographic algorithms. This encrypted data can be stored and transferred safely, and it can be decrypted. We use the same secret key to encrypt and decrypt the data.


Best practices:

  • Store encrypted data in properties files.

  • Never print or log actual passwords.

  • Use AES keys of correct length (16, 24, or 32 bytes) to avoid errors

Example: Encrypt a password before storing it and decrypt it at runtime for login.


Generating Dynamic Data


Generating dynamic data programmatically is another technique widely used in automation testing. This ensures that distinct test data is used on each run rather than static test data.


Popular Java libraries:

  • JavaFaker – for realistic fake names, addresses, and emails

  • Podam – for generating complex object data

  • DataFaker – a lightweight alternative for random test data

Benefits:

  • Reduces dependency on sensitive production data

  • Makes tests more robust and repeatable
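
The same idea using only the JDK rather than any of the libraries listed above, as an added example that is not from the original post: a seeded generator for Luhn-valid card numbers and email addresses on the reserved example.com domain. The class name and the 400000 prefix are constructed for illustration.

```java
import java.util.Random;

public class SyntheticTestData {
    private final Random rnd;

    SyntheticTestData(long seed) {
        this.rnd = new Random(seed); // same seed, same data: a failing run can be replayed
    }

    /** Luhn check digit for a string of digits that lacks its final digit. */
    static int luhnCheckDigit(String payload) {
        int sum = 0;
        boolean doubleIt = true; // the rightmost payload digit is doubled first
        for (int i = payload.length() - 1; i >= 0; i--) {
            int d = payload.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return (10 - sum % 10) % 10;
    }

    /** 16-digit number that passes Luhn validation; generated, not copied from production. */
    String cardNumber() {
        StringBuilder sb = new StringBuilder("400000"); // constructed prefix
        while (sb.length() < 15) {
            sb.append(rnd.nextInt(10));
        }
        return sb.append(luhnCheckDigit(sb.toString())).toString();
    }

    /** Address on example.com, a domain reserved for documentation and testing. */
    String email() {
        return "qa-" + Long.toHexString(rnd.nextLong()) + "@example.com";
    }

    public static void main(String[] args) {
        long seed = System.nanoTime();
        System.out.println("seed=" + seed); // logging the seed is enough to reproduce the run
        SyntheticTestData data = new SyntheticTestData(seed);
        for (int i = 0; i < 3; i++) {
            System.out.println(data.email() + " " + data.cardNumber());
        }
    }
}
```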


Let’s explore more about Encryption with actual code snippets


In this example, let's log in to the DSALGO portal "https://dsportalapp.herokuapp.com/home" with an encrypted password.

Step 1: Create the secret key. The encrypt and decrypt methods both use the secret key, and AES requires the key to be one of these specific lengths:

16 bytes

24 bytes

32 bytes

If the key is not one of these lengths, you will encounter a "java.security.InvalidKeyException" exception.


Step 2: First, get the encrypted text of the actual password by using the Cipher class in the javax.crypto package. Don't store or print the actual password after retrieving its encrypted text.


Step 3: Store the encrypted data in a properties file or Excel sheet instead of the actual password.


Step 4: Use the decrypt method to read the encrypted text.


Step 5: Use the decrypted password directly in the sendKeys() method, without hardcoding the actual password in plain text.
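
Steps 1 to 5 in one class, as an added example rather than the code from the original post's screenshots. It assumes AES in GCM mode with a random IV (the post does not name a mode), a Base64 key read from a hypothetical TEST_AES_KEY environment variable so that the key is not stored beside the ciphertext, and a hypothetical property name login.password.enc.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

public class EncryptedPasswordDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128; // GCM nonce bytes, tag bits
    // Step 1: reject a key that is not 16, 24 or 32 bytes before Cipher.init
    // fails with InvalidKeyException.
    static SecretKeySpec loadKey(String base64Key) {
        byte[] raw = Base64.getDecoder().decode(base64Key);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        return new SecretKeySpec(raw, "AES");
    }
    // Step 2: encrypt with a fresh random IV and return Base64(IV || ciphertext).
    static String encrypt(String plain, SecretKeySpec key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(blob);
    }
    // Step 4: split the IV off the stored value and decrypt; a modified value throws.
    static String decrypt(String stored, SecretKeySpec key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return new String(cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // TEST_AES_KEY is a hypothetical name; a throwaway key is used if it is unset.
        byte[] demo = new byte[32];
        new SecureRandom().nextBytes(demo);
        String b64 = System.getenv().getOrDefault("TEST_AES_KEY", Base64.getEncoder().encodeToString(demo));
        SecretKeySpec key = loadKey(b64);
        Properties props = new Properties(); // Step 3: only the ciphertext is stored
        props.setProperty("login.password.enc", encrypt("Constructed-Passw0rd!", key));
        String password = decrypt(props.getProperty("login.password.enc"), key);
        // Step 5: the test passes `password` to sendKeys(); it is never printed or logged.
        System.out.println("round trip ok: " + password.equals("Constructed-Passw0rd!"));
    }
}
```

Because the IV is random, encrypting the same password twice gives two different stored values, so identical passwords cannot be spotted by comparing properties files.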


By integrating encryption and decryption into your test automation framework, you protect sensitive information like passwords and personal data from being exposed in plain text. This approach not only enhances security but also makes your scripts more reliable, reusable, and easy to maintain. Additionally, it helps teams comply with data protection regulations, reduces the risk of accidental data leaks, and ensures that your framework can handle test data in different environments. Overall, adopting these practices makes your automation more robust, professional, and ready for continuous testing at scale.






© Copyright 2025 by Numpy Ninja Inc.
