In AP Cybersecurity, sensitive data is information that would cause loss, harm, or legal trouble if accessed by the wrong people, such as PII, PHI, financial records, or data governed by laws and regulations.
Sensitive data is any information that needs protection because exposing it causes real damage. Think personal records (PII), health information (PHI), payment card data (PCI), or proprietary designs like the next jet engine a company is building for the Air Force. If an adversary gets it, someone gets hurt, sued, or robbed.
The key idea from EK 5.1.C.1 is that protecting sensitive data means guarding all three parts of the CIA triad. Confidentiality is compromised when unauthorized people can read it. Integrity is compromised when someone alters it. Availability is compromised when it gets destroyed or encrypted so the real owner can't reach it. EK 5.1.C.2 adds the part that matters most for risk scoring: data governed by laws or regulations counts as highly sensitive, so a likely exploit against it is a high risk, not a minor one.
Sensitive data is the payoff target in Unit 5: Securing Applications and Data, specifically topic 5.1. The whole unit makes more sense once you realize attacks like SQL injection or directory traversal aren't the point. They're the path to the sensitive data at the end. Learning objective AP Cybersecurity 5.1.C asks you to assess and document risks from data vulnerabilities, and you can't do that without judging how sensitive the data is. The more sensitive the data and the more likely the exploit, the higher the risk score. That's the core reasoning move the CED wants from you.
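The reasoning move described above (sensitivity first, then exploit likelihood, then a risk level) can be written down as a small risk-register helper. The code below is an added example, not course material or anyone's real tool: the three-level scale, the risk matrix, the category names and the sample inventory are all constructed for illustration, and the rule that bumps likelihood for unencrypted data at rest is this example's reading of EK 5.1.A.1.

```python
"""Documenting a data-vulnerability risk the way 5.1.C asks: judge the data's
sensitivity first, then the likelihood of the exploit, and let both drive the
score. Added example; the scale, matrix and inventory are constructed."""
from dataclasses import dataclass

REGULATED = {"PII", "PHI", "PCI"}   # data governed by laws or regulations

# Constructed 3x3 matrix: (sensitivity, likelihood) -> risk level.
RISK_MATRIX = {
    ("HIGH", "HIGH"): "HIGH",     ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "LOW"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH",   ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "LOW"): "LOW",
    ("LOW", "HIGH"): "MEDIUM",    ("LOW", "MEDIUM"): "LOW",       ("LOW", "LOW"): "LOW",
}


@dataclass
class DataAsset:
    name: str
    category: str            # "PII", "PHI", "PCI", "proprietary" or "public"
    at_rest_encrypted: bool


@dataclass
class Threat:
    description: str
    property_hit: str        # "confidentiality", "integrity" or "availability"
    likelihood: str          # analyst's estimate: "LOW", "MEDIUM" or "HIGH"
    reaches_device: bool     # does the scenario put the drive in the adversary's hands?


def sensitivity(asset: DataAsset) -> str:
    """EK 5.1.C.2: regulated data is highly sensitive. Proprietary designs are
    still sensitive; public data is not (constructed tiering)."""
    if asset.category in REGULATED:
        return "HIGH"
    if asset.category == "proprietary":
        return "MEDIUM"
    return "LOW"


def effective_likelihood(asset: DataAsset, threat: Threat) -> str:
    """EK 5.1.A.1: an unencrypted file at rest is readable by anyone who reaches
    the device. This example therefore treats a confidentiality threat that
    includes device access against unencrypted data as HIGH likelihood,
    whatever the analyst's first estimate was."""
    if (threat.property_hit == "confidentiality"
            and threat.reaches_device
            and not asset.at_rest_encrypted):
        return "HIGH"
    return threat.likelihood


def document_risk(asset: DataAsset, threat: Threat) -> dict:
    """One row of a risk register, with the rationale written sensitivity-first."""
    sens = sensitivity(asset)
    like = effective_likelihood(asset, threat)
    level = RISK_MATRIX[(sens, like)]
    rationale = (f"{asset.name} is {asset.category} data ({sens} sensitivity); "
                 f"'{threat.description}' threatens {threat.property_hit} "
                 f"with {like} likelihood -> {level} risk")
    return {"asset": asset.name, "sensitivity": sens, "property": threat.property_hit,
            "likelihood": like, "risk": level, "rationale": rationale}


# Constructed inventory echoing the scenarios in the text.
INVENTORY = [
    (DataAsset("gradebook export", "PII", at_rest_encrypted=False),
     Threat("lost laptop holding the export", "confidentiality", "LOW", reaches_device=True)),
    (DataAsset("jet engine CAD files", "proprietary", at_rest_encrypted=True),
     Threat("ransomware encrypts the design share", "availability", "MEDIUM", reaches_device=False)),
    (DataAsset("cafeteria menu page", "public", at_rest_encrypted=False),
     Threat("defacement alters the posted menu", "integrity", "HIGH", reaches_device=False)),
]


def risk_register() -> list:
    """Score every (asset, threat) pair in the inventory."""
    return [document_risk(asset, threat) for asset, threat in INVENTORY]


if __name__ == "__main__":
    for row in risk_register():
        print(f"[{row['risk']:6}] {row['rationale']}")
```

Note the first row: the analyst's gut estimate for the lost laptop was LOW, but because the PII sits unencrypted at rest and the scenario hands over the device, the likelihood is raised to HIGH and the regulated data pushes the documented risk to HIGH. Encrypting the export would drop that row back to the matrix's (HIGH, LOW) cell.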
Keep studying AP Cybersecurity Unit 5
PII, PHI, and PCI (Unit 5)
These three are the named, regulated categories of sensitive data. PII is personal info, PHI is health info, PCI is payment card info. They're examples of the 'governed by laws or regulations' data that EK 5.1.C.2 calls highly sensitive, so a breach of any of them automatically scores as high risk.
Data at rest, in transit, and in use (Unit 5)
Sensitive data exists in three states, and each needs different protection. EK 5.1.A.1 warns that an adversary can read any unencrypted file at rest if they reach the drive, which is exactly why encryption matters for sensitive data.
SQL injection and directory traversal (Unit 5)
These are application attacks that exploit vulnerabilities to reach sensitive data. SQL injection tricks a database into handing over records, and directory traversal lets an attacker climb to files they shouldn't see. The vulnerability is the door; sensitive data is what's in the room.
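To make the "vulnerability is the door" point concrete, here is each of the two attacks as the vulnerable code beside its hardened form, written from the defender's side. This is an added example, not code from the course: the in-memory gradebook table, the temporary report folder and the request strings are constructed for illustration.

```python
"""SQL injection and directory traversal, each shown as the vulnerable routine
next to its fix. Added example; the table, files and inputs are constructed."""
import os
import sqlite3
import tempfile

# --- SQL injection: a gradebook lookup ----------------------------------

def make_gradebook() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a school gradebook (PII)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?)",
                     [("alice", "A"), ("bob", "B"), ("carol", "C")])
    return conn


def lookup_grade_unsafe(conn: sqlite3.Connection, student: str) -> list:
    """Vulnerable: untrusted input is pasted into the SQL text, so a quote in
    the input changes the query's logic instead of just supplying a value."""
    query = f"SELECT student, grade FROM grades WHERE student = '{student}'"
    return conn.execute(query).fetchall()


def lookup_grade_safe(conn: sqlite3.Connection, student: str) -> list:
    """Hardened: a parameterized query. The value travels separately from the
    SQL, so it can only ever be compared as a string, never parsed as SQL."""
    query = "SELECT student, grade FROM grades WHERE student = ?"
    return conn.execute(query, (student,)).fetchall()


# --- Directory traversal: serving report files ---------------------------

def make_report_dir() -> str:
    """Constructed layout: <tmp>/reports/alice.txt is meant to be served;
    <tmp>/secret.txt sits one level up and must never be served."""
    base = tempfile.mkdtemp()
    reports = os.path.join(base, "reports")
    os.mkdir(reports)
    with open(os.path.join(reports, "alice.txt"), "w") as f:
        f.write("alice: A\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("payroll data (should never be served)\n")
    return reports


def read_report_unsafe(reports_dir: str, requested: str) -> str:
    """Vulnerable: joins the user-supplied name onto the base directory and
    never checks where the result landed, so '..' climbs out of the folder."""
    with open(os.path.join(reports_dir, requested)) as f:
        return f.read()


def is_inside_reports(reports_dir: str, requested: str) -> bool:
    """Resolve the final path (symlinks and '..' included) and compare whole
    path components, so a sibling like 'reports2' does not pass either."""
    base = os.path.realpath(reports_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def read_report_safe(reports_dir: str, requested: str) -> str:
    """Hardened: refuse any resolved path that is not inside the reports
    directory, whatever the request string looked like."""
    if not is_inside_reports(reports_dir, requested):
        raise PermissionError(f"refusing path outside reports dir: {requested!r}")
    with open(os.path.join(os.path.realpath(reports_dir), requested)) as f:
        return f.read()


if __name__ == "__main__":
    conn = make_gradebook()
    probe = "x' OR '1'='1"        # constructed input that breaks out of the quotes
    print("unsafe lookup:", lookup_grade_unsafe(conn, probe))   # every row leaks
    print("safe lookup:  ", lookup_grade_safe(conn, probe))     # no such student
    reports = make_report_dir()
    print("unsafe read:", read_report_unsafe(reports, "../secret.txt").strip())
    try:
        read_report_safe(reports, "../secret.txt")
    except PermissionError as exc:
        print("safe read blocked:", exc)
```

Both fixes share one idea: never let user input decide structure. The parameterized query keeps the input as data rather than SQL, and the realpath-plus-commonpath check decides on the path the OS will actually open, not on the string the user typed. A plain `startswith` check on the string would still let `reports2/` or an unresolved symlink through, which is why the comparison is done component-wise on the resolved path.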
Confidentiality, integrity, and availability (Units 1, 5)
The CIA triad is the lens you use to describe what went wrong with sensitive data. Reading it without permission breaks confidentiality, altering it breaks integrity, and locking or destroying it breaks availability.
Expect sensitive data to show up inside risk-assessment and attack scenarios rather than as a standalone definition question. Multiple-choice stems describe an attack (a phished login that opens a gradebook, a script that steals session tokens) and ask you to name the attack or the security property that was compromised. Your job is to connect the attack to the sensitive data it exposed and decide which part of the CIA triad failed. On free-response, you'd assess and document risk: rate how sensitive the data is, estimate how likely the exploit is, and explain why regulated data pushes the risk to 'high.' Lead your reasoning with the data's sensitivity, then the likelihood of the exploit.
PII is a type of sensitive data, not a synonym for it. Sensitive data is the broad umbrella for anything harmful to expose, including health records, payment data, and proprietary designs. PII specifically means personally identifiable information like names, Social Security numbers, and addresses. All PII is sensitive data, but not all sensitive data is PII.
Sensitive data is any information that causes loss, harm, or legal trouble if the wrong person accesses it, and data governed by laws counts as highly sensitive.
Protecting sensitive data means defending confidentiality, integrity, and availability, since an attacker can read it, alter it, or destroy it.
Per EK 5.1.A.1, an adversary can read any unencrypted file at rest if they reach the device, which is why encryption is the baseline defense.
High risk comes from highly sensitive data plus a likely exploit, so you weigh both factors when documenting risk under AP Cybersecurity 5.1.C.
Attacks like SQL injection and directory traversal are the path to sensitive data, not the goal itself.
It's information that would cause harm, loss, or legal problems if exposed, such as PII, PHI, payment data, or proprietary designs. The CED treats data governed by laws or regulations as highly sensitive, which raises its risk score.
No. PII (personally identifiable information) is just one category of sensitive data. Health records (PHI), payment card data (PCI), and trade secrets are also sensitive but aren't PII. All PII is sensitive, but sensitive data is the wider umbrella.
The CIA triad describes what an attacker can do to it. Reading it without permission breaks confidentiality, changing it breaks integrity, and destroying or encrypting it breaks availability. EK 5.1.C.1 ties all three to data security risk.
Because EK 5.1.C.2 says high risks often involve highly sensitive data, like data governed by laws or regulations. If that kind of data faces a likely exploit, you'd document it as a high risk, not a minor one.
Those attacks are the method, and sensitive data is the prize. SQL injection and directory traversal exploit application vulnerabilities to reach files or database records the attacker shouldn't have, which is why they appear in the same Unit 5 topic.