Credit cards and other forms of digital payments may be convenient to use but of course, they leave a digital trail that can easily be traced back to the owner. Such is apparently also the case even when personally-identifiable information like names and phone numbers are removed from the equation.

In a recent study titled “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” researchers at Massachusetts Institute of Technology’s Media Lab analyzed credit card transactions from 1.1 million people over the course of three months.

Personal information like names, phone numbers and account numbers had been removed but even still, the team – led by graduate student Yves-Alexandre de Montjoye – was able to reidentify 90 percent of shoppers by using just four random bits of information.

Even more frightening is the fact that, when combined with public data from social networks like Instagram and Twitter, researchers were able to link real names to the “anonymous” credit card transactions.

De Montjoye said the takeaway is that we really need to rethink what it means when something is “anonymized.” When the possibility of reconnecting personal information exists, he noted, it needs to be taken into account when releasing or sharing large data sets.

If you think you may not be at risk, think again. As The New York Times points out, many companies, hospitals and government agencies use standard methods to “anonymize” their records.