It seems like a new data breach is announced every few days lately. Some massive new number of compromised accounts is regularly splattered across article headlines, emails, TV segments and more. But what do these data breaches actually mean for you?
A quick primer on data breaches
A data breach is when an organization’s private data (belonging to the organization itself, its employees, or, far too commonly, its customers) is leaked or exposed to the public or to hackers. Data breaches come in all shapes and sizes. The data can vary but is usually some combination of usernames and passwords, credit card information, purchase history, messages, and personal information like addresses, dates of birth, social security numbers, etc.
While this might be the result of direct attacks by hackers or of hackers exploiting some kind of vulnerability, it’s often just the result of sloppy data management. And sometimes a ‘data breach’ isn’t data that has been breached, but data that could have been breached. It’s common to see reports from security researchers who found data on a public server or in another easily accessible place and announced it because there is no way to tell whether anyone had previously accessed or stolen the data.
Here are a few headlines of recent data breaches that were the result of hackers.
- Capital One leaks personal details from over 100M users – A former Amazon Web Services employee obtained access to a server owned by Capital One that contained a trove of personal details including Social Security Numbers, addresses, email addresses, and even linked bank account numbers.
- A hacker has dumped nearly one billion user records over the past 4 months – Affecting over 40 companies, a hacker has dumped user data that includes emails, passwords, full names, birthdays, addresses, IP addresses and more. In addition to selling the data, the hacker seems to be motivated by fame.
- Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years – This is one of the circumstances where Facebook engaged in very poor data management. Brian Krebs, a security researcher, discovered that unencrypted passwords were stored in plain text, but Facebook claims that no employee (or other third party) abused access to the data in question.
- Microsoft reveals hackers accessed some Outlook.com accounts for months – A support agent’s credentials were compromised, allowing a hacker to access account emails, folder names, and subject lines. Microsoft later admitted hackers may have been able to access email content.
- New Toyota Data Breach Exposes Personal Information of 3.1 Million Customers – This is an ongoing problem. It seems like Toyota is being targeted by hackers, as it has continued to suffer from security problems over the last several months.
Until corporations step up their cybersecurity and place a priority on securing their customers’ data, these data breaches won’t stop. Depending on what kind of attacks and vulnerabilities are found by hackers, these problems may become more frequent.
This sounds pretty scary but there’s good and bad news.
The good news: The latest data breach likely won’t affect you.
The bad news: It’s (probably) because your information was already leaked before.
There’s probably nothing new in the latest data breach
At this point, so much personal data has leaked in earlier breaches that few people do not already have their credit card numbers, usernames, email addresses, passwords, banking info, addresses, names, birthdates, and social security numbers out on the dark web, being bought and sold by hackers.
So a new data breach exposing millions of instances of the same information isn’t likely to change anything. Think about your address or social security number: Will any additional harm come from the fact that the data is leaked a second or third time? Probably not.
The one exception is passwords, but if you follow best practices and never reuse passwords across different accounts or sites, then even password breaches don’t matter beyond the account that was compromised.
Still, the rash of data breaches occurring and the way in which they’re breathlessly reported makes it feel like an emergency, and like there must be something you should do in response.
But the best reaction is not to treat it like an emergency, but instead to treat it like the new normal – which it is. You need to take actions every day that assume your data will regularly be stolen and circulated.
Take the data breach we mentioned at the top of the article. A leak of nearly 1 billion records is huge, but if you change your password, avoid reusing passwords, and leverage two-factor authentication (2FA) to sign into accounts, you’re less likely to get hit by a hacker.
Remember, hackers and bad actors look for the easiest way of compromising an account or getting away with something. If you make it easy for them, you might become a victim. But there are ways to make yourself less vulnerable, whether or not your information is already on the dark web.
Protecting yourself from data breaches
Data breaches leak a lot of varied information, but there are actions available for most leaked data that make you less likely to become a victim.
- Check haveibeenpwned.com. This is the simplest step and the first one you should take. The website is a free service that tells you whether or not your email address and other data have been part of a data breach. Remember to check each different email address you use. Verify that you’ve changed passwords on the accounts that suffered a breach. If you’re using the same password on a different account or site, change that as well.
- Consider using disposable or temporary email accounts. There are various services that allow you to create email addresses that exist temporarily or only exist to forward email to your main address. In the case of a data breach, a hacker is only given this email address, limiting the amount of information they have on you.
- Use long and unique passwords on all of your accounts. Using common passwords and reusing passwords is an easy way for a hacker to get into your accounts. It’s embarrassing that year after year, ‘password’ is still the most commonly used password.
- Use a password manager. Password managers ensure that you’re always using strong and secure passwords and never reusing them. It requires a little bit of upkeep but the payoff is worth it.
- Start using ‘Two Factor Authentication’ or 2FA. By requiring a different level of authentication (for example, sending a code to your phone), you’re making sure that even if your password is known, your account is safe. This is the most effective change you can make to your important accounts.
- Place a credit freeze. A credit freeze stops anyone from opening a new account in your name. It’s one of the most important things you can do and prevents a lot of hackers from impersonating you. A credit freeze costs nothing and when you do need to open up a new account, you can just un-freeze your credit.
- Request your annual credit report. You can do this once a year and look through your credit report to see if there are any bad or suspicious entries that may indicate you’re being targeted or hacked.
- Be selective about using your debit card. Your debit card is the easiest way for hackers to reach your bank. That’s why malware on PoS (point of sale) systems continues to be a major problem for retailers, restaurants, and hotels. Credit cards are safer options since you can always cancel and dispute fraudulent charges.
- Consider mobile payment options such as Apple Pay and Samsung Pay. These services allow you to register your card on your mobile device so you can use your mobile device moving forward whenever making a purchase. It provides two benefits – it reduces the risk of your details getting stolen by a compromised machine and you have to authenticate the purchase using a different factor.
- Consider virtual cards. Designed for more secure online shopping, virtual cards allow you to shop online with a minimal risk of getting your financial details stolen.
This problem is a little trickier. Unfortunately, when it comes to information like birthdate and social security numbers (and to a lesser extent, addresses), there’s nothing you can do in terms of changing the information. Once it’s leaked, the information is out there. However, you’re not without options. Here are a few ways to limit your vulnerability.
- Consider a privacy protection service. Even if you’ve never been the victim of a data breach, chances are your information is still out there. Either data brokers have bought it, or directory services have compiled the information, making it legally accessible to anyone who wants to purchase it. However, you can use services offered by Brand Yourself or DeleteMe to delete as much publicly available information about you as possible. This will make it harder for hackers to piece together enough information about you if they wanted to target you.
- Use virtual/fake phone numbers. This is just like using a disposable email address. Whenever you’re asked for your phone number, you can use a temp or disposable one so if the service or product is hacked, your real phone number isn’t compromised. We like MySudo, which offers virtual phone numbers and email addresses for privacy purposes.
- Close unused accounts. Have a Myspace, LiveJournal, or old dating apps? If you’re not using them anymore, it’s worth deleting the account (and ensuring that the company will delete all your associated data). Any data that’s out there (publicly or not) can be used against you so make sure you’re limiting it whenever possible.
To be clear, the avalanches of constant data breaches are terrible – each one represents private data being compromised by cyber criminals who have only bad intentions. But the reason most of us have heard about all of these breaches and not experienced much direct impact, is that much of the security and financial world already assumes that data is not hard to access.
You can’t do anything to prevent one of your service providers from being breached. And the chance of not having your data included in future breaches is low. So the only smart move you can make is to expect them, prepare for them, and take the precautions and actions we suggested so they won’t hurt when they occur.