What do Equifax, Marriott-Starwood, Adobe, Facebook, Capital One, and Yahoo all have in common? They’ve each suffered at least one major data breach in the past couple of years. They are also the corporations we feel we have no choice but to trust with our most sensitive personal and financial information.
But they are by no means the only ones. For every Equifax breach, there are dozens of others that could affect you. They just don’t make headlines.
The first half of 2019 saw over 4 billion records exposed as a result of over 3,000 data breaches, a 54% increase compared to the year before. But not every data breach is created equal, and they happen so often it’s hard to know which ones are worth reacting to.
The action plan below will cover you in most scenarios and make sure you’re neither overreacting nor under-preparing when the next data breach occurs.
1. Were you caught in a breach?
Whenever you hear there was a data breach, you need to ask yourself four fundamental questions. The first one is this: Are you a customer of the breached company? Because if not, you can likely move on with your life and never worry about it again—until the next big data breach.
If you answered yes, you’re not out of the woods. And in some cases—for instance, the Equifax breach—it’s possible that literally everyone, from you to your children to anyone with a social security number, is affected. Move on to question 2.
2. If so, were you impacted?
Some breaches only affect people who were customers during a specific time frame. For example, DoorDash suffered a data breach of 4.9 million accounts belonging to customers who joined on April 5, 2018, or earlier. No customers who joined afterward were affected. Breach announcements may disclose the relevant time frame, which determines whether or not the breach would have leaked your data.
3. Was it a “hack” or an “exposure”?
This is an important distinction, and it’ll help you understand the severity of the breach. A hack means that the breach was the result of the actions of a bad guy, and the information stolen is likely to be used or sold.
An exposure means the breach was accidental and likely discovered by a security researcher (or white-hat hacker—that’s one of the good guys) before any real damage was done. This was the case at Adobe, where 7.5 million customer accounts were accessible without a password via an unsecured server. The hole was discovered and patched in October 2019. Usually, data breaches like these are publicized sometime after the company has solved the problem. When your information was exposed, did any bad actors access the data for a malicious reason? Oftentimes, you never know.
4. What, exactly, was leaked?
A few months ago, in-app game company Zynga was hacked, resulting in a data breach of 218 million user accounts. According to SC Magazine, the info included names, emails, log-ins, partially protected passwords, phone numbers, and Facebook IDs.
Because the passwords were partially protected, it would take a lot of effort to actually ‘crack’ them. Beyond that, much of the other leaked information can be found publicly or obtained in a variety of other ways. Even though this was a large hack, the data leaked wasn’t that sensitive, relatively speaking.
The Marriott-Starwood breach, however, involved crucial data of 300 million guests, including date of birth, mailing address, account numbers, and encrypted credit card numbers. It also included passport numbers, which aren’t the kind of information easily found online or via social media. In this case, the level of sensitivity of the leaked data is quite high.
5. Ok. You’ve been hit. Now what?
Good news. There are steps you can take that will minimize the impact.
- Change your passwords. This one’s pretty clear-cut. If a company got breached, you’re saving yourself a headache by changing the password on the breached account as soon as you can. If you used the same password on any other account (shame on you), change those too. It’s a common tactic for hackers to try stolen passwords on other common accounts using stolen email addresses.
- Get a new credit card. If your credit card data was leaked in a data breach, your card provider will often send you a new card automatically, but if they don’t you may want to request a new credit card just to be safe.
- Request a credit freeze. Contact each of the three major consumer credit bureaus to prevent identity theft and keep criminals from opening new lines of credit in your name—especially if the breach involved “fixed information,” such as social security numbers and date of birth.
- Enable two-factor authentication. This is something you should do anyway on all important accounts, but if you haven’t, use the scare to finally take this step. This technology adds an extra step when you try to log into your accounts – usually sending you a code by text message – making it impossible to log into your account with a stolen password alone. 2FA is a smart pre-emptive action to defend your accounts.
This was originally a newsletter email published in November 2019.