Companies that hold your data are being hacked left, right, and center. It’s becoming such a common occurrence that it is likely some of us will find ourselves on the ugly side of a data breach. What can we do if our data is compromised because of service companies’ inadequate security and it falls into the hands of hackers? How can we protect ourselves?
Clearer understanding of what constitutes a data breach
Organizations are required to process personal data in a secure manner — in order to avoid personal data being placed at risk from unauthorized or unlawful access and processing, accidental loss, destruction, or damage. All such situations constitute a breach of personal information.
When we hear that data has been breached, our initial thoughts turn to a hacker with malicious intent targeting and infiltrating systems to steal our data. This is often the case but it is important to remember that this is not the only way in which our data can be breached.
We are finding more and more that service companies are storing and processing our personal data without the necessary security measures in place, meaning our data is being breached through the company’s inadequacies a lot of the time rather than direct malicious attempts to get the data.
Data is also placed at risk through employee error, sending incorrect data to the incorrect recipients, or losing devices that contain data in an unsecured form, for example. A less dramatic breach may be someone viewing data without permission. In cases such as these, there is still a risk to our personal data, but the breach is due to the company’s inadequacies rather than a direct malicious attack. These could be seen as opportunistic attacks, where the company is “facilitating” the breach and making the hackers’ jobs so much easier.
Other causes of a data breach could be through weak or missing passwords, not patching or updating software and systems, misconfiguring services or failing to implement proper access controls, or viewing data on rogue wireless networks (where your login credentials can be captured). There’s also social engineering, manipulated emails, phishing, and targeted attacks to worry about. And insider and outsider threats (both malicious and not). All of these scenarios can end in a breach of personal data.
While hackers and cybercriminals are often the cause of a data breach, there are also incidents where organizations or government agencies unintentionally expose sensitive or confidential data online.
No matter how the breach of personal data occurs, it impacts the person whose data has been breached significantly. Those of us who are aware of what is going on are concerned — and rightly so! There is regulation to ensure this personal data is secure, yet large data breaches at major companies and well-known organizations are still happening. Why are companies not taking data protection seriously? Why are companies not implementing the appropriate measures to protect our data? This leaves us in a situation where we (as the data subject) feel we need to look out for ourselves and take security into our own hands.
What can we do to protect our data?
There are situations where you as an individual user can be proactive when it comes to your data security. When sending emails and documents electronically, for example, do so securely (technologies, such as encryption, do exist for individual use). Before storing your data with a third party in the cloud, secure it before uploading — again, technologies are available to achieve this. You can control and protect a lot of your data. Don’t offer personal data unnecessarily; if it is optional, don’t give it out! Be cautious when it comes to posting details and information on social media.
However, at times, we need to entrust our data to third-party organizations and we believe that they are treating it securely. When we shop online or do our banking, for example, our bank details are handed over. Our medical details are kept in electronic files along with other personal details like our Social Security number, address, phone number, gender, passport, ID numbers and photos — the list is endless. This data is processed by many organizations on multiple systems (local and in the cloud) for various reasons.
It only takes one organization to not protect it, one employee mishap, or one vulnerability in a system for our data to be compromised and breached. Once this has happened it is too late to secure. The damage is done.
Many companies are taking the necessary steps to improve their security posture and better protect our personal data, but this will take time to reach all organizations. Data breach incidents will continue to happen, so what can we do to protect ourselves?
Data breaches: We just don’t seem to learn from them
Let’s consider a few of the major breaches. The Equifax data breach immediately comes to mind. It was a big one that impacted 143 million consumers. Equifax, one of the largest credit bureaus in the U.S., had a vulnerability on one of their websites that led to the data breach. It is thought to have started in May 2017 and went unnoticed until the end of July 2017. During that time, personal data including social security numbers, birthdates, addresses, driver’s license numbers, and credit card details of its customers were exposed.
Yahoo had an incident between 2013 and 2014 compromising the information of 500 million users and 3 billion user accounts (revised to this number in 2017). Users’ names, email addresses, dates of birth, and telephone numbers were compromised.
Many health-care-related breaches occur. Anthem, for example, the second-largest health insurer in the United States, was breached in 2014, impacting 80 million current and former customers. The attack exposed all personal details needed to steal an identity. It is thought that it all started with a phishing email (which could easily have been avoided if technical measures to secure the data were used). The British NHS has been breached on numerous occasions and just recently almost half of Norway’s population had their personal details compromised when Health South-East RHA had their systems breached.
Then there have been breaches at large retailers like Home Depot, Target and Forever 21, where loyal shoppers have had their personal data compromised. Many of these breaches exposed credit card data via access to the payment card systems, which were accessed because technical measures were either not in place or not working — which really is the same as not existing!
Other notable breaches are Uber, Dropbox, VeriSign, Sony, eBay, JP Morgan Chase … the list goes on and on. There have been breaches across all industries, all sectors, and companies of all sizes and varied value. You quickly realize that no company is immune and that even the companies of high worth that have the resources to protect our data often are not doing it adequately.
Your data’s been breached, now what?
You see it in the headlines when it happens to someone else. But what happens when your personal data has been compromised? What should you do? Take a deep breath… Do what you can to protect yourself and try to avoid the theft of your identity. The likelihood is that you have an understanding of the type of data that has been exposed. Think of the varied scenarios where the data can be used separately and how it can be used combined with other data that was stolen. Don’t be complacent about it. You must take action and remain vigilant. A lot of the time you may not notice immediate anomalies. It may happen months or even years later, so remain cautious and remember that if your data has been breached, it is out there and can be used at any time.
Steps you can take include:
- Keep up to date on data breach incidents.
Follow them like you follow the news or the weather! Get into the habit of following breach activity. At least once a week, research the breach incidents and stay on top of what is going on. This way you can be quickly alerted if something is amiss in your own accounts.
- Determine what’s been stolen.
Find out what data was lost in the breach. A lot of the time, a single piece of information won’t cause much impact, but the combination of personal details increases the risk substantially. A street address (alone) or a name (alone) cannot be used for much, but with a combination of an email address, date of birth, bank card details, Social Security number, insurance number, and passwords, a lot more damage can be done. With a name and Social Security number, it’s possible someone can pose as you.
- Change all your passwords
If an account is compromised, change the password as soon as you become aware. Additionally, change the passwords of other accounts, as many people use the same password for multiple accounts, even though this is not good practice. Ideally, you want to use different passwords for each account — if you can’t remember them, use a password management tool to help (and use different credentials for that too!).
- Know the state of your money affairs
Most of us get our bank statements online and do not look at them as often as we should. Study them on a regular basis so that you can pick up on any fraudulent activity and take the necessary actions. You may be able to set up alerts so that whenever your card is used you are notified. You should have a good idea of the transactions and the money coming in and leaving your accounts.
- Contact relevant financial establishments
If your bank details have been compromised, contact your bank as soon as you are aware. This way they can see if fraudulent activity has occurred. The card can be canceled and a new one issued.
- Credit rating and reports
Consider using fraud alerts. These will make it harder for an identity thief to open an account in your name as verification will be required. Review your credit report/rating on a regular basis.
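For the “Change all your passwords” step above, an added example (not part of the original article) that finds which other accounts share the password of a breached account, using a constructed password-manager CSV export. The column names `site`, `username`, `password` and every sample row are assumptions; real exports differ by tool.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample of a password-manager CSV export (not real accounts).
SAMPLE_EXPORT = """site,username,password
shop.example,alice@example.com,Tr0ub4dor&3
mail.example,alice@example.com,Tr0ub4dor&3
bank.example,alice,correct-horse-battery
forum.example,alice_a,Tr0ub4dor&3
photos.example,alice@example.com,correct-horse-battery
news.example,alice@example.com,x9!Lq2#unique
"""

def group_by_password(export_text):
    """Group sites by password, keyed by an HMAC so results never hold plaintext."""
    key = secrets.token_bytes(32)  # per-run key: tags are useless outside this run
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).hexdigest()
        groups[tag].append(row["site"])
    return groups

def accounts_to_rotate(export_text, breached_site):
    """Return the breached site first, then every other site sharing its password."""
    for sites in group_by_password(export_text).values():
        if breached_site in sites:
            return [breached_site] + sorted(s for s in sites if s != breached_site)
    return []  # breached site is not in the export

def reuse_groups(export_text):
    """Return every set of sites that share one password, for proactive cleanup."""
    groups = group_by_password(export_text).values()
    return sorted(sorted(sites) for sites in groups if len(sites) > 1)

if __name__ == "__main__":
    print("Rotate now:", accounts_to_rotate(SAMPLE_EXPORT, "shop.example"))
    for group in reuse_groups(SAMPLE_EXPORT):
        print("Shared password:", group)
```

Run it against a local copy of your own export and delete that file afterwards, since the export itself holds every password in plaintext.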
No one wants to be a victim of identity theft
It’s so important that you keep, protect, and control your data on your terms whenever possible. Use appropriate data protection technologies to protect your data whenever it’s possible for you to do so. Use two-factor authentication when available. Be cautious. Be vigilant. Only entrust your data to reputable organizations. Ask questions and make sure you get the answers and guarantees that you need to warrant the safety of your data.
Remember that your personal data is yours; it is valuable and you should treat it that way. No one values your data as much as you do. You wouldn’t leave your physical valuable items unprotected, your house open, or your car unlocked, would you? Knowing the risks, and keeping track of every data breach that occurs and the impact that they have on so many individuals, protecting your data should be high on your security to-do list. It’s difficult to comprehend why so many of us are so complacent in terms of protecting our data and our privacy, our most valuable asset.