Tuesday, July 31, 2018

Data Breaches and What To Do About Them

News about data breaches is frequent and often seems frightening. Let me try to demystify the subject and, more important, suggest first steps to deal with the possible consequences.

The Size and Scope of Data Breaches


First, data breaches happen to organizations ranging from mega-corporations to your local health care provider. They are the work of malicious actors, not the fault of individual internet users. (Individual users can be unwilling participants, primarily by leaving their home networks unsecured. More about that in a later post.) Data breaches do, however, pose a direct threat to individual users.

In the Identity Theft presentation, slides 12-14 summarize a few of the most egregious data breaches as of early this year. They are widely reported in the news. I’ve always used the Privacy Rights Clearinghouse as an authoritative list of all known breaches. This chart summarizes the astonishing total.
(Chart: Privacy Rights Clearinghouse breach totals)

Here is information from an interesting list of large breaches so far in 2018. I was aware of the Exactis breach; the fact that 340 million records were exposed was big news. As a marketer, I was annoyed that I had never heard of the firm, a large data broker headquartered in Florida. Businesses like Experian and Exactis are carrying on business as usual, at least from the outside. Hopefully they are taking major internal steps to protect their systems and, consequently, their customers. There are not, however, any meaningful regulatory penalties for letting data leak out.

https://blog.barkly.com/biggest-data-breaches-2018-so-far
The largest breach occurred in India, and the Barkly (a security resources firm) blog tells the story in a way that makes clear just how easy it is to get personal data all over the world these days. India is the second largest internet market in the world (China is the largest) and has a connected population of approximately 500 million. For comparison, the US has about 275 million users. Aadhaar is the national identification number issued by an Indian government agency (the Unique Identification Authority of India) to residents whether or not they are online, so the number of individual records exposed, 1.1 billion, is considerably larger than the internet-using population.
What Can Users Do To Protect Against Data Breaches?


So enough of the mind-boggling statistics. What can we, as individuals, do? Sadly, we cannot prevent data breaches from occurring. Happily, though, we can take a number of simple steps that make it less likely our data is stolen or, if it is, make the stolen data hard for thieves to use.

I don’t recommend that individuals obsessively track data breaches, although there are good alert and newsletter publications like the one maintained by the Privacy Rights Clearinghouse. The national press will chronicle the large ones. The more local ones—and there are a surprising number of those—will be covered by local news outlets. The problem is that companies sometimes wait months, or even years, to make a breach public. That’s a huge disservice to their customers, but again there is no real penalty. When the breach is made public, many businesses notify their customers by email and also perhaps by letter.

The question really is what should I do if I learn of a breach at a business where I have accounts or where data is stored about me?

What To Do If a Site Has Been Breached


As in the Experian breach covered in the presentation, sites will usually provide steps to be taken after a breach. They will announce a page to be visited, hopefully within a few days of the disclosure. You should go there and follow the instructions, just as I did. The site will usually follow up with you in some way, offering anything from reassurance to free credit monitoring for a period of time. I hope they will not do what Experian did. Its actions can only be described as monetizing the potential damage from the leak they themselves allowed to happen.

1. Change Your Password. The first step, which you should always follow whether the site tells you to or not, is to change your password. If you have multiple accounts on the site, be sure you change all the passwords. Make each one long and unique to that site; a password manager makes this painless. If you reused the breached password anywhere else, change it there too, because stolen password lists are routinely tried against other sites. Passwords are the first line of defense and they should be treated seriously.
2. Change Your Security Questions. Security questions are a backup way into your account, and a breach may have exposed your answers along with your password. Pick new questions and treat the answers like passwords: they should not be facts someone could look up about you, so a made-up answer you record in your password manager is better than your real mother's maiden name.
3. Enable Two-Factor Authentication. We are all familiar with two-factor authentication even if we don't use it as often as we probably should. The idea is to require a second proof of identity, something you have, in addition to the password you know. When you sign in from a new computer, sites that have active account protection will say they don't recognize the device and require a verification code sent to another device, your mobile phone for example, or generated by an authenticator app on it. When the verification code is entered, the account becomes available. A code texted to your phone is much better than nothing, but a code from an authenticator app is stronger still, because it cannot be intercepted in transit or redirected by someone who takes over your phone number.
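The verification code in step 3 is not magic. An authenticator app and the site share a secret when you enroll, and each independently derives the same six-digit code from that secret and the current time, so only a device holding the secret can produce a valid code. The following is an added example written for this post to show that derivation; it is not code from the original post or from any particular site. The secret is the published RFC 6238 reference key (used here as constructed demo input), and the 30-second step and one-step tolerance window are common defaults, not values the post specifies.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference-vector key ("12345678901234567890").
# A real authenticator app receives its secret from the site's QR code at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # assumed step length; the value most sites use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes of the MAC
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch.
    The phone and the site compute this independently; no message carries the code."""
    return hotp(secret, int(at_time // STEP_SECONDS), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side to
    tolerate clock drift, comparing in constant time so response timing cannot leak
    how many digits of a guess were right."""
    current = int(at_time // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, current + d), submitted)
        for d in range(-window, window + 1)
        if current + d >= 0
    )


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print(f"code for this 30-second step: {code}")
    print("accepted now:", verify_totp(DEMO_SECRET, code, now))
    print("rejected two minutes later:", verify_totp(DEMO_SECRET, code, now + 120))
```

Because a code is only valid for about a minute and a half and is never reused, a thief who copies a breached password database still cannot log in without the phone, which is exactly what step 3 buys you. The reference vectors from the RFC (for example, the code at 59 seconds after the epoch is 287082) let you confirm the implementation matches what real authenticator apps compute.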

How Far Should You Go?


These steps assume breach of a site that has information about you but that does not transfer funds on the site. That is essentially the lowest level breach from the user perspective. It is not good, but it is not the same as potential access to, say, credit card information.

If the data is otherwise publicly available—name and street address, for example—potential theft is not particularly threatening. Email addresses are a little more problematic, in part because you may get increased spam, and in part because thieves use them to send convincing phishing messages that mention the very breach you just read about. Credit card information is sensitive, but credit cards have low limits for user liability, so the danger is not large. Account numbers for other financial services, banks in particular, may open the user to greater potential loss.

Most dangerous of all is the Social Security number or other national identification number. It only takes a name and SSN for a thief to begin opening accounts in the user’s name.

So take as many steps as the situation warrants. You can monitor news about the breach and the firm’s website to get current information.

You can sign up with a credit monitoring service if the situation seems to call for it. There are, however, other—free—ways to find out if there is suspicious activity fluttering around your accounts. I will concentrate on free steps if they are available and strong. If you sleep better at night by having a credit monitoring service, then by all means sign up for one.

Breaches vs. Hacks


This post has dealt with breaches, the theft of data from organizations. A breach does not necessarily mean that an individual user's own accounts or devices have been compromised. That is usually referred to as a hack. Hacks can occur as a result of breaches but also as a result of data theft from other sources, both online and offline.

I will soon deal with how to recognize hacks and the steps that should be taken in light of their more imminent threats.

Until then, stay safe!
