Data breaches have never been a more significant threat. Do you know what to do if your information has been compromised?
Quick Overview of What We'll Cover
What’s a Data Breach?
A data breach refers to any event in which company or consumer information is exposed. As more and more information is being stored digitally, the risk of data security breaches is rising. If your information is compromised in such a breach, there could be significant consequences, including identity theft and account takeover fraud.
Over the past few years, data breaches have become more common – and more effective. According to Information is Beautiful, the biggest data breach back in 2007 was TJ Maxx. This breach compromised 45 million customer records. There wouldn’t be another breach of this size until the 2009 breaches of Heartland and the US Military, and then again until the 2011 Sony PSN breach.
Fast forward to 2016, and you’ll see a massive increase in data breaches, many of which compromise hundreds of millions of consumer records each. Affected companies include big names such as LinkedIn, Marriott International, Twitter, Microsoft, Facebook, Capital One, Yahoo, and so many more. This trend has continued well into 2020, and there’s no reason to think that it will stop anytime soon.
So let’s take a closer look at the lifecycle of a data breach, from the security vulnerabilities that make them possible to the aftermath that can cost victims so much.
What Causes Data Breaches?
While the term data breach brings to mind pictures of hackers breaking into company databases, breaches aren’t always the result of nefarious activity. Sometimes, they’re caused by simple mistakes or undetected vulnerabilities.
Among the most common causes of data security breaches experts list:
- Human error: According to CompTIA, human error could account for up to 52% of data breaches. This could include employees accidentally emailing company information to the wrong email address, falling for phishing scams, sharing a password or account, using weak passwords, and plenty more. Company-wide cybersecurity training could help curb these common mistakes.
- Back doors: In terms of cybersecurity, a “backdoor” refers to a security vulnerability in a program that lets a bad actor bypass regular security measures to access sensitive data. Hackers look for these loopholes so they can break into company networks and steal data without being discovered.
- Social engineering: Some hackers use social engineering to have employees of a company inadvertently open up a backdoor for them. Sometimes these attacks are sophisticated, emulating an email from an employee’s superior. Other times, they’re pretty easy to spot – such as poorly written emails offering money or sending strange attachments.
- Insider threats: In some cases, an employee or contractor may have been assigned a high level of digital permission so they can access sensitive company data. A data breach could come from a rogue employee duplicating, stealing, or leaking this information.
- Targeted hacking: Of course, data security breaches are also caused by bad actors who want to break through company securities to steal valuable customer data. Read on to find out how hackers accomplish this.
How Do Data Breaches Happen?
There is no shortage of ways that sensitive data can be leaked to the public. While sometimes this occurs by accident, hackers can also steal this data using more direct means. Here are some of the most common methods they use to conduct data breaches:
- Phishing: This method involves hackers pretending to be real employees or clients, gaining trust of workers to attain confidential information that may aid in a data breach, gaining advanced permissions, opening a backdoor, or even getting the data itself.
- SQL injection: Structured Query Language (SQL) is a programming language that is used to manage data in databases. SQL injection is the act of planting malicious code into a program and fooling the system to execute it. This is often done in the login or search fields of websites or web apps. If the code executes, it can begin stealing data from the database.
- Malware: Hackers can identify weak spots in your operating systems, hardware, or servers and then attempt to plant malware in a spot where no one can find it. Malware programs could then begin siphoning out private data undetected. Spyware is a particularly troublesome form of malware that can infect a computer and regularly report confidential information about computer activity to the hacker.
- Keylogging: If hackers can load malicious keylogging software onto employee computers, they can track all of the characters that are typed on that device. From this information, they can discover company passwords and access sensitive data.
- Broken access controls: Websites often store information in private backend folders of the website. These folders should be private so they cannot be accessed by the public, but if a developer misconfigures the access controls, these folders or their subfolder may be accessible to hackers.
What are The Risks of Being Compromised in a Data Breach?
The consequences of your information being compromised in a data breach can vary from insignificant to severe. Sometimes, leaked information is encrypted, so it’s still fairly secure. Other times, only “hashes” of credentials are released, so hackers can only see how many characters a password is. As long as you’ve used strong passwords and two-factor authentication, you’ll probably be able to secure your affected accounts before hackers can access them.
However, it’s not always that easy. Sometimes, highly sensitive information like Social Security numbers, debit card numbers, passwords, and more are directly exposed. Worse yet, the company may not know that there was a data breach for weeks, months, or longer. That means bad actors have a lot of time to abuse your compromised information – before you have a chance to protect yourself.
Some common consequences of exposed information include:
- Stealing your identity – 65% of data breaches result in identity theft.
Synthetic Identity Theft: Exploring the Fastest-Growing Type of ID Theft
Child Identity Theft: All There Is to Know to Protect Your Children
Senior Scams: The Rise of Identity Theft Among the Elderly
- Selling your personally identifiable information (PII) on the dark web.
- Opening up lines of credit in your name with stolen SSNs.
See also: How Do I Find Out if Someone is Using My Social Security Number?
- Filing fraudulent tax returns with the IRS.
- Committing medical identity theft.
- Stealing money from your bank accounts.
What to Do After a Data Breach
If you’ve received a notice that your information was exposed in a data breach, you should immediately begin securing your accounts and services. Here are some of the most important steps that you can take to deal with the aftermath of a data breach and avoid further issues:
- Find out what data was compromised: The first step is to figure out what was stolen. Read the data breach notice that you received for information regarding compromised data. The Federal Trade Commission (FTC) has a great guide that will walk you through what steps you should take based on what type of information was exposed.
- Change your passwords: To play it safe, update the login credentials for any accounts that were compromised. As an added layer of security, you may want to update the credentials of your sensitive accounts, such as passwords to bank accounts or password managers. Make sure you’re using complex, randomized passwords. (For more information on creating strong passwords, see our guide!)
- Lockdown compromised bank accounts or cards: Contact your financial institution to see what your options are. If card information was breached, you should cancel the affected card and have a new one sent to you. If fraudulent charges are already appearing on your account, talk to your financial institution to dispute them and get help.
- Opt out of people-search sites: If a data breach puts your name and information out there, expect some attention from bad actors. They may begin searching for more information on you to crack more of your passwords or answer security questions, such as your hometown, your birthday, and more. A lot of this information can be found on hundreds of people-search sites. Opting-out of these sites manually is tedious (but you can use our guide to help), so we made OneRep. Our privacy protection tool removes your information from about 100 people-search sites – automatically.
- Monitor your accounts: Breached data might not be used immediately – it may remain dormant until it’s found or bought by a bad actor. Because of this, it’s important to monitor your accounts for suspicious behavior long after the data breach is “over.”
How to Avoid Data Breaches
While you can’t exactly check to see if services you use have security vulnerabilities that may lead to a data breach, you can make sure that you don’t give them too much data. This will ensure that, even if a breach does occur, the damage will be minimized. Here are a few of the most effective ways that you can do this:
- Research the company: While it’s not feasible to do cybersecurity research on every website and business that you make an account for, it’s a good idea to check company data breach histories if you need to provide high-stakes information. Before you cough up SSN or payment information, use a search engine and enter inquiries similar to “data breach [business name].”
- Minimize service privileges: It’s in a service’s best interest to get as much information about you as possible – they want your email for newsletters, your address for promotional mail, your phone number for service updates, and the list goes on. Services may ask for this information by requesting privileges, such as asking if they can receive data from your Google account or even connect to your bank account (as opposed to a debit card). If the services don’t need these high-level privileges to operate, don’t approve them. This will make sure that data breaches won’t give up important financial or personal information that the service didn’t need in the first place. In the cybersecurity world, they call this the principle of least privilege (PoIP).
- Minimize your digital footprint: Try not to share too much information on social networks. Anyone can find the information that you share publicly, including people-search site operators. They’ll collect your personal information to build out your profile, and then sell it to anyone willing to pay. The consequences of this could be as minor as getting more promotional material or as severe as becoming the target of identity theft, doxxing, or more. Because people-search sites update their databases regularly, it’s important to monitor re-appearance of your information on sites like Spokeo, Whitepages, Mylife, and others. This could be done manually, if you have some time on your hands. Otherwise, you can try OneRep’s automatic profile monitoring and removal solution that will take the burden off your shoulders.
Check if people-search sites expose your info
OneRep’s algorithm scans 104 data broker sites
for your profiles, then makes sure your private information is removed
FAQ About Data Breaches
Should I report a data breach?
If a consumer learns about a data breach through a company notice, then it has already been reported. If you’ve had your information exposed and need to report signs of fraud, identity theft, or other crimes, then you can file a report with the FTC.
What is data breach insurance?
Despite what it sounds like, data breach insurance is mostly a service for organizations rather than consumers. This relatively new form of insurance essentially covers costs related to a data breach or tries to protect organizations from liability. The best data breach insurance for consumers is maintaining cybersecurity best practices and minimizing the amount of information you give companies.
Can I get compensation for a data breach?
Typically breached companies provide a relief package for affected customers. This often involves an annual free membership with an identity theft or other cybersecurity service. However, paying affected customers directly isn’t likely. Monetary compensation is often the result of a successful lawsuit.
How much can a company be fined for a data breach?
Fines related to data breaches will vary depending on the severity of the breach and the size of the company. Further expenses to breached companies often come in the form of lawsuits.
Can you sue for a data breach?
Yes, suing is an option for a data breach. Of course, filing a lawsuit against an anonymous hacker isn’t an option. That’s why most data-breach related lawsuits involve holding the breached company responsible for not protecting information. This gives consumers a chance to gain compensation for the damages that resulted from the breach.
Even as security programs are becoming more sophisticated and widely used, data breaches are dramatically increasing. While you can’t control how responsibly companies secure your data, you can determine what data is safe to give them and secure your important accounts with strong passwords and two-factor authentication. If you always follow cybersecurity best practices, you can minimize damages and rest easier knowing that your information is safe.