We outline a data breach check process to follow upon a data breach event and, more importantly, the preventive actions to take now so that a future breach does as little damage as possible.
What is a data breach?
Per Wikipedia, which in turn credits the US Department of Health and Human Services, "A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so." The actors causing or exploiting a breach could be criminals using sensitive data for illegal financial gain such as identity theft (e.g., opening new accounts in your name, taking out loans in your name, or illegally accessing your accounts), criminals using ransomware to extort money, spies stealing intellectual property or trade secrets, or hackers motivated by personal reasons. The methods vary: breaches can be caused by hacking, poor security, leaked data, an inside job, espionage, accidental publication, or stolen media.
Hardly a week goes by without some kind of data breach showing up in headlines. In the past couple of weeks, for example, we saw the following headline:
Blackbaud breach hits nine more universities (plus some non-profit organizations they serve)
A partial list of known data breaches has been compiled on Wikipedia, but the actual list is probably much larger, as some entities may not have disclosed their data breaches.
On a more personal level, a data breach can result in the exposure of your personal data such as your name, address, telephone number, or email address, or, worse yet, your social security number (or other national ID number), login credentials (user name and password), date of birth, account numbers, or credit card data.
Reactive actions to take upon a data breach
When you hear of a data breach, first determine whether you were affected. For example, if the company whose data was breached is one whose online services you have used, it is more urgent to find out more. Next, find out what categories of data were breached, and take the corresponding action as follows:
Name, address, and telephone: if this is all that was leaked, the risk is relatively low, as that data by itself does not enable much damage and is often already publicly available. Be aware, though, that it can make phishing messages aimed at you more convincing.
Email address: This is a somewhat more serious breach, particularly in combination with other personally identifying data. Not only is your privacy affected (expect more spam), but because email addresses are often used as your user ID for logging into sites, an attacker who also guesses or cracks a weak password gains access to your accounts. To check whether your email address was leaked as part of a data breach, check HaveIBeenPwned.com. If it was leaked, then a) immediately change your email password as well as the password on the breached site to a strong password, employing password management best practices; if the same password was used on other sites, change each one to a unique password, preferably using a password manager; b) on sites where your user ID is your email address, change it if the site allows a different user name; c) if you suspect more severe damage, get a new email address and change it at least on sensitive sites. Some people practice "compartmentalization": one email address for personal communication, another for sensitive sites such as financial or healthcare sites, another for e-commerce, yet another for subscriptions, etc. To manage a single inbox, you can forward messages from one address to another or use the "email aliases" that some secure email services provide.
Credit/debit card numbers: This is serious. If leaked, notify your financial institution immediately and follow up in writing; they will cancel the card and issue a new card number. Watch for any suspicious charges, and if they are not yours, notify your financial institution.
Date of birth and social security number (or the equivalent national ID number outside the US): These are among the most serious items to be leaked, as together with your name and address they may enable identity theft: opening a credit card account, filing a tax return in your name with the goal of redirecting the refund, or taking out a loan in your name. If you suspect identity theft, notify the credit reporting agencies (in the US, Experian, Equifax, and TransUnion; in other countries your respective credit reporting agencies) and place a "freeze" on your credit file (see further details below). Also notify the tax authorities. For a checklist of actions if you were actually a victim of identity theft, see this US government site. The site also includes template letters to send to the financial institutions that issued the fraudulently established accounts.
Passwords: If you suspect your password(s) were compromised, change them to a strong password and take this opportunity to use a password manager, if you have not done so already (see further below).
Other private data: other private data items that could be breached include passport numbers, account numbers, healthcare data, and more. In each case, notify the issuing entity in writing and, where possible, get a replacement.
Other actions: Responsible companies will offer some assistance after a data breach. If so, then take them up on it. They may provide information on what data was breached, they may offer a package of identity theft and credit monitoring services at their cost for a period of time, or they may provide a hotline for questions and help.
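The email-address and password items above both point at HaveIBeenPwned.com. Besides the email search mentioned there, the same service offers a "Pwned Passwords" range lookup that lets you test a password against its breach corpus without ever sending the password, or even its full hash, to the service: you send only the first five hex characters of the password's SHA-1 and compare the returned suffixes locally. The following is an added example illustrating that mechanism; it is not code from the original post or from HaveIBeenPwned. The endpoint URL is stated as an assumption and is never contacted here: the range response is a constructed sample embedded in the code, with a made-up count, so the example runs offline.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Assumed live endpoint (not called by this example):
#   GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# The body is one "SUFFIX:COUNT" line per hash that shares the prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is ever sent; the 35-character suffix stays
    on the client and is compared against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response body into {suffix: breach_count}.

    Tolerates CRLF line endings and skips blank or malformed lines rather
    than failing on them.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:
            continue
        try:
            counts[suffix] = int(count.strip())
        except ValueError:
            continue
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).

    `fetch_range(prefix)` returns the response body for that prefix; in
    production it would perform the HTTP GET against PWNED_RANGE_URL.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1 of the
# string "password"). The neighbouring suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2B0C6D3A9E8F7B5C4A3D2E1F0A9B8C7D6\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "\r\n"
        "2A7F1E9D8C6B5A4F3E2D1C0B9A8F7E6D5C4:12\r\n"
        "BADLINE:notanumber\r\n"
    ),
}


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP call: returns the constructed sample."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase 8f3k"):
        n = pwned_count(candidate, fake_fetch)
        verdict = f"seen {n} times, change it" if n else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

Two points worth noting: the lookup never discloses the password or its full hash to the service (the prefix matches roughly one in a million of all possible hashes, so it identifies nothing by itself), and a count of zero means only that the password is not in that corpus, not that it is strong.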
Data breach check: defensive actions to take now without waiting for a data breach
Passwords: Review your site passwords and change each to a strong one, unique to that site, employing password management best practices. In addition, use a password manager. Finally, for sites that offer it, enable "two-factor authentication," which requires a separate identifying factor to access your account beyond your user name and password.
User name, not email address: Where sites allow an arbitrary user name, switch to something unique rather than using your email address.
Email address: periodically check HaveIBeenPwned.com to see whether your email address was leaked as part of a breach; if so, see the checklist in the section above.
Credit/debit card statements: Review these regularly, and notify your financial institution immediately if you see suspicious charges.
Credit reporting agencies: These are agencies, such as Experian, Equifax, and TransUnion in the US, and others in other jurisdictions, that collect data and report creditworthiness to those you apply to for credit, a loan, or a rental. We recommend a) placing a "freeze" on your credit file. That means that before anyone can check your credit report, you must first temporarily "unfreeze" the file with a PIN or password assigned to you by the credit reporting agency; there is a slight inconvenience when you apply for a loan yourself (unfreeze beforehand and refreeze afterward), but it prevents others from opening accounts in your name. b) periodically checking your credit report to make sure nobody has stolen your identity (i.e., there are no accounts listed that you did not open and no defaults on bills or loan repayments that are not yours). In the US, you can read about getting a truly free credit report annually from each of the credit reporting agencies at AnnualCreditReport.com.
Communicating sensitive data: never send sensitive data via regular email or text messaging. That would include your social security number in the US (or equivalent national ID elsewhere), your credit card numbers, your account numbers, etc. Unencrypted email or messaging is not secure. Instead, use secure email services or encrypted instant messaging, or communicate it on the phone.
Minimize the data you keep on web sites: Give web sites the minimum information you need to in order to fulfill a transaction, avoiding storing sensitive data in your “profile” that could potentially be breached. For example, don’t store your passport number in your permanent profile of your airline account. Enter it for each international flight instead. Where possible, do not store the credit card number with an e-commerce site, but rather re-enter it with each purchase. It is slightly less convenient, but there is a principle that the less private data in the cloud, the less there is to steal or misuse.
Beware of "phishing": Phishing emails, text messages, or phone calls are attempts to trick you into providing personal information or installing some kind of malware. For example, a serious-sounding message with a legitimate-looking logo asks you to confirm your social security number. Do not reply to these attempts, and do not click links in them. If you think the message may be genuine, contact the site or phone the entity directly using a URL or phone number that you look up yourself, not the one in the suspicious message.
Do you need an identity theft monitoring and protection service? There are services, such as Norton’s LifeLock, IdentityGuard, PrivacyGuard, and others, that monitor (with your consent) every account you register and alert you to designated transactions based on your settings, and moreover monitor your credit reporting accounts to check for new accounts being opened in your name, and other monitoring services. Some provide an insurance package to assist you in restoring your online identity in case of identity theft. Our view on these services is mixed: on the one hand, they offer peace of mind and some added convenience; on the other hand, if you check your account statements regularly, freeze your credit reporting accounts, check your credit reports periodically, and follow the other guidelines in this post, you can save the premium on these packages, which range typically from $100 to over $200 annually.
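The phishing advice above comes down to "the link text is not the link." Before clicking, hover over (or long-press) a link and compare the address it really points to with the domain the message claims to be. The following is an added example, not part of the original post, of the checks a person can do by eye and a mail filter can do automatically: it compares the registrable domain shown in the link text with the one in the actual address, and flags the common tricks of a user-info part before "@" (https://paypal.com@evil.example is a link to evil.example), a brand name used as a subdomain of an attacker's domain, and links to bare IP addresses. The domains used are reserved example names; the two-label "registrable domain" rule is a stated simplification, since a real filter consults the Public Suffix List.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'www.paypal.com' -> 'paypal.com'.

    Simplification: a real implementation uses the Public Suffix List so that
    'shop.example.co.uk' maps to 'example.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(display_text: str, href: str) -> list[str]:
    """Return a list of reasons a link looks like phishing (empty = no finding).

    display_text is what the reader sees; href is where the link really goes.
    """
    warnings: list[str] = []
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["link address could not be parsed"]

    if parts.scheme.lower() not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")

    # "https://paypal.com@evil.example/" - everything before '@' is user-info
    # and is ignored by the browser; the real host is evil.example.
    if "@" in parts.netloc:
        warnings.append("user-info before '@' hides the real host")

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host in link address")
        return warnings

    try:
        ipaddress.ip_address(host)
        warnings.append("link points at a bare IP address")
        return warnings
    except ValueError:
        pass  # a normal host name, keep checking

    # If the visible text names a domain, it must agree with the real host.
    shown = display_text.strip().lower()
    shown_host = urlsplit(shown if "://" in shown else "https://" + shown).hostname or ""
    if "." in shown_host:
        shown_dom = registrable_domain(shown_host)
        real_dom = registrable_domain(host)
        if shown_dom != real_dom:
            warnings.append(f"text shows {shown_host} but link goes to {host}")
            # "paypal.com.evil.example": the brand appears as a subdomain.
            if host.startswith(shown_dom + "."):
                warnings.append(f"{shown_dom} is only a subdomain of {real_dom}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links: (what the reader sees, where it really goes).
    samples = [
        ("paypal.com", "https://www.paypal.com/signin"),
        ("paypal.com", "https://paypal.com.evil.example/login"),
        ("paypal.com", "https://paypal.com@evil.example/"),
        ("Your bank", "http://203.0.113.5/login"),
        ("Click here", "https://example.com/"),
    ]
    for text, url in samples:
        findings = link_warnings(text, url) or ["no finding"]
        print(f"{text!r} -> {url}\n    " + "\n    ".join(findings))
```

The same rule applies when you do it by hand: what matters is the registrable domain of the real address, read from the right (evil.example), not whichever familiar name appears somewhere earlier in it.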
Act quickly when a data breach check reveals that your personal data has been leaked. Equally importantly, inoculate yourself now with the preventive actions above to minimize the damage if your private data is ever breached.