Data Breaches – What Do I DO?


2018-07-25 By SecureSteve

To put a spin on a children’s rhyme:

“Breaches Breaches are no fun. Breaches Breaches hurt someone.”

I’d like to add a second line:

“They happen often, I don’t think twice. But they can really mess with your life”


Doesn’t it seem like we are inundated with “Breach Alerts” and data loss, either in the news, or our Twitter feeds, or in our social and professional circles? They happen so frequently that many of us don’t give them a second thought. I’m definitely guilty of this, and I’m a cybersecurity professional. In fact, there’s evidence that many cybersecurity professionals don’t follow their own advice.

However, with a recent Malaysian breach affecting 10M records (nearly one third of their population), the US Equifax breach affecting 146M records (nearly half of the US population), and the Yahoo breach affecting 3B records (about 40% of the world!), we should stop and give some thought to what to do.

So, wait, what do I do?

I’m glad this question was asked. Let’s explore the topic.


What is a “breach”?

The important noun here is “a gap in a wall, barrier, or defense”. The applicable verb is to “make a gap in and break through (a wall, barrier, or defense)”. An attacker has found a way to view data they should not have access to. Note that not all breaches are ‘maliciously exploited’, as some are found by threat researchers or other professionals.


Some Examples of Breaches include:

  • Hacking (unauthorized intrusion into a computer or a network)
  • Credit or debit card numbers are stolen online or at a point-of-sale terminal
  • Documents or devices containing sensitive information are lost, discarded or stolen
  • Sensitive information is posted publicly on a website, mishandled or sent to the wrong party

You should also note that a data breach does not necessarily mean that you will become a victim of identity theft. If you are a victim of a data breach, you are at greater risk of identity theft, but until your information is misused, you are not considered an identity theft victim.

An identity theft victim is a person whose personal information not only has been exposed, but also has been misused.

A second important consideration is “What kind of breach is it?”

Tom’s Hardware does a good job breaking this down into Least, More, and Most Sensitive:

Least sensitive:

  • Names
  • Street addresses

Such information was pretty harmless when it was printed in the phone book. Today, a name typed into a search engine can yield data useful to online marketers and nosy neighbors, but probably not enough to cause serious trouble.

More sensitive:

  • Email addresses
  • Dates of birth
  • Payment-card account numbers. (Payment cards include debit cards, credit cards and charge cards like an American Express card.)

A stolen email address may result in increased spam; a stolen credit card will often result in fraudulent charges, but the card holder is generally protected from liability (see below). A date of birth by itself is useless, but when combined with a name, it’s more valuable than an address, because it never changes and is often used to verify identity.

Most sensitive:

  • Social Security numbers, Social Insurance Numbers (in Canada), or Government Identity Numbers
  • Online-account passwords
  • Financial-account numbers
  • Payment-card security codes (the three- or four-digit number printed on the front or back of payment cards)

An online-account password, combined with an email address, can be used to hijack online accounts. A card security code lets a thief use a stolen card number for online and telephone shopping. A bank account number lets snoops track your financial history and even move money into (but probably not out of) an account.

With your Social Security number and your name, almost anyone can pose as you.

The company that suffered the breach may tell you that even though email passwords or credit-card numbers were stolen, those items were encrypted and hence “safe.” Don’t take their word for it — hackers and cybercriminals can “crack” many forms of encryption. If your password was less than 10 characters long or used words that can be found in the dictionary, consider it stolen.

Possibly the worst piece of personal information to have stolen is your Social Security or Social Insurance number. With that and your name, almost anyone can pose as you. Unfortunately, it’s very difficult to replace an old Social Security or Social Insurance number with a new one. For more on what to do, read our primer on what to do if your Social Security number is stolen.
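The “consider it stolen” rule above (fewer than 10 characters, or built on a dictionary word) can be turned into a quick self-check. The script below is an added example written for this post; it is not code from SecureSteve or from Tom’s Hardware. The word list is a tiny constructed stand-in for the multi-million-entry dictionaries that cracking tools run through leaked hashes, and the leetspeak substitution table is an assumption about the kind of rewriting those tools undo before comparing, so a password that passes here is not proven strong, only not obviously weak.

```python
import re

# Constructed mini word list standing in for the dictionary / leaked-password
# lists used in offline cracking. A real assessment would load a full list;
# this one exists only so the example runs offline.
COMMON_WORDS = {
    "password", "welcome", "dragon", "summer", "letmein",
    "monkey", "football", "qwerty",
}

# Length threshold quoted in the post: under 10 characters, consider it stolen.
MIN_LENGTH = 10

# Assumed set of single-character substitutions that rule-based cracking
# reverses (P@ssw0rd -> password) before a dictionary comparison.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Reduce a password to the 'core' a cracking rule set would compare.

    Lower-cases, strips a leading/trailing run of digits or symbols
    (Summer2018! -> summer), then undoes leetspeak substitutions.
    """
    core = password.lower()
    core = re.sub(r"[\W\d_]+$", "", core)   # trailing "2018!", "!!", "1"
    core = re.sub(r"^[\W\d_]+", "", core)   # leading "123", "$$"
    return core.translate(LEET_MAP)


def assess(password, wordlist=COMMON_WORDS):
    """Return the reasons a breached password should be treated as already cracked.

    An empty list means none of the post's heuristics fired, nothing more.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(password)
    if core in wordlist:
        reasons.append(f"based on the dictionary word '{core}'")
    else:
        # Two dictionary words glued together (dragonmonkey) are also a
        # standard cracking rule, so flag those as well.
        for word in wordlist:
            rest = core[len(word):]
            if core.startswith(word) and rest in wordlist:
                reasons.append(
                    f"concatenation of dictionary words '{word}' + '{rest}'"
                )
                break
    return reasons


def presumed_cracked(password):
    """True if the post's rule of thumb says to treat this password as stolen."""
    return bool(assess(password))


if __name__ == "__main__":
    # Constructed sample passwords, the kind seen in breach dumps.
    for candidate in ["P@ssw0rd", "Summer2018!", "dragonmonkey", "correct horse battery staple"]:
        print(f"{candidate!r}: {assess(candidate) or 'no heuristic fired'}")
```

The practical takeaway is the same as the post's: if any reason comes back, the password should already have been changed everywhere it was reused, and even an empty result only means the cheap rules did not fire against this toy word list.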

So What Do I DO?

TIME actually summarized some good information:

If the Data Lost was your…

…Email address

Watch your inbox for messages requesting information or requesting you to click on a link. If you receive a suspicious email from a company you do business with, call the sender to verify that they did indeed send it.

…Credit card number

Call the creditor and ask for a new card with a new number. Some creditors will automatically reissue cards to affected customers in wide-scale breaches. Know, however, that because the number rather than the card itself was stolen, you are not liable for any unauthorized purchases under the Fair Credit Billing Act.

…Debit card number

Since the card was not lost, you are not liable for any unauthorized transactions if you report them within 60 days of receiving your statement. Still, you should cancel the card and change your PIN. If the bank account number was also exposed, close the account and open a new one with a new number. Consider asking for a verbal password, too, which prevents bank personnel from discussing your account with anyone unable to provide that password.

…Password

Change your password for that account immediately. If you use the same password for other accounts, change those as well. In fact, this is a GREAT time to change your password for everything!

…Social Security number

Contact one of the three major credit reporting agencies and have them place a fraud alert on your account. That agency will then be legally bound to notify the other two agencies to do the same. An alert lets lenders know to take extra care verifying personal information before issuing credit and entitles you to a complimentary credit report from each agency. Review this for suspicious activity. You should also place a credit freeze on your account, which will prevent a credit reporting company from releasing your credit report or score without your consent.

Sometimes the letters from breached companies also contain offers for free credit report monitoring provided by the company. While these programs are not generally worth paying for—since you can monitor your own credit for free—you may as well accept it if it’s being handed out. Monitoring services will alert you to some uses of your SSN quicker than you may be able to spot through your credit report, meaning you can resolve any problems quicker.


So what more can I do if my Social Security number is affected by a breach and I suspect fraud?

Considering the Equifax breach affects so many of us, Tom’s Hardware gave us more detailed information around what to do with breached SSN data.

Note that some of this may be more applicable if you suspect fraud has happened. The information above describing a credit freeze may be more appropriate, especially if you don’t expect major credit actions to take place in the near term.

First, contact one of the three major credit-reporting agencies — Equifax, TransUnion, or Experian — to place a fraud alert on your credit file.

  • To speak to Equifax, call 1-888-766-0008 or visit this Web page.
  • To contact Experian, call 1-888-397-3742 or go here.
  • For TransUnion, the phone number is 1-800-680-7289 and the link is here.

The agency you place a fraud alert with will contact the other two. Renew the fraud alert every 90 days (it’s free to do so) until you’re satisfied the matter has been settled; it could take years. Contact the Social Security Administration only to get a replacement card or replacement number (see below).

Second, tell each of the three agencies that your SSN has been stolen. They’ll give you free copies of your current credit reports. Review those reports for unfamiliar accounts and unknown inquiries from companies.

Third, report the theft of the Social Security number to the IRS at http://www.irs.gov/uac/Identity-Protection. You can also call 1-800-908-4490. That will prevent tax-fraud thieves from filing tax returns in your name — and collecting your tax refund.

Fourth, report the identity theft to the Federal Trade Commission at http://www.idtheft.gov. You can also call 1-877-IDTHEFT.

Fifth, file an identity-theft report with your local police. The police report will help clear your records and your name, and is necessary if you want to apply for a new Social Security number.

Sixth, keep track of, record, report and close all fraudulent accounts by contacting both the companies holding the accounts and the credit-reporting agencies. This will keep your credit as clean as possible. The only way to get a new SSN from the government is to prove without a doubt that someone has used the old number, and records of fraudulent accounts can provide that evidence.

And finally, report the theft of your Social Security number to the Internet Crime Complaint Center at http://www.ic3.gov/. The report will be distributed to the relevant federal, state and local authorities.

The Federal Trade Commission offers a good resource on what to do in case of identity theft at http://www.consumer.ftc.gov/features/feature-0014-identity-theft.