It feels like every time we turn around, there’s another data breach report on the news—and there’s no rhyme or reason to these breaches, either. Some organizations are giant, like Yahoo and the Internal Revenue Service (IRS), while others are local hospitals, schools, and nonprofits. The causes can even vary greatly—some companies suffer data breaches because they are directly targeted by cyber attackers, while others have to admit to the public that their systems were breached due to their own incompetence.
Like most people, you likely don’t want your personal information to be compromised in a data breach. But why? What happens to that stolen data once it falls into someone else’s hands?
The Federal Trade Commission (FTC) wondered the same thing and decided to track the use of stolen consumer data. The organization posted its findings in a recent report—and their discoveries provide fascinating insights into what happens when consumer credentials are made public.
Tracking the Use of Stolen Consumer Data
The researchers created approximately 100 fake consumer profiles with passwords, and each contained a false name, address from a national database, a phone number and email set up for the study, and a form of payment (either online payment account, a bitcoin wallet, or credit card). They wanted their phony database to look legitimate—like it could have come from any random small business.
When criminals get their hands on databases filled with consumer information, they will sometimes post all or some of the information on the dark web. The FTC chose a website they knew hackers often used and posted their counterfeit database for the first time on April 27, and again on May 4 (in a different format, at a different time of day); on May 10, they ended their data collection and analyzed the results.
How long do you think it took for other cyber criminals to jump on the stolen data and log their first unauthorized access attempt? For the first post, it took 1.5 hours—the second post, however, logged an illegal attempt within nine minutes.
In the first week, there were 119 unauthorized access attempts; that number jumped to 1,108 in the second week. They tried to break into email accounts, payment accounts and made credit card purchases.
Helping to Protecting Yourself from Identity Theft
The FTC’s main conclusion from this study? “If you post it, they will use it,” they wrote in their report. This means that if your personal information is stolen in a data breach and posted online, your credit card could see fraudulent charges within minutes. So, what can you do to help decrease your risks?
- Monitor your accounts daily. Consider setting up alerts for suspicious transactions with your banks and credit cards, so that if something looks fishy, you’ll receive notification right away. In addition, you may want to consider automating this process by signing up for an identity theft monitoring service.
- Be proactive rather than reactive. Instead of telling yourself “I’ll worry about protecting myself if my information gets stolen,” take steps now to seal up what you can. For example, change all of your account passwords and choose complex combinations of letters and numbers. You could also place a free fraud alert on your file with the three credit reporting agencies so that lenders must verify your identity before issuing credit.
- Be selective about who you give information to. There are going to be situations where you need to provide personal information, but there are others where giving up your sensitive data may not be that important. Instead of just trying to fill out paperwork as quickly as possible, take a few extra moments to pause and ask yourself if the organization actually needs everything you’re giving them (you’ll be amazed by how many people ask for your social security number when it’s not necessary at all).
Remember—identity thieves act quickly. It’s impossible to prevent identity theft altogether, but by taking preventative measures, you’ll have a much better chance of keeping your personal information just that—personal.