Data breaches, the intentional or unintentional release of secure personal or confidential information into an untrusted environment, seem to be making news lately on a massive scale. We’ve not even reached the halfway mark of 2021, hackers have already hit a new mother lode, releasing 3.2 billion user credentials online (email and password combinations) as part of a massive data breach dubbed the Compilation of Many Breaches, or COMB.
Meanwhile, while the big data breaches capture the most attention, we have observed that the smaller, less-publicized breaches tracked in the BreachIQ breach database actually have the highest risk of identity theft. Whether the data breach is large or small, it is very difficult for victims to assess the level of risk and understand what they should do.
There are many forces that influence a person’s behavior around data breaches, but some of the biggest are confusion and misinformation. The following Q&A explains what a data breach is, how each one can uniquely affect your financial security, and how you can take personalized action steps to guard against the fallout.
What is a data breach?
A data breach, or data leak, is a security event in which sensitive, protected, or confidential information is exposed, transmitted, stolen, making it ripe for exploitation by hackers for personal gain. Such incidents create the ripe environment for identity theft, scams, and fraud, which add up to more than $50B per year in the U.S. alone.
Data breaches are happening more frequently than ever before, the volumes of data accumulated by organizations are growing exponentially. In the lucrative world of cybercrime, compromised data enables criminals to falsely impersonate individuals, steal money, access financial accounts, or sell Personally Identifiable Information (PII) over the Dark Web. Preventing sensitive information from being leaked to unauthorized people has become one of the more pressing security concerns for enterprises and individuals.
What are some of the primary ways that a data breach can occur?
“Black hats,” or hackers who seek to acquire data without permission, typically conduct targeted attacks in one of six ways:
- Stealing data through insider leaks. A trusted individual within a company or a person with access privileges may commit cyber theft.
- Exploiting software or hardware vulnerabilities. Out-of-date software can create porous holes that allow fraudsters to sneak “malware” (malicious software) onto a computer and exfiltrate data. Some successful credit card fraudsters have been able to install phony readers at point-of-sale terminals and controllers that capture and transmit sensitive credit card information. Restaurants and small businesses are reporting increased fraud activity in this area.
- Tricking you, or companies you work with, into releasing private data. Often working under the guise of a fake emergency, (a fraudster may use bits of previously breached data to appear more legitimate and try to entice you into giving them even more sensitive information. Examples might include a phishing email purporting to be from your bank asking you to confirm your account or Social Security number, a phony humanitarian effort collecting funds for charity, or someone impersonating law enforcement.
- Breaking into lost or stolen devices. Personal devices and items such as laptops, smartphones, office computers, portable drives or thumb drives, and physical file folders can be exploited for valuable personal data.
- Guessing at weak passwords. Hackers can guess at less secure passwords, especially if the password contains simple number sequences or whole words or phrases. (The most common password over time has been 123456.) To exploit the common consumer practice of reusing the same password at multiple sites, cybercriminals use credential stuffing, which takes a large database of stolen usernames and passwords and uses automation to attempt to “stuff” the credentials into other applications.
- Instigating malware attacks. Data thieves have become notoriously adept at using spam and phishing emails to trick recipients into downloading malware attachments or visiting compromised websites equipped with exploitative programs that automatically prey upon vulnerabilities on your computer while you are on the site.
- Capitalizing on “drive-by downloads.” Web surfers can unintentionally download a computer virus or malware by simply visiting a compromised web page. This can victimize users who may be using a browser, application, system extension, or operating system that is out-of-date or has a security flaw.
What information is typically exposed in a data breach?
Any sensitive personal information that is stored digitally is at risk. At the basic level, a name and email address are the most common types of information exposed by a data breach. Add to that dates of birth, phone numbers, email, or website passwords; SSNs (including children’s tax information), home mailing addresses and tax ID numbers; credit card/bank account numbers and PINs; health insurance, investment, or utility account information; or airline miles program accounts, and hackers can eventually amass enough combinations of PII to commit identity theft, fraud, or scams in your name.
How are companies responding to the data breach problem?
Though data breaches are an unfortunate fact of life today, there is still much that can be done to reduce risks. In light of their increasing stores of data and more government regulation, companies today are attempting to harden security measures and procedures to protect stakeholders’ personal information. That said, data breaches are still a common and serious problem.
Federal laws require businesses to take specific steps in the event of a data breach or other security incident, and most states require them to notify consumers when PII may have been compromised. But, data breach notification laws are anything but consistent, and often don’t provide victims with important or timely information to help them understand the risks.
In the event that a company experiences a data breach, there are important steps they can take to help the people who are impacted.
- BEFORE a breach ever happens, an organization should have a data breach response plan in place. This will help guide leadership through appropriate action steps during the often turbulent breach aftermath.
- Victims should be notified quickly and provided clear information about what personal information was exposed, risks created, and the recommended protective action steps.
- Breached entities should conduct an artificial intelligence-driven analysis of the data breach, using a sophisticated tool such Sontiq’s BreachIQ, that can assess the unique fraud risks created by the breach.
- Those impacted by the breach should be offered identity security services. This provides far more appropriate protection than simply advising victims to (for example) monitor their credit.
How can I prevent a data breach from making me an identity fraud victim?
Restoring the privacy of your personal information after it’s been leaked is a bit like trying to put toothpaste back into the tube.,. But, when it happens, (on average two times annually for most consumers) you can and should take steps to stop any new breach from making you a fraud victim.
There is no universal safety prescription because everyone has a unique data breach history. As part of our BreachIQ capability, we offer personalized recommendations to reduce an individual’s risk. But, here are a few fundamental precautions that benefit almost everyone.
- Use strong, secure, and unique passwords and keep them stored in a password manager
- Monitor your bank and other financial accounts regularly to identify unusual or unfamiliar charges. If your financial institution offers mobile alerts, sign up for them!
- Similarly, if your financial provider offers advanced security methods such as two-factor authentication and digital account controls, start using them now.
- Check your credit report regularly (or better yet, sign up for a credit monitoring service that will push notifications to you.)
- Delete, or hang up on, communications that “just don’t seem right.” Often, scam artists will create a fake emergency and demand an urgent response.
- Back up your computer files, either on a local external drive or in the cloud (or both).
- Secure your mobile phone with a password and a mobile security app
- Inspect website URLs to ensure they are reputable and secure before entering any sensitive PII (look for the lock symbol in your browser and double-check company spellings in the URL).
- Use an identity theft protection service and remain vigilant to stay ahead of the data breach curve
Can I prevent myself from becoming the victim of a data breach?
Nearly every organization collects and stores data digitally today, making data breaches an unfortunate fact of modern life. Though data breaches are here to stay, you can take steps to reduce your risk of fraud. The best defense is a good offense, which means being alert and diligent about monitoring your online life and being cautious about how and with whom you share your PII. If you happen to become a victim of a data breach, you should follow these 10 tips:
What are some of the biggest data breaches that have occurred? What about data breaches that have occurred so far in 2021?
Data breaches continue to expose consumers’ PII at an alarming rate, putting close to the entire U.S. population at risk of identity theft and fraud. Here is a short list of some of the most significant breaches over the past decade:
- Target | 2013, 110 million Target customers’ credit and debit card data were stolen, limited to a few days following the retailer’s Black Friday sales
- Equifax | 2017, 143 million consumer records of SSNs, driver’s license numbers, and other data)
- Marriott International | 2018, 328 million records of reservations were breached from the chain’s central database covering Sheraton, Westin, and St. Regis and other eight other hotel brands)
- Capital One | 2019, 100 million Capital One customers’ accounts and credit card applications when a previous employee of the tech company that hosted the data in cloud-based servers gained access by exploiting a misconfigured web application firewall, according to court filings.
- Facebook | 2020, 82 million Facebook user profiles were “scraped,” or extracted, by Chinese social media platform startup SocialArks)
IdentityForce maintains and continuously updates a list of data breaches, going back to 2014, in our latest 2021 Data Breaches | The Worst so Far blog. In this post, you can also learn about the most recent 2021 data exploits, including Parler, Instagram, Pixlr, U.S. Cellular, California Dept. of Motor Vehicles (DMV), and Experian
In addition to data protection tips discussed earlier in this blog, obtaining identity security services may be in your best interest. The unfortunate reality is that anyone can become a victim of fraud. The good news is that identity theft protection works on your behalf 24/7, and in the worst-case scenario, pairs you with expert resolution support to guide you through the remediation process.