How do data breaches occur and how do I go about handling one?
With the dawn of online communication rising to prominence in the last 20 years, personal data is being shared via the internet more than ever before. This personal data can include everything from social media usernames and passwords to more important information such as social security numbers and bank account details. With this influx of personal information being shared online every day, data breaches are an unfortunate but inevitable reality. A data breach is defined as the theft of information from a data source that exposes some form of confidential or protected information. Data breaches can occur in a number of different ways.
The first way is in the case of an accident or error on the part of an employee who is in charge with maintaining the privacy of personal information as a part of their job functions. For example, an employee who misplaces a thumb drive or sends an email containing personal information to the wrong recipient. Conversely, data breaches can also be deliberate actions taken by hackers or criminals looking to pillage personal information for the purposes of identity theft or other forms of illicit or illegal activity. Cyberthieves can employ a variety of means to steal the personal information of consumers. One of the primary means that can be used to steal personal information online is through crimeware.
Crimeware is a form of malware or malicious software and can take on any of the following forms.
- Ransomware – this form of malware effectively holds a users computer files hostage until the victim of the attack pays a ransom, although even this does not always guarantee the return of said files.
- SQL Injection – In this type of attack, an online hacker starts by entering an arbitrary code into an online user webform. If the online form is not properly handled and directed when passed through the backend of the website, it can go on to corrupt said website.
- Phishing attempts – Phishing is a form of online social engineering attack in which a cyberthief poses as a trusted or legitimate source and contacts the victim through means such as emails or an online chat feature. The goal of these attacks is to trick the victim into giving them access to their personal information or having them download a malware program that will automatically gather their personal information.
In addition to forms of crimeware, cyberthieves can also steal the personal information of everyday consumers in these alternative methods:
- Web application attacks – Consumers will often have to share some form of personal information when signing up for web applications. When a cyberthief attacks a website, they will be able to access this personal information, ranging from names to addresses and phone numbers.
- Payment card skimmers – Criminals can place card skimmers on credit card readers located in public spaces such as ATM machines or gas stations. As these card skimmers can be very difficult to notice, consumers will be giving away their personal information without being aware of it.
- Cyber-espionage – This is another form of malicious email that is often linked to state-affiliated actors. The goal of these attacks is to pierce an online system and steal information over time as opposed to all at once in the initial attack.
- Point-of-sale-intrusions – Cyberthieves can also attack point-of-sale terminals and controllers and steal the financial details of a consumer directly. This form of attack is growing increasingly common amongst restaurants and other small businesses.
- Compromised accounts – Similar to phishing attacks, cyberthieves can also steal the email account information of a company CEO or other high ranking official within a business or corporation and obtain the personal information of employees under the guise of standard business operations or functions.
What can cyberthieves and criminals do with the information they steal online?
Once a cyberthief has gained access to the personal information of an online consumer, they can go about leveraging it in a number of ways. This can include:
- Open and use credit cards under the consumers name.
- Steal and use the credit cards rewards of a consumer, such as cash back options or airline miles.
- Withdraw money from the consumers bank, investment, or mobile pay accounts.
- File a tax return under the consumers name and then collect said tax return money.
- Get medical treatment using the credentials of the consumer.
- Apply for government benefits using the credentials of the consumer.
- Open a utility or telecom account using the consumers personal information.
- Various other forms of identity fraud.
A final way that cyberthieves can go about leveraging the stolen information of consumers is to sell their documents on the dark web. Due to the inherent dangerous nature of the black markets such as the dark web, this can prove particularly disastrous to consumers. To give an example of the kinds of prices that certain forms of personal information can fetch on the dark web, social security numbers can be sold for as little as $1, while credit card numbers and U.S. passports can sell for $110 and $200 respectively.
How can consumers protect themselves from data breaches and cyber attacks?
While consumers are always advised to keep their personal information safe at all times, the reality of our current society can make this task extremely difficult. From social media websites to point of sale transactions for everyday items, consumers exchange some form of personal information nearly everyday. While the websites, platforms, and businesses who collect and use this information are also obligated to protect it, this does not always happen. As such, the following steps can be taken to reduce the chances of falling victim to a data breach or cyber attack:
- Shred documents before discarding them.
- Use secure websites whenever possible.
- Only give out your social security number when it is absolutely necessary.
- Create strong and secure passwords by using a combination of upper and lower case letters, special characters, uncommon phrases, or non-sequential numbers.
- Use a unique password for all accounts. This will greatly help reduce the damage that can result from having a password leaked in a data breach.
- Ensure that you are using the most updated version of operating systems and web or mobile applications at all times.
- Frequently monitor all online transactions and monthly statements to ensure that their are no inconsistencies.
- Regularly check your credit report to ensure that a cyberthief has not taken out a line of credit in your name.
What can consumers do once their personal information has been exposed in a data breach?
While all of the above steps will undoubtedly help consumers avoid having their personal information leaked in data breaches, these breaches are inevitable due to the unregulated nature of the internet. While a data breach will often cause immediate damage to a consumer, there are a variety of steps that can be taken to mitigate or minimize this damage. These steps include:
- Find out exactly what data was compromised or stolen – U.S. businesses and companies are required to inform consumers when their data has been compromised or breached. After receiving such notifications, you can try to pinpoint which specific accounts have been compromised and take up any assistance that the company involved in the breach may offer, such as free credit monitoring.
- Contact your financial institution – Whether it’s an investment account or credit card, contacting your financial institution after learning about your involvement in a data breach can go a long way in securing the money contained within such accounts. From changing your credit card number to cancelling or disputing fraudulent transactions, there are a variety of ways that your financial institution can help you combat a data breach
- Change and strengthen all passwords on your online accounts – As mentioned previously in this article, keeping the same password for multiple accounts will greatly increase the damage that will be done if this password is compromised. To avoid this, you can use a password manager to ensure that you are both using different passwords for all accounts and have a centralized location to access all of these passwords.
- Look for suspicious activity and other inconsistencies – Monitoring your account can also go a long in way combating a data breach, such as a bank account withdrawals that you did not authorize or new accounts that may appear on your credit report.
Data breaches can prove to be a very stressful experience for consumers. As we have placed an increasing level of trust in online technology over the past 20 years, many online hackers and cyberthieves have developed new ways to take advantage of this trust. Just like the pirates and robbers of the past have preyed upon the weak throughout history, cyber attacks have taken up this same approach in an online context due to the unregulated nature of the internet. As such, it is imperative that consumers take preventative measures and steps to avoid having their information leaked in a data breach. Nevertheless, there are still avenues of recourse should a consumer have their information compromised.