Information security / What do you do after a data breach?
What do you do after a data breach?
5 August 2019
Security experts say data breaches will continue to happen as cyber criminals and state-backed hackers target the protected information held by companies and government agencies.
Such attacks leave consumers vulnerable to fraud and identity theft. Here are some steps you can take to assess the severity of the breach and better secure yourself:
What was compromised?
Breaches often cover a wide range of data. Information which is already publicly available, such as your name or email address, is seen as less of a concern.
Other details, however, can be extremely sensitive and need to remain private. For example, full credit card numbers, which could be used to make fraudulent purchases in your name, or passwords for your online accounts.
Even if stolen, the data may still be protected by encryption. Hacks by foreign governments are also usually seen as less dangerous for general consumers compared to data thefts by financially-motivated criminal gangs because most spy agencies do not sell or trade such information.
Much of the information stolen from Capital One was already public, including names and addresses of over 100 million people in the United States and Canada. But the breach also included 140,000 Social Security numbers which could be used to steal people's identities.
To assess the severity of the breach, try and determine what information was compromised and in what format it was stolen.
Am I affected?
Try to establish if your data is likely to have been compromised in the breach. Are you a customer of the affected company? Do you know what data they hold on you? Does the breach only concern data collected in a specific time period?
Answering those questions will allow you to judge the level of risk, but remember some organisations may hold your data without you being aware. Those include credit-reporting companies such as Equifax Inc <EFX.N>, which suffered a breach in 2017 that affected 147 million people.
Breached companies are usually obliged to notify the people who are impacted, but this does not always happen immediately. Affected companies will typically post guidance for consumers on their own websites about data breaches.
Under the European Union's General Data Protection Regulation (GDPR), companies have to inform victims of severe data breaches "without undue delay." They must then describe in "clear and plain language" the nature of the breach, the likely consequences and what measures being taken to deal with it.
Is this a scam?
If you think your data was compromised, be on high alert for scams and fraud.
Watch your bank account balances and payment card statements carefully, especially if you believe your financial information has been compromised. If you spot any unusual activity, contact your bank or card provider immediately and inform the appropriate law enforcement agency.
Be aware of so-called "phishing" websites purporting to offer information about the breach, or even compensation, but actually set up by criminals to try and trick you into revealing more personal details or making a payment to the wrong account.
Fraudsters may also contact you directly, by phone or email, and could now be armed with large amounts of detailed personal information which will make them harder to spot. If you're unsure about someone's identity, find the affected company's contact information and contact them independently.
Experts recommend changing passwords frequently and using a combination of letters, characters and symbols to maintain a complex passphrase that is less likely to be guessed.
Source: Reuters, UK Business, 31 July
Reporting: Jack Stubbs and Christopher Bing