How Could a Data Breach Affect Me?
by Neil J. Rubenking, pcmag.com, December 13th 2013
It seems there’s a new data breach in the news every few weeks, with personal details exposed for thousands or millions of victims. Just how could such a breach affect you?
Let’s play a game. Try to make a list of all the businesses and other entities that have your personal information stored in their databases. Well, there’s your city, county, state, and federal government organizations, probably many at each level. Every credit card and bank account provider necessarily has your information, and any online merchant with whom you’ve set up an account. Don’t forget schools, discussion forums, social media… Hmm, making this list isn’t such a fun game after all.
If any one of these entities suffers a security breach, your private data could be exposed, and they do get breached. Tumblr, Google Glass, and Apple all suffered breaches just this July. More recently, the Finnish government reported a serious and long-standing breach.
Why Should I Care?
Let’s suppose your cash-strapped county government uses an antiquated system to store property tax records. No encryption; they didn’t have that when the system was installed years ago. Crooks who penetrate security and capture the county’s data now have your full contact information, SSN, and other personal details. With this information in hand, they could register a credit card in your name, or open a line of credit secured by your house.
If a merchant or bank suffers a breach, your account and credit card information could be exposed. Yes, if the crooks make fraudulent transactions using your credit card, the issuing agency won’t make you pay, but you’ll have to go through the pain of dealing with a new card number.
Possibly the worst situation would be a breach that exposes your email username and password. With this information in hand, a crook could lock you out of the account by changing the password. The next step would be to take over more of your accounts—any that use a simple email reset for “Forgot password” are vulnerable.
Of course, all of these institutions should be keeping your important data in encrypted form. Passwords in particular shouldn’t be stored at all. Rather, they should run the password through a hashing algorithm and only store the result. To verify you’ve entered the right password, the site simply hashes what you entered and compares it with what’s stored.
Hashing is like encryption, but it’s a one-way street. Even if a cyber-crook knows exactly which algorithm was used, there’s no way to go from the hashed value back to the password that it came from.
Or is there? Yes, hashing isn’t reversible, but if you guess a password, hash it, and find that it matches a stolen data record, you know you’ve discovered the password. The hackers who breached LinkedIn last year posted millions of hashed passwords on a public forum. One white-hat researcher cracked 900,000 passwords in four hours simply by hashing a huge number of potential passwords and checking the results against the exposed list.
A simple technique called salting adds a random factor to the hash algorithm that makes this kind of discovery-by-guessing impossible, but you can’t know for sure if those entrusted with your data are using this technique.
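As an added example (not part of the original article), here is how the two storage schemes compare in Python: a plain hash lets one table of hashed guesses be checked against every record in a stolen database, while a per-user random salt forces that work to be repeated for each record. The user names, guess list and PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short list of common passwords to test first.
GUESSES = ["123456", "password", "qwerty", "letmein", "football"]


def unsalted_hash(password):
    """Plain SHA-1 of the password: the weak scheme the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt, stored as 'salthex$digesthex'."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def store_password(password):
    """What a site should keep: a fresh random salt plus the salted hash."""
    return salted_hash(password, os.urandom(16))


def verify_password(password, stored):
    """Re-hash the entered password with the stored salt and compare."""
    salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def match_guesses_unsalted(stolen):
    """Hash each guess once, then look every stolen record up in that table.
    One table serves the whole database, which is why unsalted storage fails."""
    table = {unsalted_hash(g): g for g in GUESSES}
    return {user: table[h] for user, h in stolen.items() if h in table}


def hashes_needed(n_records, salted):
    """Hash computations to test all GUESSES against n_records records.
    Unsalted: one shared table. Salted: the work repeats for every record."""
    return len(GUESSES) * (n_records if salted else 1)
```

Two users who chose the same password get different stored values under the salted scheme, so a match against one record tells an attacker nothing about the others.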
Minimize Your Exposure
In a very real sense, there’s nothing you can do to protect against the fallout from a data breach that exposes your personal information. You don’t have control of the data, or the way it’s stored. Even so, you can minimize your exposure.
For starters, you need to become a personal data miser. Never enter more than the required minimum on any website. If they seem to want too much, consider whether what you’re doing on the site merits the risk. And if you stop using a particular website, delete your profile. Don’t leave your data sitting there, potentially exposed. (How long since you logged into MySpace? Right. Delete that profile now!)
If you’re the kind of person who uses and re-uses the same password, a breach that exposes that password can be catastrophic. Yes, it’s nearly impossible to remember a different strong password for every website, so get a good password manager and use it to generate and store unguessable passwords. LastPass and Dashlane both include a feature that rates your existing passwords and helps you improve them. Use it! You’ll be glad you did.
Watch for Evidence
Keep an eye on your credit scores and details; you can get a free report from each of the three major scoring agencies once a year. Don’t request them all at once; space them out equally. If a crook uses your personal data to set up a new credit account of some kind, you’ll see it in the report. Note that LastPass will notify you if your data turns up in a known breach and will also warn of changes in your credit report status. To automatically get details about credit changes, you’ll need the dollar-a-month LastPass 3.0 Premium.
Check every line of every credit card bill. It’s not uncommon for fraudsters to make a few small charges first, just to see if you’re paying attention. If you’re not, they’ll go whole-hog, ordering up all the goods and services they can, right up to your credit limit.
If, despite your best efforts, the bad guys compromise your identity, don’t panic; help is available. Visit the Federal Trade Commission’s Identity Theft page and follow the instructions there.
Data breaches happen, and big breaches make the news. Any time you see a breach reported, stop and think. Does the victim organization have any of your data? If so, take the time to read all the details and determine what, if any, action you can take.