Security Tips Weekly

– [Instructor] Leaks of personal information can happen to anyone, and for most of us, it’s beyond our control. Leaks take many forms, but by far the most common is the kind where an organization that stores your personal information is compromised. Wide-scale compromises of personal information happen almost constantly. We usually only hear about the big ones, where millions of people’s sensitive information is accessed without authorization, but you don’t have to be part of a huge, newsworthy data breach in order to be affected. All kinds of organizations store all kinds of information about all kinds of people, from credit rating agencies and banks that store some of your most personal information to social networks, where people voluntarily upload information, all the way to interest communities and online retailers and political organizations. While we hope that all of these organizations use best practices and secure data the right way, not all of them do, and vulnerable information is bound to leak. So what do you do if, or more likely, when your personal information is involved in a data breach? The first step is to try to understand as much as you can about what information was compromised. And then the next step is to determine what action you need to take based on the information that was leaked. Usually, when an organization alerts people that their information was accessed by some unauthorized person, they’ll provide a list of the pieces of information that were accessed. This could include your name, email address, phone number, password used on the site, payment information, and all kinds of other content. Information stolen from organizations is usually stored in databases, which are traded and sold online. The uses of this information can vary. Sometimes, information is used to try to open financial accounts or to transfer money out of the accounts of people whose information was stolen. Sometimes, the information is used for other kinds of fraud.
And commonly, the information is used to try to gain access to other online accounts. So if your information on one site is compromised, you’ll need to take a look at what pieces of information you need to be concerned about and make plans to act accordingly. One of the most important pieces of information to act on is your password. It’s a best practice for sites to store passwords, or rather, password hashes in a secure way. But that doesn’t always happen, and it’s very common for passwords and their associated user names or email addresses to be leaked by the thousands. Many people reuse passwords across many sites because it’s easier than remembering different passwords for different sites, but this means that if your password for one site is compromised, the same combination of email address or username and password might work on other sites, too. And if those sites are important, like your bank or your email or something like that, having your password floating around on the internet is a bad thing, as hackers would be able to access your accounts on these other sites. So while everyone should use strong, unique passwords on different sites and keep them in a password manager, it doesn’t always happen. If your password is compromised on one site and you know that you use the same password on other sites, you should change the password everywhere it’s used. Change the password on the site that was compromised, because obviously, that information is out in the world now, and change the password on other sites, as well, to help prevent an attacker from accessing your other accounts. This is an excellent opportunity to take the time to set up unique passwords for each site you use and to record those passwords in your password manager. Unfortunately, not all sites that have a breach are conscientious about notifying affected users. If you’re curious whether a password you use has been compromised, take a look at the website haveibeenpwned, run by Troy Hunt. 
The site will tell you if a password has been included in previous breaches, and what breach or what site is responsible. And of course, if your password has been listed as compromised there, you’ll need to change it wherever you’ve used it. Another category of information you should take action on is financial information. If your credit card number was included in a breach, you should start keeping a close eye on your credit card statements, looking for any transactions that you don’t recognize. Credit card numbers frequently aren’t used immediately after they’re stolen, and so you’ll need to pay attention for a while. You should report to your bank that your card number was compromised. They may issue you a new card with a new number and they may watch your account more closely for fraudulent transactions. Other personal information, like your name, address, birthday, phone number, and IDs, like a passport or government identification, can be used to open accounts in your name. You can protect yourself to some degree with a credit freeze and periodic checks of accounts in your name, or by otherwise paying attention to indications that someone has used your information to fraudulently open accounts or to take out loans. Again, this isn’t something that might happen immediately after a breach. Remember that after a breach, the compromised information lives basically forever online, being sold and resold, accessed by different people over and over again. In most cases, data breaches aren’t about targeting a specific individual. They are meant to collect a broad amount of information from many people, either in order to sell the information to criminals or to use the information to steal money, open accounts, or take control of accounts for spamming and other purposes. And as individuals caught in these broad attacks, all we can really do is try to clean up the damage done to us by the mishandling of our data.
We can take steps to reduce the impact of a breach by limiting the information we share with third parties, by using different usernames and passwords on different sites, and by paying attention to notifications about information breaches at organizations that have our data on file. If you notice anything out of the ordinary on your accounts, spend some time investigating. But the fact is, breaches of information will continue to happen and they’re beyond our control. So it’s important to know what steps to take when your information is leaked.

