Here are recent headlines:
“AT&T Says Hacker Stole Cell, Text Data on Nearly All Its Wireless Customers;”
“Change Healthcare Grinds Through Massive Breach Probe;” and
“Every American’s Social Security Number, Address May Have Been Stolen in Hack.”
The three data thefts headlined above were unusually large, but smaller-scale incidents of unauthorized access happen all the time. The nonprofit Identity Theft Resource Center (ITRC) reports that nearly 10% of publicly traded U.S. companies acknowledged data breaches last year, affecting more than 140 million customers.
Even more unsettling, most “data compromise” incidents involve industries with treasure troves of sensitive data: financial services and healthcare.
Contrary to the stereotype, the hackers behind these growing cybercrimes aren’t “lone individuals hacking for fun,” according to the ITRC’s most recent Data Breach Report. Instead, large-scale data thieves typically are part of “highly sophisticated groups” operating overseas, often from Russia or China.
“What – me worry?”
With theft incidents on the increase, business professors from four U.S. universities got together to find out how average Americans would react to learning their data may have been compromised. Their survey findings were disconcerting: Most respondents to the small-scale survey said they would take only minimal action after learning of a data breach. A substantial minority said they would take no action at all.
“Almost a quarter of the roughly 200 people we surveyed said they would return to [a] compromised website with no changes to their behavior,” noted Rochester Institute of Technology researcher Rajendran Murthy, writing in The Wall Street Journal. About two-thirds of respondents said they would take what Murthy called a “bare minimum” of precautions, such as changing passwords.
With so many websites being affected by data incidents, many survey respondents seem to believe that increasing personal cybersecurity precautions is a losing battle. This is a mistaken assumption.
Don’t stick your head in the sand
The reality is that doing nothing — or the bare minimum — in response to a data breach ramps up the risk of a hacker taking advantage of your compromised data. For example, a cybercriminal may be able to use stolen information to open accounts in your name, access existing accounts, or steal your tax refund by filing a fraudulent return in your name.
When notified of a data incident, it’s wise to take the following steps.
Learn more about what kind of breach is involved. A hack that accesses your Spotify playlist is likely not as serious as one that compromises your financial data or personally identifiable information such as date of birth, phone number, email, or Social Security number.
Still, don’t treat any “data compromise” lightly. “Even seemingly innocuous breaches of social-media networks may reveal data that can be used to impersonate you,” wrote Professor Murthy in his Wall Street Journal piece. “Hackers might be able to figure out your ‘forgot password’ questions on websites by learning where you grew up, the names of your pets and more.”
Change passwords. It’s understandable that you might like using the same password (or slight variations) across multiple websites. That makes life easier. But if a hacker steals your password, accessing those sites will be easier for him, too. To protect yourself, switch to unique passwords that use combinations of letters, numbers, and symbols. A password generator (a feature now built into many web browsers) can help.
Enable two-factor authentication on your accounts. To be sure, having to request a temporary security code each time you want to sign in to a particular website is a hassle. However, an identity theft situation is a hassle of much greater proportion. Resolving an ID theft can take months — and cost money. Helpful hint: Using an “authentication app” can make the multi-factor authentication process less cumbersome.
If offered, take advantage of free credit monitoring and identity-protection services. Companies that have experienced a data breach often placate affected customers by offering a year or two of free credit monitoring and other fraud protection services. Sign up.
Activate “push notifications” for credit card transactions. If a card transaction exceeds a specific dollar amount, your credit card issuer can send you an automatic text or email alert. By taking advantage of push notifications, you’ll immediately know if someone else has used your card number. (You can set up alerts via your credit card’s website.)
An ounce of prevention
There’s no need to wait until your data is compromised to take several of the actions listed above, such as improving your password security, enabling two-factor authentication, and signing up for push notifications for credit card transactions.
Another preventative step is to “freeze” your credit-information files. Credit-reporting agencies are legally required to place a security freeze on your credit file if you request it. A freeze prevents anyone — such as a cybercriminal who has your Social Security number — from opening accounts in your name. (If you need to open a credit account later, you can “thaw” your files temporarily.)
Unfortunately, you can’t make a “blanket” freeze request. A separate request is needed for each of the three major agencies: Equifax, Experian, and TransUnion.
With the increasing incidence of cybercrime, it seems wise to protect yourself as soon as possible. Doing so could make your data less accessible to those seeking to steal it.