The main problem with data breaches is that you never know, when your personal data were exposed and who is responsible for that. The majority of data breaches occur a long time before they are noticed, and most small companies will never notify their users about the incident, even if they have knowledge of it. Furthermore, certain companies willingly share your personal information to third parties.
Recently there was a large number of public incidents, involving data breaches in many EU and American companies and agencies (Twitter, Comcast, FBI, Touchnote). As a result, certain amount of otherwise confidential information appeared on the Internet or in private possession of cybercriminals. The stolen information varies according to reports and may contain your full name, date of birth, email address, hashed password, physical address, phone number etc. In the age of social networking and people willingly sharing a bunch of stuff to everyone, an attacker can easily collect needed information from different sources based on previously leaked data.
There are plenty of scenarios, in which your personal data might be valuable to attackers. You may fall victim to either random hack or targeted attack. Description of these two categories are beyond the scope of this article, but we will focus on common things that cybercriminals might do:
1. Extend leaked information
Even the most insignificant leak can lead to major losses. For example, information that you do not consider secret (e.g. your phone number, email address) can reveal your identity and make you a hacker’s target. Hackers can google your identity based on your phone number, or use, for example, Facebook search to find your profile using your phone number or email address. If you have a Facebook page, an attacker will know your real name, how you look, who you have friended, what your real home address is (especially if you own a business).
Based on your phone number cybercriminals already know your name, home address, names of your friends, etc. And they also know, which services you are interested in based on the source of the leak.
If your password (or password hash) was also leaked, the attacker will try to access popular online services using your password and possible account names, in case you are using the same password on different websites.
As a result, the attacker has a complete victim’s profile. It can be sold for a reasonable price on the black market.
2. Sell complete profile
Personal information buyers can use collected information to send you spam messages and try selling you some products (“legal” marketing), try to scam you, access your bank account, access other services, attack your employer, etc.
I will provide some basic advice how to minimize possible losses, when your personal information is already exposed.
1. Use password manager to store your passwords
Never use the same password for different websites. Instead, use password manager that will keep your passwords safe. Modern password managers use password generators, so you do not need to come up with a new password every time, just generate one and store it.
2. Always access your bank account from a trusted computer
Do not use public computers, networks (public Wi-Fi) to access your bank account. Never use your phone to access bank account, especially if the bank sends you an SMS to access the account or make the transaction.
3. Always use unique answers to secret question
Secret questions are used to restore access to your account, when your email or phone is not accessible. A lot of online services and even banks rely on them. Never use common answers to typical questions, such as your mother’s maiden name, your favorite football team, or your pet’s name, because attackers can google them. Instead, use password generator to generate a random and unique answer. This way attackers will spend a lot of time trying to restore password and most likely will not succeed.
4. Access your corporate resources from a trusted computer
Never use your corporate addresses, phones, flash drives for personal use. Never access corporate resources from public computers or public networks. If you work from home, demand a secure VPN connection to corporate network.
5. Regularly change passwords to online services
Change passwords to online services on a regular basis at least once in 2 months. Please, do not follow advice of UK’s spy agency GCHQ on recommended password policy!
6. Monitor exposure of your personal information on the Internet
You can use free Google Alerts service to monitor exposure of your personal data. Just subscribe for results, which contain your name, address, phone number, email. If Google is able to spot this information, this means data leak has occurred.
7. Trust no one :D