What to do if you are the victim of a data breach
Due to the sheer prevalence of major data breaches, if you ask the average person whether he or she has been the victim of a data breach, there are two realistic answers: “Yes” and “Probably.”
In this post, we’ll give you some tips on how to figure out whether you’ve become the victim of a data breach and, if so, what steps you can take to make a recovery.
Data breaches
For every person looking to sell your personal data to third parties, there are hundreds of others in line to buy, resell, or, in the event of a data breach, illegally obtain it. Cybercriminals will jump at the opportunity to sell or take advantage of your personal data. While personal attacks aren’t unheard of, what’s much more common are attacks targeting companies, due to the troves of data they host.
When cybercriminals take aim at a company, they typically do so in one of two attack methods: network or social.
Network attacks involve cybercriminals exploiting weaknesses in company infrastructure, systems, or applications to infiltrate a network.
Social attacks occur when cybercriminals manage to fool employees into providing the attacker access to the company’s network. Phishing is an extremely popular type of social attack.
Once attackers gain access to a company’s network, they collect any available personal information—names, passwords, email addresses, social security numbers, financial records, and more—depending on what the company has stored. Attackers can turn that data into profit by using it for fraud, identity theft, blackmail, or selling it in bulk to willing buyers.
Past examples
The scope of companies affected by data breaches is immense and includes companies like Target to government agencies such as the Hong Kong Department of Health. With such a wide array of potential victims, it’s impossible to be 100% certain that you’re safe from a breach. Here are a few stats on the largest data breaches in recent years:
Yahoo (2013): 3 billion user accounts
Data Compromised: Names, email addresses, dates of birth, telephone numbers.
Facebook (2019): 540 million records
Data Compromised: Comments, likes, reactions, account names, passwords, Facebook IDs, interests, login timestamps, and more.
Marriott (2014-2018): 500 million customers
Data Compromised: Names, contact information, passport numbers, loyalty account numbers, travel information, credit card numbers.
All kinds of sensitive information can be made available to attackers. If one manages to get ahold of your data, the best thing to do is act quickly. Usually companies will notify their users as soon as a data breach occurs, but they don’t always catch an attacker right away. Luckily, there are other methods of finding out whether your data has been illegally obtained.
Have you fallen victim?
Services like haveibeenpwned.com make it easy to assess where your personal data has been exposed. Simply type in your email address to find out whether one of your accounts has been compromised in a data breach and, if so, which one(s).
If you’re one of the lucky winners [read: losers] and your data’s been compromised, here’s what you can do to repair the situation.
Steps for recovery
1) Change affected passwords
Whether or not the breached company notifies you that your password has been stolen, a password change is a vital step that’s quick to accomplish. If you used the same password across other accounts, changing those should be your next step to prevent further damage. We recommend using a password manager like 1Password of LastPass to generate and store stronger passwords.
2) Figure out what was stolen
Things like names or dates of birth might seem less sensitive, but a quick Google search of your own name should show just how much you’re linked to, and a birth date paired with your name can be used to falsely verify your identity.
Email addresses, credit card numbers, government-issued identification numbers, and passwords should all have you dropping everything to salvage the situation, if compromised.
3) Contact relevant financial institutions
After changing affected passwords, your next step should be to contact any relevant financial institutions. If your credit card number was compromised, immediately reach out to the issuing bank and notify them of the potential fraud. Depending on your credit card’s terms, you’re likely covered of any fraudulent charges over $50.
Next, contact your consumer credit bureau and ask them to place a fraud alert on your name. This makes it so that if the thief tries to open another credit card in your name, you’ll be notified. Depending on which country you’re in, you may also be able to request a credit freeze, which bars anyone from running a credit report on you or opening an account in your name without your explicit authorization.
4) Report identity theft if needed
If an attacker does pretend to be you, you should file a formal report of identity theft with the federal government. It may not be ideal, but an official government report will be most helpful in clearing up the issue. In the U.S., having filed this report makes you eligible for an extended fraud alert that lasts up to 7 years, instead of the standard 90-day period.
5) Re-evaluate your operational security (OpSec)
Once you’ve taken care of the most pressing steps, you should take time to audit and reevaluate your OpSec. We’ve put together a list of 7 ways to step up your crypto OpSec, and many of those practices apply to non-crypto users too. We recommend running through that article in addition to researching more ways to tighten up your personal security.
Ready to improve your Bitcoin security?
With Casa Multisig, you'll have the best.
Casa's Diamond membership includes our industry-leading multisig security, a dedicated client service representative, 24/7 support, and much more.
For more information or a free look at Casa multisig,
email membership@team.casa and ask for a demo.