Beyond the most recent user data leaks at Facebook and LinkedIn, which of course get pretty serious news coverage, there are often other minor leaks that don’t get as much attention or are announced months after they occur.
The truth is, it’s likely that if you use the internet, your data has been leaked at least once.
What is a data breach?
In a nutshell, it’s a cybercrime incident that exposes private, confidential information by stealing it from wherever it is stored. So it could be the loss or theft of anything from your username and password to more sensitive information such as Social Security numbers, birth dates, bank information, or even health information.
Cybercriminals look for weaknesses in a company’s security and then make “the attack.” A network attack happens at the infrastructure level and involves an infiltration into what’s supposed to be the most secure layer of that system. This can happen via a hack, by an employee being duped into giving up their login credentials (say, via a phishing email), or by an employee being fooled into opening a malicious email attachment.
Once this happens, the criminal can get into one computer and then attack the network from the inside, scraping confidential company data. Once that’s done, the attack is considered successful.
Many data dumps are carried out by scraping sites like LinkedIn and Facebook. In a recent blog post, Mike Clark, Director of Product Management at Facebook, wrote: “Scraping is a common tactic that often relies on automated software to lift public information from the internet that ends up being distributed in online forums.”
Next, these criminals usually do one or more heinous things. They either use the data in an attempt to blackmail the company into paying them not to share it publicly, or they share it publicly. They either sell the data on the black market or share it publicly so that others can use it to duplicate credit cards, commit identity theft and fraud, and even blackmail the individual directly!
For example, the personal data of over 533 million Facebook users was recently posted in a hacking forum. The list includes phone numbers, full names, locations, email addresses, and biographical information. Bad actors, or hackers, can now use that data to impersonate people and commit fraud, open up credit cards and loans, and much more, and Facebook has chosen not to notify those individuals whose information was compromised.
So, what should you do if your information is compromised?
Everyone should regularly take precautions to protect their business accounts and their own data. A few important tips:
- Change the password for any account you have on a site that you’ve seen has been breached.
- Create a strong, random, unique password, and store it in a password manager such as Keeper. Its browser add-on also has an app for your phone and can generate passwords of ridiculous combinations on the fly, making them way harder for hackers to crack.
- Whenever possible, enable two-factor authentication, or 2FA. 2FA means that anytime someone tries to log into the account, you’ll receive an email, a text message, or a push, which is a notice from the relevant application asking you to approve the login. Sure, it adds a few seconds here and there when you use a non-cookied device to attempt to log in, but the alternative could be far worse. Despite the extra time, most small businesses should be making this a security requirement.
- Be wary of messages and connection requests from unknown people and even new accounts with familiar names. Always ask a question that only the actual person would know the answer to before agreeing to connect.
- Learn to identify phishing emails and text messages that can trick you into giving away your login information.
- Don’t open links to websites from an email. Instead, go to the site manually and log in there. If you do open websites from links, glance at the URL (web address) and make sure it appears as expected—for example, www.cats.com vs. www.catz.com.
- Install and use robust anti-phishing and anti-malware tools on your computers. Talk to your IT provider about Secure Email.
- Your company should be providing regular Cyber Security Awareness Training to help protect your data, your co-workers’ data, and of course, your customers’ data.
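
The "glance at the URL" tip above can also be automated. The following is an added example, not part of the original article: it compares a link's host against a list of sites you actually use and flags near-miss spellings such as catz.com. The trusted list, the function names and the sample links are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): sites you actually hold accounts on.
TRUSTED_DOMAINS = {"cats.com", "facebook.com", "linkedin.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]


def site_domain(host: str) -> str:
    """Last two labels of the host. Simplification: suffixes such as
    co.uk need the Public Suffix List to be handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if not host:
        return "unknown"
    domain = site_domain(host)
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # A near-miss spelling, or the trusted name buried inside another host.
        if edit_distance(domain, good) <= max_distance or good in host:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("www.cats.com", "www.catz.com",
                 "https://cats.com.login-check.example/reset",
                 "https://www.example.org/"):
        print(f"{link:45} {classify_link(link)}")
```

A "lookalike" result is a reason to type the address yourself rather than click; an "unknown" result only means the site is not on your list.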
How do I find out if my data has been leaked?
There is an organization that monitors and analyzes hundreds of database dumps containing information from billions of leaked accounts. It’s called The HaveIBeenPwned Project, and you can enter your phone numbers and email addresses to find out if your data’s ever been dropped in a breach. Consider yourself rare and lucky if you’re not in at least one. If there is a match, the site gives you as much info as possible so you can secure the affected accounts.
If your information does surface in a Have I Been Pwned search, it's crucial to take action now using the above security tips. It’s not a bad idea to check this for leaked information regularly, kind of like a credit report.