How do data breaches happen?
Most data breaches happen when a hacker gains unauthorized access to a system or network and compromises the information stored within it. Cybercriminals can bypass security measures in a variety of ways. But data breaches don’t necessarily involve hacking and malicious intent. Sometimes, data breaches can happen by accident.
Here are some of the most common causes of data breaches:
Malicious outsiders: These are classic hacking attacks in which security vulnerabilities are exploited by external actors to gain access to a computer or network and steal information.
Malicious insiders: Sometimes, malicious data breaches can come from within when an employee abuses their access to data to handle it in nefarious ways.
Accidental insiders: Honest mistakes that result in unauthorized access still constitute data breaches, even if there was no intent to cause harm.
Hardware loss: Physical loss or theft of devices containing sensitive data is a major risk, especially when those devices lack encryption or remote wipe capabilities.
You can’t stop data breaches
They’re kind of inevitable.
We know, it’s not a very nice thing to say, but it’s true. The second you hand any data over to a website or online service, you’re surrendering any control you have over it. These websites can — and frequently will — sell your data to other businesses in the best case. And in the worst case, their lackluster cybersecurity will lead to hackers and other bad actors getting hold of it and using it for themselves.
And if you think that by not using a service like Google or Facebook you can avoid being at risk, you’re mistaken. Remember: the services you do use can and will sell your data to other companies, whom you don’t know anything about. If those companies have a breach, your data might be mixed in with what’s exposed, and you might never even know it. In fact, that was part of the reason why the aforementioned Equifax breach was so devastating: even people who had never used the service had their data leaked because their banks had given it away without telling them.
By the way, there was recently a settlement with Equifax, and if you were affected in the breach, you can get some money out of it. It’s not as much as originally claimed, but you can still get a few bucks for the trouble of filling out a form.
Anyway, outside of completely disconnecting from modern society, there’s always going to be some risk, however small, that your personal data will be compromised.
Why do breaches even happen?
Simple. Data is valuable, companies have a lot of data, and there are a lot of ways to get it.
Even the smallest websites that require you to have an account to log in have data that hackers or other unethical sorts want. Whether it’s passwords that might be reused to gain access to other accounts or active emails that bad actors can use for spamming or phishing, there’s plenty that can be done to harm you. Bigger websites, which could have anything from your credit card to your social security number, are obviously even more appealing to hackers, since that data is basically a signed check. Even something like medical records or credit history can be useful to cyber criminals, who could use it to craft extremely convincing “spear-phishing” emails to con people out of their money.
As for how these breaches happen, well, there are as many ways to get at these treasure troves of data as there are stars in the sky. Hackers could:
Send out a wave of phishing emails — if even one employee is gullible enough to click the link, they have their in.
Sneak infected USBs into an office building.
Take advantage of the frequently outdated software these companies rely on.
Bribe or convince a former or current employee into giving them access.
Discover vulnerabilities in their security infrastructure.
Pretend to be business partners and ask to see data.
And that’s just the tip of the iceberg. Hackers are endlessly creative in their quest to make money. But there is good news in all this...
You can minimize the risk
While you can never fully erase the risk of having your data leaked, there are steps you can take to ensure that if you are ever caught in a data breach, the consequences won’t be disastrous… or at least, not as disastrous.
1. Clean up your loose data
There’s a lot of data out there on the net about you, some of which you may know about and volunteer — like an email address or your full name when you make an account on LinkedIn, for example — but even more you probably have no idea exists. Google, Facebook, and countless data conglomerate companies make their money gathering data about you in the most unusual and unexpected ways: everything from your shopping habits to your medical records can be found with their tracking tools and tricks.
The good news is that a lot of this data is anonymized: more often than not, companies don’t care about you, they care about data and trends and demographics. They want to know what percentage of their audience may have diabetes, not if you specifically have it. There’s not a hacker in the world that cares about that, so if that data leaks, you’re fine. The bad news is that before that data is anonymized... it’s not. So if there’s a leak at that stage, you’ve got an issue.
Fortunately there’s a way to keep this “loose data” at a minimum. Using a VPN and an anti-tracking service will render many (but not all) of the tools that these websites and companies use to follow you around and pick up your data useless. So on top of just generally making you more private when you browse, it will ensure that if some random service online gets breached (which you may or may not hear about — many companies are not forthcoming with their cybersecurity mishaps), you probably won’t have data you don’t know about in the leak.
It’s not a guarantee by any stretch of the imagination, but it’s a start.
2. Use 10MinuteMail when making accounts
10MinuteMail is a free service that creates a valid but temporary email address that will only exist for 10 minutes.
Not great for swapping emails with mom, but perfect for setting up and validating online accounts while keeping your real email address a secret. You’ll still be able to log into the account you set up after your 10MinuteMail address has expired, and if the service or website you’re using has a leak, then all hackers will get is a worthless, dead email account that can’t be linked to anything else.
It’s also a great way to avoid spam. Just saying.
3. Try using a digital card for online shopping
It’s a problem when any of your data leaks, but there’s no denying some data — like your credit card number or banking details — is more problematic (and valuable) than others.
Unfortunately, you need to put this data at risk if you want to enjoy online shops or services… right?
Maybe not. Services like Privacy.com offer an appealing alternative that can keep your credit card or debit card information safe if the website you’re shopping on should suffer a leak or a breach. These services create a unique “digital credit card” for each site you want to shop on. You can pre-load these cards with a certain amount of money, and whenever you shop, you use these cards rather than your real, authentic card. In the event of a leak, your real details will be safe and sound, while the digital fake that was leaked can be easily destroyed and replaced with a brand-new, 100% safe card.
It’s a good way to ensure at least some of your most valuable information is kept safe.
4. Set up a Google Alert
While you can’t do anything to ensure the services and websites you use will remain secure, you can be on-guard to react when and if these leaks inevitably occur. A good way to do that is to set up a Google Alert for “Data Leak” or “Data Breach” — you’ll get a lot of news and links on the subject, but you’ll also be warned within 24 hours if a new service or website has suffered a breach as well.
Read those articles. Even if you’ve never heard of the place suffering the leak and you’re 100% sure you’ve never visited it, there’s a chance, however small, that they still might have data about you. At least read up until you know what was lost, or who might be affected. You might be surprised at how much of it is pertinent to you.
If you have heard of the place suffering the breach, then it’s extremely important you determine what was leaked so you can take the appropriate security measures. But one thing you should always do, by default, is change your password for any account linked to the breached site… and any other account that might share that same password.
If we’ve said it once we’ve said it a million times: don’t reuse passwords, people.
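An added example (not part of the original article) of the check described above: given a password-manager CSV export, it lists the accounts on the breached site and the other accounts that share a password with them. The column names, the domain and the sample entries are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from urllib.parse import urlsplit

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """name,url,username,password
Shop,https://shop.example.com/login,ana@example.org,Tr0ub4dor&3
Forum,https://forum.example.net/,ana,Tr0ub4dor&3
Bank,https://bank.example.org/,ana@example.org,correct-horse-battery
Shop API,https://api.example.com/,ana-dev,another-one-42
Mail,https://mail.example.org/,ana,Tr0ub4dor&3
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def on_domain(host, domain):
    """True if host is the breached domain or one of its subdomains."""
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def accounts_to_rotate(export_text, breached_domain):
    """Return (direct, reused): entry names on the breached domain, and
    entry names elsewhere that share a password with one of them."""
    direct, others = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Keep only a SHA-256 digest so the grouped records carry no plaintext.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        entry = (row["name"], digest)
        if on_domain(host_of(row["url"]), breached_domain):
            direct.append(entry)
        else:
            others.append(entry)
    exposed = {digest for _, digest in direct}
    reused = [name for name, digest in others if digest in exposed]
    return [name for name, _ in direct], reused


if __name__ == "__main__":
    direct, reused = accounts_to_rotate(SAMPLE_EXPORT, "example.com")
    print("Change first (breached site):", direct)
    print("Change next (same password elsewhere):", reused)
```
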
5. Act fast
So you found out that there's been a data breach and some vital information, be it your credit card numbers or your passwords, was leaked.
Don’t hesitate to start making calls and changes. Act now.
If companies were forthcoming and admitted to breaches the moment they happened, you would probably have some breathing room. After all, most of the time, data that’s been leaked is encrypted, and hackers will need time to decrypt it before they can actually use it. But typically by the time companies discover that there’s been a breach (or get around to admitting it), a few months have passed, which means you’ve lost all chances to slack off or procrastinate.
That means canceling your credit card, signing up for credit monitoring, updating your passwords… do it the same day you get the news and determine that you’ve been affected. It might be annoying, but once your data is exposed it’s not a question of if you’ll be attacked, but when. Take steps as early as possible to make that “when” window as tiny as you can to avoid whatever machinations criminals had in store for your data — from a simple spam campaign to stealing your entire identity.
As long as companies make money collecting and using your data, breaches aren’t going to go away. It’s an unavoidable consequence of our connected, technology-reliant world. Outside of starting your own security company or becoming a white-hat hacker, there’s not a lot you can do to stop that from happening. Treat it like a natural disaster: you can’t control or predict it, all you can do is be ready and react quickly. It might not save your life, but it’ll definitely save you money and stress.