
The Data Breach Survival Guide

Charlotte Empey, 3 September 2018

Here’s what you need to do if you’ve been involved in a data breach.

Over the past year, have you done any online shopping at Macy’s, Sears, Kmart, or Adidas? How about any in-store shopping at Lord & Taylor, Forever 21, or Saks Fifth Avenue? Have you eaten at Panera Bread or Whole Foods? Bought electronics at Gamestop or Best Buy? Purchased airline tickets from Delta? Made cryptocurrency trades using the Atlas Quantum cryptocurrency platform?

Every one of those companies suffered a data breach over the last year, and that’s only a partial list. In addition to the victims affected by all those breaches, the notorious Equifax breach reportedly put the information of 143 million people at risk, and the Exactis breach affected a whopping 340 million. What? You haven’t heard of Exactis? You’re not alone.

The Exactis breach exactly demonstrates a key problem in these rampant data breaches. Not only do we have to worry about every business we patronize, but we need to be aware of all those data aggregators out there like Exactis. The sole purpose of these aggregators is to collect (legally) as much data on as many people as possible, and then sell that info to legitimate businesses. There’s big money in data collection, buying, and selling. The e-commerce world wants to know your habits, your likes, and your wants, as well as your finances, your contact info, and your friends. Businesses like Exactis collect this data. When hackers infiltrate that kind of database, they get the motherlode.

What is a data breach?

A data breach is when protected information is infiltrated. It’s that simple. A breach is an opening that is not supposed to be there — a hole in the bottom of a boat, a tear in a protective wall, or an exploitable crack in online security, to name a few. A data breach is when that unlawful opening leads to sensitive online information.

What kind of information gets compromised in a data breach?

Really, it varies depending on the breached company’s infrastructure and the nature of the breach itself, but it could be anything and everything you’ve shared with the company in question, which can include your:

  • Username
  • Email address
  • Password
  • Address
  • Phone numbers
  • Birthdate
  • Driver’s license info
  • Credit card number
  • Purchase history
  • Bank account details
  • Social security number

How do I know if my data was breached?

Good question. If any of your sensitive info gets compromised, hopefully the breached company will alert you right away, reporting when the breach happened and what data was exposed. Historically, this hasn’t always been the case. Equifax, for instance, sat on the news for a couple of months before alerting their client base. Whether out of embarrassment, quiet damage control, or just poor management, some other breached companies have also waited before announcing they’d been breached. This practice is unacceptable, as consumers have a right to know the moment a bad actor may have their info in hand. Click these links to see if any of your emails have been involved in a data breach and if any of your passwords have been exposed in a data breach.


Because you don’t know what you don’t know, it’s a good idea to stay vigilant in your digital world. We will continue to report the larger data breaches in these blog pages, but you should watch your finances and accounts closely to make sure they’re behaving normally. Question anything that looks suspicious. If everything looks okay, it doesn’t necessarily mean your data hasn’t been breached; it just tells you it hasn’t been used yet, breached or not.

GDPR and data breaches

The General Data Protection Regulation is a new code of law in the EU that focuses on digital privacy and security. It took effect in spring 2018 and applies to each and every company that keeps digital data on EU citizens, regardless of where that company is located. It protects consumers by mandating that these companies maintain certain high-security standards and divulge any breach info within 72 hours of the discovery. If any company breaks these rules, they are fined up to 4% of their annual revenue or 20 million pounds, whichever is larger. 


Many companies griped and groused as the new regulations required them to update and/or upgrade their networks. But their financial investment in better security will ultimately benefit everybody — their business as well as their customers. The updated security measures should help cap the growing number of data breaches in the world, and the transparency of public disclosure within 72 hours of a breach should mitigate some of the potential damage by allowing victims to act quickly.

What can cybercriminals do with the data they steal?

Cybercriminals often will sell the info to other cybercriminals and also exploit the information themselves to:

  • Withdraw money from your bank accounts
  • Send emails on your behalf
  • Sign up for utilities and run up bills
  • Get new credit cards and accrue debt by buying expensive items
  • Ruin your credit score
  • Mess with your tax filings
  • Lock you out of your accounts, e.g., bank accounts, social media accounts
  • … and more

What if I’m the victim of a data breach?

The businesses listed at the top of this article all experienced data breaches in 2017-2018, and if you were one of their customers, someone with less-than-noble intentions may be holding your username, password, social security number, credit card numbers, name, birthdate, and anything else you may have shared directly or indirectly with those companies. If your personal information has been compromised, use this data breach response checklist to restore order and sanity to your life:

Determine what info was breached

The shortcut to this answer is to learn exactly what happened from the company that was breached. If they are not providing all the details, take stock yourself of everything you’ve shared with that company and, to be safe, assume it has all been compromised.

Change all passwords

Create new, strong passwords and avoid reusing any. Use a unique passphrase for each account login, and to make sure it’s as uncrackable as possible, use a password manager (Avast Passwords is a great one). A password manager will not only generate complex passwords, but will remember them all for you too. It is highly recommended to use 2-factor authentication wherever possible, and stick with strong password ideas when you set up new accounts.

Beware of links in emails or texts - cybercriminals could be phishing you

If you receive any emails or texts claiming to be related to the breach and providing a link to click or a file to download, step away and do not click. These are often phishing attacks, cybercriminals attempting to capitalize on your confusion. Instead of falling for it, call the company directly to confirm whether or not the email or text is from them.

For credit/debit card theft, contact your bank

If your credit card or debit card numbers were stolen, contact your bank to get the card canceled and a new number issued. Also change your PIN. Keep an eye on your monthly statements for any strange charges/purchases/withdrawals until the stolen card number has been canceled.

For social security number (SSN) theft, contact a credit reporting agency

Your SSN allows cybercriminals to open new accounts in your name. To prevent this new account fraud, put a fraud alert on your name at one of the major credit bureaus below. Sometimes the company that is breached offers free fraud alerts.

Equifax fraud alert

Experian fraud alert

TransUnion fraud alert

Periodically check your credit report over the next several years to make sure nothing suspicious pops up. Also consider getting a security freeze. It prevents anyone from seeing your credit report without your authorization. While this can delay some of your purchases (car loans, home loans, etc.), it does help prevent identity theft.

For driver’s license/personal ID theft, call the issuing governmental office

In the US, this is the DMV. Ask the office for their recommendations and best practices to protect you. They may decide to issue you a new ID number or perhaps have certain fraud protection practices they recommend you follow.  

Use antivirus software

To protect yourself from malicious spam, infected links, and any type of malware, install an antivirus. If any intruders try to breach your defenses, the antivirus will stop them in their tracks before they can do any damage. Download Avast Free Antivirus for a powerful defense that will block out the bad so you can enjoy the good.
