Given the deftness of malicious hackers, the bar-lowering impact of easily accessible markets for automated cybercriminal kits, and the increasing number of online services and people connected to the Internet, it is not surprising that more and more data is finding its way off corporate servers.
If you haven’t received a data breach notification yet, hold tight, because you will. One of these days, you’ll open that inbox or browse to the home page of your favorite online deals site only to find an announcement stating that someone broke into the servers and made off with the data.
Breaches are among the prices paid for operating online in the information age. Breach notifications inform users that a criminal hacker has compromised and pilfered data from a database belonging to one of the users’ online service providers. Such notifications often list the kinds of data that were stolen, which frequently includes names, dates of birth, encrypted passwords, email addressed, phone number, and various other personally identifiable information. In severe cases, hackers break into corporate servers and steal proprietary data, social security numbers, medical records, state secrets, payment data, and other sensitive information. Some companies offer free credit monitoring in the wake of breaches that may have spilled financial or other information that could enable identity theft. Almost all companies attempt to downplay the incident, ironically taking pains to mention how important your personal data is to them and how seriously they take security.
The first response should be to read the notification letter and analyze potential effects of the data exposed. If highly sensitive or financial information like payment data or social security numbers were compromised in the breach, then you’ll want to enroll in some sort of credit monitoring service. The industry standard is that breached services will generally offer a year or so of free credit monitoring after a serious breach. In addition to that, you’ll want to keep an eye on your credit card and bank statements. Breaches that compromise financial data are somewhat rare; breaches that compromise unencrypted financial data are even rarer. If it turns out that a company has been storing payment or other highly sensitive data in plain-text, then you should probably jump ship, because nothing says “I don’t care about my customers” more clearly than the storage of plain-text payment data.
Breached financial information is really the worst case scenario for most consumers. Businesses and governments have the added dread of losing proprietary data, state secrets, or embarrassing email spools in data breach incidents. We’re going to focus on the consumer-side here, but our friends at Threatpost have a wonderful, enterprise-focused, breach response article if you’re interested.
The majority of notifications will inform users that the breach in question exposed hashed passwords. Breaches of plaintext passwords occur far less frequently. Plaintext means just what you think it means. Those responsible for the data breach have an exact copy of your password. If the breach notification says that the passwords were hashed, then that means that the attackers have an encrypted version of your password. If the passwords were stored in plain-text, then you should change your password for the affected service – and any services on which you used the same password – immediately. Again, you should also think twice about maintaining an account with a company that stores passwords in plain-text. If the passwords were hashed, you should still update that and any shared passwords as soon as possible, but understand that it would be quite difficult, though not impossible, for a hacker to make sense of a password hash.
It’s best to operate under the realistic assumption that data breaches occur far more often than reported and change your account passwords every couple of months. The longer a particular password is in use, the more likely it is to be compromised, especially if you are sharing it across multiple logins. For every company like Evernote or Dropbox that fesses up to a compromise, there is at least one that sweeps a breach under the rug.
Furthermore, data breaches can’t be undone. Once the information is out there it is out there forever. It’s best to practice vigilance all the time, but much of the data gleaned is breaches are bait for phishers, so be on the lookout for phishing attempts following breaches. Social engineers use names, email addresses, dates-of-birth, and other seemingly innocuous breach data in order to craft phishing, spear-phishing, and watering hole campaigns that target individuals or groups of individuals.
Following certain breaches, online service providers will implement new security features like two-factor authentication or “HTTPS everywhere” to their services. Keep an eye out for these, and always make an effort to apply the most stringent security features available, especially on accounts that contain sensitive information. Keep an eye on the big software vendors, browser maintainers, and operating system controllers like Google, Microsoft, Apple, Adobe and others. In response to certain incidents, the big software companies will publish security updates or recommendations designed to lessen a breach’s blow.