If someone started listing companies like Capital One, LinkedIn, Facebook, Marriott, Twitter and Yahoo, you might think they were talking about the Fortune 500 companies on the New York Stock Exchange.
Well, they might, but they could also be talking about companies that suffered significant data breaches that cost those companies millions and millions of dollars, and compromised their customers’ personal and financial data as well.
The sad truth is that no company is immune, no organization can avoid a breach, and no person or government agency can assume they’re safe from having their personal or financial information stolen. Billions of customers were put at risk from the data breaches on the companies mentioned above, and the companies suffering the data breaches are still dealing with the financial and legal fallout that was caused. Let’s take a closer look at how so many people could be put at risk and how so many of the country’s top companies could become victims of a data breach.
So, what exactly is a data breach? It’s when any organization or entity has its data compromised, through error or deliberate attack by a cybercriminal who is searching to steal financial information, Social Security numbers, medical information or simply steal money. It can be secretive company information or clients’ personally identifiable information that is compromised, and it all takes you down the road to identity theft, tax and Social Security fraud and more.
How can a data breach happen? It could be from a simple human error, like when an employee accidentally left their laptop exposed for prying eyes to see, or insert malwareб or obtain a password.
It could be from a targeted cyberattack, when a cybercriminal sends a phishing email to senior executives, from an “official” looking company website or company email with appropriate colleague’s names. Except, the “website” or email was spoofed and all the cybercrook is trying to do is to get the recipient to open the email so they can do an SQL injection – which is malicious computer code – into the company’s system.
Another way in is called “keylogging”, where software is placed on an employee’s computer and captures every keystroke the employee makes on their keyboard. Of course, that includes passwords and usernames and other access data, and ends up compromising the sensitive data stored on the company’s server. There are many other ways cybercriminals work their dirty deeds, but the bottom line is that data is compromised and people and information are put at risk. Most larger companies are aware of the damage a data breach can cause, which is why many have implemented a data breach response plan.
It’s not just the data that’s stolen, which can include customer Social Security numbers, personal and financial information and sensitive company information. The companies who have had a data breach are also subjected to huge fines; some have paid in the hundreds of millions of dollars.
The damage to the customers whose data was breached can be costly as well. Once the cyberthieves have the information they need, they go to work monetizing their nefarious activities. This may include selling customer’s personally identifiable information to other cybercrooks on the dark web, opening new credit accounts in the customer’s name, stealing money from the customer’s bank accounts, filing fraudulent tax returns and so much more. Or, they simply outright steal from the customer’s financial accounts.
Other ways cybercriminals can cause damage is by committing synthetic identity fraud, where they take some actual personal and financial information from the data breach and mix it with fabricated data that the cybercrooks create. Because they have certain key knowledge, like a SSN or PIN, it’s easy for them to gain credit and gain access to financial accounts of the victims of a data breach. The victims end up with damaged credit, legal and financial costs and many other financial problems.
Because cybercriminals spend all of their time finding new ways to illegally access data from companies and organizations, it’s hard for companies and individuals to prevent data breaches entirely.
One of the first steps is to reduce the amount of unauthorized data that’s available to cybercriminals by deleting it from people-search sites like Spokeo, Whitepages and Pipl. Just be aware that there are more than 100 of these sites, and each one has unique requirements for opting out and deleting data. It could end up taking a lot of time to successfully remove that data, but it’s worth it.
Another way to avoid a data breach is to ensure that the company you’re considering sharing sensitive information with, like your SSN, for example, doesn’t have a history of being a victim of a data breach.
If they do, you might want to think twice about giving up those numbers.
Another way to help avoid a data breach is to avoid being lenient on which services you’re willing to share your personally identifiable information with. Many services ask for email addresses and permission to receive data from Google or even a financial institution. They may need it for marketing purposes, but most of the time it isn’t really necessary to give that permission. Just say ‘no thanks”, and you’ll add a level of safety to your data.
If a data breach occurred, the company will notify those who are impacted and share what data was taken. Follow the FTC’s guide on what to do after a data breach. In addition, change all of your passwords, cancel any impacted bank credit cards or accounts and monitor your credit from the major bureaus with a free online credit report.
Follow the recommendations and suggestions listed above and you’ll have a good roadmap on understanding, preventing and taking appropriate action after a data breach occurs.