Understanding the Impact of Data Breaches
Background / Reality
Data breaches have become an everyday phenomenon, with a staggering 3.2 million records leaked in 10 of the most significant data breaches in the first half of 2020, according to the Identity Theft Resource Center and the U.S. Department of Health and Human Services.
Even though hundreds of data breaches have affected consumers globally, some of the most notable ones have occurred in just the last few years and involve the exposure of sensitive information, despite cybersecurity efforts aimed at data protection.
There is a substantial difference between how breaches occurred in the past and how they occur today. Previously, personal information such as telephone numbers and addresses could be easily picked up from yellow pages and telephone directories. Even though data was available, there was minimal impact, and the use of social engineering was considerably low. The benefits outweighed the risk. As technology progressed by leaps and bounds, crimes have also evolved in cyberspace.
Cybercriminals are resorting to new tactics that involve impersonating victims, using personal data to create accounts and verify their identity for various malicious activities. It’s not that personal information was not readily available in previous years, but the mindset around how to utilize it has changed.
Nowadays, individuals themselves divulge most of their personal information without knowing it. The very process of installing apps and permitting them to access your phone’s data can be the first step in exposing personal information. The individual is not at fault, as the sole intention of permitting access is to use the app effectively. Apps nowadays collect contextual data ranging from locations to personal interests and choices. The purpose of gathering such data is personalization and remarketing. A breach of the app would have chaotic ramifications, as criminals can use the leaked information or sell it on the black market.
Individuals need to understand that we, as humans, have already put a substantial amount of information about ourselves online. To put things into perspective, this very information that we so easily publish online is a starting point for cybercriminals to pivot from and leverage into your personal accounts or your organization. It’s almost impossible to avoid publishing your data online, as it provides legitimacy, and some apps require such info to be public to use their service.
Most of the apps and online products that we use today require a certain level of access to our information and an irrational amount of access to our personal devices.
Access to our devices gives them more valuable data about our behavior, which can be used by big corporations and cybercriminals who choose to target us in one way or another. Realistically speaking, we’ve already been ‘breached’, and by our own will. We have given such apps permission to track our behavior, conversations, microphones, cameras, locations, and more.
When we look at the reality of data breaches, there are two areas that need to be considered.
First, the data that is already publicly published, be it online on social media platforms or in phone books and directories.
Second, confidential data like passwords and critical documentation that shouldn’t be breached.
Addressing or preventing data breaches requires us to look at organizations as a whole.
We need to identify all the weak spots, and that includes the personal digital security of individuals working at the organizations as well.
It’s nothing new to say that employees are the weakest link in any organization, but having an organization that includes security orientation as a part of its core values isn’t the most common.
How can the leaked data be used by criminals?
- The stolen data can be used to impersonate the victim to lure in more people who are associated with the person.
- Fraudsters can apply for new credit cards and bank loans with the victim’s data.
- Fraudsters can apply for social security, medical, and other government-recognized claims.
- Fraudsters can file tax returns and claim the amount.
- Stolen data can be used to infiltrate companies where the victim works. This data can be used to spy and infect organizational networks.
- Leaked data can be sold to other criminals on the dark web, which can then be used for various other malicious purposes.
How can we protect personal data?
- Use strong and complex passwords by combining alphanumerics, cases, and special character symbols.
- Periodically change passwords.
- Use different passwords for every account.
- Implement passwordless access.
- Only use secure websites.
- Ensure computers and devices are using the latest versions of operating systems and apps.
- Regularly check your accounts and statements for any unusual activities.
- Avoid writing down passwords and account details, and shred any sensitive documents that are no longer required.
- Use only websites with secure URLs, i.e., domains with https.
- Remove data before disposing of devices. Make sure the memory is completely wiped.
- Avoid oversharing data on social media platforms, as it reveals a lot about your work and private life, which can be leveraged.
What to do if your data gets exposed
- If you believe your data could be part of a breach, find out what exactly was leaked. As per regulations, compromised companies are required to inform clients regarding any related breaches. Contact the company to understand the information that was leaked.
- If it’s financial-related, contact the respective bank to find out the next steps, like changing or closing accounts, blocking issued cards, etc.
- Monitor your accounts for suspicious activity. If there are discrepancies, please notify the relevant authorities immediately.
- Change passwords for all your accounts immediately. There is a good chance that the same or very similar passwords are being used in other locations. Ensure each password is different and complex.
Industry pain points / solution
Common industry knowledge will tell you that the most you can do is strengthen your passwords, apply 2FA, and follow many other tips that are useful, yet tedious for the average user to adopt.
As an industry leader, I believe we need to be focusing on improving individual identification without passwords, rather than strengthening passwords. This would mean that we need to incorporate more technologies, more specifically towards identification without a password, in all our products and services globally, to protect consumers from instances such as account hijacking, impersonations, and more. Additionally, a prime focus should be set on being fully aware of what data is already being put out, and where. And most importantly, what security measures are set? Is it encrypted?
Organizations need proper information audits to adequately secure their organizations from the outside in.
If an organization isn’t completely aware of its data present in the cloud, this becomes an easy gap for criminals to exploit.
The real question is, what can we easily adopt, and how can we make personal identification more convenient at the same time? We need to work on different methods or techniques that make personal identification almost impossible to hijack and set up basic security control standards globally to ensure proper security regulation of all online data.