What to Do if Your Information Has Been Exposed
RiskBased Security recently released its 2019 Year End Data Breach QuickView Report and the numbers are quite alarming. According to the report, over 15.1 billion records have been exposed in 2019 – a 284% increase compared to 2018 – and this number is likely to grow as breaches are discovered throughout the first half of 2020.
Data breaches affect companies of all sizes and it’s easy to panic when a company you’ve done business with has been involved in one. If you’re not sure whether you’ve been affected, websites like Have I Been Pwned? allow you to search for your personal information to determine if anything has been exposed in any known breaches.
My information has been exposed. What do I do?
With the multitude of exposures out there, the unfortunate truth is that there is a good chance that at least some of your information has been exposed at some point in the past. If your information has been exposed there are things that you should watch out for and things that you can do to protect yourself from fraud.
Narrow down what information has been stolen.
Before you can take any action in response to your information being exposed, you must determine what kind of information was exposed in the first place. Follow up with official company statements and press releases to determine whether the breach involved lightly sensitive information (such as first and last names), more sensitive information (such as email addresses or payment card numbers), or highly sensitive information (such as Social Security numbers, passwords, or payment card security codes).
Change your passwords.
If a password was exposed in the breach, change that password right away! That means changing it on all the accounts you use that password for! It is never recommended that you reuse passwords across different accounts, but I understand that it still happens, so it needs to be said. Another thing to remember: once a password has been leaked in a breach, consider that password dead! You can assume that hackers and cyber attackers will continue to associate that password with you and your accounts well into the foreseeable future, so you should not reuse that password for the breached account or for any others.
end users: i will use the same password for everything
IT: that's a really bad idea
end users: it will be so easy to remember!
IT: no, i don't think you understa–
end user: same 🙂 password :)
— ArmorPoint (@ArmorPointSIEM) September 12, 2019
How to protect your passwords
Consider utilizing a trusted password manager like 1Password or LastPass to help you generate secure passwords and manage them all. With a password manager, you come up with one very strong password that you can remember, then the password manager stores all your different strong passwords for your different accounts. You install that password manager on your different devices and use it to sign in to your different accounts. Rather than type in each different username and password, you enter your master password for the password manager and it will fill in the login form for you using the stored login credentials. Using the password manager and remembering to store the passwords for new accounts may be something you’ll have to get used to, but it’s well worth the bit of effort considering the value in protecting your accounts. One thing you definitely don’t want to do is download a password manager then continue to use the same password across different accounts; make use of the secure unique password generator!
Check your security settings.
Check the security settings on your accounts to ensure that you are properly secured; you may also find that the available security options have changed since you last set them. Do you have a backup email or phone number assigned, and is it up to date? Do you remember the answers to your account recovery security questions? Is Two-Factor Authentication (2FA) available? If available, 2FA makes a huge difference in securing your account and also serves as an alert any time someone is trying to sign in with your information.
Contact relevant financial institutions.
If a payment card account number or other payment information has been exposed in a data breach, contact your financial institution right away! If you manage to notify the card issuer before any fraudulent transactions have occurred, then you should be completely off the hook for those charges. If you notify the card issuer after fraudulent charges have occurred, then the rules differ depending on the financial institution and type of card. The best place to go for answers to questions about fraud liability on your account is directly to the card issuer and your card agreement. In any case, best practice is to notify your bank as soon as possible after you notice any suspicious activity on your accounts!
Contact the credit reporting bureaus.
If a breach involving highly sensitive information such as your Social Security number or driver's license number takes place, you should contact the major consumer credit-reporting bureaus to ask that they each place a fraud alert on your name. With a fraud alert, you’ll be notified when your information is used to apply for an account or when someone tries to look your information up. You can take it a step further and request a credit freeze, stopping anyone from opening accounts in your name without your explicit authorization. This can be a hassle for you when making legitimate financial transactions because you will need to provide extra verification, but it is worth the trouble if it stops even one bad actor from stealing your identity.
How to request a credit fraud alert with the credit bureaus
U.S. residents can either request a credit alert online or call the bureau directly.
Consumers do not need to provide a reason when contacting the credit bureaus, and though each bureau is required to contact the others if an individual requests a fraud alert, it would be a good idea to notify each bureau by contacting them yourself. When communicating with the credit bureaus, be sure to note any reference numbers attached to your interactions!
These are just some of the steps you should take after you find out your information has been exposed. Keep in mind this is by no means a complete list of actions one should take following a breach. As the threat landscape evolves, companies are strengthening their security posture, but no one is immune to the threat of attack.
Ven Auva'a, a security analyst at ArmorPoint, is an experienced cybersecurity professional who has a passion for security analysis, threat investigation, and security awareness education.