Imagine you have an account with an online bookshop. You use a hard-to-guess
password and do a great job of keeping it a secret.
Then one day someone hacks into the bookshop’s server and takes a copy of a million customers’
accounts, including yours. This is a data breach. They happen often,
in varying scale and severity.
It is in the interest of businesses and other organisations to protect your data, and they may
be fined for not taking adequate measures to do so, but achieving total security is
impossible.
The upshot is that much of what we consider private information may not remain private forever.
The consequences of a data breach depend on the importance of the service and the kind of
information disclosed.
Consequences
Your account with the bookshop probably has your home address and phone number. If these are
made public, fraudsters might include them when sending you
scam emails to make them sound more convincing, or make bogus
phone calls that seem more believable because they already know your name.
If passwords are breached, and especially if the bookshop stored them in plain text or with a
weak hash, a third party might even be able to log into your account and order books. They’ll
also try the same email and password on other popular websites (so-called credential stuffing),
because people often use the same password for several accounts.
Finally, information like your bank details or date of birth might assist criminals in identity
theft.
Finding out
While caches of stolen data may be traded ‘underground’ for money, they can also end up on the
Internet. The silver lining is that you can use tools like
Have I Been Pwned to check whether your data appears
in a public breach. Additionally, if you let Chrome, Edge, Firefox or Safari remember your
passwords, you benefit from the fact that these browsers regularly check those passwords against
a database of known breaches, without sending the passwords themselves to anyone, and alert you
if they’ve been compromised.
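The privacy-preserving check that makes this possible, as an added example that is not part of the original article: Have I Been Pwned’s Pwned Passwords service lets a client send only the first five hex characters of the SHA-1 of a password; the server returns every suffix in that bucket together with a count, and the client does the matching locally. The URL and response format below are the service’s documented ones; the sample response and its counts are constructed here so the check runs offline, and the network helper is only called when the file is run directly.

```python
from __future__ import annotations

import hashlib

# Constructed sample of what the range endpoint returns for prefix "5BAA6".
# A real bucket holds hundreds of lines. The first suffix is the genuine
# SHA-1 suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A3F9A1C0B7DDCB6B1E1F2A4D3A5E6F7B8C:2
FF00FF00FF00FF00FF00FF00FF00FF00FF0:1
"""


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix is ever sent over the network; the remaining
    35 characters stay on the client, so the server learns neither the
    password nor its full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus, 0 if it is absent.

    range_body must be the bucket for the password's own prefix; the match is
    made on the suffix locally, which is what gives the scheme its privacy.
    """
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network version: fetch the real bucket for a prefix (needs Internet)."""
    import urllib.request

    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    # "Add-Padding: true" makes every response roughly the same size, so an
    # observer on the network cannot infer the bucket from the reply length.
    req = urllib.request.Request(
        url, headers={"User-Agent": "breach-check-example", "Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration against the constructed bucket.
    for pw in ("password", "correct horse battery staple 7!"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_RESPONSE))
    # Live check (uncomment to run): only the prefix leaves this machine.
    # prefix, _ = split_hash("password")
    # print(breach_count("password", fetch_range(prefix)))
```

Note that padded responses contain filler lines with a count of 0, which the parser above handles like any other line; a hit with a count of 0 would still mean "not found", and `breach_count` treats it as such only because the constructed sample never uses it. For a live check, a sensible client treats any count of zero as absent.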
What to do
If you discover you’ve been affected by a data breach, don’t panic, and don’t blame yourself.
You didn’t do anything careless, and it doesn’t mean there’s something wrong with your
computer.
Try to find out which kinds of information were breached, such as phone numbers, credit card
numbers, or passwords. A responsible company should release a statement detailing this; it may
also be reported in the news, or you can check
Have I Been Pwned.
If the breached information poses a risk and is feasible to change, change it. For example,
report a credit card as compromised so you get sent a new one. If your password was breached,
change it, including on any other websites where you used the same password — and take this
opportunity to make them all different (a password manager makes that practical).
Be realistic about what you can’t change. It’s unlikely any harm will come of your email and
phone number being leaked, for example, and you’re not going to move house because a fraudster
knows your address! Just keep in mind the possibility that this information might be used in
efforts to scam you, especially in the immediate aftermath of the breach.
The dark web
The term dark web has increasingly featured in reports by mainstream
media. The name originates from the fact that sites comprising the dark web cannot be reached
without special software such as the Tor Browser, and do not appear in Google searches and
similar.
People accessing the dark web may use systems that conceal their location and usage — providing
effective anonymity for whistleblowers and human rights workers to contact journalists, for
example. Naturally, this technology is also abused, and illicit activity on the dark web includes
the trading of people’s private information.
Services have appeared that promise to monitor the dark web for your private information.
Consider that for such a service to work for you, you must trust it with the very same
information you are hoping it won’t find. This presents something of a conundrum because, of
course, there is always the possibility that the service itself might be breached or that your
account with them could be compromised.
Remember that it is in the interest of a dark web monitoring company to instil a certain amount
of fear in its customers, so that they will pay for the service. On finding a customer’s private
information on the dark web, one well-known security company sends an email that ominously
begins “check out what we found on the dark web”!
In terms of how you should respond to learning that your private information has been exposed
on the dark web, the answer is: the same as you would with any data breach. If the exposure
poses a risk and the information is feasible to change, change it; otherwise, just be aware of
the possibility of the information being used in efforts to scam you.