Data breaches

Imagine you have an account with an online bookshop. You use a hard-to-guess password and do a great job of keeping it a secret.

Then one day someone hacks into the bookshop’s server and takes a copy of a million customers’ accounts, including yours. This is a data breach. They happen often, in varying scale and severity.

It is in the interest of businesses and other organisations to protect your data, and they may be fined for not taking adequate measures to do so, but achieving total security is impossible.

The upshot is that much of what we consider private information may not remain private forever. The consequences of a data breach depend on the importance of the service and the kind of information disclosed.

Consequences

Your account with the bookshop probably has your home address and phone number. If these are made public, fraudsters might include them when sending you scam emails to make them sound more convincing, or make bogus phone calls that seem more believable because they already know your name.

If passwords are breached, a third party might even be able to log into your account and order books. The attackers will also try the same password on other popular websites, because people often reuse one password across several accounts.

Finally, information like your bank details or date of birth might assist criminals in identity theft.

Finding out

While caches of stolen data may be traded ‘underground’ for money, they can also end up on the Internet. The silver lining is that you can use tools like Have I Been Pwned to check whether your data appears in a public breach. Additionally, if you let Chrome, Edge, Firefox or Safari remember your passwords, you benefit from the fact that these browsers regularly check those passwords against a database of known breaches, and alert you if they’ve been compromised.

What to do

If you discover you’ve been affected by a data breach, don’t panic, and don’t blame yourself. You didn’t do anything careless, and it doesn’t mean there’s something wrong with your computer.

Try to find out which kinds of information were breached, such as phone numbers, credit card numbers, or passwords. A responsible company should release a statement detailing this; it may also be reported in the news, or you can check Have I Been Pwned.

If the breached information poses a risk and is feasible to change, change it. For example, report a credit card as compromised so you get sent a new one. If your password was breached, change it, including on any other websites where you used the same password — and take this opportunity to make them all different.

Be realistic about what you can’t change. It’s unlikely any harm will come of your email and phone number being leaked, for example, and you’re not going to move house because a fraudster knows your address! Just keep in mind the possibility that this information might be used in efforts to scam you, especially in the immediate aftermath of the breach.

The dark web

The term dark web has increasingly featured in reports by mainstream media. The name originates from the fact that sites comprising the dark web cannot be reached using regular browsers, and do not appear in Google or other search engines.

People accessing the dark web may use systems that conceal their location and usage — providing effective anonymity for whistleblowers and human rights workers to contact journalists, for example. Naturally, this technology is also abused, and illicit activity on the dark web includes the trading of people’s private information.

Services have appeared that promise to monitor the dark web for your private information. Consider that for such a service to work for you, you must trust it with the very same information you are hoping it won’t find. This presents something of a conundrum because, of course, there is always the possibility that the service itself might be breached or that your account with them could be compromised.

Remember that it is in the interest of a dark web monitoring company to instil a certain amount of fear in its customers, so that they will pay for the service. On finding a customer’s private information on the dark web, one well-known security company sends an email that ominously begins “check out what we found on the dark web”!

In terms of how you should respond to learning that your private information has been exposed on the dark web, the answer is: the same as you would with any data breach. If the exposure poses a risk and the information is feasible to change, change it; otherwise, just be aware of the possibility of the information being used in efforts to scam you.