Data breaches

Imagine you have an account with an online bookshop. You use a hard-to-guess password and do a great job of keeping it a secret.

Then one day someone hacks into the bookshop’s server and takes a copy of a million customers’ accounts, including yours. This is a data breach. They happen often, in varying scale and severity.

It is in the interest of businesses and other organisations to protect your data, and they may be fined for not taking adequate measures to do so, but achieving total security is impossible.

The upshot is that much of what we consider private information may not remain private forever. The consequences of a data breach depend on the importance of the service and the kind of information disclosed.

Consequences

Your account with the bookshop probably has your home address and phone number. If these are made public, fraudsters might include them when sending you scam emails to make them sound more convincing, or make bogus phone calls that seem more believable because they already know your name.

If passwords are breached, a third party might even be able to log into your account and order books. They’ll also try the password on other popular websites, because people often use the same password for several accounts.

Finally, information like your bank details or date of birth might assist criminals in identity theft.

Finding out

While caches of stolen data may be traded ‘underground’ for money, they can also end up on the Internet. The silver lining is that you can use tools like Have I Been Pwned to check whether your data appears in a public breach. And if you let Chrome, Edge, Firefox or Safari remember your passwords, you benefit from the fact that these browsers regularly check those passwords against a database of known breaches, and alert you if they’ve been compromised.

What to do

If you discover you’ve been affected by a data breach, don’t panic, and don’t blame yourself. You didn’t do anything careless, and it doesn’t mean there’s something wrong with your computer.

Try to find out which kinds of information were breached, such as phone numbers, credit card numbers, or passwords. A responsible company should release a statement detailing this, it may be reported in the news, or you can check Have I Been Pwned.

If the breached information poses a risk and is feasible to change, change it. For example, report a credit card as compromised so you get sent a new one. If your password was breached, change it, including on any other websites where you used the same password — and take this opportunity to make them all different.

Be realistic about what you can’t easily change. It’s unlikely any harm will come of your email and phone number being leaked, for example, and you’re not going to move house because a fraudster knows your address! Just keep in mind the possibility that this information may be used in efforts to trick or scam you, especially in the immediate aftermath of the breach.