Everyday Security in an Online World

Accept That Data Breaches Happen

Imagine you have an account with an online bookshop. You use a strong password (see Use Strong, Unique Passwords) and do a great job of keeping it a secret.

Then one day someone hacks into the bookshop’s server and takes a copy of a million customers’ accounts, including yours. This is a data breach. They happen often, in varying scale and severity.

It is in the interest of businesses and other organisations to protect your data, and they may be fined for not taking adequate measures to do so, but achieving total security is impossible.

The upshot is that much of what we consider private information may not remain private forever. The consequences of a data breach depend on the importance of the service and the kind of information disclosed.

Your account with the bookshop probably has your home address and phone number. If these are made public, fraudsters might include them when sending you scam emails to make them sound more convincing, or make bogus phone calls that seem more believable because they already know your name.

More sensitive information, like your date of birth or bank details, might assist criminals in identity fraud. This is where someone knows enough about you to assume your identity for the purpose of opening or taking over financial accounts, ordering goods or services, or obtaining official documents like a passport or driving licence.

Finally, if passwords are breached, a third party might even be able to log into your account and order books. And as we saw in chapter four, an attacker who knows your password will try it on many popular websites, because people often use the same password for several accounts.

Finding out

While caches of stolen data may be traded ‘underground’ for money, they can also end up on the Internet. The silver lining is that you can use tools like the website Have I Been Pwned to check whether your data appears in a public breach. And if you let Chrome, Edge, Firefox or Safari remember your passwords, you benefit from the fact that these browsers regularly check those passwords against a database of known breaches, and alert you if they’ve been compromised.
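The browser checks described above can be done without ever sending your password (or even its full hash) to anyone. Have I Been Pwned publishes a "range" API: you hash the password with SHA-1, send only the first five hex characters, and get back every suffix in that range with a breach count, so the service never learns which one you were asking about. The following is an added example, not code from the book or from Have I Been Pwned; the range response it checks against is constructed sample data with made-up counts, and the only real password it contains is the classic "password". The `fetch_range` function is included so the same code can be pointed at the live service, but nothing below needs the network.

```python
"""Check a password against a breached-password list using the k-anonymity
range lookup that Have I Been Pwned's Pwned Passwords service exposes.

Added illustration: the sample range below is constructed for this example
and its counts are invented, not real breach figures.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API; only a 5-character hash
# prefix is ever sent to it.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the prefix 5BAA6. Each line is
# "<35 hex chars of SHA-1 suffix>:<count>". The second line is the real
# suffix for SHA-1("password"); the count of 42 is made up. The ":0" line
# mimics the padding entries the service can add so that response size
# does not reveal how many real matches are in a range.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
1E2AAA439972480CEC7F16C795BBB429372:1
1F2B668E8AABEF1C59E9D6CCA7D4D5B6B4C:0
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn a 'SUFFIX:COUNT' per line response into a suffix -> count map.
    Blank or malformed lines are skipped rather than trusted."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range for a hash prefix. Add-Padding asks the service
    to include dummy zero-count entries (a documented option)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the breach corpus.
    0 means the suffix was absent from the range (or was a padding entry).
    `fetch` is injectable so the check can run offline against sample data."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # never touches the network
    for pw in ("password", "a-long-passphrase-nobody-else-uses"):
        n = breach_count(pw, fetch=offline)
        verdict = f"seen {n} times" if n else "not in this range"
        print(f"{pw!r}: {verdict}")
```

The point to notice is what leaves your machine: five hex characters that match roughly one in a million possible hashes, and nothing else. That is why a browser or password manager can run this check on every saved password without itself becoming a place where your passwords could be breached.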

What you can do

If you discover you’ve been affected by a data breach, don’t panic, and don’t blame yourself. You didn’t do anything careless, and it doesn’t mean there’s something wrong with your computer.

Try to find out which kinds of information were breached: phone numbers, credit card numbers, passwords and so on. A responsible company should release a statement detailing this. It might also be reported in the news, or you can check Have I Been Pwned.

If the breached information poses a risk and is feasible to change, change it. For example, report a credit card as ‘stolen’ so you get sent a new one. If your password was breached, change it, including on any other websites where you used the same password — and take this opportunity to make them all different, ideally storing them in a password manager (see Use Strong, Unique Passwords).

Be realistic about what you can’t easily change. It’s unlikely any harm will come from your email address and phone number being leaked, for example, and you’re not going to move house because a fraudster knows where you live! Just keep in mind the possibility that this information may be used in efforts to trick or scam you, especially in the immediate aftermath of the breach.

If you found this useful, you can support my work by buying me a coffee or ordering a paperback or Kindle copy of the book.