Recent Data Breaches and How to Protect Yourself

Billions of accounts and data points have been compromised in the past year. Learn how it happened and how to minimize the fallout.

Scores of government and industry computer systems store your most private, personal information. And as many unfortunate events have revealed, your data is vulnerable to unauthorized access and outright theft from these environments—a cyber event known as a “data breach.”

Data breaches are becoming increasingly common and severe. It may seem like a hopeless situation, but there are in fact a number of things you can do to protect yourself from breaches and consequences like identity theft. Corporations are also doing their part to keep your data more secure.

Notable recent digital security breaches

There have been dozens of serious data breaches since the start of 2017. Three of the most notorious and extensive, however, were the incidents at the hotel chain Marriott International, the credit reporting agency Equifax, and the marketing data broker Exactis.

Each incident exposed well over a hundred million personal records to misuse. Together, they show how exposed ordinary people are to the actions of attackers, and to the carelessness of the companies holding their data.

Marriott International

[Photo: Marriott Hotel entrance. Justin Lane / EPA]

What happened? 

Marriott International is the world’s largest hotel company, with over 6,500 properties in 127 countries. In 2016, Marriott acquired the Starwood group of hotels, which includes the St. Regis, Westin, Sheraton, and W Hotels brands.

On November 30th, 2018, Marriott announced that it had suffered an enormous data breach, by far the largest disclosed that year. Attackers had copied and encrypted information from the Starwood guest reservation database and had begun moving it out of the network. Marriott disclosed that the attackers had held unauthorized access to the database since 2014; the company did not detect the intrusion until an internal security tool raised an alert in September 2018, four years later.

Who was affected?

Private information on up to 500 million guests in the Starwood guest reservation database may have been compromised. For around 327 million of those guests, the stolen information includes some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, Starwood Preferred Guest account information, and arrival and departure dates. For some guests, encrypted payment card numbers and expiration dates were also taken, and Marriott could not rule out that the keys needed to decrypt them had been stolen as well.

Takeaways

Marriott’s breach illustrates both the growing scale of data breaches and how much time can pass before a company notices that one has occurred. It is crucial to be conscious of where your personal data is stored, because an attacker may have had it for years before you are told.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” said Marriott CEO Arne Sorenson.

Equifax

[Photo: Equifax Inc. headquarters. AP Photo/Mike Stewart]

What happened?

Equifax is one of the three major U.S. credit reporting agencies, relied upon by banks and credit card companies to score the creditworthiness of American consumers. To this end, Equifax compiles extensive credit histories and databases of personal information on virtually every adult in the United States.

In September 2017, the company disclosed that it had suffered a massive data breach. The attackers got in through a consumer-facing web application running a vulnerable version of the Apache Struts framework (CVE-2017-5638). A patch for that vulnerability had been available since March 2017, months before the intrusion began in May, but Equifax had never applied it.

Who was affected?

The Equifax breach resulted in the theft of a wide range of personal data, including roughly 145.5 million Social Security numbers, 99 million home addresses, 20 million phone numbers, 17 million driver’s license numbers, and 209,000 payment card numbers. Tax identification numbers were also among the stolen data.

Takeaways

The breach showed how shoddy security practices, in this case a single missed patch, can endanger massive amounts of sensitive data. It reveals that corporations may not deserve the trust placed in them to safeguard that data. In the Equifax case, the data collection is also involuntary.

No one asks Equifax to store their data. Yet, they do store it, where it is vulnerable to theft.

Exactis

[Image: Exactis logo. © EXACTIS 2018]

What happened?

Exactis is a large marketing data broker. It compiles profiles of American consumers by collecting and correlating website visits (via tracking cookies) and other extractable information about online habits. The Exactis database holds hundreds of data points per person, including their interests, how many children they have, and so forth.

In mid-2018, a security researcher reported that he could read roughly 340,000,000 records from an Exactis database server that was reachable from the Internet without any authentication. This incident was classified as a leak rather than a breach because there is no evidence that anyone deliberately stole the information. However, an open database of that size is exactly what attackers scan for, so it is entirely possible that unauthorized parties found and copied the data before the server was secured.

Who was affected?

It appears that hundreds of millions of consumers had personal information about themselves revealed. While the data did not contain Social Security numbers or payment card numbers, it did expose intimate details of victims’ lives alongside their home addresses, phone numbers, and email addresses.

Takeaways

Like Equifax, Exactis does not ask consumers’ permission to store their data. It simply amasses data that is semi-publicly available. Whether that practice is acceptable can be debated, but the leak again shows a breakdown in responsibility, accountability, and trust by a corporate custodian of sensitive information. What’s more, it shows that a leak isn’t always about identity or financial data. Databases of interests, life events, and household details are also targets, and they are useful for the phishing and phone scams described below.

7 Steps to Take After a Data Breach

If you have been the victim of a data breach, there are steps you can take to protect yourself. Instead of hoping for the best, you can limit the impact the breach can have on your life.

One slightly reassuring observation about the Equifax attack concerns who carried it out. Most data breaches end with the stolen data being sold to fraudsters on the “Dark Web,” an online black market.

Anecdotal evidence suggests that the Equifax data has not surfaced on those markets or produced the expected surge in identity fraud. The likely reason is that the attacker was a national government that wanted the data for espionage rather than profit; in 2020 the U.S. Department of Justice indicted four members of China’s People’s Liberation Army for the intrusion.

In any event, it pays to be prepared. Here are 7 steps to take after a data breach:

1. Get prepared

Be ready for a notice from the company. Remember, you may not even be aware that a company like Exactis holds your data. Pay attention to unusual mail, such as letters that look like junk mail but actually contain a breach notice explaining what was exposed and what the company is offering, such as free credit monitoring.

2. Create a fraud alert with banks and credit bureaus

If hackers steal your personal data, they may try to open credit accounts in your name. (Then they borrow money and leave you with the debt.) A fraud alert makes it harder for them to do so.

You place a fraud alert with any one of the three credit bureaus (Equifax, Experian, or TransUnion), which must notify the other two. While it is active, a lender that pulls your credit report has to take extra steps to verify your identity, usually by calling you at the number you supplied, before opening an account. This is a simple control that can block the worst consequences of a data breach.

3. Monitor your bank and card accounts closely

If someone fraudulently uses your bank information (e.g. your debit card number) to make unauthorized charges to your account, you can usually get them reversed if you report them to your bank promptly. For debit cards in particular, the amount you can be held liable for grows the longer you wait to report.

Most banks and credit card providers enable you to set up regular monitoring of your account and notifications for odd activity.

4. Monitor your credit closely

[Photo: person checking a credit report]

The major credit bureaus (Equifax, Experian, and TransUnion) let you monitor your credit reports and scores, and you can pull your reports for free at annualcreditreport.com. If someone has committed identity fraud in your name, the first signs are usually accounts and credit inquiries you don’t recognize on your report, followed by a falling score as the debts go unpaid. Catching that activity early makes it far easier to dispute and clean up.

5. Freeze/lock your credit and bank

A credit freeze, which you must request separately from each of the three bureaus, blocks lenders from pulling your credit report, so no one can open a new account in your name until you temporarily lift it. Freezes have been free nationwide since September 2018. Separately, your bank will let you lock a lost or exposed card and can add controls to your account, such as a verbal password, so that no one other than you can change the account’s settings.

For example, if a hacker gets your information and then calls your bank claiming to be you, asking that a “spouse” (another hacker) be added as a cosignatory to the account, a verbal password or similar lock on the account will block the change.

6. Subscribe to portals like ‘haveibeenpwned.com’

[Image: Have I Been Pwned logo. haveibeenpwned.com]

This site indexes the contents of known data breaches and lets you check whether your email address (or phone number) appears in any of them; you can also subscribe to be notified when it turns up in a new one. Appearing in a breach does not mean your email account itself was hacked, but it does mean that whatever password you used on the breached service should be treated as exposed. Change it there and anywhere else you reused it, and turn on two-factor authentication where the service offers it. The site’s companion Pwned Passwords service also lets you check whether a specific password has appeared in any known breach, without sending the password itself.
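For readers who want to check a password against the Pwned Passwords service without sending the password itself, here is an added example (not code from the original article or from Have I Been Pwned) showing how its k-anonymity range API works: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix the service knows with that prefix, and does the comparison locally. The endpoint URL is the real one; the sample response body and the counts in it are constructed for the offline demonstration and are not real data from the service.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API
using its k-anonymity scheme. Only the 5-character SHA-1 prefix leaves the
machine; the 35-character suffix is matched locally."""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the prefix that is sent
    to the service and the suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' pair per line) and return
    the breach count for our suffix, or 0 if the suffix is not listed."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup. The request carries only the 5-character prefix, so the
    service cannot learn which password was checked."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example"},  # assumed name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen).
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of "password"),
# in the format the real API returns. The suffixes other than the middle
# one and all the counts are made up for this demonstration.
SAMPLE_RESPONSE = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E8D8C5D30C9E5E7D7B0A5A6E6DC2B2A3F1:1
"""

if __name__ == "__main__":
    # Offline run against the constructed response; swap in fetch_range
    # (the default) to query the live service.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=lambda _prefix: SAMPLE_RESPONSE)
        print(f"{pw!r}: seen {n} times")
```

Because the suffix comparison happens on your side, the service only ever learns that you asked about one of the several hundred hashes sharing a five-character prefix, which is the privacy property that makes it safe to use this check on a password you still rely on.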

7. Watch out for possible over-the-phone scams

Once hackers have your personal information, they can try to trick you into disclosing more information or sending them money under false pretenses over the phone.

For example, a caller may claim to be from the IRS and demand that you pay a late filing penalty by credit card or gift card. Because they already hold details from a breach, they can recite enough about you to sound genuine. (Hint: the IRS initiates contact by postal mail, not by an unsolicited phone call, and never demands immediate payment by card, gift card, or wire transfer.) It pays to be circumspect and careful about such calls.

One recommended practice is to hang up and call the organization back on a number you already have, such as the one printed on your card or on its official website, never a number the caller gives you, and ask whether they were trying to reach you.

What are companies doing about data breaches?

Businesses try to take data breaches seriously. These incidents are costly to handle: the Ponemon Institute’s annual Cost of a Data Breach research put the average price of a breach at about $3.8 million in 2018.

A “mega breach” affecting 50 million records could cost up to $350,000,000 to remediate, counting credit monitoring for victims, notifications, lawsuits and so forth. A breach is also terrible for a company’s reputation.

To mitigate the financial and reputational risks of a data breach, most companies now devise incident response plans and tighten their defenses. As events show, these measures are not bulletproof. However, they represent focused efforts on keeping data safe.

Plans and related actions include steps like:

  • Encrypting data at rest and in transit
  • Implementing robust, least-privilege controls over data access
  • Network access controls and segmentation
  • Application monitoring, management, and timely patching

What about the government?

The government also now requires businesses to take specific actions in the event of a data breach.

The SEC, for example, issued its Statement and Guidance on Public Company Cybersecurity Disclosures in 2018. This document sets out how publicly traded companies are expected to inform investors about material cybersecurity risks and incidents, including data breaches.

At the state level, legislation like California’s data breach notification law, the first in the country, establishes clear rules for when and how consumers must be told that their personal data was exposed in a breach. Every U.S. state now has a breach notification law of its own.

Takeaways

Data breaches represent a serious threat to consumer privacy and safety from financial fraud. At a high level, the repeated incidence of breaches should make you cautious about what data you share voluntarily with corporations.

Even with this attention to sharing, data about you is still vulnerable to theft. It is possible, though, to minimize the impact of a breach if you take certain steps. These include freezing accounts, establishing credit notifications and so forth.

Companies, on the other side of the equation, are investing time and resources into keeping your data safer. They’re doing this partly to save money and avoid embarrassment. But, it’s also becoming part of the law in more and more places.

Data breaches will not end soon and may well grow in the coming years, but their effects on consumers can become less severe over time if proper regulation is introduced and consumers take the precautions above.

Hugh Taylor

Hugh Taylor is a Certified Information Security Manager (CISM) who has written about cybersecurity, compliance, and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups. Hugh is the author of multiple books about business, security, and technology.