On average, a cyberattack occurs every 39 seconds and with a steady track record of mass digital data breaches since the first in 2004, hackers don’t seem to be slowing down. Although cyber criminals have a tendency to target larger companies, millions of customers can be placed in the line of fire by association.
For this reason, it’s important to be proactive in understanding data breaches and how you can take measures to protect yourself should you become involved in one.
What Is a Data Breach?
A data breach is a cyberattack in which private information is accessed without authorization. Data breaches can occur within various organizations, from second-party retail stores and medical companies to third-party businesses like credit bureaus.
How Does a Data Breach Occur?
Data breaches are typically carried out in three separate steps: research, attack, and exfiltration.
- The Research Phase: A cybercriminal will look for vulnerabilities in the targeted company’s security system.
- The Attack: Once the attacker finds any weaknesses in a company’s security, he or she may attempt to access private information through either a network or social attack.
- Network Attack: A method through which the cybercriminal breaks into private information through the organization’s infrastructure or security system.
- Social Attack: A social attack is a method of infiltration in which the attacker uses a scam, such as phishing, to bait employees into providing access to a network or opening an attachment that holds a virus.
- Exfiltration: This last phase of a data breach occurs once the attacker finally gains access to a system. He or she may not have access to any data right away, but is able to work towards the information needed. Once the data is extracted the attack is successful.
Data breach vs. identity theft
Although the two are closely related, there is a distinct difference between a data breach and identity theft. A data breach can lead to identity theft. However, this is not definite. Just because there was a massive data breach involving your private information, it doesn’t mean your identity was or will be stolen.
So while a data breach means your private information is accessed and taken, it is not identity theft unless the attacker actually uses the stolen information to impersonate you.
Why Do Data Breaches Occur?
Data breaches can occur for various reasons:
- Out-of-Date Systems: According to Verizon’s 2019 Data Breach Investigations Report, 52% of breaches were caused by hacking. Oftentimes, breaches can simply be caused by a combination of small, avoidable security vulnerabilities (such as out-of-date software) and a good hacker. If software isn’t maintained and using the latest security protection, then companies are inviting hackers to take advantage of them.
- Viruses/Malware: Verizon’s report cites malware as involved in 28% of breaches. Malware can be exposed to systems through social attacks or through network attacks by modifying existing software (even antivirus software) to have a malicious impact, despite appearing safe.
- Human Error: In a separate report, the Society for Human Resource Management claimed that mistakes made by an individual rather than a system account for 52% of security breaches. The Verizon Investigations report claims 33% of breaches included a social attack involving people, like phishing. In other cases, company servers have been left open and accessible to the public, ready and waiting for anyone to come along and take a look.
How a data breach can affect you
Although being involved in a data breach doesn’t necessarily mean your identity has been stolen, it’s important to know what types of information may be stolen and the impact a breach can have on you.
The types of information stolen may include:
- Dates of birth
- Social Security numbers
- Phone numbers
- Clinical/medical info
- Banking/credit info
- Credit card numbers
- Insurance claims
Although a name and a date of birth may seem like insignificant information, with them hackers have the ability to deeply impact your life in a negative way. With the aforementioned data, a cyberattacker has the potential to steal your identity.
Hackers can use the stolen breached data to impersonate you, like applying for credit or medical benefits, or filing for your tax return. Some of these crimes can destroy your credit, which can take loads of time (years, in many identity theft cases!) and stress to undo.
Data Breaches in 2019: What Happened?
Capital one data breach
In July of 2019, Capital One® was involved in a massive breach in which a hacker gained access to over 100 million Capital One® customer accounts and credit card applications. The hacker was identified shortly after the breach as a former Amazon employee. Capital One® was using Amazon’s servers at the time to store all the breached data. The hacker intended on using the stolen information to engage in “cryptojacking,” which is the process of mining cryptocurrency using some unwitting person’s computer.
Upon further investigation, Capital One® claims that no account numbers or login credentials were compromised in the breach and that over 99% of social security numbers were left untouched. The company vowed to contact those involved in the breach and extend free credit monitoring and identity protection services. It expects to incur between $100 – $150 million in damages from the breach, including the additional support for compromised customers.
First American Financial Corporation data breach
In May 2019, there was a security flaw in First American’s website, leading to a data breach that exposed nearly 885 million records. The exposed documents related to mortgage deals dating back to 2003. The documents included sensitive information like bank account numbers and statements, tax records, and SSNs.
Although First American restricted access to the database immediately upon being notified of the breach by Krebs, it is unsure if any hackers noticed the accessibility and stole information. The cause of this breach was simply a lack of security in the company’s website design. First American has since hired an external forensics firm to investigate the severity of the hack, and expects to offer victims free credit monitoring as support in the aftermath of the breach
Quest Diagnostics/LabCorp data breach via AMCA
In May 2019, the American Medical Collection Agency suffered a data breach that left the information of up to 12 million Quest Diagnostics patients vulnerable. The hacker gained access to financial information, SSNs, and medical data but not including lab results.
LabCorp was also affected by a breach suffered by the AMCA several days later. The medical testing company claimed that the compromised information for nearly 7.7 million customers did not include what types of tests were requested or the results of those tests.
Since the two breaches, the AMCA has conducted an internal review of its cybersecurity, which included taking down the web payments page that had been hacked. It has since moved its web payments page to a third-party site and hired an outside company to reevaluate its security system.
Facebook data breach
You probably won’t be surprised to hear that Facebook was hit with yet another major data breach in April of 2019.
In this recent breach, over 540 million Facebook user records were exposed on Amazon’s cloud computing service. It was suspected that two third-party developers, media company Cultura Colectiva and an app called At the Pool, posted the exposed records.
Cultura Colectiva exposed 146 gigabytes of user data, which included account names, IDs, and user behavior details like comments and reactions to posts.
At the Pool exposed plaintext passwords for 22,000 users in addition to user IDs, friends lists, photos, and location check-ins.
Data Breaches in 2018: What Happened?
Marriott Hotels data breach
In November of 2018, Marriott International revealed that a breach of its Starwood guest reservation database had occurred, leaving the personal information of up to 500 million people vulnerable. The breach took place on September 8, 2018.
In March 2019, Marriott’s CEO Arne Sorenson further discussed the details of the breach. The specific information compromised included 383 million guest records, 18.5 million passport numbers, and 9.1 million payment card numbers.
Facebook data breach
In September of 2018, 30 million Facebook users were involved in one of the social network’s more notable breaches. Facebook reported that half of those users had sensitive info accessed, like usernames and recent search history, as well as profile information like race, religion, gender, relationship status, birthdate, and location. The other half only had names and contact details, like emails or phone numbers, exposed.
Since this data breach, Facebook has undergone in-depth investigation, and the results have been mostly disappointing. In early 2019, investigations found that the company had uploaded the email contacts of 1.5 million users without their consent.
When opening an account, Facebook requested users provide their email and password as a method of verification. Upon entering a password, the site began importing contacts without permission. The month prior to this second incident, the company admitted to storing passwords in a readable format within an internal storage system that could be accessed by employees.
Since the breaches, Facebook says it will be notifying all users involved, encouraging them to change passwords and turn on the two-factor authentication privacy tool. It will be taking measures to implement stronger encryption methods to keep login information more secure.
Data Breaches in 2017: What Happened?
Sears/Delta data breach
Between September 26 and October 12 of 2017, customer service operations company 7.ai experienced a data breach. The breach compromised the customer payment information of several of the company’s clients, including Sears and Delta.
Although Sears suspects fewer than 100,000 of its customers were made vulnerable, the credit card information of this group may have been compromised for online transactions that occurred between September 27 and October 12 of 2017. Sears claims purchases made with the company-branded credit cards (the and ) were not compromised. The company set up a hotline to assist customers who fell victim to the breach.
Delta concluded that a small number of individuals were affected by the breach. Payment card information may have been exposed during the period above, but Delta assured customers that passport, security, and frequent flyer data were not included. It set up a designated website for customers concerned about the breach.
Equifax® data breach
In September of 2017, Equifax® suffered a breach that left the personal information of 147 million people exposed. The credit reporting agency has since been involved in a global settlement case, settling on up to $425 million in assistance for those affected by the breach, which was decided in July of 2019.
Those affected by the breach are eligible to file a claim for the following:
- Free credit monitoring service for up to 10 years
- Cash payment up to $20,000 to cover any fraudulent charges made with stolen information or additional legal costs associated with damage control efforts, as well as compensation for time spent dealing with the repercussions of the breach
Beginning in 2020, all U.S consumers will receive six free Equifax® credit reports per year for up to seven years, in addition to the one free annual report already offered. This perk will be offered to everyone, even if you do not file a claim. Those who choose not to file a claim will also be eligible for a free identity restoration service for up to seven years. In 2015, Experian also suffered a data breach in which one of its business units was hacked, exposing data associated with one of its clients: T-Mobile. The breach exposed the names, addresses, and license and passport numbers of nearly 15 million people.
What Should You Do If You’re a Victim of a Data Breach?
In all 50 states, a company is legally obligated to let you know if you’ve been involved in a data breach. Upon being alerted that your information has been made vulnerable, it’s important to be proactive in strengthening your defenses against potential repercussions of a data breach.
Contact the breached company
Sometimes cyberattackers will pose as the targeted company and reach out to those affected by the breach in order to phish for more data. Never respond with any private information to emails appearing to be from an affected company. Locate official contact information and reach out to the company directly to investigate the following:
- Confirm that your information was involved in the data breach.
- Identify what information was exposed. Knowing what information was compromised will help you be more strategic in strengthening your defenses.
Issue credit freezes and fraud alerts with all three credit bureaus
Placing credit freezes on your credit reports can prevent a thief from using your information to commit credit-related identity theft. With freezes, however, you’re also preventing new lenders from checking your credit and opening new accounts in your name, until you use your provided PIN to lift the freeze.
Adding fraud alerts to your credit reports will tell lenders to proceed with extreme caution whenever they see a request to open a new account. Fraud alerts are ideal for those who want to add a layer of protection but not lock down their reports completely.
Contact the appropriate agencies/companies
Contacting the IRS is especially important if your Social Security number was compromised in a breach. You may want to strongly consider filing your taxes early in order to prevent a fraudster from stealing your return.
If your credit or debit card number was involved in a breach, call the issuer to cancel the card and get a new one with a new number. This can prevent you from dealing with the consequences of fraudulent purchases down the line. In general, it’s a good practice to keep a close eye on your credit card statements to watch for unauthorized activity, and that’s especially true if you’ve been involved in a breach.
You may also be entitled to help offered from the affected company. However, it is important to read the legal terms associated with any reparations extended to you. Accepting assistance may waive your right to sue a company, which can prevent you from receiving help for any extensive damages that may occur due to the breach.
Monitor all three of your credit reports frequently
Nearly one in three breach victims become fraud victims in the same year. One of the best tactics for being proactive with protecting your identity is checking up on your credit reports (yes, all three of them).
If you can’t get on board with remembering to thoroughly check them on a monthly basis, then aim to monitor them quarterly. Looking at your reports frequently will help you stay on top of any meaningful changes that may warrant further investigation and action.
Fill out an identity theft report
If you suspect that you are a victim of identity theft, file an identity theft report immediately. Once you’ve received your completed report, send it to each of the credit bureaus and request the removal of any unauthorized activity.
Consider filing a police report as well. This can prove helpful when attempting to dispute any fraudulent activity on your reports.
Strengthen your online security
Reset and improve passwords belonging to all breached accounts. If you have other accounts that use similar or identical passwords, change those as well.
Another way to strengthen security is by taking advantage of fraud and identity theft alerts that may be offered by your credit card issuer. Both Capital One and Discover offer Social Security number alerts designed to monitor the dark web for any of your personal information, and alert you if any is found.
While Discover’s SSN and account alerts are only available to its own cardholders, Capital One offers these tools to anyone. You’ll also get new account alerts with most credit monitoring services.
Data Breaches: A Brief History, and What’s to Come
Although there have been many major breaches receiving significant news coverage throughout the past decade, the data breach isn’t a new threat to companies and consumers. Hackers may have expanded tactics for accessing private information and achieved new depths in the damage caused, but the threat of having a company’s information breached has loomed for some time.
The original data breach
Data breaches are closely associated with cybertheft, cybersecurity, and new technologies. However, data breaches didn’t always and still don’t have to involve digital records.
Before companies had the technology to store their information digitally, a breach could occur if someone were to simply look at restricted information he or she didn’t have permission to access (which can still happen with digital tech). It was this type of situation that sparked the rise in legislation such as HIPAA to help guide companies in concealing sensitive information.
But digital records do make massive data breaches quite a bit easier. One of the first major digital data breaches happened in 2004 when AOL was hacked, compromising over 30 million consumers and 90 million screen names as well as email accounts.
The future of data breaches
Experian released a 2019 forecast for the data breach industry, which outlined five predictions for data breach trends:
- Biometric hacking: Cyberhackers are predicted to begin targeting biometric security such as facial recognition, fingerprint scanners, and passcodes. Organizations are encouraged to ensure biometric data is encrypted, stored in secure servers, and part of a multi-factor authentication system.
- Taking skimming to new heights: Experian predicts there will be a continued focus on skimming, specifically targeting bank networks by downloading malware into a bank’s computer system or ATMs. Companies should implement processes to regularly monitor their networks for suspicious activity in order to catch skimming early on.
- Targeting mobile networks: Hackers will infiltrate mobile networks to gain access to millions of smartphones, which may hold more valuable information than desktops and laptops. This will expose locations, pictures, and identifying/financial information. Experian urges phone manufacturers and networks to work together to ensure that Signalling System No. 7 (SS7), an integral component of telecom systems, is secure.
- Infiltrating the cloud: The three current challenges in cloud security are protecting against data loss and exposure, threats to privacy of this data, and compromised confidentiality. Companies should have monitoring protocols in place to stay on top of vulnerabilities, and additionally, create hierarchies of responsibility and liability for keeping their servers secure.
- Entering the gaming community: Cybercriminals will pose as gamers to bait other community members into sharing personal information to steal data and take over gaming accounts. These accounts may have access to valuable in-game assets, like tokens or weapons, along with real-world bank accounts and digital currencies. Gaming systems should focus on stronger authentication processes and gamers should work to enhance the strength of passwords used.
If you have become a victim of identity theft or credit card fraud as a result of a breach (or any other reason), educate yourself on immediate action you can take for disputing fraudulent credit card charges and slowing down damage brought on by having your identity stolen.