A Deeper Look at Data Breaches - and What You Can Do to Protect Yourself

Many of us hear the term “data breach” tossed around on an almost weekly (if not daily) basis. This makes sense due to the massive amount of information we seem determined to share with the internet at an ever increasing cadence. With more “life” taking place online than ever before, criminals have discovered sophisticated ways to exploit our digital activities for their gain. 

‍

One of the most lucrative cybercrimes to date is the data breach. Breaches are usually designed to siphon large amounts of personal information, or very targeted, specific, and highly-valuable information (think state secrets). The volume and nature of the information varies, but any information gained through nefarious means is likely to be used for nefarious purposes.

‍

While we may not be able to stop every data breach every time, we can become educated on ways to protect ourselves and our data in the event of an attack.

‍

What counts as a “Data Breach?”

‍

A data breach occurs any time that unauthorized parties manage to gain access to sensitive, private information. This doesn’t always have to be electronic, although cyber hacking is the prevalent form of attack. Stealing hard copies of sensitive company information is considered a data breach akin to a hacker stealing digital data. 

‍

Access can come in the form of hacking into organizational systems, accidental shares by employees, gaining unauthorized access using employee credentials, or any activity that exposes an unauthorized party to the protected data. 

‍

‍

Methods used to gain unauthorized access to sensitive data

‍

There are several methods by which bad actors can gain access to sensitive data, including:

‍

Malware: This is a type of “malicious software” that can be downloaded into systems to collect data, or weaken the system to allow for unauthorized access. Certain types of malware may continue to gather data and pass it back to cybercriminals without disrupting the operating flow of the system it is attacking. This is especially dangerous, as it can go unnoticed for long periods of time and introduces brand new data regularly.

‍

Phishing: This method involves finding a way to “trick” employees or others into sharing sensitive information that will give hackers the data they need to gain access to personal or professional accounts. Phishing emails may be sent using spoofing techniques to appear as if they are being sent from a legitimate or familiar source, or people may be targeted via live phone calls that use trickery or fear to try and bully others into sharing data. Any time that a bad actor uses deception to fool others into sharing sensitive data, it is likely a phishing attack.

‍

Physical Theft of Devices: Many people keep all of their passwords and access codes on their mobile devices or laptops. It’s relatively easy for a hacker to steal these devices and then find ways to gain entry into their operating systems. From here, they will have open access to every account - from financial to e-commerce.

‍

Trial and Error: Hackers sometimes use data they’ve stolen or collected from one place to gain access to other accounts. They do this by combining usernames with known passwords until something works, usually with the help of faster moving programs. There are also a variety of software programs that can decode passwords and speed up the process of breaking into sensitive accounts.

‍

‍

The types of sensitive data targeted by malicious actors

‍

While not all data breaches are intentional (think of allowing a co-worker or family member to access your computer or phone for an innocent reason), the unauthorized recording and improper use of the data collected is. When a cybercriminal chooses to exploit data they’ve accessed for personal gain or malicious intent, the impact can vary widely depending on the information they’ve gained access to.

‍

The types of data that hackers may want include (but are likely not limited to):

• Personal data: Social security numbers, full names, contact information, data on family members, date of birth, or anything unique to an individual.
• Financial data: Bank account and routing numbers, credit card details, pin numbers, investment information, and even payroll information. For companies, this data may include all of the above en masse, along with corporate account information, third-party payment data, and a variety of other information that could lead to disastrous results.
• Medical data: Any information that is protected by HIPAA falls under this protected category. This can include treatment information, personal data, financial data, DNA information, personal history details, information on upcoming visits or procedures, and much more.
• Government Data: Any information that would expose national secrets to potentially nefarious parties, or that will negatively impact the country or those involved in running it to unwanted attacks.
• Corporate/Organizational Data: Trade secrets, consumer and business financial data, payroll data, investment data, employees’ personal data, competitor data, personal correspondence, and anything that a larger organization holds as proprietary. 

‍

In reality, hackers will take advantage of any data that they can gain access to, whether it’s to gain direct access to bank accounts, or to sell to unethical marketing agencies to turn a profit. 

‍

‍

How are data breaches identified?

‍

The method by which data breaches are discovered can have a significant impact on how organizations that have been targeted respond. While the hope is that any breaches are immediately detected by companies themselves via internal auditing, this is far from the norm.

‍

The most common ways that data breaches are discovered include (but are not limited to):

‍

• Non-Malicious External Parties: All too often, white hat (not malicious) hackers detect weaknesses in systems, and will expose these through gaining access to protected data. Then, they will usually contact the company impacted and let them know about the breach potential, and ways it may be avoided moving forward. These hacking attempts are sometimes in response to “bug bounty” programs, where companies challenge people to expose weaknesses in their products or systems in exchange for money.
• Internal Audits: Smart organizations have implemented a solid security department and engage in regular audits to test for vulnerabilities. Doing this allows them to detect weaknesses before hackers can, and to prevent future data breaches by patching the issues.
• Internal Employees: At times, an employee who is not performing a security audit may run into a vulnerability that could cause a larger data breach if left untreated. These are usually chance discoveries, and this method is not a dependable way to prevent leaks.
• Accidental: Occasionally overlapping with data breaches discovered by internal employees, accidental discovery of data leaks can occur in many ways. Any time that a user or employee comes across a weakness that is leaking or giving unauthorized access to data, it can be considered an accidental (while fortuitous) discovery. For example, a user may notice that information being sent from another user on an app is displaying more information about the recipient than it is supposed to.
• The Public: When customers begin flooding social media and customer support channels with reports of ransomware attacks, it’s a good indicator that a leak has occurred. This is the least desirable way to discover a data breach, and usually requires public relations to craft a public response plan.

‍

Here’s what you can do to proactively protect yourself from data breaches.

‍

Because consumers are required to consistently provide data to access different things online (or in-person), there is no foolproof way to prevent data from being leaked. What people can do is control the amount and type of data that they are making available online, and track any reports or alerts that indicate their information was involved in a leak.

‍

To do so:

• Use Cloaked to prevent the sharing of unnecessary personal info and to unlink your phone and email address from your personal accounts by creating separate identities for every new account or connection.
• Check to see if your data has been leaked regularly using a site like haveibeenbreached.com.  
• Set up credit monitoring to stay on top of any unauthorized purchases or strange financial activity.
• Use an identity theft protection service to monitor your personal data.
• Use software or a service that actively removes your personal information from the internet.
• Contact data brokers and request that they remove your personal information from their databases.
• Only ever provide the least amount of information possible to gain access to accounts or other platforms. If a company is asking for an unnecessary amount of data, there’s a good chance that they may be storing and selling it
• Read privacy policies to see if companies are contracting with third-parties who may pose a risk to your data privacy
• Monitor streams and threads on social platforms that focus on data breaches to get additional insight on breaking situations. Companies aren’t always the first to report a problem - social listening can help.

‍

Use Cloaked to protect your identity and stop privacy exposure.

‍

Cloaked allows you to create new identities for every new connection–online and in real life. If a company you’ve Cloaked gets breached, simply delete the identity from your database. Because the information that you shared was not personally identifiable, you never have to worry about hackers using it to gain access to your accounts, or life.

‍

Click here to get started now.