Between data breaches at Dropbox, Adobe, Yahoo, Target, and eBay, it’s likely that your personal information has been compromised at some point. A “breach” is any incident in which a hacker illegally obtains data, usually by exploiting weaknesses in the software of a business or other organization. Not all data breaches contain usernames and passwords, but even without login information, a breach can still represent a privacy concern, for example when it exposes home addresses or health information.
How to Identify a Legitimate Data Breach
Sometimes a data breach will be announced by a hacking group but will turn out to be a hoax. The matter is further complicated by scammers who exploit news of a real breach to trick you into handing over even more information.
One of the most concerning data breaches in recent years involved government databases that contained Social Security numbers and other personal information of government employees, spouses of employees with government clearance, government contractors, and applicants for government jobs. People affected by the breach were sent letters from the federal Office of Personnel Management, which identified the details that had been compromised and offered free identity theft protection. In this case, the breach was real. You might still have been worried when you tried to register for the free identity theft protection product and it requested your Social Security number.
In this case, the scenario WAS perfectly legitimate, but skepticism is a good default stance. Always check URLs to make sure they make sense. U.S. government websites should end in .gov. An identity theft protection product should be one you’ve heard of before.
How to Defend Yourself from a Data Breach
Data breaches are incredibly common, and companies often do not notify their customers of a breach until long after it has happened. An organization might not even know it was hacked, particularly when the hackers choose not to publicize the intrusion. Many hackers take pleasure in trading data sets among themselves without any intent to use them maliciously, which leaves the victim organization with few signs that anything happened.
One website we like to use is haveibeenpwned.com.
Pwn, pronounced “pone,” is a slang term that originated in the geek/gaming community. It is derived from the verb ‘own,’ meaning ‘to appropriate’ or ‘to conquer to gain ownership.’ The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated (for example, “You just got pwned!”).
The website was founded by Troy Hunt, a Microsoft Regional Director and expert in developer security, who created it as a free (and beneficent!) resource to allow anyone to quickly assess whether their online accounts have been “pwned” in a data breach. To find out if you have been ‘pwned,’ you enter your email address, and the site tells you which known breaches contained it. All of the data on the site comes from breaches that have been made publicly available. ‘Have I Been Pwned’ has become such a reliable information source that some hackers contact Hunt directly to provide newly obtained data, much to his disgust.
That said, not every data breach appears on this website, so the tool is only a starting point. The best defense against a data breach is to change passwords on a fairly frequent basis, to use a unique password for every account, and, most importantly, to check your credit card and bank balances often and review your credit reports regularly for any unusual activity.
Have you found yourself the victim of a data breach and aren’t confident about what to do? We’re here to help!