Public Access - Targeted: Retail Data Breaches and Corporate Responsibility

It's a sickening feeling. Maybe you heard on the news that a store where you shop frequently has suffered a data breach, and thousands have been affected. "It never happens to me," you say, and blow it off. Until you get the phone call or the letter in the mail, or worse, your once-healthy bank account is suddenly empty and your credit cards are maxed out.

Major Recent Breaches and Company Responses

Data breaches happen all the time, and the question now is when, not if, a company will have to deal with a cyber attack. There have been several breaches in 2016, affecting millions. Here is a list of some of the biggest, and how the companies responded:


Yahoo. This hack actually occurred in 2014, but was discovered this year, reportedly as early as July according to Motherboard. Yahoo is still reeling and reacting to the theft of nearly 500 million user records, and it may affect Verizon's decision to purchase the company for $4.8 billion. "The deal still absolutely makes sense," Verizon Executive Vice President Marni Walden told the Wall Street Journal in October.

Anthem. Nearly 79 million user records were compromised when the second-largest health insurer in the United States suffered an attack. On top of the money the breach has already cost the company, Anthem also offered two years of identity theft protection to those affected.

Myspace. Even if you have not used your Myspace account in years, your information is still there. The hackers did not get as much information as in other breaches, but if you use the same password for multiple online accounts and Myspace was one, you may want to consider changing it.

Washington Office of Child Support Enforcement. A personal laptop and portable hard drive were stolen from the Child Support office by thieves who used a key kept by a former employee. Five million records were stolen, and the office came under fire for a number of violations, including having personal information on a laptop and failing to report the breach in a timely way as required by law.

They also had to offer credit repair and identity theft services to those affected.

TESCO Bank. Most recently, TESCO Bank suffered a data breach, and money was stolen from 20,000 customer accounts. This breach is so new that who orchestrated it and what the fallout will be are unknown.

All of the companies above and countless others who have suffered smaller breaches are being sued by those affected, and the outcome of those suits is still pending, but costs could easily run into the millions.

What I Expect If My Data is Compromised

In the quite likely event that my personal data is stolen, I have some expectations of the company that was supposed to protect it, and you should too. Every consumer has the right to expect that the data they shared will be secured to the best of the ability of the company they entrusted with it, and when compromise happens, they will respond appropriately.

Timely Reporting. A company should let customers know as soon as possible if their data has been compromised. This means not only a public announcement of the data breach, but at least an attempt to contact those they know are affected.

Corrective Action. If the breach costs me any money, I should be reimbursed as quickly as possible, including all fees incurred and compensation for the inconvenience of the loss. I should not have to file suit or even be part of a class action suit to recover this money: it should be an automatic response.

Preventative Actions. If my information was compromised, I need assurances that it will be protected going forward if I continue to do business with them. What changes will be made, and how should I alter my behavior? In what ways will the company or organization fight off attacks in the future?

Personal Attention. This one is tough for companies to do, especially when 500 million users are affected. However, I (and other customers) need to be reassured that even in the middle of all of the noise that kind of breach creates, our losses matter and will be addressed individually if need be.

We as consumers have the right to set expectations of companies that suffer data breaches and expect them to be met. Some studies show that retailers who experience data breaches can lose as much as 20% of their customer base initially and have to earn it back. The only way to combat that is through proactively dealing with breaches as efficiently as possible.

Where the Weak Are

There are several industries lagging behind in internet security, and these are places for consumers like us to be extremely conscientious. It is up to us to change passwords, not use the same one for multiple sites, and be aware of when our data is at risk.

The Government. The US government is extremely vulnerable to attack, as many agencies are still using older software and hardware, due mostly to budget restrictions. Security Scorecard found 35 major breaches in government agencies from April 2015 to April 2016.

These agencies often house some of our most sensitive information. For government sites, be sure to use strong passwords different than the ones you use for other sites, and change them often.

Education. Going to college? Kids in school? Educational institutions retain a great deal of sensitive personal information, yet rarely have the budget for great internet security. They are vulnerable targets, and you should use special caution in protecting your information on these sites.

Using strong passwords and changing them often is just one method. The other important thing to consider is what you share with these organizations: share only absolutely essential information, and leave optional blanks empty.

Your Car. Love your smart car and how it is always connected? Hackers love the idea as well, and automakers are new to the game and so are vulnerable. Be careful what you use your smart car for. Keep in mind that any connected device can be hacked. Accessing financial and other personal information from your connected car might be a poor choice, at least until security gets better.

Investigations

There is no doubt that investigating cybercrime is an arduous task. Attacks often occur from far away, and even identifying and locating the hackers can be challenging. Getting the full picture quickly before cyber criminals cover their tracks is difficult as well, especially in cases like the Washington Child Support Office where the crime was not reported right away.

However, investigating this kind of crime needs to be a priority as it becomes more common, and the scale of the damage it causes increases. Despite jurisdictional limitations when attacks originate outside the country, cyber criminals must be pursued.

As we move into a more connected world and more of our information is online, companies and individuals need to be conscientious of who has our data, how it is protected, and what we will do if it is compromised.

The next hacker target might be something as simple as the smart lightbulbs in your house or your thermostat. If it is connected, it needs to be protected. The responsibility lies with us, with the companies and organizations we share our data with, and with reasonable regulations that will protect consumers when their data is compromised.
