Data breaches can sucker-punch you. Prepare to fight back

This is personal.

Laura Hautala Former Senior Writer

When a big data breach makes the news, there's one thing that can get lost in the noise -- the harm that hacking causes regular people like you.

Experts tend to focus on the number of people whose records hackers stole, or whether the breached company could have prevented the hack. Those are important questions, but you can be forgiven for wondering what they have to do with you. What, really, is the worst that could happen to you personally?

Plenty, according to consumer advocates. That's because data breaches make crimes such as identity theft and other scams much easier for criminals to carry out. That includes the blockbuster data breaches of 2018, such as when sophisticated attackers breached millions of Facebook accounts in September, when a hacker accessed information from 27 million Ticketfly accounts in May, or when hackers stole information from 500 million travelers in a breach of a database owned by Marriott.

After your data gets stolen, it often goes up for sale on black market websites, where criminals can buy it and then pretend to be you.

"With the invention of the internet, we've built this Amazon for fraudsters," said Eva Velasquez, president of the Identity Theft Resource Center.

But you don't see that part of the equation happen. Maybe you hear about a data breach, and then later you experience identity theft. What happened in between is anyone's guess.

And this year showed there's no end in sight for serious data breaches. We saw the theft of payment information from about 429,000 British Airways customers at two different points this year and the hack of credit card data belonging to an unknown number of NewEgg customers in September, and hackers even stole old login information from Reddit in June. That's why advocates say it's important that victims of each hack keep in mind what could go wrong for them individually and develop a plan. You can't stop a major data breach, and you can only do a little to prevent criminals from stealing your identity.

But you can work out what to do if that happens and stop things from getting even worse.

Start with the company that lost your data

It might sound odd, but your first layer of protection against identity theft and other crimes is actually the companies or organizations that lost your data to hackers to begin with. Organizations that suffer data breaches pay a high cost when hackers break in, and it's growing every year -- each data breach cost companies $3.86 million on average in 2017, according to an annual data breach report sponsored by IBM. (Our sister site, TechRepublic, has a guide for how companies should handle breaches.)

Lots of that money goes to things like forensic investigations to learn how hackers were able to breach the systems and the legal fees to deal with lawsuits and regulators. Some of it also goes directly to helping you. Companies insulate their customers from harm by paying for credit-monitoring services and, in the case of credit card issuers, covering the cost of stolen funds for most customers.

So when a data breach or other hack happens, make sure you take advantage of any services offered by the breached company. For example, after someone gained unauthorized access to 2.65 million healthcare records at a company called Atrium in September, the company is offering free credit monitoring services for some patients whose Social Security numbers were exposed.

It may take some calls to customer service, but it's worth it to protect yourself from further harm and recoup any money you may have already lost.

Prevent identity theft

After a data breach, don't just accept a company's offer of credit monitoring services and leave it at that. You can also freeze your credit and set fraud alerts to keep you apprised of any fishy activity on your credit cards and bank accounts. Remember to keep up regular checks of your credit report, and follow up on anything that doesn't look right.

Luckily for you, it's relatively easy to do these things in the age of the internet, said Kelvin Coleman, executive director of the National Cyber Security Alliance.

"Several years ago, it was much harder to do," he said. You had to send for your credit report in the mail, for example. "Now it's just a click away."

Of course, the same internet technology that lets you quickly check your bank statement online also makes it easier for cybercriminals to do their work. "I say that knowing there's some irony there," Coleman said.

With data like passport numbers, which were stolen in the Marriott breach, there's no action consumers can take that's equivalent to a credit freeze. You can't flag your passport number with the State Department unless you're in the process of applying for a new one, said Michael Bruemmer, vice president of breach resolution at Experian. So if you learn from Marriott that your passport number was stolen -- and you want to put a total stop to abuse of your passport number -- you can consider replacing your current passport.

You should also avoid compromising yourself on social media. With lots of information about you already floating around on internet black markets, publicly sharing things that flesh out a broader picture of you only makes it easier for someone to steal your identity.

That can include things like sharing your dog's name, if your dog's name is also the answer to your bank's security question. (A better solution, of course, is to avoid security questions by using a different technique for verifying your identity, but not every online service offers this option yet.)

To limit the self-inflicted damage, change your privacy settings. Share your social media posts only among friends. Or, if you must have a public profile, consider being a little more circumspect. Remember that criminals could be among the people checking your timeline.

It's all about taking as much ownership of your data as possible, said Darrell Laffoon, chief technology officer of EZShield, a company that provides identity protection services, including monitoring dark web markets for an individual's personal information.

"You are your first line of defense," Laffoon said.

Know the different kinds of identity theft

Identity theft doesn't just happen when someone opens up new credit cards in your name and goes to town.

It can also include medical identity theft, when someone else uses your insurance benefits. According to the US Federal Trade Commission, this can affect not just your future medical treatment by changing your medical record, but also your credit report if you never receive the bill for treatment someone else got under your name.

Signs of medical identity theft are bills for treatment you never received or calls from collections agencies about those charges. The FTC recommends reading your explanation of benefits and keeping track of all the care noted in your medical record.

Criminals may also try to steal your government benefits, like Social Security payments, veterans' benefits or tax refunds. You may receive alerts in the mail from government agencies when new accounts are opened in your name, or if your personal information gets changed. That's why it's important to open and read any mail from these agencies.

Scammers use stolen personal information, too

Another way a data breach can harm you down the line is through scammers. The best defense against this is to keep your head.

Scammers can use true information about you to make their demands for money sound more credible.

In July, internet users started receiving threatening emails from criminals. We hacked your computer and captured embarrassing images of you, they told their intended victims. Now pay us in bitcoin or we'll send the pictures to your family and friends.

To show they were for real, they included the recipient's actual password in the email.

Except the scammers were tricking their victims, and they hadn't hacked them at all. More likely, they bought a big batch of stolen passwords from online black markets. That helped make the threat seem more credible to victims.

It can be hard, but when you receive a threatening email or phone call demanding money that seems convincing, the best response is to take a step back and reassess the situation. Short timelines -- or threats to arrest you or send the police if you don't pay immediately -- are signs that a scammer is using pressure tactics to get you to pay up before you realize something isn't right.

But if you find you've fallen victim to a scam, don't be ashamed. Put your recovery plan into place. The first step is a little compassion for yourself.

"Smart people fall for scams," said Velasquez, from the Identity Theft Resource Center. "They are relentless, and it can happen to anyone."

The same can be said for any kind of identity theft.

For more information on how to avoid identity theft or respond when it happens to you, visit the FTC's resource page or the Identity Theft Resource Center.
