Data Breaches

It seems like more and more frequently, we hear about a new data breach of a major retailer, such as Target, Home Depot, or Staples. When these stories break, there is a justified sense of concern for consumers, wondering if their information was stolen in the breach and how they may be affected.

What is a data breach?

A data breach occurs when an unauthorized third party, such as a hacker, crime syndicate, or malicious insider (such as a corrupt employee or contractor), accesses, views, or retrieves sensitive information. This information can include personal or corporate credit card numbers, email addresses, financial statements, and countless other pieces of private information. This information is highly valuable on the black market, and results in billions of dollars of “income” for bad guys.

How do hackers do it?

The methods can vary, depending on which company is targeted and by whom. Generally, the most common method is via malware (malicious software program) installed by the hackers on a company’s point-of-sale (POS) systems, such as the cash registers or credit card machines. This malware is designed to skim this sensitive information from the POS transactions and send it to the hackers, who then utilize it for themselves or sell it to the highest bidder. Another common form of data breach is through compromised credentials, meaning stolen passwords. These authentication-based attacks involve guessing or cracking passwords, or utilizing passwords stolen from other hacks. Another method is called phishing, in which seemingly legit “organizations” trick people into giving up their personal information.

What can be done to stop these breaches?

For years, the industry focused on keeping the bad guys out by setting up multiple layers of defense perimeters, much like building a fort during a battle. However, the bad guys always managed to dig their way under the fort walls, pick the locks, or find someone to usher them inside. It became clear in the last several years that perimeter defense was simply not enough to keep this sensitive data safe. Nowadays, the prevalent mindset is to assume the bad guys will get in, and prevent them from getting back out again with the information. As more data breaches continue to occur, companies are having to play catch up, figuring out their weaknesses and battening down the hatches.

The recent data breaches of Target, Staples, Home Depot, and USPS have made it clear that these attacks are more prevalent than many consumers previously realized, and that no one is immune. While stealing a few individuals’ private information used to be the go-to for hackers (and still is for some), nowadays big-name retailers are the common targets. Why? Because they do hundreds of millions of dollars in transactions every single day! By hacking into any one of these retailers, the bad guys have access to countless personal and corporate credit card numbers. In other words, big money.

You’d think national retailers would be too big to hack; that they’d have so many layers of security it would be virtually impossible for undesirables to get in. In reality though, that’s not so. The sheer skill and industriousness of these hackers cannot be overstated. There is also one variable that even the strongest security protocols cannot take into account: human behavior. Whether it is ignoring the warnings of the data security monitors (Target); getting complacent and allowing security protocols to lapse (Home Depot); or having an insider intentionally breach the data (AT&T), human decision-making has a pivotal effect on maintaining a company’s security and helping prevent a data breach.

Because of this, many companies are now beginning to take decisive actions to secure their data. American Express, for example, is leading the charge to encrypt their customers’ data using “tokens”. Rather than exchanging actual card numbers, Amex is looking to turn this information into a token: an otherwise meaningless symbol that is in no way attached to the financial information it represents. This way, when a consumer swipes their Amex card, the card’s information is erased, and the token acts as a sort of secret handshake between American Express and the retailers; it means nothing to outsiders, making it useless to hackers. Other companies are considering using a “chip and PIN” system, in which a microchip embedded in the credit card automatically encrypts the financial information and requires a second authentication factor. These cards are more secure than traditional credit cards; however, they are still vulnerable to data breaches because the information may be decrypted by savvy hackers.
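The token idea described above can be shown in a few lines. This is an added sketch, not American Express's implementation: `TokenVault`, `simulate_breach` and the merchant names are hypothetical, the card number is a constructed test value, and binding each token to one merchant is an assumption made here for illustration.

```python
import secrets


class TokenVault:
    """Issuer-side vault: the only place a token maps back to a card number."""

    def __init__(self):
        self._by_token = {}  # token -> (card number, merchant it was issued to)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        while True:
            # Random digits, not derived from the card number, so nothing to reverse.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        entry = self._by_token.get(token)
        # Assumption: a token is honoured only for the merchant it was issued to.
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("unknown token or wrong merchant")
        return entry[0]


def simulate_breach() -> dict:
    """What a copy of the retailer's database is worth with and without the vault."""
    vault = TokenVault()
    pan = "370000000000000"  # constructed 15-digit test value, not a real card
    merchant_db = {"order-1001": vault.tokenize(pan, "retailer-A")}
    stolen = merchant_db["order-1001"]  # all the retailer ever stored
    try:
        vault.detokenize(stolen, "retailer-B")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {
        "pan_in_merchant_db": pan in merchant_db.values(),
        "issuer_resolves": vault.detokenize(stolen, "retailer-A") == pan,
        "replay_elsewhere_blocked": replay_blocked,
    }


if __name__ == "__main__":
    print(simulate_breach())
```

The protection depends on the vault itself staying out of reach; the retailer's copy of the data holds only tokens.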

What is the effect on consumers and what can they do?

By having access to your credit card numbers, your social security number, and other personal information, the bad guys are able to 1) just take your money straight out of your accounts, and 2) pretend to be you and take out lines of credit in your name. This not only puts you in seriously dire financial straits, but it also ruins your credit score, which can affect your ability to secure a home or car loan, rent an apartment, or even get a job (more and more employers check credit scores when considering hiring someone). In short, if someone steals your data and your identity, it can take years to clean up the mess.

The first line of defense is to keep track of your financial statements. Immediately look into and report any suspicious activity on your cards, such as small, random charges (a way hackers test the card). If you find fraudulent charges, big or small, report them immediately. Report your card stolen (not just compromised) so that it is cancelled and any future attempts at its use are thwarted. If a retailer you frequent has been breached, request new debit and credit cards, just in case.

Second, never store your credit card info with a retailer (online or in store), and never give up personal information to anyone seeking it (email, written, or over the phone). Legit companies will never ask for personal information, such as account numbers, passwords, social security numbers, etc. If someone does, that’s a huge red flag and is likely an attempt at phishing.

You can also call the credit agencies and put a freeze on your credit, requiring you to be contacted for every credit inquiry or to automatically have inquiries declined. While this can inadvertently hurt your credit if your information has been compromised and someone is making multiple inquiries, it’s better than having your identity stolen.

Finally, you can utilize identity theft protection services, such as IdentityGuard or LifeLock. These companies monitor your credit for you, immediately alerting you to any fraudulent activity. However, you have to give these companies access to all of your personal information, which can feel very uncomfortable. Do your homework and make sure whatever identity theft prevention company you use is legit, and if you’re still uneasy with it, use the above steps to monitor it yourself. Familiarize yourself with your state’s data breach statutes so you know what protections are available if they become needed.

We live in a digital world, and data breaches cannot be completely prevented. However, by being attentive and proactive, you can catch nefarious activity before it becomes too damaging.