Illustration:Jianan Liu/HuffPost,Photo:Getty Images
Unfortunately, cybersecurity breaches that let thousands of people’s personal information leak online are all too common. As a result, it’s all too easy to shrug off the data leak notifications you get in the mail. But don’t ignore the news about this latest massive hack.
Last week, National Public Data, a background check data aggregator based in Florida, acknowledged that a vague “security incident” in which a third party “trying to hack into data” obtained the names, email addresses, phone numbers, Social Security numbers and mailing addresses of people in the spring and summer of this year.
Advertisem*nt
NPD did not share exactly how many people may now be at risk, but did say it is cooperating with law enforcement and will “try to notify you if there are further significant developments applicable to you.”
What’s different about this NPD data breach is “the fact that it’s a large corpus of data in one place,” said Troy Hunt, a cybersecurity expert who analyzed the leaked data and maintains the site HaveIBeenPwned.
Bloomberg Law broke the news about the leak by reporting on a class-action lawsuit against NPD, which claimed a data breach there had exposed the records of 2.9 billion individuals and allowed them to be sold on the dark web. Cybersecurity experts estimate that the number of compromised records is more likely in the hundreds of millions.
In other words, it’s unclear how many people were affected in this data breach, but security experts say you should operate as if you were.
“Assume that your [Social Security] number is out there somewhere, and act accordingly,” said Cliff Steinhauer, the director of information security and engagement for the National Cybersecurity Alliance.
Some cybersecurity and data protection firms have created websites where you can look up your SSN or other data to see if it was compromised by the NPD breach. But neither of the two cybersecurity experts HuffPost talked with recommended that you share personal information like your birth year with them.
“My worry with those services is that now you’ve got a vector by which there can be even more violation of privacy,” Hunt said.
“What’s probably more important to understand is that these breaches are continuous, and this isn’t the only time your data has been exposed,” he added. He suggested using the NPD data breach as a “wake-up call” to secure your data, if you have not already.
You want to be a harder target for bad actors to take advantage of your personal information. Here’s how:
Advertisem*nt
Freeze your credit ASAP.
When someone has your Social Security number, it’s much easier for them to pretend to be you while applying for credit cards, taking out loans or trying to buy a new car.
That’s why freezing your credit is “the first thing you should do,” Steinhauer said, because then a bad actor “cannot open fraudulent accounts and take out loans and stuff that can be really damaging to your financial situation.”
When you apply to get a credit card, car loan or mortgage, the company providing you this service will run a credit check as a way of proving your identity. By freezing your credit, you make it harder for another person to impersonate you.
You will need to sign up for a free account with each of the three major credit reporting agencies ― Experian, TransUnion, and Equifax ― to freeze your credit. The agencies must freeze your credit report within one day of your request if you ask them online or by phone.
When you need to apply for credit, you can go to your accounts and temporarily remove the security freeze. If you do this online or by phone, your freeze must be lifted within one hour, according to the federal government.
Advertisem*nt
Freezing your credit with each credit bureau will take some time to do, but the years-long headaches you can avoid from dealing with identity theft are worth it. “It’s a lot easier for cybercriminals, or just criminals in general, to commit fraud in your name than it is for you to undo that fraud,” Steinhauer said.
And if you do believe your identity has been stolen, you can go to Federal Trade Commission website IdentityTheft.gov, which has a detailed recovery plan. You can also check your credit report at each of the three agencies once a week for free to see if there is any activity you have not authorized.
Use multi-factor authentication.
Beyond credit freezes, you should make it harder for bad actors to log in to your accounts as a general online safety practice.
Your email and banking accounts will typically ask if you want to set up multi-factor authentication with your phone or email. Take advantage of this option.
This way, if a scammer managers to figure out your password from a data breach, “then at least you know they won’t be able to get in, because they won’t be able to receive the multi-factor codes. So it adds a second layer of protection,” Steinhauer said.
Advertisem*nt
Create a stronger password.
Your password is one of the final gatekeepers to your most sensitive information, and you can make it easier or harder to guess.
“It has to be long and strong, but it also has to be unique, because it only takes one compromised account,” Steinhauer said. Hackers will take the one password they obtain and “try it all over the place.“
Most Americans just memorize passwords in their heads, according to a 2017 Pew survey. But a password manager, like 1Password, and Bitwarden, can do the work of making complex, unique passwords for your accounts.
And do not recycle old passwords, because that’s exactly what scammers wait for you to do. Bad actors use “a set of credentials over and over again hoping that the user will go back to a password that they used before,” Steinhauer said.
Taking action can be inconvenient in the moment, but the security you get in return is worth it.
These extra security steps will take time, and in an ideal world, so much work would not be placed on individuals to keep their data secure.
Advertisem*nt
The U.S. does not have a federal privacy law to prevent data-scraping sites like National Public Data from collecting data without permission.
“If you look at Europe, they have the GDPR [General Data Protection Regulation] that’s not allowed to give permission for companies to do that, whereas here we don’t have that. So I advocate for personally a national privacy law that says that you have to opt in to having your data collected in this way,” Steinhauer said.
Until then, these simple steps of freezing your credit, adding multi-factor authentication and using a password manager are actions that will make you much a much harder target for scammers to exploit.
Bad actors “don’t want to go through the extra work of trying to figure out how to unlock everybody’s credit or go through multi-factor [authentication] –– they just want to go for the easy, low-hanging fruit,” Steinhauer said.
Take it from the pros. Hunt said he’s been in dozens of data breaches but he has also had a password manager for the last 13 years. “Every password is crazy and unique and multi-factor is on everything. The impact to me personally [from these data breaches] is always negligible. And that’s where you want to be,” he said.
Advertisem*nt
