BreachExchange mailing list archives

How Could a Data Breach Affect Me?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Dec 2013 00:33:34 -0700

http://www.pcmag.com/article2/0,2817,2428274,00.asp

Let's play a game. Try to make a list of all the businesses and other
entities that have your personal information stored in their databases.
Well, there's your city, county, state, and federal government
organizations, probably many at each level. Every credit card and bank
account provider necessarily has your information, and any online merchant
with whom you've set up an account. Don't forget schools, discussion
forums, social media... Hmm, making this list isn't such a fun game after
all.

If any one of these entities suffers a security breach, your private data
could be exposed, and they do get breached. Tumblr, Google Glass, and Apple
all suffered breaches just this July. More recently, the Finnish government
reported a serious and long-standing breach.

Why Should I Care?
Let's suppose your cash-strapped county government uses an antiquated
system to store property tax records. No encryption; they didn't have that
when the system was installed years ago. Crooks who penetrate security and
capture the county's data now have your full contact information, SSN, and
other personal details. With this information in hand, they could register
a credit card in your name, or open a line of credit secured by your house.

If a merchant or bank suffers a breach, your account and credit card
information could be exposed. Yes, if the crooks make fraudulent
transactions using your credit card, the issuing agency won't make you pay,
but you'll have to go through the pain of dealing with a new card number.

Possibly the worst situation would be a breach that exposes your email
username and password. With this information in hand, a crook could lock
you out of the account by changing the password. The next step would be to
take over more of your accounts—any that use a simple email reset for
"Forgot password" are vulnerable.

Password Hash
Of course, all of these institutions should be keeping your important data
in encrypted form. Passwords in particular shouldn't be stored at all.
Rather, they should run the password through a hashing algorithm and only
store the result. To verify you've entered the right password, the site
simply hashes what you entered and compares it with what's stored.

Hashing is like encryption, but it's a one-way street. Even if a
cyber-crook knows exactly which algorithm was used, there's no way to go
from the hashed value back to the password that it came from.

Or is there? Yes, hashing isn't reversible, but if you guess a password,
hash it, and find that it matches a stolen data record, you know you've
discovered the password. The hackers who breached LinkedIn last year posted
millions of hashed passwords on a public forum. One white-hat researcher
cracked 900,000 passwords in four hours simply by hashing a huge number of
potential passwords and checking the results with the exposed list.

A simple technique called salting adds a random factor to the hash
algorithm that makes this kind of discovery-by-guessing impossible, but you
can't know for sure if those entrusted with your data are using this
technique.
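As an added illustration that is not part of the PCMag article, the Python below shows the difference the last three paragraphs describe: with a plain, unsalted hash, one table of pre-hashed guesses matches every stolen record at once (and duplicate records reveal password reuse); with a per-user random salt the same table matches nothing, and the site's login check still works by re-deriving from the stored salt. The accounts and guesses are constructed sample data, and the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library; the salt is what defeats a shared table, while the slow derivation is what makes each remaining per-account guess expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not from the article); carol reuses alice's password.
SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: same password, same stored value, for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> dict:
    """Store a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "digest": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """The site's login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def shared_table_hits(stored: Dict[str, str], guesses: List[str]) -> Dict[str, str]:
    """One table of pre-hashed guesses looked up against every record; only works without salts."""
    table = {unsalted_hash(g): g for g in guesses}
    return {user: table[value] for user, value in stored.items() if value in table}


def duplicate_count(stored: Dict[str, str]) -> int:
    """Accounts whose stored value equals another account's: password reuse visible in the dump."""
    return len(stored) - len(set(stored.values()))


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_PASSWORDS.items()}
    guesses = ["correct horse", "letmein"]
    print("unsalted duplicates:", duplicate_count(unsalted))  # 1
    print("unsalted table hits:", shared_table_hits(unsalted, guesses))  # alice and carol
    print("salted table hits:", shared_table_hits({u: r["digest"] for u, r in salted.items()}, guesses))  # {}
    print("login check:", verify(salted["bob"], "hunter2"), verify(salted["bob"], "Hunter2"))  # True False
```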

Minimize Your Exposure
In a very real sense, there's nothing you can do to protect against the
fallout from a data breach that exposes your personal information. You
don't have control of the data, or the way it's stored. Even so, you can
minimize your exposure.

For starters, you need to become a personal data miser. Never enter more
than the required minimum on any website. If they seem to want too much,
consider whether what you're doing on the site merits the risk. And if you
stop using a particular website, delete your profile. Don't leave your data
sitting there, potentially exposed. (How long since you logged into
MySpace? Right. Delete that profile now!)

If you're the kind of person who uses and re-uses the same password, a
breach that exposes that password can be catastrophic. Yes, it's nearly
impossible to remember a different, strong password for every website, so get
a good password manager and use it to generate and store unguessable
passwords. LastPass and Dashlane both include a feature that rates your
existing passwords and helps you improve them. Use it! You'll be glad you
did.

Watch for Evidence
Keep an eye on your credit scores and details; you can get a free report
from each of the three major scoring agencies once a year. Don't request
them all at once; space them out equally. If a crook uses your personal
data to set up a new credit account of some kind, you'll see it in the
report. Note that LastPass will notify you if your data turns up in a known
breach and will also warn of changes in your credit report status. To
automatically get details about credit changes, you'll need the
dollar-a-month LastPass 3.0 Premium.

Check every line of every credit card bill. It's not uncommon for
fraudsters to make a few small charges first, just to see if you're paying
attention. If you're not, they'll go whole-hog, ordering up all the goods
and services they can, right up to your credit limit.

If, despite your best efforts, the bad guys compromise your identity, don't
panic; help is available. Visit the Federal Trade Commission's Identity
Theft page and follow the instructions there.

Data breaches happen, and big breaches make the news. Any time you see a
breach reported, stop and think. Does the victim organization have any of
your data? If so, take the time to read all the details and determine what,
if any, action you can take.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss