BreachExchange mailing list archives

In the Big Data Breach Era, the Safety of Your Personal Data is Ultimately Out of Your Hands


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Mar 2014 19:05:16 -0600

http://www.cio.com/article/750139/In_the_Big_Data_Breach_Era_the_Safety_of_Your_Personal_Data_is_Ultimately_Out_of_Your_Hands

Each time there's a high-profile data breach, security experts exhort the
same best practices: Create unique logins for every service you use, use
complex passwords, vigilantly comb your credit card statements for
anomalies. The advice is sound. Unfortunately, it obscures the fact that
the safety of your personal information is ultimately in the hands of
companies you share it with.

Identity theft is changing. Customer databases are a treasure trove of
personal information and much more efficient for hackers to target than
individuals. In this new landscape, the guidelines security experts--and
journalists like me--espouse are really just damage-control measures that
minimize the impact of a successful attack after the fact, but do
absolutely nothing to protect your personal data or financial information
from the attack itself.

Look back on some of the major data breach incidents of 2013. Adobe was
hacked, and attackers gained access to customer account information for
nearly 150 million users, as well as credit-card information from nearly
three million customers. Target was hacked, and the credit- or debit-card
details for 40 million customers were exposed. In those cases, there was
little any individual consumer could have done to prevent being affected by
those data breaches.

This week it was revealed that an EA Games server was compromised, and the
attackers launched a phishing attack aimed at capturing Apple ID account
information. In this case, there doesn't seem to be a direct compromise of
user data, and hopefully users won't fall for the phishing scam and share
account details with the attackers. But it illustrates the same point: With
identity thieves targeting companies rather than individuals, your personal
data is vulnerable no matter how well you, personally, protect it.

Of course, if you accept that a data breach is more a matter of "when" than
"if," then it still makes sense for you to do everything that is in your
power to safeguard your personal information and minimize the fallout.
Attackers can crack any password given enough time, but in cases like the
Adobe breach, the millions of accounts using silly passwords like "123456"
are much easier to victimize.

You also need to accept that preventing the data from being compromised in
the first place is the responsibility of the site or service and is out of
your direct control.

The one area where you have the most influence in this regard is your
ability to choose which companies you do business with. Be discriminating
about where you share sensitive information, and exactly which information
you trust with third parties. If a company shows a lack of regard for
protecting your data, move on.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
