How to Know if You’ve Been Caught up in a Data Breach, and What You Can Do About It

Late on Friday, news emerged that Uber, the ride-sharing app used by nearly everyone you know, had suffered a major data breach. But what happens when you get caught up in a security breach? What are the consequences and what do you need to do?

It isn’t just Uber; reports of data breaches are an increasingly common occurrence. As former FBI Director Robert Mueller famously said:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

But the takeaway here isn’t to get comfortable with your data being breached. It’s to be prepared for what to do if it is.

What is a data breach?

A data breach is when personal information is shared with or accessed by an unauthorised person. This can be by accident or because of a security breach. Say, for example, your real estate agent has a copy of your rental agreement and accidentally forwards it to a different tenant instead of you: that’s a breach. So is a hacker stealing documents from a company’s server. The two differ in severity, but both are classed as a data breach because there was a lapse in security. In general, data breaches happen due to weaknesses in technology and user behaviour.

What are examples of security breaches?

There are many types of security breaches that can occur, but as Kaspersky explains, the most common examples of data breaches are an ‘accidental insider’ (for example, an employee using a co-worker’s computer and reading files without having the proper authorisation), a ‘malicious insider’ (someone purposely accessing and/or sharing data with the intent of causing harm to an individual or company), lost or stolen devices (such as an unencrypted and unlocked laptop or USB drive going missing) and, lastly, a ‘malicious criminal’ (which, as you’d assume, is a hacker or hackers using various attack vectors to gather information from a network or an individual).

Examples of data breaches experienced by companies/organisations recently include The University of Western Australia and, of course, Uber.

How do I know if I’ve been caught up in a data breach?

Data breach repository Have I Been Pwned is a good place to start. It’s an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. The website allows you to enter your email address to see if you’ve been breached.

Email redacted, but results are legit. Screenshot: Asha Barbaschow/Gizmodo Australia

The eight breaches I have been caught up in range in severity – but all of them are a big deal. Another service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community.

Phew. Screenshot: Asha Barbaschow/Gizmodo Australia

Luckily, my password for [REDACTED] is in the clear.

Another way you may become aware of being caught in a data breach is from the company itself. This may be anything from an email informing you that the company has been caught up in a data breach and that they ‘strongly recommend’ you change your password, to a tweet declaring a whoops in security.

What information is usually exposed in a security breach?

At the less severe end of the data exposure scale is your name. At the more severe end is data such as your bank account info, Tax File Number and medical history. Most commonly, it’s name, date of birth, mailing address, email address and phone number.

What happens if you’re affected by a data breach?

If a security breach involves your contact information such as your home address, email or phone number, you should change the password you use for that service. If you use that password for multiple accounts/services, change those too. Next, enable multi-factor authentication if possible. When changing your password, remember the rules of password setting, which are that your passwords should be simultaneously impossible for anyone else to guess and also impossible for you to forget. That latter rule is less important in the age of password managers, which will keep track of long and complex passwords for you.

Even if the data breach hasn’t directly affected a service that plugs into the breached one (for example, I use PayPal with Uber), it wouldn’t hurt to change the associated account’s password, too.

If the data breach includes banking information, reach out to your bank immediately and seek advice from them. It would be beneficial to change your banking passwords, too, just in case. It is best to chat to your bank in this scenario, but you could raise with them the concern that loans/applications could have been made in your name.

If your TFN or ABN, or even your driver’s licence/passport info, has been breached, reach out to the relevant government organisation.

If a data breach involves your health information such as your health care records or prescriptions, you should contact your health service provider using the contact details on their website.

Take care with suspect emails/phone calls/text messages as your contact info might be used by scammers who have got a hold of your details.

Take care out there, folks.

