What Happens to My Personal Information After a Data Breach?
Data breaches have become far too common.
If you weren’t one of the 3 billion people who had your birthday, email address, or security questions exposed during the 2013 breach at Yahoo, maybe you were one of the 147 million people hit by Equifax’s 2017 breach. Or one of the 152 million whose Adobe usernames and passwords were stolen in 2013. Or the 150 million whose email addresses were taken from MyFitnessPal in 2018.
The list goes on and on. In 2019, nearly 1,500 companies were hit with data breaches, according to the Identity Theft Resource Center, which led to more than 164 million sensitive records like passport and Social Security numbers being exposed. (For a list of website breaches where your data was compromised, check out Money's new identity theft tool).
We're way too comfortable giving our information to anyone who asks for it—in large part, no doubt, because the consequences of doing so are pretty murky.
How serious are data breaches? What can a cybercriminal even do with my phone number? Or my Social Security number? If my email address is linked to previous breaches, how much should I be panicking right now?
Here's a no-nonsense guide to understanding, and navigating, these questions.
What is a data breach?
We hear about data breaches all the time, but beyond having a nebulous image of a hooded hacker holding our information hostage, our collective knowledge about what that means doesn't go very far.
In short, a data breach is when someone accesses sensitive, confidential, or protected information without authority.
The most common user information stolen is names, email addresses and phone numbers, but hackers sometimes also get their hands on credit card numbers, home addresses, and Social Security numbers, says Casey Oppenheim, co-founder and CEO of the cybersecurity app Disconnect.
This information can be used to access your credit card and bank account info, as well as other valuable accounts.
Digital data is like a genie in a bottle: Once it’s out there, it’s hard to get it back, Oppenheim says. In a best-case scenario, you find out about the breach immediately, and are able to change any information the criminal obtained (like an email password) before they're able to do anything with it. In a worst-case scenario, a more sensitive piece of information (like your Social Security number) is stolen, which can't be changed unless evidence of identity theft has already taken place, like serious, unexplained dips in your credit score, or unexplained bank withdrawals.
How do data breaches happen?
There are several ways cybercriminals go about snagging your data. Among them is malicious software, commonly called malware, in which viruses or other programs are used to gain access to a server or network. Malware can take a lot of different forms, like a Trojan horse—which tricks you into clicking a link that allows a cybercriminal to take control of your computer under the guise of something appealing, like a free online game—or spyware, which tracks your online activity.
There’s also ransomware, a type of malware in which the hacker locks down a system and demands a fee. Criminals may also use phishing scams, where recipients are tricked into clicking malicious email links, to access your data.
In the case of Equifax, hackers found a vulnerability in some of the company’s servers, which allowed them to remain undetected for 76 days while extracting personal information from the credit reporting agency’s servers. The Yahoo breach started with a phishing email to employees, disguised as a company-wide email. It's unclear how many Yahoo employees actually fell for it, but it only took one gullible worker to click the phony link and open up the company's entire user database to a hacker.
What are the consequences of having my data stolen?
Here’s an example of how your data might be used after you're told that, say, your phone number has been stolen.
It might not seem like a big deal at first, since you can ignore robocalls. But it opens up the possibility of more dangerous crimes like SIM-jacking, where someone takes control of your phone by transferring your number to a new SIM card. (Tip: Oppenheim suggests using whatever extra protection your phone company offers to avoid this, like a verbal password.)
Another example: someone gets hold of your email address and password, and now has access to every account you’ve set up with that address, from your investment portfolio to your health insurance. (Second tip: use two-factor authentication, an extra layer of protection that requires you to provide two pieces of information to access your account instead of just your password).
The more information a hacker has about you—even seemingly benign stuff, like your birthday and gender—the easier it is to create a fake version of you. And once your information is stolen, it can be used to open fraudulent loans or credit card accounts, or even sold to other criminals online.
“The consequences of the lost information is a richer and richer digital version of you that is more convincing and is more capable of doing harm,” says Richard Bird, Chief Customer Information Officer at Ping Identity, a cybersecurity company.
If you find out your information has been stolen, there are specific measures you should take, like signing up for credit monitoring (companies like Experian offer this for free), or closing your bank account if your banking information has been stolen.
For more detailed information, check out the Federal Trade Commission (FTC)'s step-by-step "recovery guide" for dealing with different types of identity theft.
How do I protect myself?
In short: do not assume that any company you have given your data to is working to actively protect you.
“A lot of people just don’t really realize how much security is expected of them,” Bird says.
Do your homework. When you’re creating an online account for a food delivery service or retailer, it can be easy to share information that you’re asked for without thinking twice. But you should avoid oversharing in any commercial relationship, no matter how big the company is, or how long it's been around.
Think of all the companies that ask you to give them your phone number for a quick 15% discount. By doing so, you’ve just connected a phone number to a real live human being—and a valuable target for robocalls if that information gets leaked (or the company decides to sell it).
Be cautious about the relationships you establish with companies online, and consider using a cybersecurity app to protect you from the companies you don't (BlueKai, a little-known marketing behemoth that uses website cookies to track our online activity for targeted ads, recently had a treasure trove of data spilled online.)
Monitor your accounts. While it’s difficult to keep track of everything that could be impacted if someone gets hold of your personal information, check-in on those where losses would be the most painful, like your credit card charges.
This goes beyond accounts that are regularly on your mind. People rarely check 401(k) balances, making them ripe for bad actors to slowly siphon out money without causing alerts, so check them monthly.
Set up alerts. Many companies already have tools in place to help you with monitoring. With bank accounts, for example, you can set up email notifications every time $500 has been removed from your account. Credit monitoring services like CreditWise can send you notifications when your Social Security number has been used with a new name or address.
Bird, for one, says he gets an email every day with his bank account balance so that he can stay on top of any unexpected changes.
Use a password manager. Companies like Dashlane and 1Password can help you generate unique, complicated passwords that are basically hacker-proof, then protect them all with a single password. And they’re “absolutely essential” nowadays, Oppenheim says.
More from Money:
What Is Identity Theft, Exactly?
That 'Package Delivery' Text You Just Got Is Probably a Scam
Credit Repair: Should You Pay to 'Fix' Your Score?