16

What to do about a personal data leak or breach – Before and After

This recent news roundup mentioned that the state of California has leaked and mishandled data on thousands of gun owners. This has come up before. Data leaks and breaches always seem frustrating and sad. While I would love to see strict penalties for poor security and mishandling that lead to data leaks and exposure, this also got me thinking – what _can_ we do to prepare for or prevent a personal data leak?

The Prepared site has excellent articles and forum posts on general digital security and preparedness. But what about data breaches specifically? Here are some intro steps from a bit of light research:

What to do before and after a data breach:

Before:

  • Use encrypted text messages. Install Signal – the most secure, open source, encrypted text messaging app. Keep your data private. You can use Signal for all texts on your phone – it will simply use encryption with anyone else who also has Signal, but still send regular text messages to those who do not. Then you can invite them to improve their texting too.
  • Use a password manager. Don’t store your sensitive information inside emails etc.
  • Don’t give out your Social Security Number (SSN). Or other very sensitive info. This may depend on geography. In North America there are usually only two places that need to know about your SSN: Your employer (so you can get paid), and your bank. That is it. Many other places try to ask and get this information. Tell them no. Often you may find them sheepishly admit the information was “optional”, and they will back down.
  • Sign up your email address at https://haveibeenpwned.com/ . This is an interesting website that monitors data breaches and will email you if it finds that your email address has been included in a data leak. A good way to at least be aware that your information may have been exposed.
  • Get a backup credit card and/or bank account. If you have the ability, having one main credit card but also a backup card can help to ensure you still have a way to operate or pay your bills if your main card is stolen or compromised. Likewise – opening two different bank accounts at different _types_ of institutions with different risk profiles – e.g. one large national bank and one local credit union. Storing some funds in each can help to make sure you still have access to some of your money.
  • Keep some cash on hand. So you can keep operating even if everything goes down.
  • Freeze and set a PIN on your credit file. Equifax, Experian, and TransUnion will let you set a PIN – like a password – that must be used to unfreeze your credit account. This should prevent or make it more difficult for anyone to take out a loan in your name or otherwise access your credit. If you want to take out a loan or apply for credit yourself, you can simply call them with the PIN to unfreeze, and then re-freeze your account.
  • Get and read your own credit report every six months. This can be a painful process, but the three firms above should let you get a free copy of your own credit report. Emphasis on free: they are not allowed to charge for it. However, they often make this intentionally difficult and confusing by adding many “upgrade” tiers and options, and changing the name to things like “consumer disclosure report” instead. Checking your report e.g. every six months can help you to spot if anyone used or tried to use your credit account.
  • Consider credit- or identity-protection. I am wary of these services and have never tried them. I am not sure how much they actually help in the event anything happens. Would love to hear from anyone who has had good or bad experiences with identity protection.

After:

  • Call the company or organization and confirm whether your data was included in the breach or leak.
  • Find out what type of data was affected. If your credit card info was leaked, you probably want to call your credit card company to cancel and replace the card.
  • See if the company now offers help, or offers free identity protection after the fact. They may be able to help you get back to normal.
  • Change the password on any accounts that were affected.

What other ideas or actions can you think of?

References

8

  • Comments (8)

    • 7

      This is an area where many people only do something about it after the fact. Like the person who thinks about food storage after the hurricane is announced and the store shelves are already empty. It’s already too late. So for you to give some proactive tips on things we can do before is a better way to look at things.

      It won’t be as organized, but here are some of my random ramblings on what you can do before:

      Know that whatever information you provide to a doctor, store, or even government, as we are seeing here, will be leaked at some point. Don’t lie on important forms, but maybe don’t, put in your personal email address. So create some alternative email accounts that you can pass out like one for shopping and another for just junk.

      I have created an alias name, phone number, and email that I use for things that don’t really matter. Does my grocery store rewards card really need my true name, phone number, email, or address? No. Can you change your name in which you receive items from Amazon? Yes. Maybe my real name is James Gentry but I receive packages to my house in the name of Harry Yonker. I still get my packages but Amazon and the different people and companies shipping out my stuff don’t know my real name. Little things like that will lower your attack surface and who cares if it leaks online someday, it will show that Harry Yonker lives at my address instead of me and people trying to target me will have a bit harder time doing so.

      Can I offer another service in addition to the very well recommended and free encrypted messenger Signal? There is another app called MySudo. It’s a very organized and easy way to set up some of these aliases or different compartmentalized areas of your life. You can get 1-9 additional phone numbers and email addresses that then can be given out to places instead of your personal number and email. So maybe you give out one phone number and email to all government organizations, another is used only for banking, and another is just for absolute junk and can be used on all those dumb websites that need an email address to continue viewing the site. It’s a very cheap and easy way to protect different areas of your life.

      I wrote a post about how to view your credit report and place a freeze on it. I wouldn’t pay money for a credit or identity theft protection. Placing a freeze on your credit, and enabling good practices such as password manager, 2FA, shredding documents with your info on them, etc.. will probably do more good than any of these services. Your homeowners or renters insurance might even cover expenses incurred if you are the victim of identity theft, mine does.

      When you are involved in a leak or breach, because it will happen, here are some tips I have on what to do (AFTER).

      Take a breather and know that it will be okay. It’s too late to change the past, but lets keep a calm head for the future damage control and cleanup we have to do.

      As soon as you become aware of the leak or breach, go into that account and access the damage. If everything they have on you was included, what would the damage be? Maybe only phone numbers were leaked, but it usually takes some time before the organization themselves knows the full extent of the damages. Still, the first thing that I do is go into the online account and change my password, even if the company says passwords weren’t included in the breach. I’ve seen before that they later come out and say that passwords were included after all. 

      You should be using a unique password for every site, see brownfox-ff’s tip on password managers, but if you didn’t, you will need to change your password on every site in which you used that ‘recycled’ password.

      Be aware of phishing scams following a breach. Tmobile has had many breaches over the past few years of data being stolen. And by being aware of that breach allows me to put up my guard that if I receive a call from Tmobile in the coming months asking me to confirm information, then I know it could be a scammer taking that breach data and then calling everyone and getting more info from them. In this case I would politely say to them “What is this call about? Okay, well I’ve been scammed by receiving calls like this in the past (even though I haven’t) and I will call the main corporate number or go into a local Tmobile store and talk with them about the issue.” I then hang up.

      • 3

        Hi Supersonic, great information and detail. I have added your link on checking credit reports to my References section.
        I appreciate your clarification also in the news post about the difference between a ‘leak’ – poor security or lax technology – vs a ‘breach’ – breaking in and stealing the information.

        Your link to MySudo also reminds me of the website https://privacy.com/ . Privacy.com claims to let you set up virtual payment accounts and strictly control how much they can be charged, when they expire, etc. The idea being that you use a payment account from them rather than your real credit or bank information. Then if e.g. a subscription tries to automatically charge you to renew, the payment will be declined and denied. So you can avoid charges. I have not used this myself, but it is an interesting concept. Of course it also involves handing over your payment info to someone else.

      • 2

        I use and highly recommend privacy.com as well. Everyone should check it out and feel free to ask us if you have any questions about it because it is just a no-brainer privacy and security solution to your money once you understand how it works.

        If the shopping site you buy things at gets breached and you are worried they now have your card number, no worries! Just click a single button on the app and that card is burned and you can create a new one. No having to call your credit card company, changing your card number on every site, and waiting the three business days to receive your new one. These temporary and burner cards have saved my bacon more than once.

      • 2

        Great info Supersonic… I had to learn the hard way about a data breach way back in 2006 or 2007 when the Fed’s GSA database was hit and all of my personal information had to be included for a couple government contracts that my company had bid/won was listed as “potentially” stolen – aka they didn’t know if it had been accessed or not… luckily, I acted quickly upon hearing the news and never had any issues… but what a pain in the a…

    • 4

      I was part of the big Equifax breach and signed up for their class action lawsuit. Still haven’t seen any money out of that…

      I’ve had the chance to join multiple other class action lawsuits since then for data breaches with companies like Google, but have learned my lesson and don’t sign up for them anymore. First off, after the lawyers take their cut, and the rest is divided up between the millions of people affected, your payout usually is like $3 or something. Not worth it to hand over even more information to a 3rd party to get that $3.

      A popular settlement option that organizations do to make it seem like they are doing something for us is to offer a year of free credit monitoring. The thing is though that if you sign up for this, you often waive your rights to sue them later or be apart of a class action suit. And after that free year of credit monitoring, they charge your credit card to keep it going. Pretty crumby and low tactic I think.

      I love all the tips you guys have been sharing so far.

      • 2

        Ahh, Robert – excellent point that signing up for ‘free’ credit monitoring after an incident may involve waiving your right to sue. That is incredibly shady. Thank you for pointing it out.

    • 5

      This latest breach was due to ridiculously poor application security. I would expect companies or government agencies to be heavily penalized for privacy violations like this, such that it is cheaper for them to pay for good security up front than to pay damages later. Are the penalties too low, such that companies and agencies are saving money by skimping on security?

      I know from experience that many programmers have so little security awareness that they would create vulnerabilities like this without even realizing it. That would change in a heartbeat if security competence had any effect on hiring and salaries.

    • 3

      Good post! When my kids were home years ago I froze all our credit proactively & it’s worked great! My adult son was discussing this with me recently & said he just had some monitoring now, and I reminded him that monitoring just tells you there’s a problem AFTER the fact, freezing PREVENTS it, and for free. Must freeze all three credit bureaus tho, and keep track of PIN info to be able to unfreeze selectively for new loans. Well worth that minor hassle. 

    • 1

      I just got an email that an old Samsung account of mine was involved in a data breach which might have affected my “name, contact and demographic information, date of birth, and product registration information.”

      I created this account before I started using a password manager full time so I don’t know exactly what was all affected, but over the past few years whenever I add an new entry into my password manager I also add whatever information I give to that site such as which phone number, address, date of birth, etc… So when it is involved in a data breach like this, at least know what information was exposed.

      Now I am going to do some detective work and figure out what information Samsung had on me… Thanks for this guide with some helpful tips on what to do.

      P.S. I don’t like Samsung anymore. I have had a lot of troubles with many of their products for quite some time.