Your data has been leaked - now what?


The math isn’t good. Since 2013, more than 1 billion records containing personally identifiable information (PII) have been compromised. From credit card purchases at hardware stores to government background checks, your data is on servers completely outside of your control. And it appears that the owners of those servers haven’t cared about securing your data as much as you have. So your data has been leaked. Your world is changed, and here are 6 steps to take to get back in control of the situation -- a few of them immediately, the rest over time.

Do this TODAY!

Acknowledge that you are a victim. Say it to yourself: “My data has been stolen and will probably be sold to the highest bidder.” That realization should permeate your behavior. Where you used to click links, enter passwords in fields, or throw official-looking mail in the trash, now you can’t. Try to assess everything you receive from the perspective of someone trying to exploit your personal data. Don’t just become skeptical, remain skeptical. Attacks will come over time, and you need to be wary, especially of phone calls. The bad guys will try any channel they can to get past your defenses.

  • UPDATE (07/09): OPM has created a website for victims to receive official information about the breach. Visit https://www.opm.gov/cybersecurity for more details.

Notify others that you’ve had your data stolen. Start with financial and other service providers, and make sure you put a fraud alert on your credit report. Then let the police know. Having this paper trail will show that you’ve done your part. Tax fraud is a huge and growing issue, so let the IRS know through Form 14039, an affidavit of identity theft. Find more useful tips in GoodCall's "Guide to Protect Yourself From Identity Theft." Anyone that you do business with should know that you’ve been victimized. This can help you with liabilities you may incur in the future.

And if you are a victim of the latest OPM breach and completed Standard Form 86 for national security clearance, you should also notify those who provided references that their data has been leaked.

Do this over the next MONTH

Create an inventory of your current accounts. Save your bank statements, credit card details, insurance disclosures, and as much of your medical record data as you can. If you’re able, make printouts from the websites of the providers. This will give you a starting snapshot, which might be useful with any future claims. Put this stuff in a place where it is safe. If you’re the type to keep updated records, you should definitely keep updated printed copies of these accounts. Going to each once a month and printing isn’t too hard. But if you’re the type who can’t be bothered, at the very least take an account snapshot once and keep the paper copies in a safe place.

Take advantage of the free credit service or other alerting services that the provider will offer. Take a look at the agreement to see if there is any insurance coverage as part of the offering. Try to read the fine print to see what they’ll cover or not, and if you don’t understand something, call their customer service. Someone paid for this credit monitoring account, so pester them to get answers and get the most out of the service.

Google Alerts can be useful, too. Create an alert with your name and name variants, your address, car license plate(s), phone number, whatever. Certain transactions that become a matter of public record will be identified, and you’ll get a notification. That way, if someone steals your house and changes the title, you’ll know.

The big three credit agencies - Equifax, Experian and TransUnion - are required to give you a credit report 1 time per year. Check out annualcreditreport.com, but don’t request all three at once. Spread them out every 4 months so you can keep current.

Complete these steps within 90 DAYS

Move the goalpost. I mean, change everything that you can. Banks will give you new credit and ATM cards. Insurance providers can issue new cards with new numbers. Tell them that your wallet was stolen, since it is simpler for them to understand. Change security questions on websites. If you can prove that you’re “continually disadvantaged,” the Social Security Administration can change your social security number. It’s a PITA, but the form is here.

It’s important to know that moving the goalposts for the bad guys also means moving the goalposts for yourself. You’re going to have to jump through a lot of hoops to make changes and re-verify yourself with every provider that is legitimately relying on old data. It will suck. But it will minimize your risk, and the pain will diminish over time.

And do these things FOREVER

Secure yourself online. This is the perfect opportunity to hit the “Big 3” security steps online: passwords, 2-factor authentication, and isolation.

  • Change all of your account passwords, especially email. Use a password manager to make them unique and complex.
  • Turn on 2-factor authentication for everything you can. This system is so elegant, yet overlooked. A provider will send a text to your phone to verify every login attempt.
  • Isolate your online environment. Use a dedicated browser for only those sensitive accounts. Browse Facebook, Twitter, or dating sites on another browser.

Every few months, make sure to review account records for fraudulent activity. The initial inventory of account records and the move to secure yourself online with a password manager and secure browser should make this much easier. But get in the habit of looking at your statements. You’d be surprised how clever some criminals are, making small charges to your card that might get overlooked, like $6.17 for Acme Digital Services.

The world has changed for you, sorry to say

While it’s human nature to drop your guard over time, bear in mind that criminals are a patient bunch when it comes to exploiting PII. Because the information is difficult or impossible to change, criminals will often wait until credit monitoring runs out. That means that some of the most damaging crimes can take place long after the news coverage has moved on to the next data breach. So if you change your habits now, you’ll be more prepared when they strike.

We live in a world where data is king, and a breach has long-term risk. To paraphrase Thomas Jefferson, eternal vigilance is the price of online security.

UPDATE: If you were a victim of the OPM breach, we're offering 1 year of Silo for free.

Notable Breaches Since 2013

Visit DataIsBeautiful.com for more examples of data breaches in the past decade.

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
