
An in-depth look at how a data breach could affect you

Let's play a game. Try to make a list of all the businesses and other entities that have your personal information stored in their databases. Well, there's the local council and government organisations for starters. Every credit card and bank account provider necessarily has your information, and any online merchant with whom you've set up an account. Don't forget schools, discussion forums, social media... Hmm, making this list isn't such a fun game after all.

If any one of these entities suffers a security breach, your private data could be exposed, and they do get breached. Tumblr, Google Glass, and Apple all suffered breaches back in July, and JP Morgan was hit this month. You can bet that more of these major incidents will occur.

Why should I care?

There are a good number of reasons why you should care. Should your county council's network get breached by cyber-crooks, or should an employee lose a USB stick containing data that ends up in the wrong hands, all manner of sensitive personal information could be spilled, including all your contact details, perhaps your National Insurance number, and so on.

If a merchant or bank suffers a breach, your bank account and credit card information could be exposed. Yes, if the crooks make fraudulent transactions using your credit card, the issuing agency won't make you pay, but you'll have to go through the pain of resolving the situation and getting a new card number.

Possibly the worst situation would be a breach that exposes your email username and password. With this information in hand, a crook could lock you out of the account by changing the password. The next step would be to take over more of your accounts – any that use a simple email reset for the "Forgot password" system are vulnerable.

Password hash

Of course, all of these institutions should be keeping your important data in encrypted form. Passwords in particular shouldn't be stored at all. Rather, they should run the password through a hashing algorithm and only store the result. To verify you've entered the right password, the site simply hashes what you entered and compares it with what's stored.

Hashing is like encryption, but it's a one-way street. Even if a cyber-crook knows exactly which algorithm was used, there's no way to go from the hashed value back to the password that it came from.

Or is there? Yes, hashing isn't reversible, but if you guess a password, hash it, and find that it matches a stolen data record, you know you've discovered the password. The hackers who breached LinkedIn last year posted millions of hashed passwords on a public forum. One white-hat researcher cracked 900,000 passwords in four hours simply by hashing a huge number of potential passwords and checking the results against the exposed list.

A simple technique called salting adds a random factor to the hash algorithm that makes this kind of discovery-by-guessing impossible, but you can't know for sure if those entrusted with your data are using this technique.
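To make the hashing, guessing and salting points above concrete, here is an added example in Python (not from the original article): it stores a constructed sample of users' passwords both unsalted and with per-user salts, then shows that an unsalted list lets one hashed guess be checked against every account at once, while salts force every guess to be re-hashed for each account. The user table, the guess list and the choice of PBKDF2 as the slow salted hash are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not a real leak): two users share a weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed guess list

def unsalted_hash(password: str) -> str:
    """Weak storage: plain SHA-256, identical for everyone with that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Better storage: per-user salt into a slow KDF (PBKDF2, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def store_unsalted() -> dict:
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}

def store_salted() -> dict:
    table = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)  # fresh random salt per account, stored in the clear
        table[user] = (salt, salted_hash(pw, salt))
    return table

def verify_login(table: dict, user: str, password: str) -> bool:
    """What the site does at login: re-hash with the stored salt and compare."""
    salt, digest = table[user]
    return hmac.compare_digest(salted_hash(password, salt), digest)

def guess_unsalted(stolen: dict) -> tuple:
    """Each guess is hashed once and compared with every stolen record."""
    found, hashes_computed = {}, 0
    for guess in WORDLIST:
        hashes_computed += 1
        digest = unsalted_hash(guess)
        found.update({u: guess for u, d in stolen.items() if d == digest})
    return found, hashes_computed

def guess_salted(stolen: dict) -> tuple:
    """With salts, each guess must be re-hashed separately for every account."""
    found, hashes_computed = {}, 0
    for user, (salt, digest) in stolen.items():
        for guess in WORDLIST:
            hashes_computed += 1
            if hmac.compare_digest(salted_hash(guess, salt), digest):
                found[user] = guess
                break
    return found, hashes_computed
```

Note the two counters: salting multiplies the guessing work by the number of accounts and defeats precomputed tables, but a single account's weak password is still guessable, which is why the slow hash and the password-manager advice further down both matter.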

Minimise your exposure

In a very real sense, there's nothing you can do to protect against the fallout from a data breach that exposes your personal information. You don't have control of the data, or the way it's stored. Even so, you can minimise your exposure.

For starters, you need to become a personal data miser. Never enter more than the required minimum on any website. If they seem to want too much, consider whether what you're doing on the site merits the risk. And if you stop using a particular website, delete your profile. Don't leave your data sitting there, potentially exposed. (How long since you logged into MySpace? Right. Delete that profile now!)

If you're the kind of person who uses and re-uses the same password, a breach that exposes that password can be catastrophic. Yes, it's nearly impossible to remember a different strong password for every website, so get a good password manager program and use it to generate and store passwords that can’t be guessed. LastPass and Dashlane both include a feature that rates your existing passwords and helps you improve them. Use it! You'll be glad you did.

Watch for evidence

Keep an eye on your credit scores if at all possible. It costs £2 to obtain your statutory credit file online, although there are ways you can get a freebie as this article explains. If a crook uses your personal data to set up a new credit account of some kind, you'll see it in the report.

Check every line of every credit card bill. It's not uncommon for fraudsters to make a few small charges first, just to see if you're paying attention. If you're not, they'll go the whole hog, ordering up all the goods and services they can, right up to your credit limit.

If, despite your best efforts, the bad guys compromise your identity, don't panic; help is available. Visit the Action Fraud web page and follow the instructions on what to do.

Data breaches happen, and big breaches make the news. Any time you see a breach reported, stop and think. Does the victim organisation have any of your data? If so, take the time to read all the details and determine what, if any, action you can take.