On Creating Better Digital Privacy and Security Habits Before a Data Breach
(Posted on Monday, October 16, 2023)
Like it or not, we all rely on major corporations to provide services and products we need to make our lives better. Unfortunately, one of the pre-conditions of the digital age is that to allow companies to bring us maximum value, we provide them with a great deal of personal data.
When companies are irresponsible with our data, it can be breached and made available on the dark web, leaving us open to financial damages, identity theft, and great personal inconvenience with very little recourse.
Let’s take a look at a recent example of how vital personal data can be hacked to track specific groups of people. As someone who does not believe in coincidence, I note that 23andMe accounts were breached one day before Hamas launched an attack against Israel.
According to many reports, the 23andMe breach at first called out Jewish people specifically. Other groups are now listed in this “first of its kind” data breach, according to CBS and global cybersecurity company Check Point.
23andMe has over 14M customers. The hackers obtained usernames and passwords that had leaked in previous data breaches and were purchased on the dark web, then used automated bots to re-use those credentials (a technique known as credential stuffing) against 23andMe customer accounts that did not have multi-factor authentication.
In my opinion, this is an extreme and terrifying example of what can happen when companies, and we as consumers of these products and services, do not take the time to continuously review and update our own personal privacy and security practices with companies we do business with, such as simply adding multi-factor authentication to all of our digital accounts.
Short of filing an expensive lawsuit (and as of this writing, lawsuits have been filed against 23andMe), the only consequence most of us can deliver to a corporation that appears to have failed in protecting our data (such as by recognizing bots in real time, or unusual consumer behavior) is to withhold our business.
In order to do that, we have to know which companies are acting responsibly and which ones are not. Enter this article.
I have reviewed numerous resources and identified several that can give the curious consumer a clear picture of which companies act responsibly when it comes to protection of electronically stored data, and which ones don’t. I will not be naming names in this article (other than to perhaps name some of the organizations that are consistently good at protecting data), but I will talk about the methods you and anyone else can employ to find out who should be awarded your business, even if your level of technical sophistication is basic.
Because remember, most of us are not cybersecurity experts, nor do we have the technical expertise or training to detect, identify, and resolve a cyberattack. Our best bet is to become our own best allies by constantly reviewing and updating our privacy and security settings on a monthly basis.
Let’s start at the state level. Some states, though not all, maintain public databases of organizations that experienced data breaches. California’s database, for example, lists data breaches in a given year chronologically, and also allows you to search for specific companies, hospital networks, nonprofits, or colleges that have been hit by cyber attackers.
One of your first stops should be to check your own state of residence to see if it offers its own publicly accessible database of breaches. As of this writing, California, Delaware, Hawaii, Indiana, Iowa, Maine, Maryland, Massachusetts, Montana, New Hampshire, New Jersey, North Dakota, Oklahoma, Oregon, Texas, Vermont, Washington, and Wisconsin offer such databases.
Privacy and security blogs like the Identity Theft Resource Center are also good resources. They regularly publish articles about the results of consumer and business data breaches and identity theft surveys and research. These articles are good places to find news about the latest private government service regarding highly trusted brands like Adobe, Under Armour, and Apple, which have strong records of protecting consumers’ privacy.
A more time-consuming method of learning which companies not to trust is to do regular news searches or set up Google alerts for phrases like “company data breach.” When large, consumer-facing brands such as retailers, carmakers, banks, and cable companies have major security failures that result in stolen data, it’s always big news and will be covered by the major news outlets.
However, if you are not on top of the daily cybercrime news cycle, it’s best to practice your own digital hygiene habits on a regular basis, to add protection to your digital footprint in the event a company is breached.
Finally, if you want to see if your personal information has been compromised, you can go to HaveIBeenPwned.com. This free, invaluable site lets you enter your email address or phone number and find out if either has been compromised in a data breach, and by what companies.
None of this is easy. Creating new digital habits to better defend your digital privacy and security takes time and effort. But, like any new habit, such as setting a goal to go to the gym four days a week or eating healthier, new digital habits can be learned, and will become part of your routine over time to protect yourself and your loved ones.
Stay safe.
Christopher A. Smith is the author of Privacy Pandemic: How Cybercriminals Determine Targets, Attack Identities, and Violate Privacy—and How Consumers, Companies, and Policy-Makers Can Fight Back—release date November 7th, 2023 from Amplify Publishing.