Your Data Was Stolen (Again). Here's What to Do.

You received (another) letter from (another) company that holds your data saying that they had a cyber breach. Oh, and your personal data was maybe compr

Another company was hacked, and your data was probably stolen (again).

I like being able to easily find what I need, so I am a big fan of being organized. I have color-coded file folders for things we receive in paper form and need to keep (yes, really!). This includes things like bills paid, paperwork for the kids’ schools, medical forms we receive from the doctors, car maintenance, bank statements, and so on.

I’ve had these same folders for many years, but there’s a new file folder that I recently had to set up: Stolen Data/Cyber Breaches.

Yes, I now have a folder for all those letters about cyber breaches that the spousal unit and I have received over the last few years. The last one we got was in May, from TaskRabbit, Inc., one of the resources that Frank used to launch his home energy audit and weatherization business last year.

Also in that folder: Home Depot, JP Morgan Chase (twice), US Department of Veteran Affairs, IRS, Verizon, Citigroup, CVS, Gap, Hyatt Hotels, US Army, Department of Defense, and UMass Salem State, to name a few.

That doesn’t include the ones that sent email notices, like Yahoo!, Gmail, eBay, DropBox, Facebook, LinkedIn, Living Social, and Zappos. Or the ones that didn’t even bother sending anything, like Equifax.

Our data is being compromised so often that it almost feels normal, like data breaches are the price we pay in order to live in our world today. Most of us probably don’t even bother reading the letter past skimming the first few sentences. We just roll our eyes, sigh, and file or throw away the notice.

That’s probably not the best response.

They want YOUR information

Let me make this crystal clear: The reason cyber criminals steal this kind of data is because they want your information, whether it’s your name and address, last four digits of your social security number, ID and passwords, security questions, etc.

Yes, even little, ole, insignificant you.

The more information they have, the better they are able to develop a profile on you. And the more detailed your profile, the more your information is worth on the black market. I guarantee you that there’s some enterprising shady character who is aggregating information that’s been stolen and creating composite profiles to be sold.

Composite profiles are valuable because we make it so easy for anyone else to use our information. Most of us use the same information (passwords, user IDs, email addresses)—or some variation thereof—again and again. As a result, most of us wouldn’t pass a basic pentest (a penetration test, which checks how easily your cybersecurity can be breached). This is true for both business and personal cybersecurity.

So now what?

I know, I know. You are absolutely sick and tired of hearing about cybersecurity. You don’t think that your information is worth anything to anyone. You don’t have the time, energy or money to take on this huge task. And even if you did, you don’t even know where to start.

Despite your frustration or annoyance, ignoring this is NOT an option. And I have a few ideas that shouldn’t take much time or effort when you get one of those letters.

  • Sign up for identity theft protection. Most of the companies who lost your data offer identity theft protection for a year. It’s free, so you might as well sign up for it. Pro tip: They should not be asking you for a credit card so they can charge you after your one year is up. Depending on the service, they claim to help you (expenses, advice) if you become a victim of fraud. ConsumersAdvocate.org did the research and has some recommendations.
  • Add a fraud alert. If you think you might be the victim of fraud, add a fraud alert to your credit report. An initial alert is 90 days, but if you can prove that you were a victim, a fraud alert will last seven years. (A police report works, as may a letter that suggests your data was stolen and not just compromised.) Fraud alerts cause new credit approval to take a whole lot longer. When my wallet was stolen a few years back, I added a fraud alert, and when I went to open an account somewhere, it took more than an extra hour because of the extra verification steps required. I’ve been told by a former hacker that if something takes more than 10-15 minutes, hackers will generally walk away and try something else. It’s not worth it when there are so many easier targets.
  • Change your password. Make it long and nonsensical. If tracking these is a nightmare, use something like LastPass (which has a free version for individual accounts) to track all your user IDs and passwords. If you can change your user ID, do that as well.
  • If you don’t use the account anymore, close it. Closing unused accounts is not a panacea, especially since a lot of those organizations will keep your information in their system indefinitely. However, if you close your account, there’s one less portal into your life that is available to cyber crooks.
  • Visit haveibeenpwned.com to see if any of your accounts were compromised in a data breach.

Longer term, you really need to take a more comprehensive approach to cybersecurity. If you don’t believe me, consider the fact that 70% of cyberattacks target small businesses. Also, how many phishing emails have you received recently? Chances are, several.

Your options to get protected

To stay protected, you will need to beef up your cybersecurity. You have a few ways you can go about this. You can:

  • Google all the things you need to do and get started;
  • Take a course, like the one I developed with cybersecurity and privacy specialists, that will walk you through the key things you need to do (even if you’re not an entrepreneur, you’ll find most of it useful);
  • Hire someone to set it up for you;
  • Do nothing (please don’t do this).

The first is free but can be time consuming; the second is inexpensive and will take less time; the third could get expensive, but you at least don’t have to think about it; and the fourth is simply playing with fire—which will eventually cost you way more time, money and energy, sooner rather than later. More than half of small businesses that experience a breach close their doors within six months.

Whatever you decide to do, start somewhere. Even just making sure your operating system is up-to-date adds a layer of protection.

Meanwhile, I’ve set aside that letter from TaskRabbit so we can check to make sure that the spousal unit's (free) ID Theft service is up-and-running. Then I’m going to file that letter.
