The fear is completely normal – and logical. When news of a data breach comes out, your first question is simple: Am I a victim?
The normal reaction is to compare the hacked firm with an internal list of companies, products, and online interactions you’ve had in recent years. Once this list of potential risk points becomes clear, you’re free to exhale. And since your other accounts aren’t mentioned in the news, there is nothing else to worry about and you can relax. Right?
Wrong. The “no news is good news” reaction ignores a simple point: There is often a significant period of time between when personal data is stolen and when the breach is publicized. Sometimes this lag lasts for years. And there are many data breaches that never become publicly known.
The ways people find out about a data breach are as varied as the ways the data was taken. People might see on the news that a company where they regularly shop has been hacked. They might notice a sudden flurry of activity in a bank account. Or they might not notice anything until they go to apply for a loan. The fact is that not all data thefts are created equal. Some data leaks can be spotted on the dark web within weeks of a hack, as the cybercriminals work to convert the data into money while the stolen data is fresh. For some industrial and state-directed hacks, such as the Marriott breach, the data has never appeared on the dark web, as the purpose of the hack was simply to collect detailed records on people.
Five ways to find out about your personal data being stolen/leaked
1. News publications
Publications such as the New York Times or the Wall Street Journal will often carry news of the big data breaches. Security-focused publications such as KrebsOnSecurity and SC Magazine are even better, often providing more detailed information about how the breach took place.
2. Bank statements
You should be checking your bank statements for odd and unusual payments. If you see a repeated string of pizza purchases, your account may have been hacked or your credit card details stolen.
3. Have I Been Pwned?
Have I Been Pwned? is the go-to website for people to check if their personal data has been compromised by a data breach. It was built by Troy Hunt on the heels of the Adobe breach, where he saw the same accounts and passwords being hacked repeatedly. To use it, simply go to https://haveibeenpwned.com/, enter your email address, and click on “pwned?” If you see the message “Oh no — pwned!” chances are that your email details have been included in a recent breach. The check is limited to email addresses and does not include other important hackable details such as social security details or phone numbers.
4. Credit bureaus
Within the US, you can get one free credit monitoring report annually from each of the three major credit bureaus: Equifax, Experian and TransUnion. This is the traditional way to uncover suspect activity and the appearance of new accounts. However, Equifax has had its own major data breach, making its own data handling processes a little suspect. Beginning in 2018, Americans have also had the ability to place a freeze on their credit files, keeping the three bureaus from releasing or selling their credit reports. This is also a free service, in comparison to the bureaus’ own “credit lock” services.
5. The announcement
Yes, there are formal reporting requirements for companies following the breach of personal data of their customers and clients. Penalties for not complying can be significant for the companies. However, these notifications tend to come after news of the breach has already been in the press, making them a stale confirmation of an already known fact.