It seems that hardly a week goes by without another shocking data breach that affects millions of ordinary internet users making the headlines. But what is a data breach, how can one affect you, how do you know if your data has been breached, and what can you do if it has?
A data breach is any unintentional release of secure or private data. This can include classified information belonging to the military, sensitive information relating to corporate assets. The term is most widely used, however, to describe the unintentional release of data that jeopardises the privacy and security of ordinary members of the public.
Most commonly, this is in the form of customer databases leaked in some way by private companies, although the danger governments leaking even more sensitive healthcare information and the like is very real.
The information exposed by data breaches often include things like customers’ names, email addresses, usernames, passwords, postal addresses, order history, and even bank payment details.
Data breaches can be accidental, can result from the actions of internal staff members (for example whistleblowers or disgruntled employees), or from the actions of external hackers.
Most such hackers are simple criminals, although motives may also include political activism or simple bravado by the kids keen to build a reputation within the hacker community. Regardless of motive, once the information is within the public domain it is almost certain to be exploited by criminals.
In hacker speak, to pwn something is to own it. The ';--have i been pwned? tool below will help you find out if private details belonging to you are available on the internet by searching a wide range of leaked databases to see if any of them contain your email address.
Powered by haveibeenpwned.com
Are data breaches on the rise?
It’s not just your imagination, data breeches are indeed on the rise. And not only are they becoming increasingly common, but the scale (number of people affected) and scope (sensitivity of the information leaked) of the beeches has been getting steadily worse.
It is estimated that in 2019 some four and a half thousand records are lost or stolen every minute, adding up to over 6 million records every day! Between 2017 and 2019 there was an 88 percent increase in the number of people affected by health data breaches.
The total number of data breaches in the United States rose 44.4 percent between 2016 and 2017, although this dropped to 13 percent in 2018. These figures belie the scale of the problem, though, as the total number of records exposed between 2016 and 2018 is rose 1117 percent to a staggering 446.5 million!
Which companies have had data breaches?
It could almost be asked which companies haven’t had data breaches! What follows, however, is a list of the world's biggest data breaches over the last few years.
| Who | When | How big | Severity | Type of data | Encrypted? |
| Yahoo | 2013-14 | 3 billion (!!!) users | Moderate | Emails, passwords, phone numbers. But | Most (but not all) details were hashed using strong bcrypt algorithm). |
| Marriott International | 2014 | 500 million customers | Severe | Contact info, passport numbers, credit card details, travel plans. | No. |
| Adult Friend Finder | 2016 | 412.2 million users | Very high | Names, email addresses, passwords. | Hashed using weak SHA1 algorithm. Within 1 month 99% had been cracked. |
| eBay | 2014 | 145 million users | High | Names, addresses, dates of birth, passwords. | Passwords were hashed using proprietary measure. it is not known how strong these are. |
| Equifax | 2017 | 143 million US consumers. | Severe | Social Security Numbers, birth dates, addresses, driver license numbers. 209,000 unlucky consumers also had their credit card data exposed. | No. |
| Heartland Payment Systems | 2008 | 134 million credit cards | Severe | Credit card details | No. |
| Target Stores | 2013 | Up to 110 million people | Severe | Names, addresses, emails, telephone numbers, credit card details | No. |
| Uber | 2016 | 57 million users + 600,000 drivers | Moderate | Names, email addresses, and mobile phone numbers | No. |
| JP Morgan Chase | 2014 | 76 million households and 7 million small businesses | Moderate | Names, addresses, phone numbers and emails. | No. |
Will I be notified if my data is breached?
Between 2013 and 2014 Yahoo was victim of the largest data breach ever recorded, but it did not make this information public until September 2016. Marriot, in 2013 victim of the second largest data breach ever recorded, waited until November 2018 before alerting its customers to the danger.
This despite the fact that since 2002 all 50 states in the United States have passed data breach notification laws (although the last of these were only passed in 2016). In Europe, the 2016 General Data Protection Regulation (GDPR) mandates that companies report personal data breaches that “pose a risk to the rights and freedoms of natural living persons” to their supervisory authority. For example, the Information Commissioner’s Office (ICO) in the UK.
What history shows us is that, faced with huge financial loss and damage to reputation, companies simply cannot be trusted to notify the public in a timely manner if their data has breached. Regardless of any laws requiring them to do so.
Have I been pwned
Use the ';--have i been pwned? tool to scan a huge and continuously updated list of breached databases to discover if your email address has been involved in a (known) breach.
The tool will tell you which databases your email address appears in, together with a brief history of the breach and a summary of the kind of information which was leaked and is now in the public domain. Try it!
Powered by haveibeenpwned.com
Yikes! I’ve been pwned! What now?
Don’t Panic! Unless the breach is new, then it is unlikely you are in any immediate danger. If the breach is new and involves payment details then check your bank statements immediately.
Even if you find no suspicious activity, it is worth contacting your bank to alert it of the situation. In all likelihood it will take precautionary measures such as reissuing your card. But even if doesn’t, you are then in a much stronger position to demand redress should money start to mysteriously disappear from your account.
Regardless of the severity or time that has elapsed since the breach, you should immediately change your password (if the account is still active) and ensure that you have not reused that password across different websites. Indeed, re-use of passwords is arguably the single gretaest danger posed by most data breaches.
In 2011, for example, Sony suffered a series of data breaches that resulted in far more than the 77 million customer accounts exposed from a single PlayStation breach that year becoming public. Yahoo Voice was hacked for 453,491 email addresses and passwords.
Analysis revealed that 59 percent of people whose password was exposed by the Sony hack were still using the exact same password on Yahoo a whole year later. A further 2 percent had only changed the case.
How to minimise the impact
How companies, social media platforms, and government organizations store and protect the data we give them to perform the service they provide is in large part out of our hands. Despite overwhelming evidence that such organizations simply cannot be trusted to keep our sensitive data safe, we have no option but to trust them with it, anyway. C’est la vie.
We can, however, ensure that passwords obtained from a data breach cannot be used to access our other accounts.
Use a password manager
For every website and online service you use, you should create a strong password which is unique to that site or service. Note that 123456, the name of your pet, or of your favourite football team are not strong password. A genuinely strong password consists of a long string of random alphanumeric characters with mixed caps and (preferably) symbols.
Of course, us poor humans often struggle to remember even one such secure password, let alone one for each website and online service we use! It is therefore luckily that computers can do the heavy lifting for us!
Password manager apps generate secure and unique passwords and then conveniently autofill them into website logins when required. They also sync across devices so they are always available when you need them.
Here at ProPrivacy we favor open source password managers such KeePass and BitWarden, but any halfway decent password manager is lightyears ahead of not using one at all.
Two-factor authentication
One-factor authentication is something you know i.e. your login details, which can be compromised by a data breach. Two-factor authentication (2FA) uses an additional something you have to verify your identity.
At present this second something is usually your smart phone. A verification code is typically sent to your phone via SMS messaging, or you verify a login via an authenticator app (often using biometric authentication such as a fingerprint).
Enabling 2FA on your accounts makes accessing them without your permission all but impossible unless, in addition to your account details, a hacker also has physical access to your phone.