For the first time, hackers have become the biggest cause behind publicly reported data breaches, according to a recent report.
The Identity Theft Resource Center began tracking the cause of reported breaches three years ago. For the past two years, the top cause was what the ITRC calls "data on the move"--typically a lost laptop with unencrypted data, or even a lost briefcase. That changed in 2009, when about one out of every five data breaches had a hacker behind it.
Why does this matter? A thief who walks away with a laptop is likely more interested in wiping its hard drive and selling it than in selling its data. But a hacker who invades a company's network and swipes a trove of credit card numbers is sure to use them, or sell them to someone else who will.
The ITRC notes that its study is based only on reported breaches. Because state laws and policies vary, not all breaches or their causes are reported. The number of data breaches dropped from 657 in 2008 to 498 in 2009 (in 2007, there were 446). But the while the total number of breaches dropped, the number of hacker-launched thefts rose. And that's bad news.
The upshot? As security gurus I talk to like to put it, assume that your information has been compromised, and be ready to catch it when it's used.
That's Wade Baker's approach. He's a researcher and coauthor of a data-breach report for Verizon Business, a Verizon subsidiary that investigates information theft. According to Baker, hacker thieves are typically after credit card and debit card numbers, closely followed by other types of personal information that can be used to turn a fraudulent buck.
While you can't improve the security of a credit card processing company you've never heard of that might fall victim to a hacker, you can stay vigilant to quickly catch attempts to use stolen info.
The traditional, low-tech, simple approach to such vigilance is to carefully scan your credit card and bank account statements. But hey, this is PCWorld. We're all about high-tech time-savers. Here are four.
(1) Most banks let you set alerts if a charge above a certain amount hits your account. Some will even automatically send an e-mail or an SMS message if a charge from overseas shows up.
(2) A nifty and free online service called Mint.com can pull in data on your disparate credit cards, checking and savings accounts, and even investments and loans for you to view in one place. The company says it carefully encrypts its info, and the site allows only information viewing. But using it still requires trusting the service with your financial accounts' usernames and passwords. See more on automatic account alerts and Mint.com.
(3) Check your credit reports regularly. The free annualcreditreport.com allows access to the reports held by Experian, Equifax, and TransUnion once a year, for a total of three reports per year. (The much-advertised but misleadingly named freecreditreport.com requires paying $15 a month to enroll in its credit protection service and get access to your reports.)
(4) Consider using virtual credit card numbers, offered by some banks and by PayPal. These virtual numbers, typically a free service, can be used only by the company you give it to, and become worthless in the hands of a digital thief. In the usual trade-off between convenience and security, using them does require taking the additional step of generating a new number prior to or during an online purchase. But this high-tech option affords some very real protection. See more on using virtual-number services.
Hackers aren't going anywhere (just ask Google). But a little extra legwork can blunt the risk they pose, at least as far as your data is concerned.