In late April, users of Sony's PlayStation Network (PSN) or Sony Online Entertainment, were victimized by a series of data breaches that exposed sensitive information about 100 million customers, as well as tens of thousands of credit card numbers. The breach grabbed headlines around the world, but incidents of this type are more common than you might think.
At this point, if your personal data hasn’t been compromised at least once, consider yourself very lucky. But short of just staying off the grid and living some Luddite existence in a cabin in the Rockies, what can you do to protect your data and minimize the impact of these breaches? We'll show you how.
A Look at Data Breaches
In 2011 alone, tens of millions of users have had personal information exposed or put at risk in some way by data breaches at Epsilon, RSA Security, the state of Texas, Ashampoo, and Sony's PlayStation Network, among others.
Data breaches can occur in various ways. In the case of the Texas Comptroller's Office, a configuration error on a publicly accessible database left sensitive details open to the Web. With the RSA Security data breach, a simple phishing attack exploiting a zero-day bug in Adobe Flash enabled an attacker to gain access to the internal network.
In some of the breaches, investigations are pending and details are sketchy, but in almost every case the responsible company or entity was guilty of some degree of negligence. That said, given enough time and a dedicated attacker, no network is impervious.
How Does a Data Breach Affect You?
The impact of a data breach is determined by two things: what kind of information is compromised, and what the attackers do with the information they steal. Some data breaches may expose only e-mail addresses, while others may give attackers much fuller and more-valuable information, such as credit card or bank account numbers.
If a breach is limited to exposing e-mail addresses, the only real concern it raises is the possibility of phishing attacks, as was the case with the Epsilon data breach, where hackers stole millions of e-mail addresses. But knowing that an e-mail address is active--and that it has a relationship with a given business--enables attackers to craft far more convincing phishing attacks with a much higher potential for success.
If the data breach compromises relatively details--as in the case of the Texas State Comptroller data breach, which left names, addresses, dates of birth, Social Security numbers, and driver's license numbers available to the public--identity theft becomes a serious concern. The attacker, or someone who buys the information from the attacker, can use data such as this to pose as you and open new, fraudulent accounts in your name.
The worst type of data breach is one in which the attacker obtains actual bank account or credit card numbers. The attacker can then make purchases using your credit card information or--with the right additional information such as your account password--drain your bank account.
Protect Your Personal Information
At least part of the responsibility for protecting your information falls on you. Granted, when you entrust data to an organization, you expect that recipient to be vigilant about safeguarding it; but ultimately nobody cares about your data as much as you do--with the possible exception of the attackers.
To start with, you should assume that your data will be stolen at some point. It's the online equivalent of driving defensively: If you operate from this mindset and choose which companies to share your personal or financial information with based on this premise, you'll be much more discriminating about which ones are worthy of that level of trust.
Online, many Websites require you to provide some information in order to use them. Some allow only registered users to access certain content; others require you to sign up and log in before you can contribute or comment. But that doesn't mean that you have to provide correct information.
First, don't share your primary e-mail address with just anyone. Set up a dummy Webmail address that you use for the express purpose of signing up for Websites. That way, if your e-mail address gets sold or stolen, the resulting spam and phishing attacks will go to the dummy address and you can ignore them.
Second, don't supply real information if you can avoid doing so. One option is to invent a fake persona just for signing up for Websites. You can use your real name, or something close to it--like "Anthony" instead of "Tony"--but enter a fake mailing address and phone number, and use the dummy Webmail address I mentioned earlier. That way, if the site gets hacked, your real data is not at risk.
Don't Use the Same Password
One of the biggest mistakes that people make is to use the same username and password at multiple sites. If you do that, an attacker who succeeds in stealing your information from one site that you have a relationship with suddenly has the keys to your entire online life.
No doubt, remembering 10, 20, or 50 different usernames and passwords is a daunting task. I recommend that you use different usernames and passwords on sites that matter--meaning any site that you rely on, or that grants access to sensitive information such as your bank account or credit card information.
For minor sites that you sign up for once and may never visit again, it's okay to use one username and password across all of them. That way, you can follow the recommended security practice while minimizing the number of username and password combinations you need to remember.
For tips on creating secure passwords, see "How to Build Better Passwords Without Losing Your Mind."
Don’t Fall Prey to Phishing Attacks
Let's start with one simple rule: If you get an e-mail that has spelling errors or poor grammar, delete it. Legitimate companies do sometimes mangle spelling and grammar, but nine times out of ten, a poorly worded e-mail is the handiwork of an attacker who doesn’t speak the language fluently.
Some phishing attacks are more sophisticated, however, and may use the built-in spelling and grammar checkers that most word processors provide to iron out such problems. A phishing e-mail with good production values can look and sound very convincing.
Nevertheless, avoiding phishing attacks isn't terribly difficult. The crucial rule is this: Never supply your username, password, account number, or other sensitive information via e-mail. No legitimate company should ever ask you to do so; and if one does, it doesn’t deserve your business.
Another important rule: Never click a link in an e-mail message. Phishing attacks often contain links that lead to spoofed but seemingly legitimate Websites. The e-mail message may direct you to "correct" your personal information or to "create a new password," but really the attacker is just gathering whatever information you type in.
Keep an Eye on Your Accounts
One way to avoid having your bank account wiped out--or having an attacker max out a $5000 credit card--is not to give any site access to such information in the first place. Get a disposable credit card, or a credit card with a restricted $250 limit that you use specifically for Web purchases. That way, if it is ever compromised, the most severe damage you'll endure is a loss of $250--and you won't run the risk of waking up to find that a criminal has surreptitiously transferred your life savings from your account.
Some banks also offer virtual credit cards, which resemble one-time alias card numbers that you can use to make online purchases, but that have no real-world value if intercepted or stolen.
Early detection is the key to survival. Scrutinize your bank and credit card statements so that you can identify suspicious activity and address it as quickly as possible. Doing so will help minimize the resulting damage. Besides, the greater the amount of time that elapses between having your account compromised and having that attack detected and reported, the less helpful your bank or credit card company are likely to be.