What Is a Data Breach and How It Affects Your Privacy

This day and age isn't exactly the best time regarding the state of online security. And there's no wonder given that technology advances at a rapid pace along with the techniques used by cybercriminals to deploy cyber attacks and their number of valuable targets.

In fact, 2018 has been the year of data breaches, with more incidents than we can actually remember. Cybercriminals managed to steal personal information from users of not only small companies but also major players such as Facebook and Quora.

The consequences of a data leak prove to be pretty costly for companies because it damages their reputation and they also have to spend great money so they ensure better security for users in the future.

And the consequences are not only felt by the companies. Users who are part of a data breach lose their privacy and personal information and become possible targets for identity theft or other scams.

To better understand how a data breach affects your online privacy and security, we'll go through what a data breach is, how it occurs, and what cybercriminals can do with the information they steal from users.

A data breach is an incident when a third party gets unauthorized access to a system to steal information. Stolen information can include customer information, usernames and passwords, credit card numbers, Social Security Numbers, and even trade secrets.

A data breach can highly damage the reputation of a company, its customers losing their trust to provide personal information in the future. There are also monetary loses involves as the company has to pay both a fine for not managing to secure their customers' data along with the investment in higher security measures. Individuals who have their information stolen in a data breach can also suffer consequences as their identity and privacy are in danger. The information collected can be used by cybercriminals to deploy attacks on users such as identity theft or other financial scams.

Exploits

With this type of attack, cybercriminals gain unauthorized access to a computer system by exploiting software bugs or vulnerabilities. The cybersecurity researchers work on patching the bugs and vulnerabilities while cybercriminals are looking to abuse them. It's a matter of who gets to find them first. The most commonly exploited software are operating systems, internet browsers, Adobe apps, Microsoft Office apps.

Spyware

Spyware is one of the different types of malware cybercriminals and hackers use to steal information about users and their internet usage. When the system gets infected, the spyware sends all the personal data it collects to the cybercriminals. You can easily install spyware on your computer by accessing a compromised website and clicking on malicious pop-ups.

Phishing

Phishing is a social engineering technique is a technique used by cybercriminals to trick you into giving them personal information, including usernames and passwords. Most phishing attacks are deployed through emails. The attacker sends you a fake email designed to look as coming from a business or person you know and trust. The email copy will request you to provide some sort of information in order to verify one of your accounts or even a payment. If you click the link in the email, you'll be taken to a fake website that will capture all the information you fill in.

SQL injection

An SQL injection is a type of attack which exploits security vulnerabilities by injecting malicious code into to control a database server behind a web application. Injecting SQL statements can go around security authentication of a web page or application and retrieve the content of the database. Criminals use this method to access sensitive data such as customer information and personal data.

From the beginning of users' databases, cybercriminals have found ways to get into companies' systems and steal personal information they could misuse. After all, why bother trying to steal information from separate individuals when you can steal a whole bunch of data in one go? And the number of incidents only keep on rising each year because more and more companies are keeping databases of users' information so there are more preys to target.

To put the state of data breaches into perspective, let's take a look over the statistics provided by Truth Finder.

• 2013 has seen 421 data breaches
• 2014 has seen 783 data breaches
• 2015 has seen 780 data breaches
• 2016 has seen 1091 data breaches
• 2017 has seen 1597 data breaches
• 2018 has seen 1232 data breaches

Even if the number of data breaches decreased in 2018, the number of compromised records increased by 133%. Compromised records include medical, credit card, and financial data or personal identification information.

Moreover, even more data breaches could've happened that we don't know about yet because companies take on average 47 days to publicly disclose a data leak...after they find about it themselves. In fact, only 13% of data breaches are discovered by the victim company, most of the incidents being reported by third parties.

Heartland Payment Systems - In March 2008, 134 million credit cards were breached through SQL injection that installed spyware on the company's data systems. The data breach was discovered only in January 2009 when Visa and MasterCard noticed suspicious transactions.

• RSA - Even the biggest security companies are not immune to being hacked. In March 2011, two hackers group working together deployed a series of phishing attacks against RSA employees to gain access to the company's network. 40 million employee records have been stolen. No customer's records were breached according to RSA.
• Yahoo! - The web services provider has seen the biggest data breach in history. In September 2016, they revealed that 3 billion user accounts have been leaked in 2013 and 2014. The stolen information included users' real names, emails, dates of birth, phone numbers, passwords, as well as security questions and answers.
• Adobe Systems - In October 2013, the company revealed that their database was hacked and between 38 and 150 million user records were leaked. The information leaked contained users'' details such as names, IDs, passwords and credit card information.
• Target Stores - The retail giant discovered that it fell victim to a data breach in December 2013. The attack has actually started in November but was detected weeks later. 110 million customers' data was breached, including 40 million credit card numbers.
• eBay - In May 2014, eBay reported a cyber attack which caused 145 million user accounts to be compromised. Users' names, addresses, dated of birth, and encrypted passwords were leaked.
• Equifax - One of the largest global data, technology, and analytics company was exposed to a data breach in July 2017 due to a vulnerability on one of their websites. 143 million consumers had their personal information leaked, including Social Security Numbers, birth dated, addresses, and drivers' license numbers in some cases. around 200k consumers also had their credit card details leaked.

• Under Armour - The well-known sports clothing company have been the target of a data breach in March, a third party gaining unauthorized access to their MyFitnessPal platform. 150 million records have been leaked containing information such as emails, usernames, and passwords. Fortunately, no credit card data was breached. Still, their stock fell 3.8% after the data breach was made public.
• Marriott International - In September, 500 million records were breached. Marriott found out during the investigation that, since 2014, there has been unauthorized access to the Starwood network. The information leaked included loyalty program account and reservation information along with guests' private data such as emails, home address, phone numbers, identifiable information, and birth dates.
• Quora - The most popular question-and-answer website's database was compromised in November when a third party gained unauthorized access to one of their system. 100 million records have been leaked containing users' information such as names, emails, and passwords.
• Facebook - You probably heard about the Cambridge Analytica scandal as it was one of the major news in 2018. Cambridge Analytica had harvested the personal information of 50 million users without their consent and used it for political advertisement purposes. 87 million Facebook users were informed in April that their data has been leaked.
• British Airways - In September, the leading airline had suffered a data breach where 380k records were leaked through an attack similar to card skimming. The leaked information contains personal and financial details of customers. No passport or travel details were breached.

Information leaked through data breaches is usually sold on the Dark Web.

The Dark Web is the hidden part of the internet that search engines, such as Google and Bing, do not index. To access the content on the Dark Web you need a special browser called the Tor Browser. The Dark Web is mostly used by criminals to sell illegal products such as guns, drugs, pornography, and even your personal information.

The marketplaces look a lot like regular online shopping sites, and users mostly use cryptocurrency as a way of payment so they keep their identity anonymous.7

In January 2019, Troy Hunt, the creator of Have I Been Pawned, found a collection of stolen information totaling 87GB of data. It is known to be the largest collection of files containing information gathered from many individual data breaches. This information included around 772 million email addresses and 21 million passwords.

Even though the data in the collection is around two to three years old, it doesn't mean it lacks value for hackers and cybercriminals.

Hackers can use old login credentials to trick you into thinking they have access to your account deploying a phishing attack. This is the case if you use to regularly change the passwords for your accounts. If you use the same password you set up three years ago well, cybercriminals will get a lot more use from your leaked credentials.

Also, if you use the same password across multiple websites and one of your accounts have been part of a data breach resulting in exposed login credentials, cybercriminals can hack into all of your accounts. They don't even need to manually try the login credentials on multiple websites. There are tools that send automated login requests to popular sites.

How much your data value on the dark web

• Social Security Number: $1
• Credit Cards: %5 - $110
• Drivers license: $20
• Online payments login info: $20 - $200
• Subscription services: $1 - $10
• Passports: $1000 - $2000

As you would expect, credit card information details are the most common pieces of information on the market. But login information for common platforms such as Instagram and Facebook is becoming increasingly valuable on the dark web also.

Firstly, to verify if your email has been part of a data breach, you can input your email on a website such as Have I Been Pawned. Mind that these kinds of websites do not contain all the data breaches, but mostly the bigger ones.

To protect your personal information and identity in case of data breaches, there are a couple of steps you should be taking as it follows.

• Use strong passwords - Using complex passwords that are hard to guess is mandatory for online security and protecting your personal information. Don't use the same password for multiple accounts and make sure you change them regularly.
• Monitor your bank accounts - Make a habit of regularly checking your banking accounts to notice anything suspicious. If the companies provide activity alerts through email or text it is best practice to sign up for them
• Act quickly - If you notice any suspicious activity, immediately report it to your financial institution and let them know your information has been stolen through a data breach.
• Mind your emails - After a data breach, cybercriminals can send you phishing emails designed to look as coming from the hacked accounts because users are already expecting them. Learn how to spot a phishing email so you don't fall the victim of this scam.
• Use multi-factor authentication (MFA) - MFA means that, besides the password, you must also verify your identity through a second method (such as providing a code you receive on your phone via text). Meaning that even if a cybercriminal gets the login credentials to your account, he won't be able to access it without also getting access to your phone.
• Only use HTTPS - The S in HTTPS stands for Secure and you should only be using these kinds of websites when surfing online, especially for money transactions.

Install antivirus software - Always run antivirus software that's up to date so you protect your computer from getting infected with viruses and malware.

Data breaches nowadays are massive as they target major companies which store personal information about hundreds of thousands (if not millions) of users.

We live in a day where more personal information is exposed than ever and we can't rely on government regulators to secure our data.

If you want to protect your personal data online, you have to do it yourself.

Extra tip: Use a VPN to become anonymous online

A VPN service makes you anonymous online and protects your privacy while browsing the internet by hiding your real IP address and location from prying eyes. Furthermore, it also encrypts all your internet traffic so, even if a cybercriminal manages to steal the records of your online browsing, the data will be unreadable and useless. Even though a VPN does not protect you against data breaches, it does prevent cybercriminals and hackers from stealing your private information by accessing your browsing history.

The DrSoft VPN provides a reliable service with servers located all around the globe, allowing you to maintain your privacy when surfing online. You get the strongest 256-bit encryption for your data and you don't have to worry about your private data as we don't keep any logs of your browsing.

Learn more about how to stay safe online, improve your online security and privacy, and protect yourself against cyber attacks: