This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry.
Last month, T-Mobile (TMUS), the nation’s largest wireless carrier, was hacked by a 21-year-old American living in Turkey named John Binns. In an interview with The Wall Street Journal, Binns said he spent about a week rummaging through the company’s servers.
T-Mobile has since confirmed the data of more than 50 million current, prospective, and former customers was stolen in the hack. That includes Social Security numbers, driver’s license numbers, names, addresses, and dates of birth.
The T-Mobile hack was massive, but not at all uncommon. In 2020, hackers accessed the customer data of 2.5 million customers of alcohol delivery app Drizly (UBER). In 2019, the information for 30 million payment cards used at Wawa convenience stores was stolen through a breach in the company’s payment systems. In 2018, Marriott confirmed cybercriminals stole the information of 500 million guests. And in 2017, credit monitoring bureau Equifax (EFX) was attacked, with hackers making off with the personal data of 147 million Americans.
Those are just a small sampling of hacks from the last few years. To put it bluntly, you, dear reader, have likely already been the victim of a hack.
“The answer is yes, you've been hacked,” NYU Tandon School of Engineering professor Justin Cappos told Yahoo Finance. “Your data, and everyone else's, is probably out there from one data breach or another.”
Herbert Lin, a senior research scholar at the Stanford University Center for International Security and Cooperation, went even further by saying that for a mere $10 he can buy your mother’s maiden name, your Social Security number, and your current address.
It sounds scary, and it is. But there are ways to protect yourself even if your data is already out there, including taking advantage of free credit monitoring services. As for the companies that fall victim to hacks, experts say the government needs to find a way to punish them so they start doing a better job of protecting your data.
Your data is lost, and it’s not entirely your fault
You can use the perfect 21-character-plus password, multi-factor authentication, and a virtual private network that makes it look like you’re connecting to the web from the Moon. But in the case of corporate hacks and data leaks, there’s nothing you can do to protect your information from ending up in the hands of cybercriminals or nation states.
“There's really nothing you can do once [your data] gets out,” Cappos explained. But unless you intend on living your life as a kind of digital hermit, never signing up for a website or using your credit card, there’s little you can do to ensure your data is safe when you hand it over to a company. The moment you sign up for a service, app, or use your credit card, the fate of that data is more or less out of your control.
So what do the experts do to protect themselves? Lin and Cappos both say they’ve put freezes on their own accounts, meaning even if somebody has their information, they can’t open a card or take out a loan in their names.
Freezing your credit account is cumbersome. You have to reach out to the three major credit bureaus — Experian, TransUnion (TRU), and the aforementioned Equifax — to put the freezes in place. You need to contact them again to take the freeze off your account when you want to sign up for a new credit card or otherwise access your credit account. Still, it’s easily one of the best things you can do to protect yourself online.
You can also sign up for credit monitoring services. And if your information has been stolen in a hack, you’ll likely get access to two years of credit monitoring for free in the event of some kind of legal settlement with the hacked company. Victims of the Equifax hack, for instance, got 10 years of free credit monitoring.
It’s also worth noting that your hacked data isn’t relevant forever. Chances are you’ll eventually move, or you might get a new phone number or email address, and when that happens your previously pilfered information is no longer a risk.
Privacy legislation will help, but it’s not coming anytime soon
There are some protections in place, namely the California Consumer Privacy Act (CCPA), which goes into effect January 2023 and allows consumers to have their data deleted from a company’s servers. Following California’s lead, Virginia and Colorado have also adopted consumer data privacy legislation of their own that will go into effect in 2023.
But these laws fall well short of national legislation because they don’t protect all Americans.
And as The Washington Post's Geoffrey Fowler found, it’s tough to delete your data.
According to Lin, the best way to pressure companies to better protect data is to ensure they pay up when they lose consumers’ information. The CCPA, as well as the Virginia and Colorado laws, establish fines for violations, but those don’t apply to all Americans.
Various members of Congress have proposed consumer data protection laws, including Sen. Jerry Moran (R-Kan.), who reintroduced the 2020 Consumer Data Protection and Security Act this year, and Sen. Maria Cantwell (D-WA), who introduced the Consumer Online Privacy Rights Act in 2019. But nothing has ever come to fruition, and it’s unlikely to anytime soon.
“Legally, a lot of things have to change to make a really meaningful improvement in this area,” Cappos said. “And when you have companies like Facebook (FB) and Google (GOOG, GOOGL) that would be very strongly opposed to this, you can see why it's very unlikely that legislation of this sort would get passed.”
You might also wonder why companies aren’t legally required to encrypt data to the highest standards. According to Joseph Carrigan, senior security engineer at Johns Hopkins’ Whiting School of Engineering, that’s because those standards are always evolving.
“Let's say I say everybody has to encrypt their data at rest [not being transferred] using at least the advanced encryption standard...and I put that to legislation,” Carrigan said.
“Well, eight years from now that algorithm is no longer valid. So you have to go through the process of updating that [law]. Again that's a slow process. That's kind of why I don't like to see this happen in legislation.”
For now, your best bet is to continue to monitor your credit cards and, if you’re truly concerned, put a freeze on your accounts. It’s a hassle, to be sure. But it’s one you might have to learn to live with in a digital era where nobody’s data is safe.
Daniel Howley is tech editor at Yahoo Finance.