There were a bunch of big data hacks in 2019, and 2020 will likely be just as bad as the number of cyberattacks increase. (The average number of security breaches in the last year grew by 11% from 130 in 2017 to 145 in 2018, according to Accenture research.)
Companies may be hiring cybersecurity consultants, one expert told Yahoo Finance, but many of them are simply box-checkers looking to cast off liability.
If you haven’t been involved or impacted by a hack, don’t think your luck won’t run out. Yahoo Finance spoke to two cybersecurity professionals for a definitive guide on what to do if you’re involved in a hack.
Do this first
There are three general types of security breaches, says Alex Hamerstone, GRC (governance, risk, and compliance) practice lead at TrustedSec, a cyber security consulting firm. There’s a breach of a service you’ve never used, a breach that you do use but didn’t involve your data, or a breach of a service you do use with your information.
If you use the service, change your password immediately. Do not reuse an old password. And change any passwords for other sites that might use the same password as the breached service. If you don’t use the service, consider using “this as a reminder to go change my passwords and make sure that I have things locked down as best I can,” says Hamerstone.
The reason why it’s so important to change your passwords for other sites is precisely because hackers know you recycle the same password at multiple websites.
“Hackers will check other accounts when they have a victim’s password,” says Jason Glassberg, co-founder of Casaba Security. “You should also set up up two-factor or multi-factor authentication to guard against future password theft.”
Glassberg says you can use text-based two-factor authentication (2FA), but a dedicated app like the Google Authenticator is better because “phone porting (phonejacking) attacks are increasing and if someone hijacks your cell number, they then have access to your 2FA codes,” says Glassberg.
The next steps: monitoring and being proactive
If your data was breached, the experts suggest careful monitoring of bank and credit card accounts (many banks offer app and text-based notifications.)
After the short-term fixes like changing your passwords and making sure 2FA is in order, Hamerstone recommends considering a credit freeze (“for at least a year!”) if your Social Security number was compromised, even if the breached company says the number was encrypted. (A credit freeze lets you restrict access to your credit report, which makes it harder for identity thieves to open new accounts in your name.)
In the months following a hack, don’t be surprised to receive suspicious messages.
“You should expect social engineering scams that will use your information against you,” says Hamerstone. “For instance, in a common email phishing scam today a hacker — who bought your password along with countless others from a data dump — will claim to have hacked your webcam and recorded you watching adult movies, or something else, and will cite your password as proof.”
This can seem extremely believable, and Hamerstone adds that hackers may also have more info from emails, calls, and texts to give you the impression they have already hacked you.
“This is a tactic that will catch a lot of people off-guard, and they can end up being victimized a second time — and much worse,” says Hamerstone. “So it's important to understand how this stolen information is used by scammers, and sold/traded/rented to other criminal groups.”
Because all this information that’s easily accessible can include card numbers, Glassberg strongly advises against using debit cards. “I can guarantee almost everyone will lose their card number to a breach, skimmer or theft in the next year,” he says. “When that falls into the hands of a criminal, you can lose access to your money instantly.”
While you can get the money back with prompt response, both security experts point out that it’s a pain that can be avoided by using a credit card. (With a debit card, the money is taken directly from your account, but with a credit card, you pay later so you aren’t on the hook in the same way.)
“Mobile payments (like Apple Pay) are even safer than that,” says Hamerstone.
The long-term: assume the worst
“By now, most people in this country have some personal information that is available to scammers in the dark web,” says Hamerstone. “Maybe it's just an old email address or password, or maybe it's more serious than that — like a Social Security number. But either way, you should assume you are already in the dark web and proceed accordingly.”
Even if you haven’t been involved in a recent breach, a little monitoring can go a long way.
“Keep a close eye on your banking — never stop. Don’t reuse passwords, ever, and don’t store sensitive stuff in the cloud — like nude photos,” Hamerstone says.
Hamerstone has another bit of bad news, which sounds like pessimism but is grounded in realism: “Expect to become a victim of tax fraud.”
The IRS now has a special program providing taxpayers with an Identity Protection PIN, or IP PIN, he says. This number helps the IRS verify your identity and accept your tax return. Note that taxpayers in certain states are eligible; check the IRS’s website to see if you qualify.