When Is a Breach Not a Breach?


In the jargon of cybersecurity, “breach” is the thing companies and organizations try to prevent from happening. To the average computer user, “breach” can sound horrific. The reality is that there are many different kinds of breaches, and their severity and impact vary widely.

First, consider what kind of information has been exposed. This can range from your email address only, all the way up to your social security number. Your email address by itself is hardly worth worrying about, as it is probably in numerous places on the internet anyway (that’s where spam comes from). Was your email password also disclosed in the breach? That could be more serious. And if you were unwise enough to re-use your email password elsewhere, that’s cause for serious concern. The scammers could try to use that breached password at other websites and accounts, putting all your personal data at risk.

Breaches may also be of two types, internal or external. An internal breach means someone in the company or organization accessed information they should not have. An external breach means an outsider (crooks, organized crime, foreign nation-states) got in. Both can have dire consequences, of course, but the external variety is more dangerous. That’s because stolen information in external breaches frequently gets resold, so your credentials could wind up in the hands of multiple bad guys.

A breach may involve what security pros call “highly sensitive information”, meaning data that could be used to steal your identity or to commit fraud in your name. If this happens, you need to take action quickly – file a police report, contact your banks and credit card companies, the IRS and state tax department, and local creditors. Let them all know of the breach and request a change in any access codes they use for your information. Don’t forget the valuable service of an annual free credit report at www.annualcreditreport.com. You can check without cost once a year that your accounts have not been accessed by anybody who was not supposed to have access.

How will you find out about a breach? Although there are laws requiring firms that store data to notify users of a breach, they are at the state-level and the conditions vary widely. Some states have requirements for all breaches, no matter how small, to be disclosed, but don’t specify how quickly reports must be made. Other states require disclosure only if a certain number of users have their information stolen. Virginia’s rules are convoluted, with numerous loopholes. For example, if disclosure of a breach could hamper a law enforcement investigation, the company or organization can delay notifying affected customers.

Are the third-party services that warn you of breaches of any use? These purport to monitor the “dark web” and alert you if your private information is posted in a public location. If they are offered as part of another service, like a credit card company, or have minimal cost, they can be useful. In general, though, keeping an eye on your accounts yourself is just as helpful, and may be more timely.
