How To Keep Personal Data Safe When Companies Can’t (Or Won’t)

Organizations came under fire in 2017, a year of reckoning for businesses on how they managed corporate and personal data. The increase in cyberattacks, and in particular the use of ransomware, has become so pervasive that an underground ransomware market has grown in strength.

According to Carbon Black, the underground market for ransomware, which currently offers approximately 45,000 different ransomware products for purchase, has grown from US$250,000 in 2016 to US$6.25 million in 2017, a staggering 2,500 per cent increase.

The stats continue: ransomware payments from affected individuals and organizations totaled close to $1 billion in 2016, up from $24 million in 2015. Ransomware is becoming sophisticated, easy to access and, most important of all, the best way to make a profit out of malware.

One thing is clear: cyberattacks, in their many forms, are here to stay.

But the question remains: are organizations incentivized to prioritize our safety, or are they more driven by self-preservation?

A tale of two cyber gaffes

Equifax and Uber were two high-profile cases last year that rocked consumer confidence and suggested the latter — self-preservation. The lack of privacy management processes shown by the two companies before, during and after the breaches has resulted in them facing serious financial and legal consequences that have significantly hindered both their profits and their credibility.

These are lessons worth learning for other businesses. Thinking of other long-lasting implications, such as loss of customer trust and reputational damage, some companies may be forced to close their doors completely. We are living in a new world of cybersecurity and privacy awareness and we need to evolve in the way we do business today and into the future.

Equifax’s main downfall was that they were not prepared with comprehensive policies and processes outlining specifically how to handle a breach response. Instead, their approach appeared careless, ranging from directing worried customers to a questionable domain separate from their website to check whether their information had been compromised, to high-level executives selling their stock days before the breach announcement. That does little to soothe the worries of thousands and indicates that no risk management structure was in place. Thus, their response, instead of eliminating doubt and quickly resolving the issue, further damaged their credibility and exacerbated the situation.

Then there is Uber: another important example of a lack of transparency at a time when arguably it is needed most. More often than not, the truth will come out, and the lengths Uber went to in paying off hackers to delete the data and keep the breach secret were a huge violation of public trust. The case with Uber is worsened by the very nature of the personal information the company has access to and that was unfortunately exposed: names, email addresses, phone numbers, and driver’s licences. If public safety were their number one priority, they would have ensured they were protected not only from a security standpoint but from a privacy management one too. With the appropriate steps laid out clearly, a company would not only extinguish the fire but, most importantly, would minimize the damage to customers.

Consumer impact: another important consequence of a data breach

Data breaches can have very hefty financial implications for a consumer. A consumer will spend on average about 20 hours and $770 on lawyers and time lost to resolve the case when they find themselves on the receiving end of a data breach.

According to PwC’s Consumer Intelligence Series, 92 per cent of customers want companies to be proactive about data protection. Although consumers want both companies and government to be involved in data protection, over half of respondents believe companies bear the larger share of responsibility. In industries as wide-ranging as finance or tech, businesses are playing catch-up when it comes to enforcing an effective privacy framework.

The most dangerous misconception consumers can have when it comes to data privacy is eschewing their share of the responsibility. Consumers have a stake in how they control their personal data and they need to act on it.

Lessons to learn

These are some of the takeaways on what to do if you find out your personal data has been compromised by a cyberattack or a privacy breach incident:

Stay alert and be proactive

First and foremost, make sure you know what businesses have your data and how they use it. If you receive letters or emails from companies you don’t recognize, call them and ask them how they obtained your information.

If a company informs you of a breach, change your account passwords, be mindful of phishing emails and if you believe your credit or debit card numbers have been compromised, reach out to the credit card company or banking institution and request a new card. Keeping an eye on your credit score for a period of time doesn’t hurt, either.

Make a complaint to the appropriate regulators

In Canada, there are different regulators responsible for ensuring that personal data is managed appropriately. If you feel a company is not using your personal data as per your expectations, or if you believe your data has been compromised, you have the right to reach out to the Office of the Privacy Commissioner of Canada or to the local privacy authorities in your province.

In the case of complaints about email communications, Canada’s Anti-Spam Legislation (CASL) is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), which takes these complaints very seriously.

Ask the organization for identity theft monitoring services

When there is a data breach and an organization notifies you, in most cases it offers identity theft monitoring services. If it doesn’t, demand that it provide such services, since you are certainly at a higher risk of identity fraud and the implications that this carries. Identity theft monitoring usually includes insurance that will cover any costs related to an identity theft incident, so it is very important to ensure you are protected.

Request the organization to erase your data

If you experience a breach and you don’t feel you will do business with this company again, whether due to a lack of trust or simply because you are no longer interested, ask them to erase whatever personal data they hold that belongs to you. That way, if an incident occurs in the future, you are not impacted by it again.

Moving forward in the cyber world

The digital world has provided great opportunities for organizations and consumers to work with each other more efficiently. When done right, this dynamic can help establish long-lasting loyalty from consumers whose lives are made easier by companies that provide them with personalized products and services.

However, protecting personal data is paramount in moving forward to continue fostering this trust and loyalty. The world of cyberattacks is here to stay, and my advice to consumers is to stay vigilant — and remember that you have options. Ultimately, protection of your personal data is in your hands.

Also on HuffPost:

The state of Israel’s cybersecurity market

The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.
Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups, with dozens of…

Uber data breach includes UK users — but it’s still not clear how many

The UK’s digital minister has said the October 2016 data breach that Uber disclosed this week does affect UK users — though it’s still unclear how many are impacted at this stage.

Senators push to ditch social security numbers in light of Equifax hack

Eyeing more secure alternatives to social security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon Chief Privacy Officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that social security numbers have got to…

Equifax hack being probed by UK’s financial watchdog

The fallout from the massive Equifax hack, publicly disclosed last month, continues: Today the UK’s financial watchdog said it also wants to get to the bottom of what happened.

Federal watchdog tells Equifax—no $7.25 million IRS contract for you

The Government Accountability Office (GAO) on Monday rejected Equifax’s bid to retain its $7.25 million “taxpayer identity” contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

At its core, the Equifax-IRS ordeal reveals the strangeness of the government contracting system. That’s because Equifax wasn’t even originally chosen to continue its contract with the IRS’s Secure Access online program, which enables taxpayers to store and retrieve online tax records. But because Equifax protested when the agency gave the contract to rival Experian for a fraction of the cost, the IRS said contracting rules demanded that it offer a “bridge” contract to Equifax until the GAO sorted out the protest.

The GAO sorted everything out on Monday. It set aside the challenge from Equifax, which contended that Experian, whose bid was worth up to $795,000 annually, didn’t have the technological wherewithal to verify taxpayers signing up for the Secure Access program.

After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

Last week we brought news that the Internal Revenue Service awarded a $7.2 million contract to Equifax to allow Equifax to “verify taxpayer identity.” The contract was awarded days after Equifax announced it had exposed the personal data, including Social Security Numbers, of about 145 million people.

The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates which, when clicked, infected visitors’ computers with adware that was detected by just three of 65 antivirus providers. The development means that, at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other “tax account tools” to those who have signed up.

An “alert” on the IRS website says the Secure Access service “is unavailable for new users at this time.” The alert notes that taxpayers who already have an account can “continue the login process.”

Equifax rival TransUnion also sends site visitors to malicious pages

Equifax isn’t the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said a TransUnion site serving people in Central America is also sending visitors to the fraudulent updates and other types of malicious pages.

As Ars reported late Wednesday night, a portion of Equifax’s website was redirecting visitors to a page that was delivering fraudulent Adobe Flash updates. When clicked, the files infected visitors’ computers with adware that was detected by only three of 65 antivirus providers. On Thursday afternoon, Equifax officials said the mishap was the result of a third-party service Equifax was using to collect website-performance data and that the “vendor’s code running on an Equifax website was serving malicious content.” Equifax initially shut down the affected portion of its site, but the company has since restored it after removing the malicious content.

Now, Malwarebytes security researcher Jérôme Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins. The attack chain remained active at the time this post was going live. Segura published this blog post shortly after this article went live on Ars.
