Your Data Was Compromised; What You Don’t Know

How Long Is Too Long

If you’ve never received an email letting you know your data was compromised, consider yourself lucky. I’ve had three within the past five years (one of which was within the past week). They’re all the same: carefully worded non-apologies for the leaking of your personal information.

A lot of the time, the notification comes months after the breach is discovered. The company spends the first weeks and months trying to secure its systems, then talking to lawyers, police, its board, etc. about the best course of action for litigation or mitigation. Next it spends time regathering all its information and reconfiguring its security. Finally, you’re notified. The process takes months.

In the case of Bannock County, Idaho, the time span was 8 months to be exact. In June of 2020, the Bannock County Courthouse was the victim of a data breach that affected 1,500 people in 12 states. Last week, the county began mailing out notices for people whose address they had on file.

Looking at that timeline begs the question: how long is too long?

Repercussions

Notifications for the theft of your personal data try to downplay the severity. They often tell you that there’s no reason to think any of the compromised data has been used. But how can that be tracked?

After 8 months (or 4 months or a year) without knowing that your information was exposed, there’s no way to go back and look at every event that may have been a repercussion. Did your credit go down 15 points? Have phishing emails increased in your inbox? Did your bank or credit card notify you that there was unusual activity? Are you now receiving more spam calls?

Any, all, or none of these could be a result of a data breach. The problem you encounter, however, is that you can’t go back and look at every event. It isn’t possible to investigate, and that’s what the entity that was breached is hoping.

No business, educational institution, or government office wants to be responsible for your identity theft. They’re already spending money to fix the problem; they certainly don’t want to deal with a lawsuit on top of it.

The Stigma

It’s easy to become frustrated and demand that the information be sent out immediately. Don’t get me wrong, I agree it should, but there are reasons why an organization may keep it secret for a long stretch of time.

There’s a stigma surrounding attacks. Whether it’s a disgruntled employee accessing company information or a ransomware attack, the victims often blame each other. It’s easy to point to an organization, like Bannock County, and get angry at the leaking of personal information.

Like I mentioned previously, organizations don’t want to deal with backlash. This is a major reason why most wait until everything is back in working order to announce any disruption. It’s easier to say, “all this time and nothing’s happened,” than it is to say, “hey, we have to monitor your identity now.”

Human Error

There is some weight to the stigma of a data breach. Almost every time, it’s a result of human error. An employee with limited technical knowledge could have clicked on a phishing email link. Maybe a password change wasn’t done as scheduled. Administration could have forgotten to disable a former employee’s credentials. Whatever opened the door, however, was most often because of a person’s misstep.

Someone will argue that I can’t be sure that almost all security breaches are due to human error. That person would be right. I can’t be sure. And that’s mostly because there’s such a lack of transparency when security is compromised.

The Transparency Revolution

Currently there’s almost no regulation of security-related events. Whether it’s an inside data breach or a ransomware attack perpetrated by a well-known piece of malware, there are no guidelines on what to do afterwards. Everything is left up to the organization’s discretion.

In Europe, some are arguing that paying the ransom should be illegal. Among other issues, paying a ransom only makes the idea of ransomware more attractive to criminals. It also allows there to be even more secrecy around attacks.

Some have called for the outlawing of Bitcoin. Since it’s unregulated and the favorite payment method of criminals, they reason it removes the ability to pay. (This isn’t a great solution. There are over 1,600 forms of cryptocurrency and another one will rise if Bitcoin falls.)

Many people advocate for the increase in security, security training, and standards of protection. I’m on this train. The more real and valid education you have on ANY subject, the better you’ll be equipped to deal with it. Increased security is never a bad idea.

We could argue specifics until we’re blue in the face, but one thing we should all agree on is increased transparency. Along with that transparency should come strict timelines for notifying the real people who are compromised when these events occur. That’s a starting point.

Humans learn through observation. We can’t learn if we can’t see what’s happening. Whether that’s the inner workings of the security system that was in place when the attack happened, or the knowledge that we have to monitor our personal identity for possible compromises, it all comes down to knowing the specifics. Transparency really is key to defeating security breaches.

You Don’t Know What You Don’t Know

We’re getting a little better every day. We learn a little more. If you’re a regular reader, you should know some tips for spotting phishing. You’re also getting better at securing your personal information. The more you learn, the safer you get.

But we don’t know what we don’t know. When the timeline between a breach and notifying people is so long, it’s hard to backtrack. So that’s our hurdle. We have to push for regulations that mandate how long an organization has before they notify people. It’s up to us to demand better stewardship of our sensitive information.

Join the conversation. Leave a comment below or hop over to one of our social accounts to talk about your experiences with data breaches and what ideas you have for keeping America more secure.

Until next time, stay safe out there.

Photo by Niklas Rhöse on Unsplash


9 thoughts on “Your Data Was Compromised; What You Don’t Know”

  1. One aspect which I have not seen emphasized is where data are stored. I use a POP-3 mail client, which removes my data from my ISP’s server. (Yes, both the ISP and the security services can, (and almost certainly do), monitor the traffic. But it is not exposed to hackers in longer term storage. ) I use MS-Word locally, on my individual computer. I don’t even back up to the cloud – I use a local external H/D. No hacker is going to be interested in going after one small player; they are going to go for the largest collection they can find. As Willy Nelson is credited with saying, (he didn’t…), when asked why he robbed banks, “That’s where the money is”

  2. For years I used IncrediMail for an email client. I even paid for a license. They had a breach, I believe it was 7 or 8 years ago. I still haven’t been notified. I found out by way of a website I got from Avast that checked email accounts, but it was too late. I reamed IncrediMail via email since I couldn’t find a number for them and removed the program from my computer. To this day I have never even got so much as a response from the many emails I sent them. A tech from Avast also had me drop the email account and create a new one as well as notify my bank and credit card company. Approximately 3 months before I found out, my bank account was wiped out and my credit card maxed out. One from a place in North Africa and the other from Pakistan, and within minutes of each other. Still paying off the credit card. These companies and organizations should be forced to contact anyone they deal with about a breach not months or years later but within a week or two. Even if the person’s info wasn’t involved, it would give everyone a chance to take necessary precautions beforehand... not after it’s too late.

  3. Our Tax accountant informed us that on February 5th, 2021 their business was the victim of a single cyberattack, known as ransomware. That was a month ago. We were advised to place a fraud alert on our credit files. Is there anything else we should do to protect ourselves?

  4. I get so many phishing email and phone calls it is just nuts. The only thing I can think of doing, is to change my email address and phone number, but I’m sure that would only be a temporary fix.
    What can we do?

  5. A largely unexplored area of data security involves IT asset disposition (ITAD). Organizations constantly replace outdated computers, servers, laptops, copiers, and countless other types of electronic devices to keep up with technology and enhance worker productivity. This rush to upgrade, however, creates a challenge: large numbers of excess electronics must be managed and disposed of properly. Very few companies have adequate controls to prevent unwanted assets from walking out the door. Most breaches go undetected and therefore undisclosed. ITAD is the most overlooked aspect of data security. When companies cannot account for the assets containing the data, they cannot credibly claim to have protected the data. The next time you receive an alert that your privacy has been compromised, think about ITAD.

  6. I was always taught that you admit your failures, and I think in this case, the sooner, the better, period! I don’t care whose fault or misstep it was, the person who loses their identity takes the brunt of the event. THAT is who the perpetrator is looking to harm in the long run.

  7. Quote: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

    Quote: These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity….

    So why not impose the same rules on all the companies, entities or agencies?

  8. Data compromising can be stressful, not to mention fear-inducing, so it’s important to know how to protect oneself. Most tech companies prioritize security and it’s easy to see why, especially as third-parties and hackers become more sophisticated with their methods.
