The trail you leave online

It may be time to treat your personal information as if it were cash.

 

The e-mail came in from a friend, with the subject line “easy stuff.”

“Yo! I’ve found a very easy tutorial on the stuff we were talking about, look here open link,” it said. “Good wishes, Jason Reynolds.”

It wasn’t from Jason (not his real name). Turns out his account was hacked, and that “easy tutorial” was really a trick to suck in all his friends who received the message.

 

 

How did it happen? It can be hard to tell. 

But Jason had a LinkedIn account that he didn’t use much. And after data thieves revealed in 2016 that they had sucked out more than 100 million e-mail and password combinations, his showed up on the victim list.

Using that info, cyber crooks may have taken over his e-mail, especially if he used the same password on LinkedIn as well as other accounts.

“What were learning now is that we leave trails of our information so far across the web, often in places we haven’t been to in years,” said cybersecurity expert Troy Hunt. “And it doesn’t go away.”

“Every single day, there are just dozens of incidents where our data is taken out of the system and very often shared around,” he told Archer News.

 

The e-mail address for “Jason” showed up as “pwned” or “owned” on the data breach search site “Have I been pwned?”

 

‘Pwned’

Hunt’s information has been “shared around,” too.

He runs a site called “Have I been pwned?” where you can check to see if your e-mail has been caught up in one or more of the many data breaches.

“Pwned,” by the way, is hacker lingo for “owned,” as in, “Have I been owned?” or “Have I been hacked?”

Hunt found his own personal data in nine of those breaches, including the Red Cross incident last October where more than half a million blood donors found their information exposed online.

One breach can bring you trouble, as Jason learned. You can lose your e-mail account, your money, and even your identity. 

“Once you take a little bit of data from there, there, there, there,” Hunt said. “And if you start taking all my information from the different occasions and adding it up, you suddenly have a pretty rich profile, including things like passwords.”

 

More than 500,000 Australian Red Cross blood donors had their information exposed online, including data about their sexual activity, according to news reports. Photo credit: Eligius4917 via Foter.com / CC BY-SA

 

Getting better?

LinkedIn, Yahoo, Dropbox—new breaches month after month.

A breach at the London-based TalkTalk communications services company reportedly cost the company $75 million in damages.

Verizon is offering a lot less—$350 million less—to buy Yahoo after massive breaches, Reuters reported.

“These incidents keep happening,” said Hunt. “We keep seeing huge dollar figures costing these companies. But we don’t seem to learn, like it’s not really getting better.”

Many people have a cavalier attitude toward their personal data and passwords. Companies, too.

 

Communications company TalkTalk said a data breach caused millions of dollars in damages. Photo credit: osde8info via Foter.com / CC BY-SA

 

‘Not as big as ours’

Hunt said he found out about a massive data breach of more than seven million customers at a game-related company last year.

When he contacted the company, he said they told them they already knew about it, but decided not to tell the victims.

That could leave millions of people at risk, he said.

Later, the company boasted on Twitter about the large number of victims, after a competing company was breached, too, according to Hunt.

“Nice try, guys, but your data breach wasn’t as big as our data breach. We lost seven million. You only lost six` million,” he said the company tweeted.

“We’ve gotten to the point where you’re just trivializing incidents that have really serious impact on individuals,” Hunt added. “It is a sad state of affairs.”

 

Yahoo reported two large breaches affecting more than 1 billion users in 2016. Photo credit: keyaki via Foter.com / CC BY-SA

 

Cash

It may be time to think of your information—your password, your date of birth, your security questions—as money. After all, the cyber crooks already do.

“We have to start treating data as if it has real value,” said David Gibson of Varonis Systems, who gave a presentation with Hunt at last week’s RSA cybersecurity conference in San Francisco.

In other words, protect it like you would protect your cash. 

Companies should keep track of people’s data in the same way, Gibson said to Archer News.

“Where is the data?” he recommended that companies ask themselves. “If you look at it like a bank, where’s the vault? Is all the money in the vault? Do only the right people have access to the vault? Do we know where people are taking money out of the vault? And the truth is, for most organizations, the answers to those questions are no.”

Why?

The information revolution is moving quickly, not unlike the revolution that took place at the turn of the century, according to Gibson.

When cars took over the streets, society—and safety—took some time to catch up.

“A lot of people got hurt before some of the rules of the roads were established,” he said. “How long did it take for people to know, ‘You wear your seat belts’? It took a lot of damage there and that’s very unfortunate.”

But he said, the mindset is changing—people and companies are beginning to think of information as something to track and protect more closely.

 

Mr. and Mrs. Henry Ford in his first car. From The Truth About Henry Ford, by Sarah T. Bushnell. Public domain in the U.S. via Wikimedia Commons

 

What can I do?

Use multi-factor authentication on your accounts that offer it, Gibson recommended.

For example, you can use it with your LinkedIn account, your Gmail account, your Facebook account and more.

Don’t reuse the same password on more than one account, and use a password manager to keep track of all of your different passwords.

“There’s often this kind of sentiment of, ‘Look, I’m going to leave my information on the site. It’s not a particularly important site. Don’t think too much about it. But I’ve used the same password on my Gmail or my PayPal.’” Hunt said. “What you’ve done is literally given the keys to your account to some other party.” 

Be careful about where you enter your personal data and other details about your life, because it could become public, Hunt advised.

And you can do a ‘spring cleaning’ of the data you control to get rid of stuff you no longer need.  

“I think a lot of people are learning the hard way,” Gibson said. “I think nothing is a better teacher than pain. If you’re a victim of identity theft, if you’ve gone through some of that experience or if you can’t get credit for something that you want, I think that the consequences can be painful enough to potentially get people to change their ways.”

“I just hope that they would learn from other people’s pain before having to experience it themselves,” said Gibson.