FAQ: What to do if you are caught in a data breach

How do you even check that you’re affected when companies themselves can take days or even weeks to confirm a breach? If you are affected, what do you do next? Who can you contact for assistance in what is often a traumatic time?

Luckily, we were able to reach out to Jacqueline Jayne, security awareness advocate for the Asia-Pacific region at KnowBe4, for some expert advice. We wanted a no-nonsense guide that every Australian can follow, with basic steps to confirm what information of yours may be out there and a set of answers to frequently asked questions most people have when they discover they’ve been part of a data breach.

If you’ve been caught up in the recent spate of breaches, we hope this information can provide some answers as well as some peace of mind.

The data is out there

Every day for many years, customer data has been breached and stolen. Most of this data has been what I refer to as ‘basic data’, such as our names, dates of birth, addresses, emails, phone numbers, employment history, credit card numbers, and their expiry dates. All you need to do is visit www.haveIbeenpwned.com and enter your email(s) and mobile numbers to uncover just how much information is already out there that has been part of current and past data breaches.

Note: Please don’t be alarmed when you do this, as you will find a lot of your information is already available to cyber criminals as part of previous breaches. Continue reading for what you can do to reduce your risks.

What we see now is the next level of data being breached and stolen, affecting millions of Australians. Data called ‘unique identifiers’, such as Medicare numbers, passport numbers, driver’s licence numbers, tax file numbers, and the CVV number on the back of a credit card or an account number for a service such as electricity, gas, or phone.

It’s these unique identifiers that cyber criminals want more than anything. They can add it to the basic data they already have and then use it for fraudulent activities and even steal our identities.

Think of it as your profile that continues to be added to as you share information online, and your basic data and unique identifiers are added to the profile as new breaches occur. Some recent breaches have also included health records, which can be very sensitive and private, adding considerable stress and concern to any of us involved in a data breach.

VIEW ALL

FAQ: What to do if your data is part of a data breach

1. Contact the organisation directly via email requesting information about the breach. Ask if your data was involved and, if it was, what data was included.

2. Be on high alert for any incoming communication (phone, text, or email) with:

• A request for confirmation of your personal information
• A demand for payment to stop personal information from being made available on the dark web.

NOTE: Cyber criminals are opportunistic, and even those not part of this data breach will pretend to be the ones with your data to extort money from you. This is exactly what happened in 2022, when a scammer attempted to use data from the Optus breach to extort money from 92 customers.

3. If the breach involved using a password to log in, change your password immediately.

4. What if I receive communication that someone has my data and is demanding I pay a ransom to prevent it from being leaked on the dark web?

• Ignore it – the desire and curiosity to discover more is not worth the risk.

5. The nature of your data included in the breach will determine your next steps.

• Basic data such as your name, address, phone number, email address and date of birth are already in the public domain. Be aware from this point on what you share online.
• Medicare number and driver’s license are unique to you, and these can be used for identity theft and other fraudulent activities. If this data has been stolen, you must get a new Medicare card and/or driver’s licence.
• Financial data such as credit card details can also be used for fraudulent activities. If this data has been stolen, contact your financial institutions to inform them, cancel the card, and get a new one. Monitoring your bank accounts and credit reports is also a good idea.

6. What if my health records are leaked?

• This is a tough one as it’s not as if you can go and get new health records.
  

7. What if I think my identity has been stolen?

• If you are in Australia or New Zealand, contact the folks at IDCARE https://www.idcare.org/.
  

Remember, the likelihood that you will become a target of unrelated phishing (malicious emails), vishing (malicious phone calls), and smishing (malicious SMSs) will significantly increase as more of your information is made available to cyber criminals and scammers alike.

Practical tips to keep yourself safe online

1. Get a password manager: If you have more than 20 login combinations of usernames and passwords, get yourself a password manager tool so you only have to remember one strong passphrase. There are many to choose from.

2. Enable multi-factor authentication (MFA) with as many logins as possible: MFA gives you a second layer of authentication and protection from cyber criminals. Once you have entered your username and password (first authentication), a second authentication is required to access your account or app. There are a few options when it comes to MFA. The best choice for most of us is to use a third-party authenticator app such as Google Authenticator or Microsoft Authenticator. There is also the choice of getting the code sent to you as an SMS or via email – these are not the preferred options. However, if a third-party app is not a selectable choice, then SMS is your next option, followed by email.

3. Update software: This includes the software that runs your devices, laptops and all the software and apps you use on all your devices.

4. Back up your data: Make sure you take the time to back up your important information, data, photos and memories.

5. Be extra vigilant:

• If something sounds too good to be true, it probably is.
• If in doubt, don’t.
• If incoming communication (phone calls, SMS or emails) sparks an emotional response (fear or urgency), STOP and breathe. It’s more than likely a scam or an attempt to trick you. It’s better to be safe than sorry.
• If it quacks like a duck, walks like a duck – it’s probably a duck.
• As we say in the world of tech, TRUST AND VERIFY – always.

Will we be able to avoid these breaches?

In short – no.

Most IT teams in organisations worldwide, including in Australia, are, for the most part, doing everything they possibly can to protect against cyber attacks. No matter how good and advanced they are, cyber criminals still prevail – the question is why.

To give you an answer, we should look at a non-cyber analogy for a moment – driving a car. You can be the safest driver in the world, have the most secure and safe car in the world, be driving on the best roads, supported by the best tires, and despite your best efforts, you can have an accident. How about securing your house? You can have a ridiculously secure perimeter, guards, alarms, and locks everywhere, and if someone wanted to break in, they could tunnel under the ground to gain access – if they wanted to.

As consumers, we must accept that our basic data is already out there, and unique identifiers have a very high chance of being caught up in a data breach. We need to apply more levels of protection and basic cyber hygiene and realise that cyber security is everyone’s responsibility.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.