It seems like a day doesn't pass without a new data breach. Take the iOS debacle back in March, for instance, where it was reported that the iOS X app was sharing crash reports with the platform even if users had opted out. It's a bad look but, with so many of these occurrences popping up, it's easy to become numb to the news.
It doesn't help that it's hard to visualize where we, the individuals, come into the equation. Sure, it's our data being stolen and leaked, but the press often focuses on the business side of things, which can lead to a personal sense of detachment about the consequences of breaches.
I'll walk you through what a data breach means for you, why you should care, and what to do if you’re involved in a leak.
What is a data breach?
Let's start at the beginning. A data breach happens when personal data is unlawfully disclosed, accessed, lost, altered, or destroyed via a cyber attack or other nefarious means, like phishing scams. They can be accidental or calculated attacks, and range massively in scale.
According to the 2024 Verizon Data Breach Investigations Report, 68% of data breaches involved a non-malicious human element—like someone falling victim to a scam or social engineering tactic.
How do data breaches happen?
Some data breaches are purely accidental (which doesn't take the sting out of being involved in one, of course). If a co-worker checks out a file on your computer without having the right authorization, that's a breach, even if they don't blab about what they saw.
Of course, some employees do this sort of underhanded snooping on purpose, either to hurt the companies they're working for or to make a bit of money by selling what they find (like identifiable information or intellectual property) to brokers.
A phishing attack usually takes the form of a text or email that aims to dupe you into clicking a bogus link, downloading a dodgy file, or otherwise handing over identifiable information.
Criminals outside of a business aim for data, too, and these are the stories that most often make the news. They'll employ a variety of techniques to get what they want—and can plan their digital heists months in advance. Criminals keep an eye on their target business, watching for vulnerabilities, overdue updates, or employees who might just be susceptible to a phishing attack.
Then, when the criminals worm their way into the corporate network, they can rifle around for the juiciest files and data like your name, address, email, phone number, and even your recent purchases, which they'll sell to interested brokers.
What are the consequences of a data breach?
Click into any news story about a data breach and you'll often see how the company has been impacted. Maybe they've lost millions of dollars, been lumped with a lawsuit, or are implementing new security measures. The cost to us mere mortals tends to get glossed over.
The truth is that, armed with your login details, a cybercriminal can wreak havoc.
Even though I, and other privacy advocates, beg on our hands and knees for folks to use different passwords for different accounts, lots of people don't. You're making a hacker's day, though, because the first thing they'll do if they get hold of your password through a breach is check to see if it'll work on other sites, too. It's called credential stuffing—and it can escalate the impact of a breach.
So, you might not be overly concerned if you receive an alert about an ancient Facebook account being involved in a breach, but if you've used the same password for years, that old account could lead criminals right into your banking apps.
Criminals that wiggle their way into your email account can change the password without you realizing it right away, and then do their best to force access to your other accounts.
One of the most devastating consequences of a data breach is identity theft. It's wickedly easy for a criminal to pretend to be you online, and if a breach has informed them of your personal information (like your name, address, and date of birth), they pretty much have all the tools they need to dupe security questions, embroil you in legal trouble, take out dodgy loans in your name, and buy all sorts of expensive stuff for themselves that you'll pay for.
What you can do after a data breach
If you're doing your daily scroll through X, Facebook, or Reddit and notice that a service you use has been involved in a data breach—don't panic. There are a few things you can do to (hopefully) get ahead of the criminals behind the attack.
Companies don't want to admit they've suffered a breach—it's embarrassing. Instead, head to haveibeenpwned.com to see if you need to take action.
Take a look at the story to get a sense of how serious the breach was, but remember, sometimes a company won't share all the details of the incident, either to save face or because the scale is currently unclear.
Then, it's time to brush up on your digital privacy habits:
- Beef up your passwords: you knew this one was coming. Log into the affected account and change the password as soon as you can—as in, right away. This thwarts credential stuffing attacks that try to log in to sites by cross-referencing popular passwords with stolen account details. Remember, use numbers, symbols, and the weirdest non-dictionary terms you can think of—and a password manager can even generate rock-solid passwords for you.
- Use two-factor authentication (2FA): a vital tool when it comes to preventing criminals from taking over your accounts and should be enabled whenever it's available. It requires you to log in with your password and a code that'll be messaged to you, meaning a stolen password is just about useless on its own.
- Keep an eye on your account: if you think you might've been affected by the breach, hop over to your banking app and take a look through your recent transactions. If you spot anything suspicious, report it, and set up alerts that'll notify you about any account activity.
- Rein in the oversharing: stranger danger doesn't exist on the internet anymore, and we're all prone to sharing details of our lives online. Snippets of everyday life, career updates, announcements about new houses or trips—criminals can use it all to impersonate you and force access into your other accounts. Plus, our blasé attitude to data sharing can desensitize us to the real impact of breaches.
- Invest in a VPN: While a VPN can't keep companies from being targeted by criminals, it can keep your data safe as you go about your day-to-day browsing. The best VPNs create an encrypted tunnel between your device and the wider web and, when your data travels to and fro through it, it's encrypted, and unreadable to any would-be snoopers.
