When it comes to keeping our personal information secure, it’s hard for consumers not to fear the worst.
Just a week after the credit reporting agency Equifax agreed to pony up to $700 million to settle a 2017 security breach that exposed the personal data of 147 million people came Monday’s revelation that a Seattle software engineer and former Amazon Web Services employee allegedly hacked into a Capital One server, putting at risk the data of more than 100 million people in the U.S. and Canada.
It is the largest bank hack ever, consumer watchdog group U.S. PIRG says.
This very likely isn’t the end of it, either.
Noted security analyst Brian Krebs tweeted, “It’s looking likely that CapOne was only one of many organizations whose data was obtained by the defendant in this case. CapOne may be the only one that is public so far though.”
According to IBM, data breaches have collectively leaked more than 11.7 billion records during the past three years alone.
And investment bank UBS says the number of cybersecurity incidents is increasing by 20% to 30% per year.
The troubling aftershock is that most consumers should assume that some combination of their addresses, Social Security numbers, financial accounts and other records has been exposed, if not on the open internet, then on the encrypted Dark Web.
“You don’t always know how the bad guys got your info,” says CreditCards.com industry analyst Ted Rossman. “I would just assume as a consumer that my info is out there.”
(For what it is worth, Capital One claims that no credit card account numbers or log-in credentials were compromised during its own breach, and over 99% of Social Security numbers were not compromised. And though the hack apparently was related to a vulnerability in a firewall on an Amazon cloud server, Amazon refused to take the blame for the breach.)
The sheer scale of the breach also means, of course, that the potential damage isn’t contained, like, say, a bank robbery that happened decades ago would have been.
According to the 2019 Identity Fraud Study from the Javelin Strategy & Research firm, last year showed mixed success for consumers, with an overall fraud incidence rate that fell notably from 2017, ultimately affecting 2 million fewer victims. But the Javelin study also pointed to a resurgence of higher-impact fraud types, which cast a shadow over the progress made in fighting card fraud.
What these latest ruptures reveal is the obvious reality of just how super-glued to digital we have become, and the potential risks associated with that.
It’s not even remotely possible to put the digital genie back in the bottle. Virtually all of us do our banking and investing in cyberspace, and if we haven’t quite given up on cash completely, we appear to be on the way. We not only shop online, but even at stores we typically pay with credit and debit cards and are increasingly using smartphones and smartwatches to complete those transactions. Even our physical wallets would appear to be on borrowed time.
Is the technological innovation and convenience worth the headaches caused by constant data breaches?
Wendi Whitmore, the director of IBM X-Force Threat Intelligence, points to a Harris Poll in which 75% of consumers said they wouldn’t do business with a company that cannot protect their data. But “ultimately consumers still end up doing business with companies post-breach despite this sentiment,” she says.
Here is the damage such breaches do to businesses and consumers.
Effect on companies
Mammoth data breaches bring businesses way more than negative publicity. There’s a real financial cost.
A LexisNexis Risk Solutions study states that for every dollar of fraud, financial services companies incur $2.92 in costs, up from $2.67 in 2017. Such companies not only lose the value of the transaction but rack up various fees, fines and interest related to the fraud investigation and recovery.
Why can’t companies do a better job at securing our data?
“Human error remains a dominant factor in most of the data breaches we’re seeing,” says Whitmore. “Last year, 43% of all data breaches were the result of misconfigured cloud databases likely set up by humans. This is why we’re stressing more investment in the testing of systems, and the use of AI to help identify suspicious behavior on networks.”
Large organizations often have information dispersed throughout their operations and lack visibility into where all their sensitive data resides. “This is a blind spot that is being exposed in many of the data breaches you’re reading about,” she says.
Kyle Marchini, senior analyst of fraud management at Javelin Strategy & Research, noted that Capital One discovered its own breach through regular testing of its systems to detect vulnerabilities. He says companies that consistently scan for weaknesses are able to detect issues faster and patch them up faster.
But it’s an uphill battle. “Every company, like large financial institutions, have big targets on their back because they are processing so many consumers’ data,” he says. “A company has to be able to protect all their data, all their devices, all of the systems, all of the time. A hacker only needs to breach one time.”
Effect on customers
When such a breach happens, identity theft is often the unfortunate result. And the process of recovering is “absolutely on the shoulders of the individual,” says Eva Velasquez, president and CEO of ID Theft Resource Center, a non-profit that helps victims of identity crimes try to do just that.
Velasquez says people too often look to quantify how much money was lost and how much time was spent on recovery.
But until you get it resolved, you may not be able to rent the apartment you want or pass a background check for a job that you’re trying to get, she says. And, “that opportunity may not come back again. How many employers are going to hold that job while you deal with this?”
There’s also an emotional cost. A recent Identity Threat Assessment and Prediction report from the University of Texas at Austin showed that of all the consequences experienced by victims, including financial loss, property loss and reputation damage, a whopping 80% of victims reported emotional distress.
One scary proposition is the ticking time bomb of identity theft a victim may not even know about.
Adam Garber of U.S. PIRG, the watchdog group, says fraud doesn’t necessarily occur immediately after breaches. But that doesn’t mean consumers can breathe easily.
“Sometimes people hold onto it for years before they take action,” Garber says. “So you might not see something tomorrow, but you could see something years from now.”
When Social Security numbers, in particular, are exposed, “that’s your financial DNA” and it enables criminals to open accounts in your name, Garber says.
While data breaches like the Equifax and Capital One hacks make headlines, lower-level, more run-of-the-mill fraud like email phishing and skimming remain popular and target individuals, says Benjamin Preminger, a cyberthreat intelligence specialist at Sixgill. In these instances, it’s on the consumer to protect themselves and to take measures such as not clicking on links in emails without verifying the sender or refusing to accept a Facebook request from a stranger.
Experts also advise consumers to create strong and unique passwords or to use password managers, and to employ two-factor authentication.
In the end, security is a shared responsibility between the company and consumer.
“It’s on us as end users to use these tools,” says IBM’s Whitmore. But we must “ultimately hold the companies we do business with to high standards for security and privacy.”
Follow @edbaig on Twitter; @jannaherron; @NathanBomey