About a year after Equifax’s monster security breach that compromised 147 million people’s data, more news came out about exactly how damaging the hack was for those involved.
Millions of people’s sensitive personal information was exposed, including: dates of birth (146.5 million), Social Security numbers (145.5 million), addresses (145.5 million), gender (27.3 million), phone numbers (20.3 million), driver’s licenses (17.6 million), email addresses (1.8 million), credit and debit card numbers and expiration dates (209,000), tax IDs (97,500), and driver’s license (27,000).
According to Jason Glassberg, co-founder of Casaba Security, your Social Security number is probably the worst thing to get compromised, and it was the most affected part of the Equifax breach.
“This is the key to everything, so losing it will lead to long-term — if not permanent — identity theft and fraud risks,” says Glassberg. “Hackers are constantly reselling PII (personal identifying information) in the dark web, so a data breach in 2009 can still result in victimization in 2019 — and beyond.”
It’s very difficult to get a new Social Security number, though it is possible. According to the Social Security Administration, it “may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it.”
However, you have to provide evidence not only that the activity is happening but that it’s causing you significant continuing harm.
A different worst-case scenario
A compromised Social Security number is really hard to deal with in the long term, but the consequences are somewhat vague: compromised credit, for example. You’re left looking over your shoulder for identity theft and the possibility that your credit score could get dinged, potentially costing you a favorable interest rate on a loan.
Bank account numbers and debit card numbers, however, are easier to deal with, but have a huge downside.
“When a bank login is lost, that gives the criminal total control of the account,” says Alex Hamerstone, GRC (governance, risk, and compliance) practice lead at TrustedSec. “That enables them to carry out larger transfers and transactions without any set limits — as compared to trying to cash out cards through an ATM.”
In these cases, getting money back can be a nightmare. And if your debit card information is stolen, you often have to wait to get your money back; with a stolen credit card number, the cardholder just has to tell the bank to waive the fraudulent charges.
In general, however, if you catch hacked card numbers quickly, it’s simply an inconvenience.
Consumer medical information “is another area that could have a large personal impact, beyond the financial,” says Hamerstone.
Hamerstone notes that if you check Privacy Rights Clearinghouse, which monitors hacks, it’s easy to see how often this type of data gets compromised, often in run-of-the-mill hacks targeting Social Security numbers to sell on the dark web.
“They could also use this information to carry out extortion or to simply dump the information on the web for the purpose of embarrassing or humiliating people and institutions,” says Hamerstone. “For instance, Quest Diagnostics reported a massive breach earlier this summer. In this case, lab results weren't affected, but what if they had been?”
Quest is a large company, and Hamerstone is concerned that small doctor’s offices that don’t have a strong security budget may suffer incidents that result in blackmail.
“I'm pretty sure we'll see these incidents happen at some point — it’s just a question of when,” says Hamerstone.
Glassberg has a word for this: “diagnosis extortion.”
The next category of leaked info is easy to imagine — it’s happened before with Ashley Madison, the dating site for married people.
Exposed names and email addresses from dating websites could pose a huge problem.
“Just being able to link a person to one of these sites and services could be enough to ruin their marriages or relationships, and cause them untold emotional and psychological trauma,” notes Hamerstone. “People commit suicide over this type of breach.”
Glassberg adds that any time you have a business that provides “discreet services,” the possibility for extortion is present. This is premium information that paints a target on these sites, attracting cybercriminal groups.
It’s not only websites, however. Hamerstone pointed out the myriad iCloud and Google Photo leaks that resulted in private photos hitting the web, something that especially affects women. Any breach of login credentials can cause this to happen.
This is another reason why it’s so important not to reuse passwords. “A password can be more dangerous to lose than a debit card number — particularly if it's linked to an important account, like email or an e-commerce account,” says Glassberg. “One password usually unlocks multiple accounts, and it can be used to escalate an attack.”
For many people, the keys to their email may also be, or provide, the keys to their bank account.
“Your email account is one of the most dangerous things to lose, since it contains enormous amounts of information about you and is usually linked to all of your other accounts, finances, personal life and so much else,” adds Glassberg.