This article discusses the scenario where you may have kept your own data perfectly safe while a third party, such as a utility or telecommunications company,
holding your data was breached. Often you will only find out that your data has been put at risk when the third party contacts you. This may be a longer
time interval than ideal, meaning that you could be vulnerable to a number of risks, especially where you use the same password for multiple sites.
How third party data breaches can affect you
Even if you run a tight ship with your own security, it is still possible that you will find some of your data being
compromised through no fault of your own.
In recent times I have been contacted by a large telecommunications company and a large utility company regarding data breaches.
These breaches are fairly common and will see hackers stealing the data of hundreds of thousands of customers directly from large
companies. Under GDPR legislation, companies are obliged to inform customers of data breaches.
This scenario shows how all the parts of the Web Safety Guru training are interlinked. The remedial measures I'll be recommending
fall under section 1 of the course which concerns your password regime and how to protect your data.
But how did the hackers get the information in the first place? On occasions, such as
the alleged US presidential Twitter hack in autumn 2020,
this might simply be because the password was too easy to guess.
Hacks have also resulted from company employees opening the wrong email or falling for a phishing scam (section 2) or
inadvertently downloading a virus (section 3). Hacks may also take place because the victim has
given away too much information on social media (section 5) or had information intercepted over a public network (section 6).
The 2017 NHS hack
was attributed to a vulnerable port and extremely old software.
As any defences are only as strong as their weakest point, the password section of the Web Safety Guru training forms part, but not all,
of a strategy to protect your data. The other sections of the training are all important. You could have a ridiculously strong password which you changed
every day, but if you are sloppy with viruses, emails, social media and networks, you would still be vulnerable to data breaches.
Why password management matters
Take a moment to consider this question. How many accounts do you have on all the websites you use? Chances are it's over 50.
I reckon I have several hundred. Then ask yourself how many different combinations you have for email/password or login id/password.
As I am only too happy to reiterate, your defences are only as strong as your weakest point. If you have 50 user accounts and every one had the same
login and password, a hacker who'd gained access to any one would potentially have the ability to access every account you owned.
And while some of your accounts might be for obscure sites,
a motivated hacker with time on their hands would try the stolen details on numerous major websites such as shopping, social media,
telecommunications and utilities. With a bit of patience they could gain access to your birth date, full address, your list of friends
and your shopping habits. Even a small subset of this data would give a hacker the information necessary to apply for a credit card in your
name. Or they could change your password to shut you off from your own details. Disastrous consequences could ensue. All from your
details being stolen from another site.
I will discuss preventative strategies at length in section 1 of the Web Safety Guru course. You need to know how to minimise the damage
as quickly as possible. It is vitally important that your key accounts all have unique login id/password combinations. This minimises the
number of sites that are compromised by a single breach and enables you to clean up the mess much more quickly.
If a security breach comes to light, the affected website will inform you and advise you to change your password. You would absolutely
need to change your password for all your accounts with the same credentials.
So take a moment to consider this question:
If you had to change your password on a particular site, how many other sites would you also need to change your details on?
Which sites? Do you have some sort of log listing what your credentials are on each website? If you only have these details in your
head, you will never be sure you've changed every password that needed to be changed.
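The question above can be answered mechanically if the log exists. The following is an added example, not part of the Web Safety Guru course material: it keeps a keyed fingerprint of each login/password combination instead of the password itself, and lists every other site that shares credentials with a breached one. The site names, logins, passwords and key are constructed sample values.

```python
import hashlib
import hmac
from collections import defaultdict

# Hypothetical local secret; constructed for this example only.
LOCAL_KEY = b"constructed-demo-key"

def fingerprint(login, password, key=LOCAL_KEY):
    """Keyed fingerprint of a login/password combination.
    The log stores this value, never the password."""
    msg = login.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def build_log(accounts):
    """accounts: iterable of (site, login, password, is_key_account)."""
    return [{"site": s, "fp": fingerprint(l, p), "key": k}
            for s, l, p, k in accounts]

def affected_by_breach(log, breached_site):
    """Other sites using the same combination as the breached site,
    key accounts (banking, cards) listed first."""
    breached = {e["fp"] for e in log if e["site"] == breached_site}
    if not breached:
        raise KeyError(breached_site)
    hits = [e for e in log
            if e["fp"] in breached and e["site"] != breached_site]
    hits.sort(key=lambda e: (not e["key"], e["site"]))
    return [e["site"] for e in hits]

def reused_key_accounts(log):
    """Key accounts whose combination is also used somewhere else."""
    sites_by_fp = defaultdict(list)
    for e in log:
        sites_by_fp[e["fp"]].append(e["site"])
    return sorted(e["site"] for e in log
                  if e["key"] and len(sites_by_fp[e["fp"]]) > 1)

# Constructed sample inventory (example.com-style placeholder sites).
SAMPLE = build_log([
    ("telecom.example", "pat@example.com", "Summer2020!", False),
    ("utility.example", "pat@example.com", "Summer2020!", False),
    ("shop.example", "Pat@example.com", "Summer2020!", False),
    ("bank.example", "pat@example.com", "Summer2020!", True),
    ("card.example", "pat@example.com", "x7#Lq-unique-1", True),
])
```

With this sample, a breach notice from telecom.example means three further password changes, starting with the bank.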
In section 1 of the Web Safety Guru training, I'll explain some techniques for managing your password information in a way that doesn't make
this obvious or easy to find. I'll also explain the additional ways of protecting your data, such as password protecting individual documents
or making them invisible, in case your computer is hacked or stolen. The key thing is that if you receive bad news regarding a security breach
on a specific site, then you are quickly able to activate a plan to limit the damage.
Damage limitation after a third party data breach: key points
Login details for important sites such as online banking and credit cards MUST BE UNIQUE. No duplicates, no excuses.
Keep your software updated. Don't allow hackers the time to exploit loopholes in old software.
Have a plan for what to do if one of your accounts is breached. You will have to move quickly and panic will not be helpful.
Section 1 of the Web Safety Guru training is not merely about telling you to get stronger passwords and change them regularly. It's about helping you develop
a mindset and routines that will minimise the damage if the worst happens. It will also help you stay on top of the increasing number of different usernames and passwords
you will find yourself using.