Any data breach involves at least three parties. If your data is leaked in such an incident, you have to take action. Understanding the other parties in the incident, the criminals who steal your data and the businesses that leak it, will help you act sooner and more effectively to avoid further trouble and to claim your rights to limit possible losses.
How cyber criminals steal data, or how businesses fail to keep it from leaking, is too complex for most people. Here we leave out further comment on the law and the technology, and start from the point where a data breach has just happened. We will look at what steps the criminal and the business take after a breach, and at the actions you should take accordingly.
1. The criminal's next step with the stolen data
In general, a large data breach does not target a particular individual; if it does, that is spying rather than a data breach attack. The final goal of cyber criminals is to make money, so the stolen data is typically sold on the Dark Web, a part of the Internet reserved for those on the dark side. In other words, ordinary people cannot find any trace of the stolen data market through Google or similar search engines.
Although the Dark Web is not visible in most indexes, it can be reached with a special browser called Tor Browser. The dark markets there, where criminals traffic in various illegal goods, look and feel a lot like a typical online shopping site. Cyber criminals buy and sell illegal drugs, guns, pornography, and your personal data there. Large amounts of data need a large market to absorb them.
The largest known stolen data package found online, all 87GBs, was discovered in January of 2019 by Troy Hunt, creator of Have I Been Pwned (HIBP). The data package, known as Collection 1, included 773 million emails and 21 million passwords merged from multiple known data breaches. In other words, this data was not new. Cyber security author Brian Krebs found that all of the data in Collection 1 is at least two to three years old.
Does stale data from an old breach still cost money? Yes: in the case of Collection 1, the asking price was .000002 cent per password.
Then who are the buyers? They are cyber criminals too. Stale data is still valuable to them for exploiting victims. The common uses include:
Using an old login to trick you into thinking your account has been hacked; this can work as part of a phishing attack.
Using a stolen login from one site to break into your account on another site. If you reuse passwords across sites, you are exposing yourself to this danger.
Using a list of emails, user names and passwords obtained from a data breach to send automated login requests.
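The last item is what defenders call credential stuffing, and it leaves a recognisable trace in login logs: one source trying many different accounts in a short time. The detector below is an added example, not code from the article; the log format, the five-minute window and the distinct-account threshold are assumptions, and the log lines are constructed.

```python
# Added example (not from the original article): flag credential-stuffing sources
# in login logs. Log format, window and threshold are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one source walks a leaked list (and gets one hit),
# one ordinary user mistypes their own password twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-03-01T10:05:00Z ip=198.51.100.9 user=grace@example.com result=FAIL
2024-03-01T10:05:30Z ip=198.51.100.9 user=grace@example.com result=FAIL
2024-03-01T10:06:00Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct accounts} for IPs that tried at least
    `min_users` different accounts inside `window`. The spread of accounts is
    the signal: a real user retries one account, a stuffing run walks a list.
    Successes count too, since a hit means a reused password matched."""
    events = defaultdict(list)
    for ts, ip, user, _ok in parse_log(text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def compromised_accounts(text):
    """Accounts that a flagged source logged into successfully: reset these first."""
    flagged = find_stuffing_sources(text)
    return sorted(u for _t, ip, u, ok in parse_log(text) if ok and ip in flagged)
```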
2. Laws for businesses that suffer a data breach
The businesses or companies that leak information should take responsibility for limiting further losses as soon as they know a data breach has happened.
Data breach news arrives one story after another. One possible reason for the growing number of data breaches, especially those reported publicly, is that we now communicate breaches more proactively and openly than before. Many governments around the world have passed laws requiring organizations to disclose a data breach immediately after experiencing one, which helps victims take action to avoid further losses.
As of 2018, all 50 US states have data breach laws that force organizations to disclose data leakage as soon as possible. Those laws vary from state to state, but there are steps that any organization involved in a data breach must take:
Inform the victims affected by the data breach as soon as possible.
Report to the government as soon as possible, which usually means notifying the state's attorney general.
Pay some sort of fine.
California was the first US state to regulate data breach disclosures, in 2003. Anyone at the center of a data breach must notify affected victims without unreasonable delay, and victims can sue for up to $750. Meanwhile the state's attorney general can impose fines of up to $7,500 per individual case. Since 2020, the CCPA grants California residents stronger and clearer rights to guard their privacy.
In fact, similar laws exist not only in the USA but also in many countries in Europe, Asia, and other regions. Facebook is an example of how the EU's General Data Protection Regulation (GDPR) works. A software bug gave Facebook's app developers unauthorized access to the photos of around 6.8 million users, yet Facebook did not report the breach for two months. For that delay of about 57 days, the company may have to pay up to $1.6 billion in fines under GDPR.
3. What a victim should do on learning of a data leak
Before we address that question, another one may be more challenging: how do I find out whether my data has leaked? If any news report mentions that a website or online service of which you happen to be a member has been attacked, you should assume you are a victim of the breach. However, less than the top 1 percent of big data breaches have a chance of making the news. So before we get into the steps for responding to a data breach, you may want some tools to check for any breach related to you. For example, here you can enter your email address and check whether it appears in any reported data breach.
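A good breach-check tool should not require you to hand over the very secret you are worried about. The example below, which is added here and is not the article's tool or HIBP's code, walks through the k-anonymity range model used by Have I Been Pwned's Pwned Passwords service, with both the client and server sides simulated locally; the leaked corpus and its counts are constructed, and the real service lives at https://api.pwnedpasswords.com/range/<prefix>.

```python
# Added example (not from the original article): check a secret against a breach
# corpus without sending the secret. The client sends only the first 5 hex chars
# of SHA-1(secret); the server returns every corpus suffix under that prefix; the
# client matches locally. The corpus below is constructed for this example.
import hashlib

# Constructed "leaked" corpus: password -> number of times seen in breach dumps.
LEAKED_CORPUS = {"password": 3730471, "letmein": 263280, "hunter2": 17500}

def sha1_hex(secret):
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()

def split_hash(secret):
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(secret)
    return digest[:5], digest[5:]

def build_range_response(corpus, prefix):
    """Server side: 'SUFFIX:COUNT' lines for every corpus entry under `prefix`.
    The server never learns which suffix the client is interested in."""
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(sorted(lines))

def parse_range_response(body):
    """Client side: parse the response into {suffix: count}, skipping bad lines."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table

def breach_count(secret, corpus=LEAKED_CORPUS):
    """Run the exchange end to end; returns how often `secret` appears (0 if absent)."""
    prefix, suffix = split_hash(secret)
    response = build_range_response(corpus, prefix)  # only `prefix` crossed the wire
    return parse_range_response(response).get(suffix, 0)
```

The same prefix/suffix split works for any hashed secret, which is why a breach-check tool can tell you "seen N times" without ever holding your plaintext.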
Of course, any tool or method has limits. In particular, a data breach is rarely discovered quickly; usually the leak becomes known only after one or more years. As a victim of a data breach, you have little chance of learning about the danger during that delay.
Still, it is strongly recommended to catch a data leak as early as possible. Once your data has been compromised, it will probably be compromised again.
Even if you know your leaked data is floating around on the Dark Web, you cannot stop it completely. Instead, you can invalidate it. The steps below may help you deal with stolen data.
Reset the password for the compromised account and for any other accounts sharing the same password.
Monitor your credit accounts, look for any suspicious activity, and consider a credit freeze.
Watch your inbox carefully: the main consequence of an email breach is scammers sending out phishing emails.
Consider free credit monitoring services. It's worth noting that services like LifeLock and others will notify you if someone opens a line of credit in your name.
Use multi-factor authentication (MFA), which means you need your password and one other form of authentication to sign in.