Any data breach involves at least three parties: the criminals who steal the data, the business that leaked it, and you, the person the data describes. Understanding what the other two parties do after a breach helps you act sooner to limit further damage and to assert your rights. If your data has leaked, you have to take action.
How criminals steal data, and how businesses should store data so that it does not leak, are technical and legal subjects beyond the scope of this article. We start instead at the moment a breach has just happened, look at what the criminal and the business typically do next, and derive from that the actions you should take.
1. What the criminal does next with stolen data
A mass data breach is generally not aimed at any particular individual; an attack that targets one person is better described as espionage than as a data breach. The goal of most breach operators is money, so the stolen data is typically sold on the Dark Web, a part of the Internet that is not indexed by Google or other search engines, so an ordinary person finds no trace of the stolen-data market by searching.
Although the Dark Web is invisible to search engines, it is reachable with the Tor Browser. The dark markets hosted there look and feel like ordinary online shops, but they trade in illegal goods: illicit drugs, weapons, pornography, and your data. A breach of hundreds of millions of records needs a market that size to absorb it.
The largest known package of stolen data found online, 87 GB in all, was discovered in January 2019 by Troy Hunt, creator of Have I Been Pwned (HIBP). The package, known as Collection 1, contained 773 million unique email addresses and 21 million unique passwords merged from many earlier breaches. Security journalist Brian Krebs found that the data in Collection 1 was at least two to three years old. In other words, almost none of it was newly breached.
Does stale data from old breaches still sell? Yes. For Collection 1 the asking price worked out to about 0.000002 cents per password.
Who buys it? Other cybercriminals. Stale data is still useful for exploiting victims, in ways such as:
Quoting an old password in an email to convince you that your account has been hacked, as the hook of a phishing scam.
Trying a login stolen from one site against your accounts on other sites. If you reuse passwords across sites, one breach exposes all of them.
Feeding a list of email addresses, user names, and passwords from a breach into a tool that fires automated login requests at many sites at once (credential stuffing).
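The last two items are what a defender sees as credential stuffing: one source address cycling through a breach list against many different accounts, with only the handful of reused passwords succeeding. The following is an added example, not code from the original article, showing the detection logic a site operator can run over its authentication logs. It assumes a hypothetical log format of `<ISO-8601 timestamp> <source ip> <username> <OK|FAIL>` per line; the sample log lines are constructed for illustration.

```python
"""Detect credential-stuffing activity in authentication logs.

Added example, not code from the original article. Assumes a hypothetical
log format of '<ISO-8601 timestamp> <source ip> <username> <OK|FAIL>' per
line. The signature searched for is one source address trying many
*different* accounts inside a short window with a low success rate, the
pattern a breach list fed into an automated login tool produces. The
successes inside such a window are the accounts whose reused password
worked, i.e. the ones to lock and reset first."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: 203.0.113.7 sprays eight accounts and lands one
# (carol reused a leaked password); 198.51.100.4 is a real user who mistyped
# her password twice; 192.0.2.9 is a normal login. The last line is
# deliberately malformed to show that unparsable lines are skipped.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:03Z 203.0.113.7 carol OK
2024-03-01T10:00:04Z 203.0.113.7 dave FAIL
2024-03-01T10:00:05Z 203.0.113.7 erin FAIL
2024-03-01T10:00:06Z 203.0.113.7 frank FAIL
2024-03-01T10:00:07Z 203.0.113.7 grace FAIL
2024-03-01T10:00:08Z 203.0.113.7 heidi FAIL
2024-03-01T10:01:10Z 198.51.100.4 alice FAIL
2024-03-01T10:01:25Z 198.51.100.4 alice FAIL
2024-03-01T10:01:40Z 198.51.100.4 alice OK
2024-03-01T10:02:00Z 192.0.2.9 bob OK
2024-03-01T10:02:30Z 192.0.2.9 bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
Event = Tuple[datetime, str, str, bool]  # (timestamp, source ip, user, success)


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events; lines not matching the format are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_credential_stuffing(events: List[Event],
                               window: timedelta = timedelta(minutes=5),
                               min_accounts: int = 5,
                               max_success_rate: float = 0.2) -> Dict[str, dict]:
    """Return {ip: summary} for every source address that, within some sliding
    window, attempted at least `min_accounts` distinct usernames with a success
    rate no higher than `max_success_rate`. The summary reports the window with
    the most distinct accounts and lists the accounts that were logged into."""
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        best = None
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_accounts and successes / len(span) <= max_success_rate:
                if best is None or len(users) > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": len(users),
                        "attempts": len(span),
                        "successes": sorted({u for _, u, ok in span if ok}),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts, "
              f"{info['attempts']} attempts, compromised: {info['successes']}")
```

The thresholds are deliberately parameters: a login endpoint behind a corporate NAT legitimately sees many distinct users from one address, so `min_accounts` and the window should be tuned to the site's own baseline before the rule is used to block. The one detail that rarely needs tuning is the success rate: a stuffing run fails almost everywhere, which is exactly what distinguishes it from a shared-address office.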
2. Laws that apply to the breached business
A business that leaks information is responsible for limiting further loss as soon as it learns that a breach has occurred.
Data breach news arrives one story after another. Part of the apparent increase, at least in publicly reported breaches, is that breaches are now disclosed more openly than before: many governments require organizations to announce a breach promptly, so that victims can act to limit further loss.
As of 2018, all 50 US states have data breach notification laws requiring organizations to disclose a leak promptly. The details vary from state to state, but an organization involved in a breach must generally:
Notify the affected individuals as soon as possible.
Report to the government, usually the state's attorney general, as soon as possible.
Pay any fine the state imposes.
California was the first US state to regulate data breach disclosure, in 2003. Since 2020 the California Consumer Privacy Act (CCPA) has given California residents stronger and clearer privacy rights: an organization at the center of a breach must notify affected residents without unreasonable delay, affected residents can sue for up to $750 per incident, and the state's attorney general can impose fines of up to $7,500 per violation.
Similar laws exist outside the USA, in Europe, Asia, and other regions. Facebook is an example of how the EU's General Data Protection Regulation (GDPR) works in practice. A software bug gave third-party app developers unauthorized access to the photos of about 6.8 million users, but Facebook did not report the breach for about 57 days, where GDPR requires notification of the supervisory authority within 72 hours. For that delay the company faced a potential fine of up to $1.6 billion.
3. What a victim should do on learning of a data leak
Before answering that, a prior question matters more: how do you find out that your data has leaked? If the news reports that a website or online service you use has been attacked, assume you are a victim. But fewer than 1 percent of significant breaches ever make the news. So before we get into the response steps, it is worth using a breach-lookup tool: you enter your email address and it tells you whether that address appears in any reported breach. Have I Been Pwned, mentioned above, is one such service.
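The same idea applies to passwords, and the way HIBP's Pwned Passwords lookup is built is worth seeing, because it lets you check a password against a breach corpus without ever sending the password, or even its full hash, to anyone. The following is an added example, not code from the original article or from HIBP itself. It assumes the range-API shape that service publishes (a request for the first five hex characters of the password's SHA-1, answered with every known 35-character suffix and its count); the `SAMPLE_RANGES` table is a constructed stand-in for one such response so that the example runs offline, and the counts in it are made up.

```python
"""Check whether a password appears in a Pwned-Passwords-style breach corpus
without revealing the password: the k-anonymity range lookup.

Added example, not code from the original article or from HIBP. It assumes
the range API shape used by Have I Been Pwned (GET /range/<first 5 hex chars
of the SHA-1>, response lines of '<remaining 35 hex chars>:<count>');
SAMPLE_RANGES is a constructed stand-in for that response so the example
runs offline, and its counts are invented."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample. The real SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 maps to a made-up
# range body in which that suffix carries a made-up count; the other rows are
# invented filler, including one zero-count padding row.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
        "20C2F4B6C1A7A3D4C8C3E2F1D0B9A8C7E65:0\r\n"  # padding row: count 0
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}.
    Padding rows with count 0 are kept; they can never make a password look
    breached because a hit with count 0 is reported as not found."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def fetch_range_live(prefix: str) -> str:
    """Network lookup of one prefix (not used offline). Add-Padding asks the
    service to pad the response so its size does not reveal how many real
    suffixes exist for this prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the live lookup, backed by the constructed SAMPLE_RANGES."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str,
                fetch: Callable[[str], str] = fetch_range_offline) -> int:
    """How many times the password was seen in the corpus; 0 means not found.
    Only the 5-char prefix is handed to `fetch`; the suffix match is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a-long-passphrase-nobody-else-uses"):
        n = pwned_count(pw)
        print(f"{pw!r}: " + (f"seen {n} times" if n else "not in sample corpus"))
```

To query the real service, pass `fetch=fetch_range_live` instead of the offline stand-in. A five-character hex prefix covers 16^5 = 1,048,576 buckets, so the service learns only that your password is one of the several hundred it holds for that bucket, plus every other password in the universe that hashes there; it cannot tell which one you typed. That is why this lookup is safe to build into a password-change form, whereas submitting the plaintext or the full hash to a third party would not be.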
Any such tool has limits. In particular, a breach is often not discovered promptly; the leak may become known only a year or more after it happened, so as a victim you usually learn of the danger long after it began.
Still, we strongly recommend catching leaks as early as you can. Once your data has been compromised, it will very likely be traded and reused, and compromised again.
Even once you know your data is circulating on the Dark Web, you cannot recall it. What you can do is make it worthless. The following steps help:
Reset the password on the compromised account and on every other account that shares the same password.
Monitor your credit accounts, watch for suspicious activity, and consider a credit freeze.
Watch your inbox: the usual follow-up to a leaked email address is a wave of phishing emails.
Consider a credit monitoring service; free ones exist. Services such as LifeLock will notify you if someone opens a new line of credit in your name.
Turn on multi-factor authentication (MFA) wherever it is offered: signing in then requires your password plus a second factor, so a leaked password on its own is not enough.