Any data breach involves at least three parties. Unfortunately, if your data leaks in such an incident, you have to take action. Understanding the other two parties in the incident, the criminals who steal your data and the businesses that leak it, will help you do more to avoid further trouble and to claim your rights so as to reduce possible losses.
How cybercriminals steal data, or how businesses keep data from leaking, is too complicated for most people. We leave those details aside for legal and technical reasons and start from the point where a data breach has just happened. We will look at what steps the criminal and the business take after a data breach, and from those the actions you should take accordingly.
1. The criminal's next step with the stolen data
In general, a massive data breach does not target particular individuals; an attack that does is spying rather than a data breach. The final goal of cybercriminals is to make money, so the stolen data is typically sold on the Dark Web, a part of the Internet reserved for those on the dark side. In other words, ordinary people cannot find any trace of the stolen-data market through Google or similar search engines.
Although the Dark Web is not visible to most search indexes, you can access it with a special kind of browser called Tor Browser. Its dark markets, where criminals traffic all kinds of illegal goods, look and feel a lot like typical online shopping sites. Cybercriminals buy and sell illicit drugs, guns, pornography, and your data there. Massive amounts of data need a large market to consume them.
The largest known stolen data package found online, all 87GB of it, was discovered in January 2019 by Troy Hunt, creator of Have I Been Pwned (HIBP). The package, known as Collection 1, included 773 million emails and 21 million passwords merged from multiple known data breaches. In other words, this data was not new. Cybersecurity author Brian Krebs found that all of the data in Collection 1 was at least two to three years old.
Is stale data from an old breach worth any money? Yes: in Collection 1, each password was asking .000002 cent.
Then who are the buyers? They are cybercriminals too. Stale data is still valuable to them for exploiting victims. Common uses include:
Using an old login to trick you into thinking someone has hacked your account, for example as part of a phishing attack.
Using a stolen login from one site to break into your account on another site. If you reuse passwords across sites, you are exposing yourself to this danger.
Using a list of emails, user names, and passwords obtained from a data breach to send automated login requests.
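The automated login requests described above leave a recognisable pattern on the defending side: one source failing against many different accounts within a short time, roughly one attempt per account. The Python below is an added example, not part of the original article, that flags that pattern in a constructed authentication log and lists the accounts whose reused password actually worked (the log format, addresses and names are invented for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system):
# "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 alice FAIL
2019-01-17T10:00:02 203.0.113.7 bob FAIL
2019-01-17T10:00:02 203.0.113.7 carol FAIL
2019-01-17T10:00:03 203.0.113.7 dave FAIL
2019-01-17T10:00:04 203.0.113.7 erin OK
2019-01-17T10:00:05 198.51.100.4 alice FAIL
2019-01-17T10:02:00 198.51.100.4 alice FAIL
2019-01-17T10:03:00 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn the log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_credential_stuffing(events, window=timedelta(seconds=60), min_users=4):
    """Return {ip: sorted users} for sources that failed against at least
    min_users distinct accounts inside one sliding window. A user who
    mistypes one password repeatedly never crosses the distinct-account bar."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures older than the window
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that signed in successfully from a flagged source: the
    password from the breach list was reused here and must be reset."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "OK"})
```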
2. Laws for businesses that suffer a data breach
Businesses or companies that leak information are responsible for limiting further losses as soon as they know a data breach has happened.
Data breach news arrives one item after another. One possible reason the number of data breaches, especially publicly reported ones, appears to be growing is that we communicate about data breaches more actively and openly than before. Many governments around the world have put laws in place requiring organizations to disclose a data breach promptly, which helps victims take action to avoid further losses.
As of 2018, all 50 US states have data breach laws that force organizations to disclose data leakage as soon as possible. These laws vary from one state to the next, but the steps below are ones any organization involved in a data breach must take:
Inform the victims affected by the data breach as soon as possible.
Report to the government as soon as possible; usually that means notifying the state's attorney general.
Pay a fine.
California was the first US state to regulate data breach disclosures, in 2003. Anyone at the center of a data breach must notify affected victims without unreasonable delay, and those victims can sue for up to $750. Meanwhile, the state's attorney general can impose fines of up to $7,500 per individual case. Since 2020, the CCPA grants California residents stronger and clearer rights to guard their privacy.
Similar laws exist not only in the USA but also in many countries in Europe, Asia, and other regions. Facebook is an example of how the EU's General Data Protection Regulation (GDPR) works. A software bug gave Facebook's app developers unauthorized access to the photos of around 6.8 million users. However, Facebook did not report the breach for two months. For that delay of about 57 days, the company may have to pay up to $1.6 billion in fines under GDPR.
3. What a victim should do on learning of a data leak
Before we address that question, another may be more challenging: how to find out whether my data has leaked. If the news mentions that a website or online service of which you happen to be a member has been attacked, you should assume you are a victim of the data breach. However, less than the top 1 percent of significant data breaches ever make the news. So before we get into the steps for responding to a data breach, you may want tools to check for any data breach involving you. For example, here you can enter your email address and check whether it appears in any reported data breach.
Of course, any tool or method has its limits. In particular, a data breach is rarely discovered quickly; usually the leak becomes known only after a year or more. This means that you, as a victim of a data breach, have little chance of knowing about the danger during that delay.
However, we strongly recommend catching a data leak as early as possible. Once your data has been compromised, it will probably be compromised again.
Even if you know your leaked data is floating around on the Dark Web, you cannot stop it completely. Instead, you can invalidate it. The steps below may help you deal with stolen data.
Reset the password for the compromised account and for any other accounts sharing the same password.
Monitor your credit accounts, look for any suspicious activity, and consider a credit freeze.
Watch your inbox; the primary consequence of an email breach is scammers sending out phishing emails.
Consider free credit monitoring services. It's worth noting that services like LifeLock and others will notify you if someone opens a line of credit in your name.
Use multi-factor authentication (MFA), which means you need a password and one other form of authentication to sign in.