When it comes to data breaches, 2018 was neither the best of times nor the worst of times. It was more a sign of the times.
Billions of people were affected by data breaches and cyberattacks in 2018 – 765 million in the months of April, May and June alone – with losses surpassing tens of millions of dollars, according to global digital security firm Positive Technologies.
Cyberattacks increased 32 percent in the first three months of the year and 47 percent during the April-June period, compared to the same periods in 2017, according to the firm, which was founded in 2002.
There wasn’t a breach “quite as significant” as the Equifax data breach from September 2017 in which an estimated 143 million Americans faced potential lifelong threat of identity theft, said Marta Tellado, president and CEO of Consumer Reports. “But the sheer volume of breaches of major companies was stunning,” she said.
Breaches and cyberattacks continue to escalate “and it’s not like it’s slowing down,” said Gary Davis, chief consumer security evangelist for McAfee, the California-based maker of antivirus and computer security software.
As consumers grow more accustomed to breaches being revealed regularly – only four weeks ago, Dunkin’, Marriott and Quora each announced one within a span of six days – they tend to either accept or ignore them, Davis says.
With “security fatigue, (consumers) just throw their hands up and say something bad is going to happen, so I should brace myself for it,” he said. “Or they say, ‘It’s not going to happen to me, it will happen to somebody else.’ ”
And several breaches in 2018 were among the largest of all time. Last month, Marriott, the world’s largest hotelier, announced one of the largest-ever breaches involving as many as 500 million people who made reservations at its Starwood properties on or before Sept. 10, 2018. Those customers may have had their personal information accessed in a breach of the Starwood guest reservation database, the company said.
Marriott announced the breach Nov. 19, but said unauthorized access to the database had gone on for as long as four years. Among the data potentially accessed: names, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation dates and communication preferences.
The 2013 Yahoo breach, which affected as many as 3 billion accounts, remains the largest to date. A separate subsequent Yahoo breach also hit 500 million accounts.
Just days after Marriott’s announcement, question-and-answer website Quora said a security breach compromised the data of as many as 100 million of its 300 million users. The data potentially accessed included names, email addresses and encrypted passwords, along with questions and answers posted. The Dunkin’ breach, which made up that late November-early December trifecta, involved only a “small percent” of DD Perks program members having their account usernames and passwords accessed, the company said.
Back in March, sports apparel merchant Under Armour disclosed an intruder had gotten the email addresses and login information of about 150 million users of its food and nutrition website, MyFitnessPal.
Breaches hit other big-name brands, too. In April, Hudson Bay’s, the Canada-based parent company of the Lord and Taylor and Saks Fifth Avenue chains, said hackers had stolen the personal and financial information of more than five million credit and debit cards used at stores in North America.
About 29 million Facebook accounts were breached in September – originally Facebook said it was 50 million – with attackers getting sensitive personal information from nearly half of those users. Among the data accessed: phone numbers and email addresses, recent Facebook searches, location history and the types of devices people used to access the social network.
The revelations of that breach came during Facebook’s attempt to assure its 2 billion-plus users of its sincere efforts to protect personal information after Russian operatives spread propaganda on the network during and after the 2016 presidential election – and in the wake of the Cambridge Analytica scandal, in which the accounts of 87 million users were accessed without consent by the U.K-based political targeting firm.
Facebook’s “deliberate data practices are often as outrageous as their failure to use strong security,” Tellado said. “As badly as we need new laws to protect people from malicious hackers, we also need new laws and corporate norms to keep the companies we entrust with our information from selling it without our consent. So 2019 is going to see robust calls for new security and privacy legislation.”
Breaches used to be isolated. One of the first big ones hit Target in 2013, affecting as many as 110 million people. When that happened, “you worried about your credit card or your Target data and any of that being leaked,” said Bart McDonough, CEO of Agio, a New York-headquartered information technology and cybersecurity provider.
But that breach was just a harbinger: Each escalating breach these days is interconnected, he says. That means cyber-criminals may be able to compile enough of a digital profile about you to trick you into revealing more.
“Now you think about what information do they know about me or my clients based on this breach that can allow the next breach to happen,” said McDonough, whose book, “Cyber Smart: Five Habits to Protect Your Family, Money and Identity from Cyber Criminals,” publishes Jan. 7.
That interconnectivity is only going to make each successive breach potentially more worrisome, McAfee’s David says. “You hear about all of these high-profile attacks,” he said. “Ultimately, there is so much data out there now that the bad guys are going to start using machine learning and artificial intelligence to sift through it all.”
Some simple tips to protect yourself:
• Use unique passwords. Too many consumers still use “password” or “123456” as their password. “And the sad thing is they use it over and over again,” Davis said. He and McDonough recommend using a password manager such as LastPass or 1Password. Those also let you use two-factor authentication, requiring an additional step before access is allowed to your accounts. “It’s a defensive depth approach,” McDonough said.
• Be suspicious of email. Seven out of 10 cyberattacks (71 percent) start with a phishing email, Davis says. “It’s obvious to me that people are still willing to click on either links or attachments in emails without a lot of thought,” he said. As cyber-criminals get bits of data about you, be careful not to accidentally give them more. “Especially this time of year, before you start clicking away, think through it for a minute – did you actually order something that would suggest that this shipper (or retailer) should be sending you a notice,” he said.
• Update your software. Admittedly, it’s annoying, McDonough says. “But apply all the software updates on your devices as frequently as possible,” he said. “If you do these things you are dramatically better protected than the person who doesn’t.”
•Credit freezes and other measures. If you have been a victim of data misuse and are concerned about identity theft you can get a credit freeze. “(It) makes it a lot harder for identity thieves to open accounts in your name, and, since the Equifax breach, it’s free,” Tellado said.
You should also limit the personal information you give out, she says. “For example, if a retailer asks for your email address or phone number, you should politely decline,” Tellado said. Another smart move – install a tracker blocker such as Disconnect.me, uBlock, or Privacy Badger, she says, to protect against malware and ransomware delivered through online advertisements.
For more, check out Consumer Reports’ Guide to Digital Privacy and Security, Tellado said, to “help consumers navigate the risks and solutions to keep you and your family safe and secure.”