Recent Breaches and What You Can Do

Recent Breaches

Whether personal or work related, individuals have more online accounts than ever before which contain personal information, financial information, and other individuals’ information. With seemingly endless data within reach, it is imperative that individuals are cognizant of risks and mechanisms they can utilize to minimize the risk associated with their personal data, others personal data, and/or organizations data which may be accessible through their personal and work accounts.

Massive data breaches across all sectors have become common place in news headlines in 2024 across the world and in the United States. 

• National Public Data's data breach, due to a third-party bad actor, affecting approximately 170 million individuals and comprising of 2.9 billion records including names, addresses, Social Security numbers, and relatives dating back at least three decades quickly hit the headlines (https://www.cnet.com/personal-finance/check-if-your-social-security-number-is-included-in-the-national-public-data-hack/).
   
• AT&T announced that call and text-message logs of nearly all customers (~100 million) were stolen. Additionally, AT&T announced that 7.6 million customer passcodes had been compromised (https://www.nytimes.com/wirecutter/reviews/how-to-protect-yourself-att-breach/, https://www.att.com/support/article/my-account/000102979?source=EPcc000000000000U, https://www.att.com/support/article/my-account/000101995?bypasscache=1/?source=EPcc000000000000U).
   
• UnitedHealth Group (UHG) announced the breach of protected health information (PHI) and personally identifiable information (PII) for a substantial proportion of people in the United States due to lack of Multi-Factor Authentication (https://www.unitedhealthgroup.com/ns/health-data-breach.html).

While many mechanisms could have been utilized by each organization to reduce the risk of these attacks and/or breaches, lessons can be learned from each of these for individuals to improve personal account security practices. 

What can you do?

While the sophistication of attacks is increasing, the following simple practices can be employed by all individuals to help mitigate the risk of account compromise.

Verify what you have received

With the emergence of AI technologies, phishing capabilities have become more and more realistic whether the mechanism for the phishing attempt is through email, text message, phone calls, or even video calls as seen within Hong Kong's multinational firm’s $25 million payment to fraudsters using deep fake technology (https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html).

The following practices should be utilized to verify the legitimacy of communications received:

1. Ask yourself the following questions:
   1. Was the communication expected?
   2. Was the communication from someone and a source (i.e., phone number, email address) you know?
   3. Are there any irregularities within the communication (e.g., sense of urgency, non-standard mode of communication, odd timing, seems too good or bad to be true)?
   4. Do I typically receive this communication (e.g., system notifications, billing statement due, unsolicited offers, direct messages from the CEO)?
2. Reach out to whoever is communicating with you through a trust method to verify the request or offer (e.g., direct call, trusted email address, stop by their desk).
3. Manually navigate to desired URLs instead of utilizing links or QR codes provided in suspected phishing communication
4. Never provide personal information or login credentials to an unsolicited communication (e.g., call verifying personal information, email requiring login credentials).

Password Management

Password hygiene is essential to account security. With the volume of accounts people use daily, appropriate password management can seem like a burden. To facilitate account security and convenience, individuals should consider the following:

1. Utilize strong passwords consisting of sufficient length, upper-case, lower-case, numbers, and special characters. Avoid passwords known to be previously compromised, dictionary words, repetitive or sequential characters (e.g., ‘aaaa’, ‘1234abcd’), and context specific words such as the name of the service, the username, and derivatives thereof.
2. Limit how often passwords are re-used across accounts and ensure that work and personal credentials remain distinct.
3. Consider utilizing a trusted password manager (e.g., 1Password, Keeper, LastPass) to store and/or generate passwords across your accounts.
4. Change passwords when notified of potential compromise.
5. Work passwords should never be shared with anyone. Individuals should limit sharing of personal account passwords as much as possible and ensure that any passwords which are shared, are different from critical account passwords (e.g., financial institutions, mortgage company, etc.) and work passwords.

Implement Multi-Factor Authentication (MFA)

In addition to strong passwords, individuals should enable MFA for all personal and work accounts, where able. As an added layer of defense, MFA helps to reduce the risk of unauthorized account access if a password is compromised. Where available, MFA should be configured through an industry recognized authenticator app. Authentication may also occur through call or email verification.

Additional Security Considerations

Individual’s actions often pose the biggest risk to organizations as well as account security. In addition to constant vigilance against communications received, strong password management, and the consistent use of MFA, these additional security considerations can enhance account and data security.

1. Periodically check for "trusted devices" in your accounts which may allow for the bypassing of MFA. Limit the number of trusted devices for your accounts.
2. Configure alerts for new logins, account updates, and/or password changes to ensure you are aware of account activity.
3. Consider what security questions you use and where your responses may be public knowledge (e.g., social media, Google searches, etc.)
4. Monitor your personal finances to identify potentially fraudulent transactions.
5. Place a credit freeze on your credit report to prevent the approval of any new credit in your name. Credit agencies (Equifax, Experian, and TransUnion) are required to unfreeze your credit upon request within one hour if requested by phone or online and within three business days if requested by mail.
   https://www.usa.gov/credit-freeze