Companies Cannot Be Trusted to Tell the Truth About Data Breaches
Last week, online sneaker trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In fact, the company had suffered a serious data breach back in May, and it only came clean under pressure from reporters who had access to some of the leaked data.
In other words, StockX lied. And while the company eventually revealed the details of the hack, there is still no explanation as to why it took StockX so long to figure out what happened, or why the company felt the need to obfuscate the situation with its suspicious password reset email last week.
While most companies are quite responsible about security disclosures, there is no doubt that many would prefer that information about massive security breaches affecting them never reached the public eye. And even when companies have to disclose the details of a hack, they can be evasive about it, as we’ve seen with Capital One’s recent troubles.
It’s not your job to play detective or journalist for every company you like and use, but there are a few things you need to remember to stay safe in the event of a data breach, especially if the company isn’t being upfront. Let’s go through them.
Be skeptical about random password reset requests
This isn’t complicated, but it’s still worth mentioning. If a website or service unexpectedly asks you to reset your password, something is wrong. Ideally, the service has found that your email address or username was part of another data breach, and it is helping you protect your account in advance in case you happen to use the same password for both services. However, you should still be suspicious, and perhaps check the news (or Twitter) to see whether anyone is reporting a data breach at the company itself.
Make sure you are using “Have I Been Pwned”
In case the company doesn’t report a data breach, it never hurts to have someone else watch your back. Sign up for Have I Been Pwned notifications that tell you if or when your email address was involved in a hack.
If you’re a 1Password user, you can also take advantage of the password manager’s built-in tool that checks whether your credentials have been associated with any breaches. It is called Watchtower, and it is a great way to stay on top of every weekly (daily?) breach.
Conduct your own threat analysis
At Lifehacker, I read about a lot of hacks. Some we cover; some we don’t. Typically, if a hack only involves information that isn’t that interesting, such as your email address and shoe size, it’s not worth talking about compared to hacks that involve more important data, such as account numbers, your plaintext password, or your Social Security number.
When a company informs you of a breach that affects your information, don’t just take their word for it. Assume that every bit of data you have sent to this company’s service has also been compromised, and act accordingly, whether that means paying closer attention to spending on the associated credit card (or setting up some kind of notification or alert), changing your passwords on other sites, or freezing your credit reports. You never know when a seemingly innocent hack can turn into something worse.
I realize this may sound like the sky is falling, but being more proactive about data security is not a bad thing. You can always take a measured response. For example, you probably don’t need to order a replacement credit card every time a website you previously bought something from is compromised, but you can take it as a reminder to check your credit card statement more closely for the next month or so.
Don’t be afraid to leave
If a company isn’t telling you the truth about issues that could have a big impact on your personal privacy and data security, you don’t need to continue using its services. Find another company that is willing to make the extra effort to keep your data safe, or at the very least, to provide you with truthful information about any incidents. I’ll accept a guilty lie any day.