How to protect yourself after a data breach

I posted about the EasyJet data breach yesterday, but realised I didn’t provide comprehensive advice regarding what actions to take to safeguard your online identity if you’ve been involved in the breach.

There are a few threats you can be exposed to following a data breach like EasyJet’s. I outline some of these below along with the protective measures you can take.

Leaked login details

If your email and password for an account were leaked, cybercriminals will attempt to use this combination on other online services.

Actions

• Reset the password on all of your online accounts to unique, random ones. Use a password manager to keep track of all of your login credentials.
• I have a blog post about passwords which can help you get started.

Social engineering

When personal information (like your full name, email, phone number, location, identification numbers, etc) is leaked online, it becomes easier for someone to figure out details about you which grant them access to your accounts.

This is why “security questions” are no longer a secure way of protecting your account if you forget your password. Most modern and big companies don’t support this method anymore. After all, how hard is it to guess your mother’s maiden name or your city of birth?

Actions

• Change all of your security questions to random words. You can store them in the password manager you set up in the previous section.
• Delete old online accounts you don’t use anymore. Make sure the data is completely deleted from their systems.
• Remove personal information like passport numbers, addresses, etc from websites which don’t strictly require them. If you can’t remove them, enter fake details.

Phishing

Your email address is usually leaked along with your personal information. This means you’ll probably receive very convincing emails (with your personal information, which is now available publicly) from people pretending to be your bank, Facebook, and so on. They’ll try to get you to give them even more personal information like passwords and card details.

Actions

• If the breached company’s website allows it, you should change your email address. That way, if you receive an email that seems like it came from the company, but is addressed to your old email, you can probably assume it’s a scam.

• If you want to be proactive, the best way to isolate your accounts is to have a different email for every account. You can use a service like AnonAddy and store the unique email in your password manager. This takes much more work so it’s completely optional.