The Impact of a Database Breach – L.E. Edition Part 1
As a law enforcement officer, any piece of your personal information, when in malicious hands, can be considered a serious threat. Once a hacker obtains a single piece of personally identifiable information (PII), they will apply various techniques that will allow them to obtain more. For example, lets say that your email has been hacked. This is completely harmless because it is “just your email address” right? Wrong. In my opinion, an email address is a major component to the foundation of your digital footprint.
In today’s digital world, in order to utilize the majority of online services you are required to sign up using an email address. While this seems like a “normal routine”, the reality of what is obtained about individuals is rarely disclosed. Each one of these services log various pieces of information related to your account such as full name, email address, password, home address, telephone number, date of birth, IP address, and so much more.
The act of “doxing” which has been discussed here before, is the act of searching and publishing private or identifying information about (a particular individual) on the internet, typically with malicious intent. This is a common practice in major “officer involved” incidents that the media feeds love to report. Information such as addresses, phone numbers, emails, etc. can be gathered from online people search websites if you have not taken the appropriate steps to remove it. But what if you have, are you safe from doxing? Absolutely not.
As I stated earlier, attackers utilize several techniques to gather information. One of these techniques includes obtaining and searching stolen databases. By searching your email address against these breached databases, a hacker uncovers the information these companies have obtained about you. For instance, if you signed up for a “Free Cruise” sweepstakes, chances are that your name, phone number, email address, IP address, and home address are circulating the internet in one of the well known spam dumps.
While the degree of information contained in each database varies, it is important to note that even if you have not provided your full personal information online, you are still at risk. “Combo” database dumps are a compiled list of email/password or username/password combinations. Given the fact that people reuse their credentials across their email, social media, e-commerce, banking, and work accounts, an attacker can use this type of dump to uncover your digital footprint.
In reality, this means that even though you have taken all steps to remove your home address from public view, a determined adversary can use non-traditional investigative methods to locate and expose your personal information online. Once your information is exposed in a database breach, it cannot be secured as it will be traded and sold online indefinitely.
Being aware of this threat is the first step to protecting yourself against. Awareness that your data has already been stolen from services you use or have used in the past. You cannot change history, the data is already out there. What you can do is make sure all of your passwords are changed across the various services you use, and that those passwords are so complex and unique to the point you need to maintain them in a password manager. Never use your personal email to sign up for services either. Compartmentalize your email strategy to the extent you are using many different email addresses for different things. Your financial institutions for example, should have a different email from the email you use for shopping or communicating with family and friends. Also, always scrutinize and carefully consider if a service or business needs real information about you. The answer much of the time is no. Use alias information whenever possible, alternate addresses, phone numbers, emails, etc., when asked to provide that type of information. When that particular service is breached, the information revealed will not compromise anything real.
I have briefly discussed the threats posed by data breaches here and a few things you should consider to minimize the damage that can be done when it happens. All of the privacy strategies discussed here in more detail will help with that effort. Lastly, please educate others on the changes you learn about to protect their personal information. The dangers posed by compromised personal information are very real and the damage could be something a person never recovers from. Being proactive, as always, is the best strategy.