San Francisco Chronicle

Tips to protect yourself after a data breach

By Nora Mishanec. Reach Nora Mishanec: nora.mishanec@sfchronicle.com

Hackers released troves of Oakland employees’ personal data online over the weekend, leaving many workers vulnerable to identity theft and reviving long-standing fears about cybersecurity in an increasingly online world.

Private data made public by the hacker group following a February ransomware breach of Oakland’s municipal network includes thousands of current and past employees’ Social Security numbers, driver’s license numbers, birth dates and home addresses — information that could be used by nefarious actors looking to profit by opening false credit card accounts and stealing tax returns.

Civil servants aren’t the only ones vulnerable to such attacks. Anyone can be a target, experts said, as hackers become more sophisticated and as financial transactions move online.

Here’s what you should know and how to protect yourself.

Take action immediately

Victims of data leaks should change their online banking passwords as soon as possible to protect financial data, said UC Berkeley cybersecurity expert Davis Hake. Closely monitor those accounts for fraud, he said. Be especially vigilant for phishing attacks — emails or texts that try to trick you into clicking a link or divulging sensitive information — or attempts to bypass multifactor authentication controls, a second layer of security to some password-protected accounts.

As a rule, everyone who uses online banking accounts should update their passwords regularly — with fresh words and symbols. Avoid the temptation to rejigger old passwords.

“Lots and lots of personal data already exists out there on the web from prior breaches, so it is important for everyone to practice good cyber hygiene on a regular basis,” Hake said.

Be especially wary of the growing trends in personal fraud, he added. Extortion schemes, home-purchase wire fraud and compromised email accounts are among the biggest threats to web users as more personal data becomes available online.

Guard your credit

In cases like Oakland’s that result in exposed Social Security numbers, the Federal Trade Commission recommends that those affected order free credit reports at annualcreditreport.com and check them for accounts or charges they don’t recognize. Because of the pandemic, credit reports can be ordered weekly free of charge through December 2023.

The FTC says those affected should also consider placing a free credit freeze, which restricts access to their credit and lasts until they remove it. At a minimum, the FTC recommends placing a fraud alert, which makes it harder for others to open a new account in their name. A credit freeze must be requested from each of the three credit bureaus — Equifax, Experian and TransUnion. A fraud alert requires contacting just one of the three bureaus, which must then tell the other two to place the alert.

Don’t overshare

Keep social media accounts private and limit what you post. Once in possession of personal data like birthdates and Social Security numbers, hackers often seek out context clues from social media posts. Use private internet networks whenever possible to avoid someone hijacking your accounts.

Using information willingly shared on social media sites like Facebook, Instagram and TikTok, “criminals can easily build a profile of you to help them monetize your life,” Hake said.

Beware the butterfly effect

While it is unclear what motivated the Oakland hackers — a group named Play has claimed responsibility, the city said — the data they obtained could ricochet around the dark web for years to come.

“What most people don’t realize is that threat actors around the world work with one another often,” said Ryan Chapman, a principal consultant at Palo Alto Networks, a cybersecurity company headquartered in Santa Clara. “While a ransomware group may not find such data specifically useful to their purposes, it would not be difficult for them to visit any one of the many dark web marketplaces to sell the data.”

To prevent further damage, consider credit monitoring services that scour the dark web for any signs of compromise and provide fraud alert notifications. Like the FTC, Chapman also recommends credit freezes.

Identity theft services typically cost between $10 and $30 a month. But their powers are limited, according to Consumer Reports. Identity theft protection can tell users whether their information is on the dark web and help victims sort out the damage in the aftermath of a breach, the nonprofit watchdog said, but it cannot prevent leaks or scrub data that’s already out there.

Claim tax refunds — before the hackers do

Bad actors know how to use leaked financial information to get fraudulent tax refunds, said Sarah Powazek, the program director of UC Berkeley’s Public Interest Cybersecurity initiative.

Due to recent storms, most Californians have until Oct. 16 to file their 2022 federal and state tax returns and pay taxes, according to the Internal Revenue Service and state Franchise Tax Board. But most people should not wait that long — especially any data breach victims.

File your tax return as soon as possible, and claim your refund before someone else tries to steal the payment from the mail or wire the refund to their own account.

Stephanie Wright Hession/Special to The Chronicle Hackers released troves of Oakland city employees’ personal data online over the weekend after an attack in February.
