A recent data breach at Blue Shield of California has us revisiting the topic of personal data and security. It’s a reminder that a lot of our data is stored by other people, and that sometimes there’s not a lot we can do to protect all of it. While you may be doing everything you can to stay safe with your data, corporate data breaches are big business for hackers. In this week’s blog post, we’ll discuss why these breaches happen, what we can do about them, and what happens after a big, corporate data breach.
One attack, many companies
One of the things that increases the value of a data breach for the attackers is data from multiple sources. If they can successfully breach a company that serves other companies, attackers can gain a massive ball of different types of data with one attack. The Blue Shield of California breach mentioned above is one of these. If you’re a client of theirs, then data including your name, address, subscriber ID, group ID number, and date of birth were exposed in the attack. Luckily, the data doesn’t include medical information, presumably because that information is stored with a higher security standard in mind.
As part of their own incident response reports and investigations, Blue Shield went back to find out what data were affected in this breach once it was disclosed to them that there was a problem. That might sound a little interesting, since a third party needed to reach out and let them know that they were affected. The third party is a company called MOVEit, which creates software tools for moving data from place to place. Because the successful attack was perpetrated on a company that handles data for many companies, the data that was compromised was as wide-ranging as their client base. If one employee falls for a scam, it could mean that the data of millions is at risk.
Many breaches, one solution
While the data that Blue Shield disclosed to their clients is somewhat limited in how it can be used on its own (it doesn’t contain financial or payment information, but is still personally identifying information), it can still be used to corroborate or update identity information from other sources. Since that’s the case, it’s important to remain vigilant in protecting your credit and financial identity.
You can imagine, for instance, that a few different data breaches could expose different details, and when those details are put together, bad guys can create a more detailed picture of who you are. If your credit card information had previously been leaked, but the address was wrong, for example, a new breach may expose your new address.
It’s for this reason that even a partial release of your data requires renewed vigilance on your credit report. If you’re not in the practice of using credit freezes, it’s a good time to review how to use them and what tools to set up for using them effectively. Most of the time, a company that has experienced a breach will give free services to those affected by the breach. If you receive a notice from a company about a breach, be sure to check what they’re offering to help you.
For Blue Shield’s part of the breach, they’ve set up a call center that gives information about these services. Given the number of large corporate breaches that there have been in the past decade, there’s probably free credit monitoring and identity protection available to every American most of the time.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team