This past week, consumers were hit with news of more data breaches -- just the latest in a long line of breaches that have occurred over the past several years. Indeed, there have been so many that it's seemingly getting easier to remember which companies have not suffered a breach than to remember those that have. Both Dunkin' Brands Group (NASDAQ:DNKN) and Marriott International (NASDAQ:MAR) released news that their databases had been breached, to varying degrees, exposing their customers' information to fraudsters.
Marriott's breach seems worse, at least on the surface. The world's largest hotel chain stated that up to 500 million guests' information had been accessed in a breach that might date back to 2014. For 327 million of these guests, this breach exposed information such as their names, dates of birth, phone numbers, addresses, email addresses, and even passport numbers.
Dunkin' Donuts stated that the usernames and passwords of some members of its DD Perks program were exposed. The company believes this was the result not of an internal breach but of breaches at other companies; the usernames and passwords exposed there were then used in attempts to access the members' accounts.
Why data breaches should scare you
American consumers seem to be taking the news of data breaches with little more than apathy. The sentiment is understandable, as our society has been inundated with stories of data breaches in recent years. But as understandable as it is, it is not prudent to ignore the dangers these breaches can represent.
The type of information lost in the Marriott breach alone is a treasure trove for hackers. This information can then either be sold on the dark web or directly used by the hackers for identity-theft purposes, making those victimized by the breach potential victims of identity theft and fraud for years to come.
As an economic-crimes detective, I've seen these breaches affect victims firsthand. Many will come stating that they've been victims of fraud and identity theft many times over and can't understand why it keeps happening to them. I have to explain that once their information is in the wild, so to speak, it will be sold and resold on the dark web multiple times, giving different criminals the chance to open accounts and lines of credit in their name.
In a best-case scenario, victims might never suffer a monetary loss but will be forced to spend hours explaining to third-party collection agents that they never opened certain accounts, making police reports, and clearing their credit reports of fraudulent accounts. The ensuing mayhem will also almost certainly wreak havoc on their credit scores, possibly costing them in higher interest rates on loans if the fraud remains unnoticed or isn't corrected in time.
What you can do to protect yourself
It's likely that hackers have accessed your personal identification information in a data breach. Rather than sticking your head in the sand and pretending everything is OK, here are some constructive steps you can take to protect yourself.
1. Watch your passwords. Often, when an account is breached, users don't think of the password they used for that account as a particularly valuable piece of stolen information. Yet because many of us use the same password across multiple accounts, this might be the most valuable piece of information the cyberthieves steal.
Many of us know what we should do when choosing passwords for our accounts: Use a combination of alphanumeric and special characters that is not easily guessed. The problem is that doing this is almost impossibly hard, with dozens and dozens of accounts that must be managed. Yet it must be done. To tackle this problem, consumers can explore password managers, programs that generate random passwords and save them. Many of today's web browsers and other password management platforms, such as LastPass, perform this function for free. Of course, make sure you only do this from secure devices.
Another solution is to come up with a string of universal characters that can be used with a unique code for each account. If you take this route, make sure that the codes can be easily remembered for each account but not easily guessed -- a fine line if there ever was one!
Whatever you decide to do, make sure you reset and change any passwords that might be identical to those that were used for an account that was exposed in a data breach.
2. Monitor your financial accounts closely. If you think your information was accessed in a data breach, you will want to pay close attention to your accounts for fraudulent activity or even a change to your contact information on the account's profile. Account takeover fraud, which happens when criminals gain access to victims' bank or credit card accounts and then make unauthorized transactions on the account, is rising frighteningly fast.
3. Pull a credit report. Besides closely monitoring existing accounts, you should also regularly check your credit report to look for accounts you didn't open. With your personal identification information, it's relatively easy for criminals to open accounts in your name. If you don't check your information frequently, these accounts can go months, even years, without being identified as fraudulent. In these cases, your credit score will inevitably suffer while these accounts go undetected. I've been approached by victims wanting investigations to be conducted years after the fraud took place because they only found out about the fraudulently opened account after third-party debt collection agencies contacted them.
4. Consider digital wallets. Finally, consider using digital payment platforms to make online payments. These types of digital wallets, including Apple Pay, Google Pay, and PayPal, use tokenization to make payments more secure, essentially meaning the website you pay receives a substitute token in place of your actual card number, so your credit or debit card information isn't stored there.
While it's almost impossible in this digital age to keep your information from being accessed in these types of data breaches, we can make sure to minimize the information we leave on websites and limit the damage when they do occur.