On Christmas Day, I was chatting with my niece during family celebrations. My phone buzzed and I saw a notification that she had just sent me a message. That was truly odd, because, as I mentioned, we were chatting and, unless she was using her telepathic skills, she was not texting at the same time. Nevertheless, I asked her if she had sent me a message. She looked at me as though I had lost my mind, but double-checked her phone and shrugged. “It wasn’t me,” she said, and carried on with her day. Since she was engaging with people and not her phone, and because we were having a fun time with family, I decided that the likely bad news could wait.
I attended a talk earlier in the year where the speaker told us: “There are two types of people: those who have been hacked, and those that don’t know it yet.” By the time we got home, my niece had gone from being in the latter group to being a panicked person in the former. Often, a person finds out that they have been hacked when, as happened to my niece, their contacts complain about spam messages that they have received from that person. However, more and more often, people don’t know that they have effectively been hacked because the party hacked is a company that is holding people’s information.
In 2017, the most notorious example came on 17 September, when the credit reporting agency Equifax was hacked. Initially, the information was that about 143 million people might have been impacted. However, that number has climbed, and what kind of information was accessed was vague. When people tried to check with Equifax, they often got different responses each time that they tried. Also, as the months have gone by, the number of people impacted has climbed. If Yahoo! is anything to go by, who knows what the final count will be. The best advice to take right now is to assume you have been impacted and to take preventative steps and, if you have not already done so, freeze your credit with all four of the major credit reporting agencies.
What is unsettling about how companies announce that they have been hacked is how long it takes for the news to come out. Equifax claimed that it discovered its breach at the end of July, but it only made a public announcement in the middle of September. It was only in October 2017 that Yahoo announced that all of its accounts were hacked in 2013. That’s not a typo; they are telling us that if you had Yahoo, Flickr, Tumblr, or any other account owned by Yahoo, you were hacked in 2013. What is anyone supposed to do with that information, four years later? This is worse than a “Look out for falling ice” sign. In November, we found out that Uber had been hacked in 2016 and that the company had opted to pay off the hackers to destroy the information and keep the hack quiet.
The big takeaway is that it may be a while before anyone lets you know that you have been hacked and, unless you live completely off the grid, it is smart, and safe, to assume that you have been hacked. That said, there are steps that you can take to try to minimize the damage that can be caused by hacking:
- Freeze your credit with the major credit bureaus. Learning about the Equifax breach was especially frustrating because people do not choose to share their information with the credit bureaus. I rolled my eyes at a headline that referred to “customers” being compromised. The best one can do right now (beyond not having a credit history of any kind) is to try to limit how much information gets out.
- Check your credit regularly. Do this at least quarterly, to make sure that cards have not been opened in your name and without your permission. Annual Credit Report is the only website authorized by federal law to provide you with a free credit report from a credit reporting agency every twelve months. A great way to spread out the checking over the year is to get a report from one of the agencies every 4 months (instead of getting all three in one fell swoop).
- Use two-factor authentication. This gives extra security over using only a password. The most common method of two-factor authentication is having a company send you a text with a unique code before you can complete logging into an account.
- Don’t click on every link you come across. If you receive an email with a link and it is not something you have been expecting (and sometimes even if it is something you have been expecting) don’t click on a link because it is there. Check the email to make sure you recognize where the message is coming from.
- If you trust the link and have clicked on it, still be careful about what information you share. If you start to feel as though a company is asking for too much, either over the phone or through a website, stop sharing information. Find out, independently, if you really need to share that information and, again, make sure you know who you are sharing your information with and why.
Try to include these in your list of New Year’s resolutions. It won’t stop you from being hacked, but at least it may improve your chances of finding out about it early and taking appropriate steps.