Butlin’s has stated that it believes up to 34,000 records have been accessed by hackers and the data comprises of names, home addresses, email addresses, and phone numbers, adding that they believe payment details are secure. This breach comes shortly after Dixons Carphone revised the number of people possibly affected in their data breach from 1.2 million to 10 million.
During disclosures for most data breaches the organisation will state that no payment details have been taken, but in many ways the data they list that has been taken that they position as worthless is more valuable than payment details. I thought I would go through what some of this data could be used for and the possibilities of mitigating the effects of this data being known more widely.
Names are one of the most used pieces of data and when viewed in isolation are not that useful. If a hacker simply stole a list of names from a mundane retailer such as Dixons Carphone it wouldn’t perhaps be too much of an issue. Where this data becomes more important is for organisations that operate in more sensitive areas. For example if you’d signed up to Ashley Madison and your name appeared within its database that was stolen by hackers, that could become a lot more of an issue, especially if your name is unique.
Protecting Your Name
Protecting your name is a difficult thing to do. Short of using a fake name for all online dealings; which is often a breach of many sites terms of service, there isn’t much you can do to obscure your name except perhaps withholding it wherever possible.
Residential addresses are one of the most important pieces of information and can be affected in ways varying from the relatively irritating but mundane; sending junk mail to the home address, to more serious issues such as swatting.
Protecting Your Address
When required an address is a difficult one to obscure. Unless you’re willing to go through the process of setting up a PO BOX address the best way to protect your address is to think about where you enter it. Does a social media site need to know your home address? Do you really want to sign up for a survey site that requires your home address?
Email Address and Username
Nearly all websites ask for you to sign-up using your email address or a user name, so if you use a single email address or username for all your sites this could be used to try and access your accounts on other websites. This information becomes even more valuable if you use the same password across different sites as if you used a username and password for Butlin’s that is the same combination as what you use for your PayPal account, you could find your online wallet becomes lighter quite quickly.
Protecting Your Email Address and Username
One way I attempt to minimise the effects of my email address being leaked is by using a separate email for financial dealings and another for more general use. The key way to protect yourself is to use a unique and complex passwords on the sites you use. Having the same password for multiple accounts means that if this combination is leaked, or even if only the username is leaked but an hacker guesses your password, they then have access to multiple accounts.
A trick if you’re using Gmail is that you can use an alias based on your email in order to have a degree of protection and if your data does get leaked you might be able to see which company leaked the data based on the alias the emails are sent to. If your Gmail address is email@example.com just enter firstname.lastname@example.org in the site you’re signing up to. There’s no need to do anything in Gmail’s settings, Gmail simply directs any email to that address as if it’s going to your inbox as normal. If you like you can create rules to manage the emails going to the alias addresses.
On their own the data mentioned above may not be that useful but keep in mind what else you have online that could be used elsewhere. A hacker my get your username from one leak and attempt to gain access to anther site using this. Perhaps he can’t work out what the password is, but the site asks for your hometown and the name of your first pet to reset your password. If the hacker doesn’t have your name already he could enter the username he has into Google to find another site where your username is paired with your name (e.g. Twitter) with your name he could find your Facebook Profile which will likely list your home town and; as you’re so proud of your first pet, contain a photo of your first pet also announcing its name.
As well as steps above I recommend using a password manager. I mentioned previously if you use the same username and password combination across sites a hacker effectively has access to all the site using those details. With a password manager you can keep track of each sites password allowing you to use a unique password on each one. In addition the password can be made incredibly long and complicated, adding an extra degree of security. I personally use 1Password as along with website passwords you can use it to manage wireless network passwords, credit cards, and documents. If you don’t want to pay for a password manager, iOS has iCloud Keychain built-in while Android has Smart Lock for Passwords.
Credit and debit details for me remain perhaps one of the least important pieces of information. If this data is stolen as part of a breach the card can be cancelled and a new one issued within a week or two. In the UK it is written in law that consumers are not responsible for fraudulent purchases; even if the data is used to pay for something the money will likely be given back. One thing I would do to ensure the least amount of inconvenience is to always use a credit card. If a debit card is used fraudulently to purchase something the money will be taken from your account and returned later. If you have a number of direct debits that are paid using that account there may be a delay paying them, potentially causing stress and worry (One additional benefit to using a credit card for an online purchase is that it may also give you the additional protection provided by Section 75 of the Consumer Credit Act 1974).