Wednesday, 16 December 2015

You can’t trust anyone with your data

You can’t trust anyone with your data

Worried that your bank details have been stolen? They already have, says Barry Collins

“Only the paranoid survive,” according to former Intel chief Andy Grove. Yet there’s not even a tinge of paranoia in what I’m about to tell you: your personal data has been stolen. Get over it.

Unless you’ve never filled out an online registration form, never bought from an online store and never signed up for a free webmail account, your personal details are almost certainly logged in a stolen database somewhere.

I’ve lost count of the number of times I’ve been informed that my personal details “may” have been compromised or I’ve been asked to change my password because of an attack on a company’s systems. Without even rooting through my inbox, I can recall such messages arriving from the online postcard company Touchnote, Sony’s PlayStation Network, Adobe and – perhaps most worryingly of all – the password-locker service LastPass.

The sheer number of accounts that have been compromised in major attacks makes it almost inconceivable that your details aren’t being traded on the black market. The attack on Adobe affected 152 million different accounts, the Sony attack leaked personal information from 77 million users and the recent TalkTalk attack hit over 150,000 customers, almost 16,000 of whom had their bank account numbers and sort codes exposed.

And that’s just the attacks we know about. Companies (in this country, at least) are under no legal obligation to tell us when they’ve been hacked. They might not even know themselves. And let’s be honest – there’s little incentive for big companies to come clean when they’ve suffered a security breach. TalkTalk’s share price bombed by a quarter in the immediate aftermath of its attack – which wasn’t as bad as first feared – and the company estimates it will cost up to £35m to put it right. The CEO was embarrassed on national television when she couldn’t confirm if the data had been encrypted. How many other companies have hushed up an attack to avoid the cost, hassle and reputational carnage of admitting customers’ data has been stolen? I suspect it’s an almost everyday occurrence.

You simply can’t trust other companies to look after your personal data – just as Santa can’t trust his elves to deliver the presents. You’ve got to do it yourself. If you don’t use a password locker that creates random, strong passwords for you, you’ve got to manually change passwords yourself – at least once a year, perhaps more often. On webmail services, such as the Outlook or Gmail account you use for all your web registrations, switch on two-factor authentication. Yes, it’s a hassle having to punch in a code sent to your mobile phone every time you log in from a new computer, but it’s less of a hassle than having your Amazon, Tesco or eBay account hijacked because the attacker broke into your webmail account and used it to reset the passwords at the various stores.

Switch credit cards regularly. The longer your credit card number is in circulation, the more chance it has of being swiped. Hackers buy credit card numbers by the thousands, often paying just pennies for each one. Yours is going to be on a list somewhere, and when they marry it up with data leaked from another attack that shows your account is still active, you’re going to be a target.

Work on the assumption that your details have been stolen and you’ve got less to lose when they actually are. Enjoy that Christmas shopping now, won’t you?