Been Hacked? Here’s What You Need to Know

What happens if your data is compromised?

Data breaches are becoming increasingly common for American companies and American consumers alike. All kinds of companies, from retailers like Whole Foods to big consulting companies like Deloitte, have found themselves subject to hacks in recent months. And the 2017 Equifax hack affected nearly 148 million Americans and millions of consumers overseas.

​Essentially, there are nine kinds of identity theft – financial, child, social security, driver’s license, criminal, employment, insurance, synthetic and medical identity theft – and as more and more of this data goes digital, it’s become easier and easier for hackers to exploit the cracks in data protection systems and get a hold of our personal information – and use it to perpetuate all kinds of identity fraud.

So what does that mean? Where has my data gone?

​Once it’s been compromised, your data has likely gone to the dark web – a section of the internet that is actually not as sinister as its reputation would lead you to believe. The dark web is a part of the larger deep web – itself a pool of websites that you can’t find via a search engine, including private sites like your Gmail inbox. To browse the dark web specifically, you have to already know the web address in advance, and you have to use software such as Tor (an acronym for “The Onion Router”), a web browser that lets you surf the internet in total privacy. Sometimes you even have to use a password or other form of authentication to access the content.

​There’s no denying that the dark web is used to sell all kinds of illegal material. Your personal data is for sale, right alongside drugs, weapons and child pornography. But much of it is also used for perfectly ordinary purposes as well. People can buy legal items, use social media sites and hold discussions on forums about all different kinds of topics. The dark web even has its own news sources, with Deepdotweb reporting on the value of Bitcoin, profiling major dark web hackers and leaders and hosting instructional articles on hacking. In fact, according to a recent survey of 400 dark web sites, less than 50 percent of them host illegal content or activity.

How do companies find out about my missing data? How do I recover?

​Great question – if a tricky one. The dark web is extremely difficult to access and to search, as it’s specifically designed by and for people who want to cover their tracks. It’s also a highly temporary space: Websites will crop up and then be taken down within a matter of hours. Tracking down stolen information isn’t just a matter of doing a quick Google search – it’s a highly complex, highly challenging process.

​The good news is that it can be done. There are companies out there that use sophisticated technologies that can comb through (“crawl” or “spider”) the dark web looking for your personal information. And although methods vary slightly from company to company, there are some basic industry practices that are standard across the board. First, as they crawl the dark web, they will index information that is found by looking at social media, un-indexed transient deep web sites, sharing sites, black markets and other seedy places. Then, they will compare what they find to see if there are matches with the personal information of individuals that may have been exposed.

​When there is a match, the individual will get an alert. With this information in hand, the individual is then able to take appropriate steps to address the potential risks posed by the nature of the personal data that was found and how it would likely be misused for fraud. Fortunately, modern identity protection services are providing technologies of this type that are available to both consumers and enterprises.

Can I prevent it from happening in the future?

Sadly, not really. Breaches continue to grow in size and scope, and there’s no guarantee that it won’t happen again. What you can do is be smart. Use two-factor authentication when accessing your online financial accounts. Don’t reuse the same passwords for your Facebook account and your bank account. Think carefully about what companies you share your data with and where you’re making online purchases.

​Most importantly, if you work for a company, ask your employer whether they provide identity protection plans as a benefit. If they provide one, sign up. If you’re not employed or your employer does not offer a plan, then consider buying one yourself. They’re relatively inexpensive, and it’s a smart way to mitigate potential risks. If you are an employer or company, go ahead and invest in protection services for all your employees. It might seem like an added expense, but it’s ultimately far less expensive than the losses incurred in damage control, revenue and reputation after a serious breach.

​You may not be able to control what goes on in the dark web, but you can control exactly what you do on the clear web. Make it easy for yourself in the future by doing your best to make it hard for hackers in the present.

​Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services including MyIDCare. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.

Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services, such as MyIDCare. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.