Incognito — July 2024: Data Breaches Increase by 78% in the U.S.

Laura Martisiute

July 3, 2024

Reading time: 12 minutes

Welcome to the July 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

  • Data breaches. Why we’re seeing more breaches and what you can do to reduce your risk.  
  • Recommended reads, including “DuckDuckGo Lets Users Access AI Chatbots Anonymously.”
  • Q&A: Can you “unagree” to a privacy policy?

With breaches now occurring weekly, if not daily, it’s easy to become desensitized to them. 

Read on to learn why you shouldn’t ignore data breaches, how to protect your data from future breaches, and why breaches are happening so often. 

You Were (Probably) Caught Up In a Breach Last Year

Were you impacted by a data breach last year? 

If you’re a US resident, the answer is: More than likely. 

While the number of breaches in 2023 fell pretty much everywhere, in the US, it actually tripled, Surfshark found.

This is corroborated by a report from the Identity Theft Resource Center (ITRC), which says that the number of reported data compromises in the US last year increased by 78% compared to the year before. 

The good news is that despite more breaches, there seem to have been fewer victims. 

The ITRC’s explanation is that identity criminals have shifted their focus from mass attacks to specific data and identity-related fraud and scams.

Big breaches last year that you might have been in include:

  1. T-Mobile, affecting 37 million accounts and information like names, emails, phone numbers, billing addresses, and birth dates (this wasn’t the only security incident T-Mobile experienced last year, either). 
  2. Xfinity, affecting almost all its customers (~36 million) and information like account usernames, passwords, and security question answers. 
  3. PeopleConnect, Inc., affecting 20 million Instant Checkmate and TruthFinder (which PeopleConnect owns) customers and information including first and last names, hashed passwords, email addresses, and phone numbers. 

This Year Isn’t Looking Any Better

“The worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising,” said TechCrunch in a June article.

Recent headlines involve Ticketmaster, which made news for a breach that potentially impacted 560 million users (though Ticketmaster reportedly claims the number is closer to 1,000), and Dell, which experienced a breach affecting 49 million customers globally. 

The source of some data leaks, like the recently published online database containing information on Americans with criminal records, is a mystery. 

Meanwhile, some data compromises were accidental. The City of Baltimore, for example, left exposed a database containing the identities of residents who reported crimes.  

Why So Many?

There are three core reasons for the surge in breaches, according to Stuart Madnick:

  1. Ransomware groups don’t just encrypt systems; they now steal data to increase the pressure and likelihood that victims will pay a ransom. We’ve seen this tactic evolve for a few years now, but it’s becoming more common.
  2. More organizations keep data in the cloud, but not all have procedures to keep it safe. IBM found that 82%(!) of breaches last year involved data in the cloud.
  3. Most organizations rely on a network of vendors for services. These vendors have access to the computers of the organizations they serve, but they also often have somewhat more limited cybersecurity. Criminals, therefore, might be able to access the vendor’s system first and then migrate to the systems of the organizations that use the vendor. 

How to Know If You Were in a Data Breach 

The easiest way to know if you were exposed in a data breach is to see if you got a notification from an organization that was affected. However, being told your data was exposed isn’t necessarily something you can rely on.

At least periodically, you should check HaveIBeenPwned.com, a website that lets you see if your data was compromised in a breach (including where and what data). 

You can also get the site to notify you when your information is compromised (click the “Notify me” button in the top menu). 

What to Do If You Were In A Breach

The steps you’ll need to take after a breach will depend on the kind of data that was compromised.

Login details: Change your password on that account but also all other accounts where you reuse it (better yet, stop reusing your passwords in general). Also, enable multi-factor authentication where possible.

Credit card information: Call your bank immediately. 

SSN: Report the incident to the FTC and freeze your credit at each credit bureau. 

Other data: At least for the foreseeable future, be extra vigilant about texts, emails, social media messages, and calls you get, as someone might try to scam you using the information they stole about you. 

No Such Thing As “Harmless Data Exposure” 

You might think, “Oh, it’s just my email address; everyone has that,” but as CSO Online writes, data exposed in a breach doesn’t just get put into a silo and get forgotten about.

Exposed data compounds over time into a detailed profile.

One breach might expose your email, while another might expose your full name and email. Cybercriminals merge data from new breaches with data from older breaches to create detailed datasets. 

And while these datasets are mainly used by the criminals who create them, the next step “will be renting these merged data sets for phishing campaigns,” says John Kinsella, chief cloud architect at Accurics, a security and compliance tools provider, in the CSO Online article.

“Fence Your Data” (aka How Not to Get Breached)

It’s probably impossible to ensure that your data never appears in a breach, but there are certain steps you can take to make data compromise less likely. 

One of the best tips is to “fence your data,” as shared by Chris Briggs in a Forbes article. Don’t share your personal data if you don’t have to.

Don’t: 

  • Sign up for loyalty programs (we talked more about this in a previous issue of Incognito).
  • Fill out optional fields on online accounts and forms.
  • Share your SSN – any part of it – if at all possible. As per The Wall Street Journal article, when Eva Velasquez, the CEO and president of the Identity Theft Resource Center, was asked to provide her and her son’s SSN at the dentist, she asked if it was really necessary and was told she could leave the space blank on the form. Chester Wisniewski, director and global field chief technology officer at Sophos, recommends asking the organization if you could use another form of ID instead. If the organization insists you share your SSN, ask them plenty of questions about how they’ll store it and who will have access to it.
  • Overshare on personal blogs, social media, forums, etc. 

Choose companies to do business with based on how much data they collect and whom they share it with (i.e., read their privacy policies, and if you’re too lazy, read Terms of Service; Didn’t Read, a project that summarizes internet services’ terms of service and privacy policies). 

Delete, Delete, Delete

Even if you’ve already overshared or signed up for accounts you don’t really need, it’s never too late to take your data back. Or at least try to. 

Various state laws give residents the ability to delete their information and/or opt out of the sale or sharing of their data from companies that are classed as “data brokers.” Some companies let you exercise these rights even if you’re not a resident of one of the states with consumer privacy laws.

Another thing you can do? Delete all the online accounts you don’t need (check out our account deletion guides for step-by-step instructions) and uninstall all the apps you don’t use (which suck up a ton of data). 

Readers’ Tips

Once in a while, we’ll also share tips from our readers. Here’s a great tip related to last month’s Incognito:

“I customized the voicemail greeting on my phone. Answering then pausing, so they believe a person is on the line and wait to listen, it goes like this:

“Hello…..you’ve reached (phone number). Please leave a message, we’ll call you back. If you’re a solicitor or advertiser, this number is on the Do Not Call List, please remove [it] from your records. If you’re a Bill Collector, we conduct all financial and legal transactions exclusively via the US Postal Service. Any and all suspect calls are reported to the FCC and FTC. Thank you, and have a good day.”

This seems to reduce spam, scam & collections calls by about 75%. And, we do report them to the FCC regularly, after blocking the numbers, of course.”

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

DuckDuckGo Lets Users Access AI Chatbots Anonymously

DuckDuckGo announced a new feature, DuckDuckGo AI Chat, that lets users access AI chatbots like GPT-3.5 Turbo, Claude 3 Haiku, Mistral’s Mixtral 8x7B, and Meta Llama 3 anonymously. The feature is free to use and has a daily limit. DuckDuckGo says that they anonymize all chats and that none of the chats are used for training AI models. You can switch the feature off if you want. 

Clearview AI to Give Americans a Stake In the Company

The facial recognition start-up Clearview AI, which scraped billions of photos from the web without users’ permission and was sued in an Illinois lawsuit for doing so, agreed to a somewhat unusual settlement. Rather than cash payouts, the company said it would give a collective 23% stake in its company to Americans who are in its database if the company is acquired or goes public. The judge gave the agreement preliminary approval.

Walmart to Introduce New Tracking 

Walmart already tracks and shares data with suppliers about customers who buy products. But its new insights solution, Walmart Insights (in beta), will collect and share data about customers as they are considering buying (i.e., browsing the site or app), even if they don’t make a purchase. According to an Inc.com article, the end goal is identifying a customer’s path from viewing an ad to making a physical purchase in-store. 

Google Database Leak Reveals Thousands of Privacy Incidents

An internal Google database leak reveals a number of previously undisclosed privacy issues across Google products, including children’s voices logged in the YouTube Kids apps and car license plates logged (at one point) by Google Maps. The database contains incidents reported internally between 2013 and 2018, and it was confirmed by Google as legitimate. Google also said that all documented breaches were flagged and resolved. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q:  Can you “unagree” to a privacy policy?

A: Sort of. 

If a privacy policy you previously agreed to changes or you suddenly realize that it wasn’t great to begin with, you can “unagree” to it (to some extent) by:

  • Stopping using the service.
  • Deactivating/deleting your account.
  • Sending the service an opt-out request to prevent it from sharing your data with third parties (though, depending on the service, this might only be an option for residents of specific states, like Californians covered by the CCPA).

In general, it’s always a good idea to read the privacy policy of any service before you start using it. Or, at least (privacy policies can be very long and very incomprehensible), the sections that matter most (like what data they collect, whom they share it with, whether they notify users when they make changes to the policy, etc.).

For a quick summary of internet services’ terms of service and privacy policies, check out Terms of Service; Didn’t Read.

Q: If I update a website with new information, like an email alias, will the website delete my old information?

A: Depends on the website’s internal data retention policy.

From personal anecdotes shared online, it does seem like websites keep old information even when users update it. That said, there’s no definitive answer. More than likely, it depends on each individual website/service/company and their internal policies.

Your best bet is to assume that the old information will be kept. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month. 

Laura Martisiute is DeleteMe’s content marketing specialist. Her job is to help DeleteMe communicate vital privacy information to the people that need it. Since joining DeleteMe in 2020, Laura h…