#6 Cybersec Charcha: What comes after Breach Pe Breach?

In previous editions of Cybersec Charcha, we discussed what you could do to protect your data from being stolen and how to best implement strong digital security practices to protect yourself and your sensitive information. However, we haven’t yet looked at what you can do to take back control — if your data has already been compromised in a data breach.

Data breaches are now becoming increasingly common. In 2021 alone, we have seen some of the most serious instances of data breaches — both in India and around the world. In a scenario like this, it becomes really important to learn not only how you can protect yourself, but also the measures you can take if your data is leaked in a data breach.

In the sixth edition of Cybersec Charcha, we’ll be exploring what you can do to take back control in the aftermath of a data breach.

1. Confirm the breach and and figure out if your information was stolen:

The first step is to confirm if the breach actually occurred. Rely on information from independent security researchers and trustworthy news outlets to confirm if a breach occurred. Make sure you don’t fall for rumours circulating on Twitter and always verify information from 3-4 independent sources.

When a prominent data breach occurs, many scammers may also reach out to you posing as an employee of the breached company and try to gather more of your personal information. It’s important you don’t fall for this. Instead visit the company’s website or try contacting them via email or a phone call. Additionally, you can also check if your data has been breached in a recent or past data breach here.

2. Understand what type of data was breached:

Your next steps will depend on what kind of data was leaked. If it is email or password information that has been compromised, in most cases it is fairly straightforward to change your passwords everywhere.

In case your financial information like credit card details are leaked, you should contact your bank and cancel your card immediately. However, in case of a leak of your Aadhaar number it might be difficult to change or cancel your existing Aadhaar number. Similarly, if information like your phone number was leaked, you can change your number although this can be a difficult one to implement in practice. As a general practice though, you should avoid giving out your number to places that don’t require access to it to provide you with their services.  

3. Change and strengthen your online log-ins, Security QnA and Passwords:

It is really important to change all your passwords in case your credentials have been leaked in a data breach. Additionally, it’s also important to not repeat the same passwords everywhere and not include any Personally Identifiable Information (PII) like birth date, anniversary or parents / spouses’ names in your passwords. Your PII is easily available in the public domain and can make your passwords easy to crack. Here's a great guide by the Electronic Frontier Foundation that will help you create strong passwords. Spoiler alert: Use a password manager! More on password managers in the previous edition of Cybersec Charcha.

You should also update the security questions associated with your account. However, a thing to note is that security questions are fundamentally insecure. Most of us pick security questions that are dangerously guessable (like your mother's name - this information is probably out in the public domain already and hence easy to crack!) so it might be a better idea to answer your security questions with lies only you will remember. Ideally, use a random string of characters as your answers instead of giving up meaningful information.

One of the most important steps to take is to make sure you enable 2 Factor Authentication on your accounts. This will provide an extra layer of security to your digital account and will make it harder for malicious actors to gain access, even when your password has been compromised.

4. Contact the right people who can help secure your account:

In case of leaked credit cards or other financial information, it is important to reach out to the particular financial institution(s) and cancel your card(s) immediately, alongside asking for a new one to be assigned. It’s also prudent to check past transactions in case there were any unrecognisable expenses that were made around the time you found out about the breach.  

5.  Maintain Encrypted Backups and update your software:

Maintaining encrypted backups can help you recover your data if it has been lost in a data breach or a ransomware attack. Updating your software systems also becomes very important in case of a ransomware attack that exploits security vulnerabilities in a previous version of your operating system. In such a case, an updated software might protect your device and data from being compromised or stolen.  

6. Inform others whose information may be compromised due to a breach of security in your systems:

Privacy and security don’t exist in silos; Harm reduction is collective. Because of the many ways our digital lives are inherently intertwined, it’s important to remember that we are responsible for each others’ safety and privacy. If your communications data has been compromised, it impacts those who are communicating with you as well. In such a case, if you become aware that your conversations with someone may have also been breached, you must responsibly disclose this to the people whom it impacts. This will help them take the necessary next steps to secure themselves and their data, as well as plan for it in a better way. This way we can ​coordinate to reduce threats and vulnerabilities that affect people in our lives — such as our co-workers, family members or friends.

In other news…

1. Why you should stop using SMS for 2 Factor Authentication:

In our newsletter, we’ve often stated that it’s not a good idea to use SMS based 2 Factor Authentication (2FA). This helpful guide by CyberNews helps us understand exactly why SMS based 2FA is insecure, and why you should use an Authenticator App instead.

Don’t know what 2FA is? Don’t worry, we’ve got you covered!

2. A chilling report by yet another journalist targeted with Pegasus:

Since the revelations around the Pegasus Project, there have been multiple reports of people who were targeted with the spyware. The latest comes from Ben Hubbard, an NYT correspondent who covers the Middle East and had his phone hacked twice. It is yet another reminder that we need to hold governments and the trade around this kind of spyware accountable.

In more India specific news, the Supreme Court has appointed a committee to examine the use of Pegasus spyware in India. This is a promising development that may drive some accountability towards the government’s use of the spyware on its citizens. You can read more about the Supreme Court’s decision here.

That’s it for this edition! But if you like staying updated with the latest digital security related developments, consider joining IFF’s Telegram channel. We post regular cybersecurity tips and updates on there, and it’s a great way to engage with the community.

Lastly, if you like the work we do, consider donating to IFF and help us reach our goal of raising 30,00,000 INR by the end of 2021! We’re already halfway there and could use every little bit of help. Recommend our work to your friends and family, and keep talking about digital rights.