Personal Security After Data Breaches

Yes, I have seen similar too.

Heck, my own mail server is configured to reject all email from suspect TLDs in appropriate circumstances (since those domains are the source of so much spam - however in my case .one is accepted just fine i.e. not regarded as a suspect TLD, nor a source of spam). In my case it is neither database nor hard-coded; it is config.

However, just so we are all on the same page, we were talking (digressing! :wink:) about postal address / street address i.e. physical, real-world address, rather than email address.

1 Like

I just got notified by my former mortgage company (from 7 years ago) that my private data was stolen, including:

  • name
  • address
  • phone number
  • email address
  • Social Security number
  • date of birth

They’re offering only 2 years of credit monitoring from a single major credit bureau, not all of the major credit bureaus.

The hits just keep on coming. I’ve lost track of how many data breaches have hit me.

Guess I’ll be initiating a security freeze now.

1 Like

In contrast, I do not consider any of those listed values as private from my perspective, as they deal with the public in some way or another. At least with anything relating to credit, you can forge a pathway to becoming unbanked.

Yes, but just having one or two of them can enable criminals to take over my accounts and/or apply for credit in my name, then default on the payment, or they could conceivably gain access to my bank or investment accounts and drain them. Especially with phone numbers plus a couple bits of additional info.

I don’t want to be “unbanked.” :wink:

3 Likes

Right, well you can always change the rest of the values except the SSN and DOB, although the process is quite the hassle.

Yep. I have changed and compartmentalized phone numbers and (lots of new) email addresses, and my physical address, fortunately. Maybe I should finally just change my name: “Amarok Smith” has a nice ring to it…

2 Likes

If you are serious about it, then I highly suggest that you do so when you have ample time, as renewing every identification document and public credentials is time-consuming. It is also a great opportunity to reflect upon these dependencies and whether or not they should continue to exist after your name transition.

1 Like

Going off-grid, so to speak, would make for an interesting discussion. You should start a thread.

1 Like

Maybe, but I already have “off-grid” practices and objectives in my life, so I do not need to create a thread for it. If the thread is created by someone else, I will contribute practical suggestions no differently than this one.

FWIW, I’m working (albeit slowly) on a data retention policy for Purism and will consider publishing it once it is more mature (and I verify legal data retention requirements). In general, the current operating policy is that customer data is retained for the shortest amount of time possible that still allows for product warranties (i.e. if we don’t store your info, we don’t have a method to know who you are or RMA your equipment) and follows legal requirements (i.e. tax returns, etc etc). As Purism ships products globally, legal requirements get a bit messy since different countries have different legal requirements regarding data retention, invoice information accountability, and taxes.

1 Like

I wonder if data breachers are in league with security companies so they can offer the “2-years free” sales pitch?

I’ve never accepted any of these offers for credit monitoring after all the data breaches I’ve been caught up in, because I felt that it was kind of unhelpful, especially after data theft by foreign state actors (as opposed to run-of-the-mill criminals), and that the cure might be worse than the disease (propagating my private information here, there, and everywhere in order to “protect” it).

And, too, I get real-time credit alerts from my credit card issuers anyway.

Now, though, with data theft occurring ever more frequently, everywhere, I think I might as well start accepting every offer of monitoring that comes along, and have active “protection” in perpetuity. At the very least, it racks up costs for the entities that failed to provide adequate safeguards for my data.

The government here is certainly doing nothing meaningful for consumer protection, as far as fines and penalties.

3 Likes

Your personal security is your responsibility, not the government or other third-party entities. It is up to you to assess whether or not trusting you or them will solve your own issues; I am firmly of the former stance.

Just change the caption on this old pic, "My data has been stolen and NSA won’t arrest the culprits."

[image: nsa-joke-backup-meme-crop]

(Warning: I’ve used this pic before.)

1 Like

I recommend The Ransomware Hunting Team by Renee Dudley and Daniel Golden to learn of the codependency of data breachers, insurance companies, and commercial ransomware mitigation “services” and how some government agencies in some countries ignored the problem when it was still small enough to do something about precisely because it was “too small”. (And the story of a small international band of ransomware crackers and police in a smallish European country successfully partially mitigated attacks.) The Ransomware Hunting Team - Wikipedia

Spoiler:

The companies sometimes used info actually from the amateurs to break the encryption of ransomware victims but mostly acted as “negotiators” for “reduced” ransoms. Usually the negotiated ransom was less than the cost of recovering from backup so insurance companies would pay up.

1 Like

This looks interesting: https://remover.visiblelabs.org/

  • Free to use.
  • Source code hosted on GitHub; buildable yourself, if desired.
  • Works internationally.
  • Completely automated.
  • Sends formulaic deletion request to brokers, with your name and address (only), plus your provided email address (for direct responses from the data brokers).
  • Repeatable every 45 days.
  • Only your email address is stored at Visible once it has been hashed (SHA256), and is deleted after 45 days; name & address is only used to generate the one-time deletion request emails.

I’m testing it.

EDIT: Already getting confirmations of data deletions or “data not found” replies from the brokers.

2 Likes
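As an added illustration of the retention scheme the list above describes (this is not the Visible Labs code, whose internals are not on this page), the Python below models it: the email address is kept only as a SHA-256 digest, that digest is dropped after 45 days, and a repeat deletion request is accepted only once the 45-day window has passed. The `RequestLedger` class, its method names and the sample address are assumptions made for the example; the name and address are used only to build the outgoing request text and are never stored.

```python
import hashlib
from datetime import datetime, timedelta

# Retention window from the post: digests live at most 45 days, and a
# request can be repeated every 45 days.
RETENTION = timedelta(days=45)


def fingerprint(email: str) -> str:
    """Return the SHA-256 hex digest of a normalized address.

    Only this digest is ever retained; the address itself is not.
    """
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_request(name: str, address: str, reply_to: str) -> str:
    """Compose the formulaic one-time deletion request text (assumed wording)."""
    return (
        f"Please delete all personal data you hold on {name}, {address}.\n"
        f"Send confirmation to {reply_to}."
    )


class RequestLedger:
    """Assumed in-memory ledger mapping email digest -> time of last request."""

    def __init__(self) -> None:
        self._last_request: dict[str, datetime] = {}

    def stored_values(self) -> list[str]:
        """Everything the ledger retains (used to check no plaintext leaks)."""
        return list(self._last_request)

    def purge_expired(self, now: datetime) -> int:
        """Drop digests older than the retention window; return how many."""
        expired = [d for d, t in self._last_request.items() if now - t >= RETENTION]
        for digest in expired:
            del self._last_request[digest]
        return len(expired)

    def can_submit(self, email: str, now: datetime) -> bool:
        """A new request is allowed once no live digest exists for this address."""
        self.purge_expired(now)
        return fingerprint(email) not in self._last_request

    def submit(self, name: str, address: str, email: str, now: datetime):
        """Build the request and record only the digest; None if too early."""
        if not self.can_submit(email, now):
            return None
        text = build_request(name, address, email)
        self._last_request[fingerprint(email)] = now
        return text


if __name__ == "__main__":
    # Constructed sample values, not real people or dates.
    ledger = RequestLedger()
    t0 = datetime(2024, 1, 1)
    print(ledger.submit("Jane Doe", "1 Example St", "jane@example.com", t0))
    print("repeat after 10 days allowed:",
          ledger.can_submit("jane@example.com", t0 + timedelta(days=10)))
    print("repeat after 45 days allowed:",
          ledger.can_submit("jane@example.com", t0 + timedelta(days=45)))
```

One caveat worth keeping in mind when reading the list above: a plain SHA-256 digest of an email address is a pseudonym rather than anonymization, since anyone holding the digest can confirm a guessed address simply by hashing it. A service wanting stronger protection would key the hash with a server-side secret (an HMAC); the model here follows the page's description and uses unkeyed SHA-256.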

You should also inspect the other side of the coin.

1 Like

The California DELETE Act is now law! It will be a while before the actual opt-out “button” is available to California consumers, though.

This article contains the timeline: https://www.privacyworld.blog/2023/12/california-delete-act-imposes-new-obligations-on-data-brokers/

2 Likes

10 Minutes of Delete:

Just needs an army of Cybermen to go through Big Tech … DELETE DELETE DELETE DELETE …

2 Likes