Have you ever thought twice about clicking “send” after drafting an email? We’re sure you have; everyone has. The most common reasons involve editing the text for clarity, context, or tone. Sometimes you verify the email addresses for the “to” field. These are all great measures that everyone can — and should — take before sending an email, especially one with sensitive data enclosed.
Yet, accidents happen. A recent accidental keystroke shared an email to an incorrect distribution list, which included the unencrypted personal data of more than 20,000 U.S. Marines, their families, and civilians. Social security numbers, bank details, credit card information, home and mailing addresses, and emergency contact information were all disclosed. Does this fall under the label of “data breach” if the disclosure was part of an “oops” and not a cyber attack?
Marine Forces Reserve spokesperson Andrew Aranda has said the Marines’ IT staff is reviewing cybersecurity and information assurance processes to update their overall guidelines and to better train team members at every level. More importantly, this was an accident without malicious intent, and a cybersecurity vulnerability was not the cause. Additionally, the United States Armed Forces branches fully understand the great responsibility to protect highly-confidential personally identifiable information (PII) stored in their records and a lengthy history of excellence in this arena.
More than 20,000 individuals will now need to diligently check their credit report on a regular basis to ensure this disclosure doesn’t leave them open to identity theft. Add to this number the family members potentially impacted, and the full amount affected could double or triple. This is a story too well-known by millions of Americans in recent years. Customers of Anthem, Target, eBay, and The Home Depot are just a few examples of organizations whose customers have been impacted by data breaches. Cybercriminals and cyberterrorists — hackers — are just waiting for a weakness to exploit. This introduces two key questions:
How effective are an organization’s cybersecurity protocols and training?
What can consumers do to protect themselves if they’ve been impacted by a data breach?
How aware are the individuals behind this incident of security protocols and risks? The basic information assurance training from as recent as a year ago isn’t current for today’s needs as a means of self-awareness and protection.
What is information assurance? When information is processed, stored, or transmitted (data) involving systems, there are risks. Information assurance is the effort a group takes to protect this data and these systems to ensure the security of the data and minimize risks involved.
The focus of information assurance is on the security of data. While “protection of data” may not be the first concept that comes to mind when you think of the United States armed forces, the protection of its people is an inherent byproduct of its very nature. The military does not operate in the same ways as Corporate America, with many factors contributing to the differences. One thing is certain: the military takes its duty to serve and protect American citizens very seriously and is dedicated to assisting those impacted.
How can consumers protect themselves?
As we already mentioned, check credit reports regularly. Once a cybercriminal has a name, address, and a few pieces of personal information, this data can be used to misrepresent an identity online.
Anyone can add a fraud alert to their credit report with each credit reporting agency for added protection. This will prompt a two-step verification process for any attempt to open a new account in someone’s name, and is a very helpful feature to protect someone’s identity from being used by other parties.
Aside from checking credit reports, we strongly suggest changing all passwords. Most importantly, start with changing passwords for online banking, credit cards, email, and social media accounts. After these, move on to seemingly innocuous accounts like the United States Post Office and those for magazines or local newspapers, with active subscriptions.
It’s worth it to keep a list of all locations with usernames and passwords. Imagine how helpful this list might be in this situation, cutting response time drastically and potentially reducing the overall impact. Just don’t store the list somewhere online, like email. If that is the first thing a hacker can access, they have access to everything after discovering this data goldmine!
Make sure new passwords created are complex, using a combination of capital and lowercase letters, numbers, and symbols like ?!@#$%.
Change passwords on desktop systems to prevent a sophisticated hacker from accessing further personal data, or giving them the smallest access point to plant a virus or ransomware, or even mine cryptocurrency.
Running the most recent updates and install these packages immediately will help close any security gaps discovered by operating system manufacturers and application developers.
In this case, credit card numbers were included in the disclosed data. It’s a huge pain, but it’s worth it in the long run for protection to report the accounts as compromised and have new card numbers issued.
Every day brings a story of new ways hackers use to access PII of consumers and how this information is used to their advantage – and to the detriment of the consumers affected. Consumers need to regularly assess their risk and do their best to eliminate the unknown, where possible by taking these measures to protect themselves. Maintaining a realistic perspective on this risk will be instrumental as “an ounce of prevention” here.
In modern days of digital communication, we can never be too careful as hackers are becoming far more sophisticated and staying one step ahead of consumers. Imagine if cybercriminals used their power for good!
Don’t let one mistake cause years of hassles and headaches – talk to an expert if you think you’ve been compromised in this or any other data breach, and protect yourself.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.