Beyond the data breach singularity - why your online identity may never be safe again
You can change your password, but you can't change your fingerprints or date of birth.
Data breaches have become an epidemic -- and the rate at which large organisations are finding themselves victimised by hackers seems only to be on the up.
Add to this the fact that, across a series of hacks in recent years, cyberthieves have made off with more than just email addresses and passwords -- they also stole sensitive information about individuals' identities such as dates of birth and even fingerprint records.
That personal data is even more valuable to malicious users because, unlike a password, it can't be changed -- and it gives cybercriminals everything they need to mimic your identity.
"With a credit card, you can call the provider, cancel it and change the details -- but you can't change your date of birth," says Udi Mokady, CEO of cybersecurity firm CyberArk.
"Your name, address, social security number -- when they grab those they have a higher marketable value and they're much harder to change. It's scary. In the [US Office of Personnel Management] hack, they even stole millions of fingerprint records and that's something you certainly can't change."
Even if the cybercriminal forum where the personal data resides is taken down, it's already too late because the information will have been sold on and duplicated again and again. "Once it's out there, it's out there, and it's changing hands," Mokady adds.
If it's your name, date of birth, or address that's been stolen, you can't realistically change those personal details and they may be permanently available to cybercriminals.
"We have to [be] proactive because we're at the point where if we lose that type of data there's no way of getting it back," says Andre McGregor, a former FBI cyber special agent and now director of security at Tanium.
Being proactive is key to any effort to keep your identity safe online, because according to James Chappell, CTO of Digital Shadows, we're almost at a point of no return with data breaches and leaked details.
"We're heading towards the breach singularity. We're getting to a point now where pretty much all of our credentials are known online in one form or another," he says.
So what can you do to protect yourself from becoming a victim of cybercrime or online fraud, if your data is readily available on the dark web?
"All of the good advice still applies -- so having different passwords for different websites, making sure that you update your passwords on a frequent basis, using two-factor authentication when it's available. All of those things are effective protections you can take with user ID and password compromises," Chappell says.
However, he concedes that it "becomes a lot more difficult" when information like your name and date of birth are online because that allows a fraudster to do a lot more.
"The only really effective tool available to you is to continually monitor uses of that information on an ongoing basis," says Chappell.
CyberArk's Mokady issues similar advice: "People need to pay attention and try to change what is changeable and be cautious about financial transactions happening around them," he says.
But does the average person have enough wherewithal to do this?
Cris Thomas, strategist at Tenable Network Security and founding member of the hacker think tank L0pht Heavy Industries, doesn't think so.
"For the average user, this is a risk and it will continue to be a risk. Most people won't even be aware that their information is out. There are websites which have been set up where you can enter your email address and see if it's in a massive breach," he says.
"But most people aren't even going to bother doing that, so they're not going to know if their information is out there and compromised -- and then [they'll] get their bank account drained and credit card details stolen," Thomas adds.
If it wasn't time to pay attention to every hack and data breach before, it's definitely time to do so now -- no matter who you are.