How to Protect Your Information after the Potentially Largest Data Breach Ever
BU computer engineer Manuel Egele on why we’re vulnerable and what we can do to protect ourselves
If the torrid rush of data breaches during the first half of 2024 holds, there will be more than last year, which logged 72 percent more than the year before. The latest prominent victim was National Public Data, a firm that conducts background checks on job applicants and consumers. It was hacked earlier in the year, with millions of Social Security numbers compromised—or billions if you include those of dead people, according to a lawsuit against the company—in potentially the largest data breach ever.
Actually, reported breaches may be an undercount, as not all are reported, says Manuel Egele, an associate professor of electrical and computer engineering at the College of Engineering, who also has an appointment in the College of Arts & Sciences. That’s despite the fact that all 50 states, the District of Columbia, and some US territories require hacked companies to notify affected parties.
BU Today asked Egele about the surge in data attacks and what, if anything, individuals can do to protect themselves.
This interview has been edited for brevity and clarity.
Q&A with Manuel Egele
BU Today: Why have there been so many breaches?
Egele: Potentially, because companies are becoming more aware of the issue. It would be great if they [have] invested in security and monitored better; in the past, it just went unnoticed. There are many data breaches and successful attacks that lasted for years before they were detected.
BU Today: Do we know what kind of data thieves are most interested in obtaining?
Egele: Thieves are entirely opportunistic. They will get whatever they can. If they can break into a system, they will download the database to the extent that they have access, and then whatever is in there is gone. If it was a newspaper website, you get email addresses, and if they didn’t do proper security, you get the passwords [for the paper’s paywall].
A lot of people reuse their passwords [for multiple sites]. And then, as an attacker, you’re off to the races. You can take those email addresses and passwords and try them at other venues. Maybe you use the same email address and password on your Facebook account; now, I [the hacker] know all your friends and whatever information you have on your Facebook.
BU Today: Is it possible to foolproof your data?
Egele: You can never get to 100 percent security. You can make it harder and harder for the bad guys to siphon off the data, especially if you’re talking about companies that have deeper pockets; they should be investing in that. But there is an asymmetry in security between attack and defense. For a defense to be good, you need to be able to defend against as many attacks as possible, and the attacker only needs to find one angle that you forgot.
There is a very good example—Apple. A lot of attackers will just try “password stuffing”: log into an online service with an email address, and then just try popular passwords—“123456,” “password,” “admin.” And then just try what works. To thwart this, what Apple did for all their online properties was, after your third try, you have to wait for 10 seconds. After your fifth try, you have to wait for a minute. And then it becomes really, really laborious and time-intensive for an adversary to try thousands of different passwords, thwarting a lot of attacks.
The only problem was on Find My iPhone [an app to find lost devices]—they forgot to put in this wait. So you have to wait everywhere on Apple except on Find My iPhone. Adversaries figured out that Apple forgot this defense. That’s where they compromised and breached a lot of very popular iCloud accounts.
As a defender, you need to cover all your bases. As the attacker, you only need to find one base that is not covered.
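The escalating delay Egele describes, written out as an added example (not Apple's code): the thresholds are the ones quoted above (10 seconds after the third failed try, a minute after the fifth); the account name and the manually supplied clock are constructed for the example, and `attempt` is the single shared entry point that the Find My iPhone endpoint, in the story above, effectively skipped.

```python
from dataclasses import dataclass, field

def required_delay(failures: int) -> float:
    """Seconds to wait before the next try after this many consecutive failures."""
    if failures >= 5:
        return 60.0
    if failures >= 3:
        return 10.0
    return 0.0

@dataclass
class LoginThrottle:
    failures: dict = field(default_factory=dict)      # account -> failed count
    last_failure: dict = field(default_factory=dict)  # account -> time of last failure

    def remaining_wait(self, account: str, now: float) -> float:
        """Seconds still to wait for this account; 0.0 means proceed."""
        wait = required_delay(self.failures.get(account, 0))
        elapsed = now - self.last_failure.get(account, now)
        return max(0.0, wait - elapsed)

    def record(self, account: str, success: bool, now: float) -> None:
        """A correct password clears the counter; a wrong one bumps it."""
        if success:
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
            self.last_failure[account] = now

def attempt(throttle: LoginThrottle, account: str, password_ok: bool, now: float) -> tuple:
    """The one entry point every login endpoint must call; an endpoint that
    checks the password without calling this is the uncovered base."""
    wait = throttle.remaining_wait(account, now)
    if wait > 0:
        return ("wait", wait)  # refused before the password is even checked
    throttle.record(account, password_ok, now)
    return ("ok", 0.0) if password_ok else ("denied", 0.0)

def guesses_evaluated(times: list) -> int:
    """How many wrong guesses, fired at these times against a fresh throttle,
    actually get their password checked (constructed account name)."""
    throttle = LoginThrottle()
    results = [attempt(throttle, "victim@example.com", False, t) for t in times]
    return sum(1 for status, _ in results if status == "denied")
```

Ten wrong guesses one second apart get only three password checks; the rest are refused before the password is looked at.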
BU Today: Is the government doing anything to protect our data?
Egele: When it comes to high-profile targets, news stories have said that the government was informing this-and-that banking organization that, hey, someone broke into your system. So the government is certainly on the lookout for malicious activity. I don’t think the government has the resources or the obligation to do that for any run-of-the-mill mom-and-pop shop.
One that immediately comes to mind is Equifax about eight years ago, where the company was just very sloppy on their security practices, running software that was outdated, that had patches for known security vulnerabilities that they did not apply. A lot of their data got compromised, including, again, millions of Social Security numbers. [The federal and state governments settled with the company to pay up to $425 million to help affected parties.]
BU Today: How concerned should average people be? Are there precautions we can take?
Egele: If your email provider sends you a notification [their] database got compromised, it’s a good idea for that service to change your password. That is an organization that you have a relation with. For things like the National Public Data situation, almost nobody had a direct relationship with them. Almost nobody knew that their data might potentially be with them. However, good practices that people can easily follow [include having] different passwords for all the sites, all the services that you interact with. Which puts a lot of mental strain [on you] if you try to remember your passwords. So use a password manager.
Have they been hacked? Yes. However, if they’re implemented securely, it’s not immediately a problem for the individual users, because all the data that they store is encrypted under a key derived from your master password. If your master password cannot be easily brute-forced, then your password, your data and your passwords, are still protected by that.
Multifactor authentication will be the next aspect for good cyber-hygiene, like what BU does. BU uses Duo. There are many others. Have multiple factors of authentication, especially for services where you have direct impact if your service gets compromised. So for online banking, for example, you should not do without two-factor authentication.
There’s one more aspect in terms of cyber hygiene. Individual users can freeze their credit reports [from] credit reporting bureaus. Freezes are free. What this means, essentially, is that no one can open a new line of credit in your name while the freeze is in place. If you are applying for a new credit card, you will have to go and thaw the freeze first, and then you can get the credit card instated or mortgage or car loan. I’ve had my credit files frozen for the last eight years at least. What I did, when applying for a loan, is ask the company that issues the loan, which credit bureau are you inquiring with? I go to that credit bureau, I put a temporary thaw on the freeze—say, for the next 48 hours—so you can give it to the loan originator. After 24 or 48 hours, it automatically goes back to frozen, so I don’t have to go back and do anything.
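The password-manager point above, that a stolen vault is only as safe as the key derived from the master password, as an added example (not any vendor's code): it shows the key derivation and the unlock check only, and leaves out the authenticated encryption of the entries that a real manager performs under that key. The salt, the iteration count and the verifier label are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 cost chosen for the example; production managers use more

def derive_key(master: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, 32)

def create_vault(master: str, iterations: int = ITERATIONS) -> dict:
    """What a thief who copies the vault file sees: salt, cost and a verifier
    tag, never the key or the master password itself."""
    salt = os.urandom(16)  # per-vault random salt, stored in the clear
    key = derive_key(master, salt, iterations)
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": tag}

def unlock(vault: dict, master: str) -> Optional[bytes]:
    """Re-derive the key and compare the verifier in constant time; the key
    is handed back only on a match, so the entries stay unreadable otherwise."""
    key = derive_key(master, vault["salt"], vault["iterations"])
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return key if hmac.compare_digest(tag, vault["check"]) else None

def guesses_per_day(iterations: int = ITERATIONS) -> float:
    """Rough single-core guessing rate against a stolen vault: each guess costs
    one full derivation, so the cost parameter and the strength of the master
    password together decide how long the data stays protected."""
    start = time.perf_counter()
    derive_key("guess", b"\x00" * 16, iterations)
    return 86_400 / (time.perf_counter() - start)
```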