What Is an “Over-Exposure” of Your Data?
The Identity Theft Resource Center has been tracking data breaches for years and has basically seen it all.
There have been events in which hackers stole the information for millions of credit card accounts. Some breaches have included usernames and passwords for more than a billion email accounts, while others have exposed the complete records—containing all the PII for each of the victims—for just a few hundred individuals, which is only a handful of people in comparison.
There are different outcomes in many data breaches, of course. What kind of information was stolen? Did the hackers get enough information to lead to identity theft? Can the victims’ finances be impacted? Will they need credit monitoring to watch for suspicious or criminal activity?
The type of breach can vary greatly, too. Was it an inside job by an employee with access to records? Did hackers break through what was supposed to be a secured network? Did someone throw away large amounts of papers that contain sensitive information? Did an employee intentionally but innocently forward information to someone who pretended to be the boss?
One other distinction that was recently reported involves an event in which the victims say it wasn’t actually a data breach, but rather just a “data over-exposure.” What’s the difference? For some states and their notification laws, there might not be a difference. But in the case of Dow Jones & Co. and its four million customers, whose information was accidentally left open to the public on an unsecured server, the company claims it wasn’t a breach.
There are some minor differences here. First, the data was stored exactly where Dow Jones planned for it to go, but the way it was set up on the Amazon S3 web hosting server left it accessible to others with Amazon web authentication. A security researcher found the information during an intentional search for unsecured databases, and so far no unauthorized activity has been reported with the information.
This might be important to Dow Jones, but their approximately four million customers might not feel that this is so minor. The accessible database contained customers’ names, their in-house customer IDs, along with their home and business addresses. The most alarming information was the last four digits of the credit card the victims stored in their customer records, along with their email addresses. This information and the news surrounding the data breach mean victims can certainly expect phishing emails that can lead to scams.
No matter how a breach occurs—or whether it was even a full-fledged breach or simply a mislabeled security protocol—consumers need to be prepared to take their security into their own hands. Monitoring their accounts carefully, practicing good password safety, and taking action against suspicious activity immediately can help no matter how their information fell into the wrong hands.
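For organizations that store customer records on Amazon S3, the setup described above (data readable by "others with Amazon web authentication") is something a bucket owner can check for. The following is an added example, not code from the original article or from Dow Jones; it assumes the exposure corresponds to an S3 ACL grant to the predefined AuthenticatedUsers group, and the function name and sample ACL are constructed for illustration.

```python
import json

# Predefined S3 grantee groups that reach beyond the bucket owner's account.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any signed-in AWS account, not only the owner's",
}

# What each bucket-level ACL permission lets the grantee do.
EFFECT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "read, write and change permissions",
}

def find_broad_grants(acl):
    """Return (group, permission, description) for each grant to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in BROAD_GROUPS:
            perm = grant.get("Permission", "")
            group = uri.rsplit("/", 1)[-1]
            effect = EFFECT.get(perm, "use " + perm)
            findings.append((group, perm, f"{BROAD_GROUPS[uri]} can {effect}"))
    return findings

# Constructed sample in the shape returned by `aws s3api get-bucket-acl`.
# Assumption: the exposure in the article maps to a grant like the second one.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")

if __name__ == "__main__":
    for group, perm, why in find_broad_grants(SAMPLE_ACL):
        print(f"{group} {perm}: {why}")
```

An empty result means no ACL grant reaches outside the owner's account; bucket policies are a separate access path that this check does not cover.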