Between two and four million Dow Jones & Co. customers potentially had their personal information exposed because of a misconfigured database on a server. Dow Jones is calling the incident “data over-exposure” rather than a breach. The database was discovered by Chris Vickery of UpGuard.
According to this SC Magazine story, “The downloaded database contained customer names, internal Dow Jones customer IDs, and home and business addresses. Perhaps most critical was the inclusion of the last four digits of customer credit cards in the files, as well as customer email addresses also used to log in to their accounts.”
Those email addresses could be the most problematic. Combined with a customer’s name, address and the last four digits of a card, they give an attacker everything needed to write a convincing, targeted phishing email that appears to come from Dow Jones itself.
Phishing scams are one of the most common types of identity theft scams. “Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both,” according to the Federal Trade Commission.
Phishing scams can also be used to install ransomware and get access to your computer and important files. These types of scams are especially common after big data breaches. Following the huge Anthem attack in 2015, when 80 million records for current and former customers and employees were exposed, victims started receiving phishing emails encouraging recipients to click a link for credit monitoring services, as detailed in this CNBC.com story.
Based on how much personal information has been compromised in recent data breaches, identity thieves can craft very detailed, specific emails that could trick even a savvy consumer.
Here are some valuable tips from the Federal Trade Commission:
Be cautious about opening attachments or clicking on links in emails. Even your friend or family members’ accounts could be hacked. Files and links can contain malware that can weaken your computer’s security.
Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.
Make the call if you’re not sure. Do not respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If you think a company, friend or family member really does need personal information from you, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.
Turn on two-factor authentication. For accounts that support it, two-factor authentication requires both your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token. This protects your account even if your password is compromised. Note that a one-time code you type into a fake login page can still be relayed to the real site by the phisher, so where a service offers a hardware security key, prefer it over codes sent by text message.
As an extra precaution, you may want to choose more than one type of second authentication (e.g., a PIN) in case your primary method (such as a phone) is unavailable.
Back up your files to an external hard drive or cloud storage. Back up your files regularly to protect yourself against viruses or a ransomware attack, and keep at least one copy disconnected from your computer, since ransomware encrypts any drive it can reach.
Keep your security up to date. Use security software you trust, and make sure you set it to update automatically.
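The “Do your own typing” tip rests on a simple fact: the text of a link and the address it really opens are independent, and a phisher sets them separately. The Python script below is an added example, not code from the article or the FTC. It parses the anchors in a constructed HTML email body and flags any link whose visible address points at a different domain than its href. The domain comparison keeps the last two labels of the host name, an assumption that works for .com-style names but would need the public suffix list for country-code domains such as co.uk.

```python
"""Flag links whose visible text claims one domain while the href goes to another.

Added example for this article; not code from the article or the FTC.
SAMPLE_HTML is a constructed lure using reserved example/.invalid names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one disguised link, one tel: link, one honest link.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Confirm your account at
<a href="http://example-login.invalid/verify">https://www.example.com/account</a></p>
<p>Or call <a href="tel:+15555550100">our support line</a>.</p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host part of a URL; a bare 'www.example.com/path' is treated as http."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    try:
        return (urlparse(candidate).hostname or "").lower()
    except ValueError:  # malformed netloc (e.g. stray brackets)
        return ""


def registrable_domain(host):
    """Last two labels of a host name. Assumption: adequate for .com-style names;
    country-code domains (co.uk) would need the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return (href, text) pairs where the text looks like a web address but
    its domain differs from the domain the href really points to."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        if urlparse(href).scheme.lower() not in ("http", "https", ""):
            continue  # tel:, mailto: etc. have no web destination to compare
        text_host = host_of(text)
        if " " in text or "." not in text_host:
            continue  # plain words like "click here" make no domain claim
        if registrable_domain(text_host) != registrable_domain(host_of(href)):
            mismatches.append((href, text))
    return mismatches


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_HTML):
        print(f"link text says {text!r} but goes to {href!r}")
```

Run it directly to print the flagged links; in the sample, the lure displays www.example.com but actually leads to example-login.invalid, while the help link is honest and the tel: link is skipped. Hovering over a link in a mail client shows the real destination, which is the manual version of this check.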
Report phishing emails and texts.
- Forward phishing emails to email@example.com – and to the organization impersonated in the email. Your report is most effective when you include the full email header, but most email programs hide this information. To find out how to display it, search for the name of your email service together with “full email header” in your favorite search engine.
- File a report with the Federal Trade Commission at FTC.gov/complaint.
- Visit Identitytheft.gov. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.
- You can also report phishing emails to firstname.lastname@example.org. The Anti-Phishing Working Group — which includes ISPs, security vendors, financial institutions and law enforcement agencies — uses these reports to fight phishing.
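The full header matters because the header block, not the visible From line, records where a message really came from and what the receiving mail server concluded about it. The Python below is an added example, not code from the article, the FTC or the APWG. It reads a constructed raw message, compares the domain in From with the domain in Return-Path (where bounces actually go), and pulls the SPF, DKIM and DMARC verdicts out of the receiving server’s Authentication-Results header. Host names and IP addresses in the samples are reserved example values, and the trusted server name mx.example.net is an assumption standing in for your own provider.

```python
"""Read a phishing message's full headers and check sender alignment and
the receiving server's SPF/DKIM/DMARC verdicts.

Added example for this article; not code from the article, the FTC or the APWG.
Both raw messages are constructed; hosts and addresses use reserved example values.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed lure: the visible From claims example.com, but the envelope sender,
# the relaying host and the receiver's authentication checks all say otherwise.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer-42.invalid>
Received: from mailer-42.invalid (mailer-42.invalid [192.0.2.10])
\tby mx.example.net with ESMTP id 7F3A1; Tue, 18 Jul 2017 09:12:33 +0000
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=mailer-42.invalid;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "Customer Support" <support@example.com>
To: customer@example.net
Subject: Free credit monitoring after the recent data exposure
Content-Type: text/plain; charset=us-ascii

Click the link below to enroll in free credit monitoring.
"""

# Constructed legitimate message for comparison: domains align and checks pass.
CLEAN_MESSAGE = b"""\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net;
\tspf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com;
\tdmarc=pass header.from=example.com
From: "Customer Support" <support@example.com>
To: customer@example.net
Subject: Your monthly statement is available

Log in to view your statement.
"""


def domain_of(header_value):
    """'Name <user@host>' -> 'host' (lower-cased); '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """'mx; spf=fail smtp.mailfrom=x; dkim=none' -> {'spf': 'fail', 'dkim': 'none'}.
    The first ';'-separated field is the authserv-id (the server that did the checks)."""
    results = {}
    for clause in str(value).split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        words = rest.split()
        results[method.strip().lower()] = words[0].lower() if words else ""
    return results


def assess_headers(raw, trusted_authserv="mx.example.net"):
    """Summarise sender alignment and authentication evidence in a raw message.
    trusted_authserv (assumption: your own provider's authserv-id) guards against an
    Authentication-Results header that the sender forged and inserted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    ar_value = str(msg.get("Authentication-Results", ""))
    auth = {}
    if ar_value.split(";", 1)[0].strip().lower() == trusted_authserv:
        auth = parse_auth_results(ar_value)
    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"From says {from_domain} but bounces go to {return_path_domain}")
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} = {verdict}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", RAW_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, assess_headers(raw)["findings"])
```

Only trust an Authentication-Results header whose first field names your own provider: a sender can insert a fake one, which is why receiving servers are expected to strip foreign copies on the way in and why the script ignores any header whose authserv-id is not the trusted one. The lure in the sample produces four findings (misaligned Return-Path plus failing SPF, DKIM and DMARC); the clean message produces none.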
Is your business covered for a data breach?