Each time there’s a high-profile data breach, security experts urge the same best practices: Create unique logins for every service you use, use complex passwords, vigilantly comb your credit card statements for anomalies. The advice is sound. Unfortunately, it obscures the fact that the safety of your personal information is ultimately in the hands of companies you share it with.
Identity theft is changing. Customer databases are a treasure trove of personal information and much more efficient for hackers to target than individuals. In this new landscape, the guidelines security experts—and journalists like me—espouse are really just damage-control measures that minimize the impact of a successful attack after the fact, but do absolutely nothing to protect your personal data or financial information from the attack itself.
Look back on some of the major data breach incidents of 2013. Adobe was hacked, and attackers gained access to customer account information for nearly 150 million users, as well as credit-card information from nearly three million customers. Target was hacked, and the credit- or debit-card details for 40 million customers were exposed. In those cases, there was little any individual consumer could have done to avoid being affected.
This week it was revealed that an EA Games server was compromised, and the attackers launched a phishing attack aimed at capturing Apple ID account information. In this case, there doesn’t seem to be a direct compromise of user data, and hopefully users won’t fall for the phishing scam and share account details with the attackers. But it illustrates the same point: With identity thieves targeting companies rather than individuals, your personal data is vulnerable no matter how well you, personally, protect it.
Of course, if you accept that a data breach is more a matter of “when” than “if,” then it still makes sense for you to do everything that is in your power to safeguard your personal information and minimize the fallout. Attackers can crack any password given enough time, but in cases like the Adobe breach, the millions of accounts using silly passwords like “123456” are much easier to victimize.
You also need to accept that preventing the data from being compromised in the first place is the responsibility of the site or service and is out of your direct control.
The one area where you have the most influence in this regard is your ability to choose which companies you do business with. Be discriminating about where you share sensitive information, and exactly which information you entrust to third parties. If a company shows a lack of regard for protecting your data, move on.