The Quest for Security in a Data Breach World


This morning began with my coworker warning all of us to monitor our credit if we don't do so already. Quest Diagnostics, the popular lab most of us in the office and most of you get your bloodwork done at, got hit with a data breach on May 31st. 12 million people potentially had personal, financial and medical information breached due to an issue with one of its vendors.¹ As desensitized to cyber attacks as I am, working at a tech company and all, this one actually worries me- and it should worry you too.

"In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018, and March 30, 2019, that someone had unauthorized access to the systems of AMCA, a billing collections vendor. The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),"¹ 
[UPDATE 6/5/19 11:00 AM] 
As of this morning, LabCorp, another bloodwork facility, has had the same data breach affecting 7.7 million people. "LabCorp said its third-party billing collections vendor, American Medical Collection Agency, notified the bloodwork company that hackers gained access to AMCA's online payment system. The unauthorized access took place between August 1, 2018, and March 30, 2019"⁵

"AMCA's system stored customers' first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of service, health care provider information, and the amount customers owed. LabCorp said it did not provide AMCA with information about tests, lab results, or diagnostic information. AMCA said it did not store Social Security numbers."

Personally, as a twenty-something year old, I'm working on building my credit, trying to grow my savings, build up my financial reputation- the last thing I (or anyone, really) needs is my reputation destroyed before I even start life due to a data breach. This Quest breach does affect me- and it's scary. I've used Quest for bloodwork a dozen times in my life. It's easy to see a breach and say "Wow that's bad, moving on" when it doesn't affect you. When it does affect you however, there's a panic. 

What Can You Do To Keep your Personal Information Safe? 

Luckily, there are so many ways you can protect yourself and your personal information. They're easy and most of them are free:

Credit Monitoring: If you don't already, use a credit monitoring service like Credit Karma, Experian, or Identity Force. They each have unique features like weekly credit updates, notifications if unusual activity is found, advanced security features, and family-wide credit monitoring- just to name a few.³

Credit Lock or Freeze: A credit freeze lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name.⁴ It doesn't stop you from seeing your credit score or receiving a credit report. If you're really worried, or you know for sure that your information was part of a breach, this may be your best option.

Strengthen your Passwords: If you're unknowingly part of a data breach, and your exposed password is also your password for 10 other accounts, you'll be in some deep water. The best thing I started doing is using a password keeper. I use LastPass and now, each password is randomly generated, and I don't have to remember any of them. The more difficult your password, the harder it is to crack, and the harder it is for your information to get stolen.

Question Companies: It may be uncomfortable for you to give personal information to so many companies, but it seems we do it anyway. Start asking why a company needs your personal information. At the very least, skim the Terms of Service to see how they use your information and how they protect it, and never hesitate to ask if you can proceed with whatever service you sign up for without the really personal items like credit card info and your social security number.⁴

Two Sides of the Data Breach Coin

This story has two important reminders for us as consumers and as business owners. From a consumer view, the information you provided in confidence was leaked to thousands of people with malicious intent. This could harm your finances, credit score, and personal life for years to come. All the hard work you've done in life could unravel because a bad actor has your information. It's not your fault that Quest got hacked, but you can prevent your information from getting into the wrong hands by using services like Credit Karma's credit monitoring, locking or freezing your credit from hard inquiries, and keeping strong passwords by using a password keeper like LastPass.

From a business owner standpoint, this wasn't a Quest internal slip, this was their third party vendor (AMCA) that made the mistake. And even though AMCA is named in the reports, Quest is the one blamed and their stock value and public view will plummet. If you deal with third party vendors, it's absolutely critical to make sure they have some kind of cyber security practice in place. Your business needs one too. It's the only way to prevent something like this from happening to your business. You can't say "it wasn't us, it was our vendor!" You hired them, it's still your problem. You lose money to hackers, you lose your customers, your reputation, and just like that- your business is destroyed.


As a consumer, don't wait until a service you use gets compromised to start safeguarding your personal information. Likewise, as a business owner, don't wait until you get breached to start using cybersecurity practices.


Guy Baroan, President and founder of Baroan Technologies, had this to say:

"While Quest Diagnostics was not the one breached, their outsourced billing company was. This shows the importance and need of larger corporations to perform vendor verification for security compliance. Everyone working with these larger organizations is a reflection upon the larger entity here, like Quest. As a patient that may have used Quest services in the past, you must protect yourselves. Sign up for a credit monitoring service. Experian, TransUnion or LifeLock are some of the ones available. Be notified if a change has been made to your credit file. If you are a smaller company working with larger ones, check your network security, hire a company that can help you avoid being easily breached. Identify your sensitive data, know where it is, protect it, back it up, make copies available offsite and have a method to know if that data has been compromised, copied or changed. Have a plan for recovery ready to go and act quickly when something happens. If you don't prepare for this, at some point you will not get new business from your larger clients."


Sources:
¹https://www.nbcnewyork.com/news/local/Quest-Diagnostics-12-Million-People-Data-Breach-510754611.html?_osource=SocialFlowTwt_NYBrand&__twitter_impression=true
²https://www.networkworld.com/article/2286787/135100-The-worst-data-breach-incidents-of-2013.html#slide3
³https://www.thebalance.com/best-credit-monitoring-services-4164937
⁴https://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure#online
⁵https://www.cnn.com/2019/06/04/tech/labcorp-hack/index.html
