It seems like there is a major consumer data breach every day. Most breaches “only” reveal your personal information and (hopefully well hashed) passwords. Some, like today’s EasyJet breach, also include some stored bank card information.
As is often the case, based on early announcements, this breach is probably partial. This means there will be lucky people and less lucky people. In all likelihood, many people I work with across Europe will be impacted, maybe myself included.
So, what should we do?
Here are my top 5 actions to take when you hear about a new data breach that could impact you.
1. Change Your Password
Publicity from breach events often leaves the breached service’s website overloaded with worried people trying to check their data, and/or the breached company’s security team may have restricted your account access while they assess the damage.
When the breached service’s site is less overloaded, log in and change your password to a new long unique password generated by and stored in your password manager. Do this even if you are not one of the ‘lucky’ people who are notified.
If you have used the same password, or any variation of it (for example adding a number, or using “Am8z0n” instead of “E8syJet1”), on other services, change your passwords for those services as well – of course to different new long unique passwords generated by and stored in your password manager.
If you are interested, I explain here the information theory behind why those “add a number”, “change ending”, and similar tricks do not add even a tiny bit of extra security.
2. Check Your Cards
Check your account on the breached service, and delete any stored bank cards.
In general, it is good practice to avoid storing card details with any online services.
Even the most careful companies can be breached. You do not want your cards to be part of any eventual breach.
Your password manager will help you easily fill out your card details on any service when needed for a specific purchase.
3. Monitor And Cancel
If you are one of the ‘lucky’ people to be notified that your bank card details were leaked, you are going to have to call your bank and cancel your card.
You will have to wait for a new card to arrive, which is likely going to be disruptive and annoying, especially if you don’t have an alternative card. This is exactly why it is good practice to never save your cards with online services.
Even if you are not notified, if you had a card stored with the breached service, monitor the transactions over the next month for suspicious activity, and be ready to query your bank and/or cancel the card.
4. Temporary Bank Cards (US Only)
For those based in the US, there are services like https://privacy.com/ that allow you to provide a unique limited temporary card to each vendor. Unfortunately I don’t know of something similar for Europe.
When you have something like this available, it is definitely worth using – services like this limit the damage of any individual service being breached or card being stolen. It is the same principle as having unique passwords for every service: you avoid a domino effect of one breach impacting your whole digital life.
5. Use A Password Manager
If you are not already using a password manager, now is a good time to start. I have made a simple tutorial here.
Not only is using a password manager the single best thing most people can do to improve their cyber security, it is also likely to be much easier than whatever you are doing for your passwords and bank cards today.
Note that if you were already using long unique password manager passwords for EasyJet before this breach, and you didn’t store any cards with them, you probably have very little to worry about.
Very likely, EasyJet have been doing proper strong hashing of passwords, which means the criminals will need more than a trillion trillion times the lifetime of the universe to guess your password.
Also, as you used a password manager, you have a different strong password on every account, and so even if they guess your password before you change it, they will not be able to access any of your other accounts.