Stop making data breaches about Google and Facebook — people are in real trouble


Google+ always had lofty aspirations of being just like Facebook. While never comparable in terms of popularity and usage, both have recently reported major data breaches within days of each other. In the wake of the latest chapter in Facebook’s privacy-related saga — the security breach affecting some 30 million users — Google+ announced nearly half a million of its users had their personal data exposed.

In both cases, media coverage has primarily focused on what the companies knew and didn’t know, and what they did and didn’t do. While this makes for catchy headlines, it doesn’t address the more important — albeit somewhat complicated — issue: What is going to happen to the millions of individuals whose private and personal information is currently in the hands of cyber criminals? And more importantly, what should they do to protect themselves?

Here is what we know: Google and Facebook will be fine. The shareholders and executives will walk away from this with paper cuts, no major breaks. They will recover. Even if there is a class action suit, scrutiny from senators, or new privacy reforms, everyone will forget about yet another breach incident exposing consumers’ personal information.


But while everyone seems to be focused on Google and Facebook’s triumphs and pitfalls amid the breach, there hasn’t been enough attention to the impact on the potential victims exposed. If you consider the attributes exposed: full names, emails, birthdays, gender, profile photos, places lived, job, relationship status, etc., serious residual damage can follow these users for years after the initial breach.

Google claims it wasn’t aware of the 483 apps using the Google+ API misusing the data, which raises questions about whether Google ever prioritized the security of its users’ personal information. Predictably, Google sheepishly shrugs — as if to say, although our developers worked long and hard at the social network, it wasn’t very popular anyway. The statistics show that 90 percent of Google+ sessions were less than five seconds and for only 496,951 users.

After a breach of this magnitude, victims are potentially left open to synthetic identity theft, a type of criminal fraud that combines real stolen information with forged information to create new identities, open fraudulent accounts, and make fraudulent purchases. It could also lead to takeover of existing accounts and various other forms of identity theft. If a developer or app was exposing or exploiting the data, they could potentially use it for social engineering or longer-term attacks on consumers. These cybercriminals could automate matching identity attributes with other data sources, breaches and leaks to build detailed, personal profiles on people.

Identity fraud can mean serious harm to your finances, your personal credit, your reputation, the people you care about, and the organizations you are affiliated with. What needs to happen now, and every time a similar breach arises in the future, is immediate action and clear answers for the consumers affected.

Google and Facebook must provide adequate identity protection services to the users who are now at risk. In addition to credit monitoring, credible identity theft protection services offer real-time alerts when you need to be made aware of a problem immediately, stolen funds reimbursement and insurance, dark web monitoring, and other vital protections victims of a breach must be provided.

But it doesn’t stop there.

It’s not enough for consumers to take advantage of free services offered by breached companies. Those are a dime a dozen these days and consumers often don’t even understand the value they provide. What is more important is that every individual is vigilant in protecting herself.

Pay attention to the alerts you receive. Research and sign up for identity protection services that offer you tips and actions you can take to protect yourself. Don’t just change the password when the breached company tells you to. Use a unique, complex password for every single platform to ensure that one breached credential doesn’t expose your entire online identity. Services like password managers can help with this. These are all things that we don’t talk about enough.

It is understandable that companies look at data breach crises as threats to their bottom line. However, the companies and the media covering these stories need to remember the potential impact on the true victims — consumers like you and me who may now be at risk. Unfortunately, when it comes to their priorities, the media chooses to focus on sensationalism and catchy headlines over the real-world impact that data breaches have on real people.

Monica Pal is CEO for 4iQ, a cyber intelligence company that operationalizes the intelligence cycle from open source collection and data fusion to secure collaboration on complex ongoing investigations.