When your personal data has been affected by a breach

28th May 2021

Why is this relevant to me?

Personal data is information about us as individuals. It includes information such as your name, phone number, health records, the password for your email account or even just a photograph of you. We all share personal data with banks, providers of telecoms and other services, online retailers, government bodies, and in communications with colleagues, friends and families.

If criminals gain unauthorised access to our personal data, we are exposed to the risk of being targeted and exploited by them. They may also try to deceive us into revealing further information for them to exploit.

This guidance shows you how to recognise and reduce those risks, and what to do when you become aware that your personal data is being used by unauthorised third parties.

 

What is identity theft?

One common way in which criminals exploit stolen personal data is identity theft. A criminal can use your personal data to pretend to be you, or to create a fake identity using parts of your personal data to make it appear genuine.

For example:

  • A criminal discovers the access information for your online banking service. They log on pretending to be you and transfer your money to their account or withdraw it.
  • A criminal acquires your user ID and password for an online retailer. They use them to buy goods or gift cards and charge them to the credit card you registered with your account.
  • A criminal gains access to your pay slips and gas or electricity accounts. They use them to apply for a loan in your name but have it paid into an unrelated account.
  • A criminal uses your name and photograph to create a social media profile. They then post harmful comments or information, leaving you to take the blame.

 

Don’t make it easy for the criminals

Banks, retailers, government bodies and other service providers are aware of many of the ways criminals use stolen personal data. As is required by data protection law, they use technology, training and other means to deter or stop them. However, criminals are persistent and always look for new ways around measures intended to prevent them using stolen personal data.

All of us, as individual users, can help to make things harder for criminals who steal personal data:

  • Don’t use the same password on more than one website.
  • Make sure the password to your email account is particularly strong. If your email password is compromised, it could have a knock-on effect by allowing your other online accounts to be compromised.
  • Don’t base your passwords on information (e.g. your birthday, a football team or your pet’s name) that can be learned from your social media. Use something that only you know. Current guidance suggests that you should prefer a long password (12 or more characters is a good starting point), while maintaining some complexity by including numbers and special characters.
  • If you find it difficult to keep track of your passwords, consider using a password manager service that generates and stores unique random passwords for you.
  • Never share passwords or write them down where someone can see them.
  • Where possible, use multi-factor authentication (MFA) to verify your identity. MFA is when a service provider uses a separate medium, such as a code sent by text message to the phone number associated with the account, to confirm that the person logging on is the same as the one who received the code.
  • Change passwords immediately if you suspect that someone might have unauthorised access to your account. Contact your service provider for help if you have any difficulty. Additionally, if you have used a compromised password for any other online accounts, change it there too – consider that compromised password as being no longer safe to use, anywhere or in the future.
  • Think before you post. Many social media providers allow you to restrict who can see what you put up, whether they can share or forward it, or to limit how long it remains accessible. Before posting, think who might see or share what you post. Are you happy for everyone to see it, whether today or five years from now?
  • Do not store what doesn’t need to be stored. It may be convenient to store your credit or debit card details on the site of your favourite online retailer, but is it necessary? A criminal who gains access to your account could simply tick a box to use them.

 

Don’t get caught by phishing!

Phishing is the use of email, phone calls or text messages to deceive people into revealing information, or into unknowingly doing something that is harmful to them. It is a type of activity known as social engineering, where people’s trust is exploited to obtain or do something that they would not otherwise agree to.

Phishing emails appear to come from reputable sources such as banks or government bodies. They can be very convincing in their appearance, with appropriate logos and language. If the criminals already have some of your personal data, they may refer to your name or a recent purchase or activity. In other cases, the email may not be personalised but will still appear genuine.

Often, phishing emails can appear in your inbox from someone you trust, in cases where that person’s email address was compromised. If you get any odd requests from trusted individuals through email, or the style of writing doesn’t seem quite right, try to contact that person through another means (such as a phone call) to verify that it was them.

Phishing text messages (also known as “Smishing”) are similar, and can even appear to be a response to an earlier phone ‘chat’ with the bank or other organisation that it pretends to come from.

Email and text phishing usually try to convince the person who receives them to click a link to enter login details, to open a file or to ring a number. They often do so by creating a sense of urgency, for example by saying that the victim’s account has been compromised and must be verified, that they have won a prize, or that a penalty charge will be applied if they do not respond immediately.

Links in phishing emails and texts lead to ‘scam’ web pages: even if a page appears to be a genuine login screen for your bank, the fraudulent page is intended to harvest your details for the criminals to use or sell. Files that you are asked to download can contain malware to damage your computer or give criminals access to it, or contain other links to fraudulent sites. Phone numbers given in these messages will not be the standard one for your bank or service provider, but the line may even have recorded messages and ‘holding’ music that sound the same! However they have set it up, the criminals are using these to deceive you.

It is often easy to see that a link in a phishing email is deceptive: if you ‘hover’ your mouse over the link, the target address will usually be visible. If the address belongs to a different organisation (e.g. UnknownCompany.com instead of MyBank.ie) it is almost certainly a phishing link. Likewise, the sender’s address on a phishing email may resemble, but still be different from, the legitimate organisation’s address (e.g. HealthServiceIreland.org rather than HSE.ie).

Voice phishing (or ‘vishing’) is the use of phone calls to convince a person that they are speaking to a legitimate organisation such as a bank, technical support service or government body. The criminals use a carefully prepared script to manipulate their victim into paying money, giving access to their computer or bank account, or disclosing confidential information. It is important to remember that phishing attacks have become “self-aware” in a sense – and so employ various tactics to gain a victim’s trust before sneakily requesting an action from the victim. For example, the ‘refund scam’ is a commonly employed phishing technique, whereby the criminal pretends an organisation has overcharged the victim and is offering a refund to the victim, thereby gaining their trust.

Some voice phishing calls are made randomly, but a criminal who already has some of your personal data, such as your name and phone number, may target you personally to obtain more and to exploit it however they can. In some cases, the intended victim may be deceived into ringing the criminal, for example by a message on a fraudulent web page, phishing email or text message.

If you have any doubt about whether a call is legitimate, hang up. You can always check the legitimate organisation’s correct number using an independent source (e.g. a letter or email you know to be genuine, or by using the contact information on the legitimate organisation’s website) and ring later.

Also, remember that legitimate organisations will never make an unsolicited call to ask you for a login ID, password, access code, PPSN or similar data. If the person to whom you are speaking asks for that sort of information, ask for their name (but not their phone number!) and hang up. If the call is legitimate, you can resume the discussion after ringing the organisation’s trusted number and asking to speak to them.

 

What should I do about phishing?

In most cases, the simplest thing to do is to delete the phishing email or text message. Before doing so, check whether your email software or phone allows you to flag the message as ‘spam’, so that you do not continue to receive repeated messages or calls from that number, or so that they can be “quarantined” and you are not put at risk by them.

A phishing email, message or call may include information from a specific source. For example, it might refer to a recent purchase you made from an online retailer, or a trip that you posted about on social media. If that is the case, it may indicate that a personal data breach has occurred. You should then, in the first instance, notify the relevant organisation, using the address in the privacy notice on their website. You should also change your password and review your privacy settings as required.

If you have been the victim of fraud, theft or other crime because of phishing, you should contact An Garda Síochána at your local station or the Garda National Economic Crime Bureau (gnecb_dv@garda.ie).

 

Threats to disclose personal data

Criminals will sometimes use threats to extort money or information. A criminal who gains access to health records, private communications or other types of confidential personal data may threaten to expose sensitive information unless they receive money, commercially valuable information, or similar things of value. Legitimate companies such as social media platforms will respect data protection law and court orders, and will not cooperate in the illegitimate disclosure of personal data. If you are subjected to criminal threats to disclose your personal data, you should immediately contact An Garda Síochána.

To refresh, you can protect yourself by being aware of the following:

  • If you have not placed a call to an organisation, never give the other party information that they should already have. For example, if a bank calls you, they should not be asking for your number.
  • If you believe that the call is not legitimate, hang up. You can always call the organisation to check if they have called you.
  • Never allow a third party to take control of your computer or download software.
  • Never bypass security policies or procedures.
  • Do not click on any links in a suspicious email. You will never be asked for personal details or to verify account details unexpectedly.
  • Remember that in all cases, when you are contacted via email, phone call or SMS, you are the one in control of what personal data you provide and what action you take, regardless of what the sender has stated. Phishing techniques are designed to gain your trust and/or put a sense of urgency on you. Verify things before reacting to what the message is asking you to do.

Steps to take when you are aware that you are affected by a personal data breach:

  • Stay alert: It is likely that an organisation that has been subjected to a high-risk breach will contact you. Confirm with the organisation involved that your data was affected and request information as to exactly what data relating to you was compromised. You might also consider asking the organisation with whom it has shared your data (if anyone), in case you need to alert those entities where you have previously made payments to them.
  • Ensure that you follow any suggestions highlighted by the organisation on what steps you may take to mitigate any potential risks. Many organisations, especially where financial information is at risk, will offer assistance around protection for a period of time. It is advisable to agree to the assistance offered. This usually involves monitoring of your accounts etc.
  • Monitor your accounts yourself and consider notifying the fraud unit within your banking organisation if financial data is involved. You can also cancel your cards and request new ones.
  • Change and strengthen your passwords, security questions, answers, and your online logins. This is particularly important when you are a victim of a breach at your web-service provider. If your password was compromised as part of a breach, you should change your password in any account that used the newly compromised password.
  • Where you have not implemented MFA, do so.
  • Stay alert!