How to limit your personal data exposure when a company is hit with ransomware

Modern ransomware seldom targets individual users. Instead, threat actors focus their efforts on businesses, corporations and government entities – organizations with high-value data assets, and the resources and motivation to pay for their recovery.

However, while the crosshairs might be firmly focused on commercial targets, there’s more than just business data getting caught in the crossfire. With data theft and data publication becoming the standard mode of operation among ransomware groups, many incidents now involve the exposure of customers’ personal data, including medical reports, financial information, social security numbers, academic results and much more.

This raises some serious security and privacy concerns for you as a consumer. But what can you do about it?

Customer data getting caught in the crossfire

Double extortion has quickly become the norm in the ransomware world. No longer content with merely encrypting data on a target system and holding it for ransom, bad actors are also stealing data from their victims and using it as added leverage. Failure to pay the ransom results in the stolen data being published or sold on the dark web.

While these data dumps are primarily made up of company-related assets – financial information, company emails, internal reports and the like – they also tend to contain large amounts of sensitive customer information.

This introduces significant concerns not only for the company affected by ransomware, but also for you, the consumer. When the victim company refuses to pay the ransom, it’s your private data that is exposed to the world. And, with data collection practices becoming increasingly aggressive, the breadth and depth of personal information exposed in a ransomware incident can be startling.

A ransomware incident at a car dealership, for instance, might result in the public exposure of your driver’s license, credit application, social security number, home address and contact information. Similarly, an attack on your healthcare provider could lead to your medical records, insurance information, prescription history and perhaps photographs and body scans being leaked online.

Once compromised, this information can easily be used to commit a wide range of fraudulent activities or sold on the dark web as part of a batch of stolen data.

What can you do about it?

As a consumer, there’s not much you can do to prevent a business from getting hit by ransomware. But there are some things you can do to limit your personal exposure.

• Limit the amount of information you share: While you can’t refuse all data requests, you can reduce the amount of information you share and, consequently, limit your personal data exposure in the event of an incident. Don’t give any business or online service more information than is minimally required and always opt out of data sharing schemes where possible.
• Ask businesses about their security practices: Businesses are quick to demand your personal information but are often not capable of adequately securing it. Make an informed decision about your privacy by reading license agreements before divulging your personal information and ask the company to clarify their security practices if anything is unclear.
• Use ephemeral messaging: Some ransomware data leaks contain .pst files, which are Outlook data files that store local copies of messages, calendar events, and other items associated with a particular email address. With this in mind, consider using ephemeral messaging when you need to communicate important or sensitive information. Ephemeral messaging services allow you to send messages that self-destruct after a period of time, erasing the message from both the sender’s and the recipient’s account.
• Don’t use personal information for passwords: Attackers may use your compromised data to attempt to gain access to your online accounts and services, so never create passwords based on personal information. See this blog post for more advice on how to create and manage secure passwords.
• Check if you’ve been involved in a data breach: Some organizations are more diligent than others when it comes to notifying you of a data breach. You can use online services such as Have I Been Pwned to help you determine if your data has been compromised and take action accordingly (e.g. by changing your passwords, checking for fraudulent activity and contacting your service providers as necessary).

Check out this guide for five steps you can take today to drastically improve your online privacy.

Conclusion

Ransomware incidents often involve the exposure of your personal data. As a consumer, you can’t stop the companies you do business with from falling victim to ransomware, but you can limit the amount of your personal data that is exposed during an attack.