
User data stolen?! What to do in an emergency

Almost every week we receive reports of stolen user data. Forensic scientists recently revealed that another 32 million Yahoo accounts were compromised last year, and the data of 950,000 visitors to the Coachella music festival surfaced on the Darknet. This is a good opportunity to look at how to check whether your own data has been stolen and what measures you should take as a victim.

How is data stolen?

Data is stolen in a number of ways. Corporate networks are hacked. Data is tapped from users' end devices or in transit. In the case of phishing, the user accidentally shares it with the attacker, and in the case of social engineering, knowingly. Data can also be fished out of the waste paper in a very banal way.

In this article, we focus on user data that is stored by companies and stolen from there.

How do you find out that you are affected yourself?

The ways in which you learn about the loss of your own data are just as varied as the methods of the data thieves.

Sometimes you only find out once the data has already been misused, e.g. when you look at your bank statement, when you obtain a credit report and discover that someone has bought expensive electronic items on account in your name, or when mail from a debt collection company arrives at your home.

Occasionally, companies also provide information about data breaches. I received such a message from a British furniture store a few years ago. Name, address, order and payment information (i.e. credit card details) were gone.

For German companies, the obligation to make such notifications arises from § 42a BDSG. The responsible supervisory authority and those affected must be informed immediately if the data listed there is affected and there is also a threat of serious impairment to the rights or legitimate interests of the data subjects. The legal wording leaves a lot of leeway, and not all companies comply conscientiously with the notification obligations.

Leak checker

At https://sec.hpi.de/leak-checker/search, the Hasso Plattner Institute in Potsdam lets you check whether your data has been offered for sale or published on the Internet.

In the self-test, a hit was displayed after entering all the email addresses I used.

Have I Been Pwned?

On the website www.haveibeenpwned.com, operated by the Australian Troy Hunt, a self-test returned two hits.

Of course, these sites can only analyze a small part of the data actually stolen.

What can you do?

As a data subject, you should take different measures depending on which data is affected:

  • First, you should change the password for the affected account. If you use one password for several accounts (which is generally not recommended), change it for all of those accounts as well. What a secure password looks like is described here.
  • Then you should consider what information about you has (possibly) been disclosed and what risks this may pose for you.
  • If banking information is affected, you should contact the relevant credit institution.
  • Depending on the specific circumstances, a criminal complaint should also be considered and legal assistance obtained.
  • The Working Group on Identity Protection on the Internet (a-i3) has set up a helpline for victims of phishing attacks or other forms of identity fraud.
  • The state data protection officers can also advise you.

About the author

Dr. privacy

This article was written by Dr. Data protection. Our employees, who are usually lawyers with IT skills, publish articles under this pseudonym.

intersoft consulting services AG

As experts in data protection, IT security and IT forensics, we advise companies across Germany.