NEW YORK (MainStreet) – The past year has seen some of the world’s largest companies fall victim to data thieves, with firms from Sony to Zappos to Valve sheepishly informing their tens of millions of customers that their personal data may have been compromised due to data breaches. Still, it was a bit jarring to see a similar announcement last week from Symantec, one of the world’s largest computer security firms.
The source code of Symantec’s flagship security products – including Norton Antivirus and pcAnywhere software – was stolen back in 2006. In a release Tuesday, Symantec confirmed that users of pcAnywhere should disable the software until the company has a chance to release an update. The other security products involved in the theft are updated more frequently than pcAnywhere, and Symantec has not advised against using updated versions of those products.
“With this incident pcAnywhere customers have increased risk,” reads the announcement. “Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.”
The ones protecting you from being hacked are getting hacked themselves, an unsettling idea that underlines an even more significant point: If even a company dedicated to computer security can have its own security compromised, then virtually every business, large or small, is vulnerable to an attack. While companies can implement sophisticated systems and strong data security practices, a determined hacker can still gain entrance by seeking out a weak link – and often that means tricking the all-too-human employees into giving them access.
“Any security system is based on people, and people are getting hacked,” says Claus Villumsen, chief technology officer for Bullguard, which makes security software. “If you’re conning people into giving you an access code, no security system can prevent that.”
With people at the root of new online security problems, it’s nearly inevitable that a company with which you do business is capable of being hacked. And as we’ve seen in the Sony, Zappos and Symantec breaches, that means that your own personal data could be compromised as a result.
“Many of the cyber security experts agree that the bad guys do have a lot of data,” says Mustaque Ahamad, director of the Georgia Institute of Technology’s Information Security Center. “But for them to actually profit from that is a little harder than stealing it.”
In other words, while there’s a decent chance that some of your personal data is already in the hands of some unsavory character – perhaps your email and home address were stolen during the Zappos breach, or maybe you had some information leak during the attack on Sony’s PlayStation Network – that information is insufficient on its own to do you any real financial damage. And it’s up to you to keep it that way.
Obviously, if you’ve been informed of a specific leak you may need to take immediate action. When email addresses and passwords were stolen from Zappos earlier this month, the company advised customers to change the password on any site where they used the same email and password combination.
But even if you haven’t been alerted about a specific incident that may affect you, you should still operate under the assumption that someone has at least some of your personal data, and there are certain best practices you should follow to make sure that hackers can’t build on that info to make the jump from data theft to financial and identity theft.