Data theft affects hundreds of millions of people. In 2022, data thieves exposed 34.1 million records. Many incidents involve companies many people use frequently.
This type of theft can result in others using financial data, login credentials or personally identifiable information (PII) to gain access to victims’ accounts. It is also possible to impersonate someone online through their accounts or using ID numbers. Businesses, including accounting firms, that lose personal data are often liable for not properly protecting the information.
Here is a look at the most common causes of data theft and how practices can protect against them.
Payment card information
More consumers forgo cash for the convenience of electronic payments. Businesses need to accommodate this trend by offering various payment options online and in stores.
While electronic payments are convenient, they require providing sensitive financial information. Hackers or thieves can gain access to credit card numbers, PINs, passwords or payment apps and use them. The victim may not even know their information was stolen until they receive notification of unauthorized charges. While some thieves steal physical cards or look through the garbage for bank or credit card statements, others rely on cybertheft tactics.
Phishing is a common strategy. It involves thieves impersonating banks or businesses with official-looking emails, messages or websites. The unsuspecting victim gets asked to verify account information or card numbers and unwittingly gives details away to thieves.
More sophisticated criminals hack financial institutions’ sites or target payment terminals, stealing card information when consumers make a legitimate purchase. Some thieves scan public Wi-Fi networks, where they can capture unsecured or unencrypted personal information stored on mobile phones and other devices using the network.
Protecting payment information
Credit and debit card issuers are on the lookout for fraudulent charges. However, their internal algorithms and systems won’t catch everything, and savvy thieves can often avoid detection by making smaller purchases or transfers over time.
Individuals and businesses can monitor accounts and receive purchase or spending alerts. Though these alerts add to the volume of text messages or emails, they can immediately notify you of unexpected account activity.
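The point above about small purchases spread over time can be shown with a spending alert that tracks a rolling total per card as well as a per-charge limit. This is an added example, not part of the original article; the thresholds, card labels and transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune to the account's normal spending.
SINGLE_LIMIT = 500.00          # alert on any one charge at or above this
WINDOW = timedelta(hours=24)   # rolling window for cumulative spend
WINDOW_LIMIT = 600.00          # alert when the window total reaches this

def find_alerts(transactions):
    """Return (timestamp, card, reason) tuples for suspicious activity.

    transactions: iterable of (iso_timestamp, card_id, amount), sorted by time.
    """
    recent = defaultdict(deque)   # card_id -> (time, amount) pairs in window
    totals = defaultdict(float)   # card_id -> running sum of that deque
    alerts = []
    for stamp, card, amount in transactions:
        when = datetime.fromisoformat(stamp)
        if amount >= SINGLE_LIMIT:
            alerts.append((stamp, card, "single charge over limit"))
        window = recent[card]
        # Drop charges that have aged out of the rolling window.
        while window and when - window[0][0] > WINDOW:
            totals[card] -= window.popleft()[1]
        window.append((when, amount))
        totals[card] += amount
        if totals[card] >= WINDOW_LIMIT:
            alerts.append((stamp, card, "cumulative spend over window limit"))
    return alerts

# Constructed sample data: card A gets several small charges within a day,
# card B has ordinary purchases spread over several days.
SAMPLE = [
    ("2024-03-01T09:00:00", "A", 180.00),
    ("2024-03-01T10:00:00", "B", 45.00),
    ("2024-03-01T13:30:00", "A", 190.00),
    ("2024-03-01T18:45:00", "A", 175.00),
    ("2024-03-02T08:15:00", "A", 160.00),
    ("2024-03-05T12:00:00", "B", 60.00),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```

No charge on card A reaches the per-charge limit, so only the rolling total flags it.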
Firms should always use secure payment processors and payment terminals. These systems encrypt financial data so that it is not visible until the point of processing. Organizations should also regularly inspect physical payment terminals and keep websites and payment portals updated to avoid vulnerabilities.
Account login credentials
Login credentials are extremely valuable to cybercriminals. With login credentials, thieves can gain access to accounts. Once inside, they can change passwords, transfer funds, see additional personal data and even impersonate the victim to gain additional information from their friends and family.
Employee credentials can provide access to a business’s internal networks and databases. Hackers can use this access to plant malware or spyware, or to encrypt databases and demand a ransom to decrypt them.
Phishing is the most common method for getting login credentials. During the first six months of the COVID-19 pandemic, 34 percent of all Canadians received phishing emails. Hackers may also try to guess passwords or rely on sophisticated software to find passwords or possible permutations.
Protecting account information
Individuals can use several methods to secure login details. The first is two-factor authentication (2FA). 2FA requires users to enter a one-time code, sent to their phone or email, before every login.
Companies can educate employees or clients on proper credential protection practices. For instance, a company could require 2FA for all logins to their platform or network. They can also require the use of a virtual private network (VPN) when logging in from public or home Wi-Fi connections and provide training to recognize phishing emails and avoid malware.
Many businesses provide services and conduct operations in the cloud. In addition to reliable cloud-based accounting software, companies need to ensure connections to the system are secure and manage login and credential verification.
Intellectual property (IP) refers to ideas, artworks and other creations of the mind protected by trademarks, copyrights, patents or other legal protections. These designations allow the person or organization holding the right to earn compensation when their idea is used.
IP theft falls into two categories. One involves hackers or thieves breaking into the system and stealing the secrets and data that explain the idea or method. The other is stealing known IP-protected items and reselling or using them without providing compensation to the rights holder. Movie or music bootlegging falls into this category.
Protecting intellectual property
In some cases, hackers or thieves could steal secrets, such as the method for making a patented medication or the equation behind a search engine algorithm. In these cases, the sensitive data could be stored securely in a database partitioned from the rest of the network or even in a server not connected to the internet (an air-gapped server).
IP rights holders can also take legal action to sue the people responsible for copyright infringement or seek a settlement that involves paying to license the protected work.
Employees need to be aware of how to handle intellectual property information. The first step is to limit knowledge of protected methods or equations to those who need to know them to perform work tasks.
Data breaches in the healthcare system are common. One of the biggest data breaches in Canada in 2022 involved hackers accessing servers containing patient data from the Toronto-area Scarborough Health Network.
Regardless of where healthcare network breaches occur, cybercriminals often have the same strategy for profiting from stolen data. A representative from the American Hospital Association told Central California’s Union Democrat newspaper that cybercriminal groups often use the stolen info to submit hundreds or thousands of insurance claims in the hope that some will get approved.
Medical records are also necessary for patient care. Some hackers break into databases and encrypt the files, asking for a ransom to decrypt them. These so-called ransomware attacks are common in healthcare because of the reliance on medical records for care and insurance payments.
Preventing theft of medical information
Medical records are especially vulnerable because hospital staff require easy access to electronic health records (EHR) systems to provide proper care.
Hospital facilities and care networks can take steps to create a more secure environment for medical records. These may include requiring authentication, such as a biometric scan of an iris or fingerprint before a healthcare provider can view records.
Healthcare companies can also partition records and limit access to the data necessary for specific types of care. For instance, a lab technician would see only the information directly relevant to the tests they need to run on the patient.
Third-party providers, such as auditors, may have access to medical records systems. Healthcare providers should ensure the software these providers use has encryption and security features that protect data during the audit.
Credit card information is a popular target, but thieves can also seek other forms of financial data. They can use bank account details, personal identifiers like Social Security numbers and credit history to apply for loans, transfer funds or engage in illegal activity.
If authorities detect this activity, they trace it back to the account. In other words, criminals can use the account to commit fraud without exposing their identity. The financial details make loan applications, transfers and other activities appear legitimate.
Protecting financial data
Fraud detection is essential to banks, businesses, and other enterprises. Automated data collection and analysis help firms make informed decisions. Companies need to take specific steps to protect this information for customers and the integrity of their operations.
Data encryption is an important step in this process. Hackers cannot read encrypted data unless they have a decryption key, which may be stored separately or only held by a few people within the company.
Regular security audits and updates can help identify vulnerabilities and eliminate them. Companies and financial institutions should always verify that third parties use secure software that won’t introduce vulnerabilities.
Personally identifiable information (PII)
Personally identifiable information (PII) is any data that allows someone to infer the identity of a person, either directly or indirectly. PII might include a name, social security number, address, telephone number or other identifying number, such as a driver’s license or passport number. PII could also include data that could help someone figure out your identity, such as birthdate, gender, location, employer or other similar details.
Hackers may not use PII themselves. They could sell the information, and someone else could use the identity to appear legitimate while conducting fraudulent activities, such as opening a credit card and running up debts.
Preventing theft of PII
Companies and individuals can take specific steps to protect PII. For individuals, sharing personal information is often necessary. However, you can keep track of who has the information and secure your own computer and devices to avoid exposing it to hackers.
Institutions and businesses should not keep PII that isn’t necessary for business operations, and they should maintain and constantly update a full data security strategy.
Intrusion detection systems can find and isolate unauthorized users on a system or network. Accounting firms can also train employees in the correct handling of PII to avoid unintentional exposure.
Proprietary business data
Proprietary data is any information that is unique to the company and used to gain a competitive advantage.
Trade secrets and patents are a major part of business operations for many companies. Client data, marketing lists, financial records, customized software, prediction algorithms and forecasts can fall into this category, as well.
Hackers could target this information and either sell it to competitors or threaten to expose it, ruining the competitive advantage the company enjoys.
Safeguarding business data
Security audits and risk management, including assessments of the security of third-party partners, can help identify threats so firms can take steps to mitigate them. As with other forms of data theft, firms can protect against this one by teaching employees security best practices.
Practices should pay special attention to data analytics systems, forecasting software and other tools that offer insights and help bring competitive advantages.