Oakland got hacked – and so could you. Here’s what to do if that happens
Hackers posted reams of Oakland employees’ personal data online over the weekend, leaving many workers vulnerable to identity theft and reigniting longtime fears about cybersecurity in an increasingly online world.
Private data released by the hacker group after a ransomware breach of Oakland’s municipal network in February includes thousands of current and former employees’ social security numbers, driver’s license numbers, dates of birth and home addresses — information that could be used by nefarious actors looking to profit by opening fake credit card accounts and stealing tax returns .
Officials are not the only ones vulnerable to such attacks. Anyone can be a target, experts said, as hackers become more sophisticated and as financial transactions move online.
Here’s what you should know and how to protect yourself.
Take action immediately
Victims of data breaches should change their online banking passwords as soon as possible to protect financial data, UC Berkeley cybersecurity expert Davis Hake said. Keep a close eye on these accounts for fraud, he said. Be especially wary of phishing attacks—emails or texts that try to trick you into clicking a link or divulge sensitive information—or attempts to bypass multifactor authentication checks, a second layer of security for some password-protected accounts.
As a general rule, everyone who uses online banking accounts should update their passwords regularly – with fresh words and symbols. Avoid the temptation to change old passwords.
“Lots and lots of personal data is already out there online from past breaches, so it’s important for everyone to practice good cyber hygiene on a regular basis,” Hake said.
Be especially wary of the growing trends in personal fraud, he added. Extortion schemes, home buying scams and compromised email accounts are among the biggest threats to internet users as more personal data becomes available online.
Protect your credit
In cases like Oakland’s that result in exposed social security numbers, the Federal Trade Commission recommends that those affected order free credit reports at annualcreditreport.com and check them for accounts or charges they don’t recognize. Due to the pandemic, credit reports can be ordered for free weekly through December 2023.
The FTC says those affected should also consider placing a free credit freeze, which limits access to their credit and lasts until they remove it. At a minimum, the FTC recommends placing a fraud alert, making it more difficult for others to open a new account in your name. A credit freeze must be requested from each of the three credit bureaus – Equifax, Experian and TransUnion. A fraud alert requires you to contact only one of the three agencies, which must then tell the other two to notify.
No top
Keep social media accounts private and limit what you post. Once in possession of personal data such as dates of birth and social security numbers, hackers often look for context clues from social media posts. Use private internet networks whenever possible to prevent someone from hijacking your accounts.
Using information willingly shared on social media like Facebook, Instagram and TikTok, “criminals can easily build a profile of you to help them make money off of your life,” Hake said.
Watch out for the butterfly effect
While it’s unclear what motivated the Oakland hackers — a group called Play has claimed responsibility, the city said — the data they obtained could ricochet around the dark web for years to come.
“What most people don’t realize is that threat actors around the world are often working with each other,” said Ryan Chapman, principal consultant at Palo Alto Networks, a cybersecurity company headquartered in Santa Clara. “While a ransomware group may not find such data specifically useful for their purposes, it would not be difficult for them to visit any of the many dark web marketplaces to sell the data.”
To prevent further damage, consider credit monitoring services that scan the dark web for signs of compromise and provide fraud alerts. Like the FTC, Chapman also recommends freezing credit reports.
Identity theft services typically cost between $10 and $30 a month. But their powers are limited, according to Consumer Reports. Identity theft protection can tell users if their information is on the dark web and help victims sort out the damage in the wake of a breach, the nonprofit watchdog said, but it can’t prevent leaks or scrub data that’s already out there.
Claim your tax refund – before the hackers do
Bad actors know how to use leaked financial information to obtain fraudulent tax refunds, said Sarah Powazek, program director for UC Berkeley’s Public Interest Cybersecurity Initiative.
Because of the recent storms, most Californians have until Oct. 16 to file their 2022 federal and state tax returns and pay taxes, according to the Internal Revenue Service and the state Franchise Tax Board. But most people shouldn’t wait that long – especially not everyone who is a victim of a data breach.
File your tax return as soon as possible and claim your refund before someone else tries to steal the payment from the mail or transfer the refund to their own account.
Reach Nora Mishanec: [email protected]
