I’ve good news and bad news.

The bad news? My data was accessed in a significant data breach.

The good news? You’re spared a post on my move to the Google Pixel.

An e-mail from Avis dropped into my inbox, and the third paragraph chilled my blood.

“We determined on 14 August 2024 that your personal data was obtained by the unauthorised third party, which included your name and your postal address, email address, driver's license, credit card number and expiration date, date of birth, and phone number.”

Oh.

The mail continues with advice on data security, apparently offered without irony, before finally giving me a code for a year’s free credit monitoring from Equifax.

A cynical synopsis might be:

“Whoops. We lost all your private data. Ensure you have strong passwords, and here’s access to a service that might show you if the bad guys are impersonating you. Maybe. Byeeeeeee.”

What fun.

Still - I like to be positive, so here’s my guide to what to do when some money-grabbing corporate outfit insists on storing and then losing your personal data.

First, I’ll get this out of the way. You can get rid of everything: electronics, banks, credit cards. Live like a modern-day Thoreau. By a lake. Go for it. However, if you need, or perhaps even want, to live in the real world, accept that data is a thing.

Second. Put aside the notion of getting companies to destroy your data. Yes, you have the legal right to ask them to do so. Yes, they have the legal obligation to comply with your request. However, there are loopholes that you could pilot an aircraft carrier through. It’s not worth the effort.

Third. Use a password manager. It makes no difference to a hack like the one I’m suffering - but it does protect me in the aftermath. The password that they presumably have from Avis is random and bears no relation to any of my other passwords. Using a password manager helps ensure that my passwords are strong and random. I’m not qualified to compare the various providers, but any of them is better than using the dog’s name on every site. Most important of all - do not use the same password on multiple sites.

Fourth. Multi-factor or two-factor authentication. Yes - it is one step up on the hassle front, but it’s worth it, I think.

If we accept that accidents do happen, then what to do if we are notified of a breach?

  1. You may be offered some support from the hacked company - as I was. I was offered “Protect” by Equifax for a year, and I signed up for it. There are several companies in this space (with similar products), and while I’m not sure I would maintain an account permanently, it makes sense to keep an eye on things post-breach.
  2. Speak to the company that provides your card. I spoke to mine, and they recommended holding fire for the moment but put a caution flag on the card. The CVV was not discovered in the breach.
  3. In the UK, it’s possible to put a flag on your own name. Through “CIFAS”, I have enabled protective registration. It acts as a warning to companies that bad actors may be trying to impersonate me. It may slow down genuine applications, too - but better than the alternative.
  4. Driver's licence. The UK authority, the DVLA, does not give guidance on what to do if the licence data is obtained rather than the licence itself, which is a little scary, but in theory, more than the data alone is needed for a bad actor to misuse the information.

I’ll let you know how I get on.
