Here's what to do if you suspect your data has been leaked in a data breach – almost every service is at risk

Although you may think that you are giving your data to a reliable service, even services that seem trustworthy may sometimes be subject to a data breach. However, there are things you can do to protect your data. It is also up to you to decide what information you provide to different services.

“When giving out different kinds of information, you should consider whether the service really needs all the information it’s asking for. For example, it’s not a good idea to give out your birthdate willy-nilly – you should use common sense when determining what information the service in question really needs. Only give services the information they actually require, and be particularly careful when sharing sensitive information such as your personal ID number or bank details,” says Havastila.

It’s also worth considering the access rights that applications request in relation to their purpose.

"For example, alarm bells should ring if a flashlight app asks for permission to access your photos, contacts or the messages on your phone,” says Havastila.

How to identify a suspicious service

The internet is full of services that ask users for different kinds of data and information. So how can you identify a safe service?

Havastila says that the first thing to check is whether the service's website contains sufficient information about the company – such as its business ID and up-to-date contact details.

“Respectable services also provide information about their data security and privacy practices. All companies that process personal data must have a privacy policy. You can read the service's privacy policy to understand how the service collects, uses and shares your information with third parties. The service must tell you how you can manage or delete your data at a later date.”

“In the case of websites, it’s worth making sure that the site uses an encrypted connection (that is, the URL starts with https and a lock icon) and offers two-factor authentication. When shopping online or using other services that involve money, you should only use well-known services and avoid accessing them via links. It’s also a good idea to only download applications from recognised app stores and to use antivirus software,” says Havastila.

f you suspect that your data has been leaked, take these steps just in case

Havastila advises you to act quickly if you suspect that your data has been leaked.

“Changing your password for the service is the first action that I’d recommended, and you shouldn’t hesitate to do this. If it's your bank or credit card details, the first thing you should do is call your bank. Services often have the option to log out from all devices, and this is a good thing to do when changing your password. If it’s available and you haven’t already done so, it’s also worth adopting two-factor authentication at this point.”

Havastila points out that it’s a good idea to have a data breach alarm that monitors whether data has been leaked to the ‘dark web’ for sale – and then to act quickly. The service will give you instructions on how to avoid more extensive damage.

If you are certain that you have been affected by a data leak or security breach, you should act immediately. Suomi.fi has published an official guide for Finns who find themselves in such situations, and it can be found at www.suomi.fi/oppaat/tietovuoto

This is what criminals use data for

What can stolen data end up being used for? Havastila points out that all information is valuable on the black market. When combined with other data, even seemingly harmless information can be damaging in the wrong hands. Data breaches are almost always motivated by financial gain or malicious intent.

Below are some examples of how data may be used:

• The consequences of online banking codes falling into the wrong hands are often disastrous if the criminal has time to transfer money out of the account. It will then be very difficult to recover.
• Credit card details can be used to make online purchases in the victim's name. Sometimes only an address, personal identification number and name are sufficient.
• Banking details and personal identification numbers can also be used to, for example, take out instant cash loans or other loans in the victim's name.
• Personal information such as photographs and medical records can be used to blackmail the victim.
• Passwords can be used to log in to services and steal sensitive information, or to hijack an account and blackmail the victim for its return, or to do harm in the victim's name.

Media enquiries:

Heidi Havastila, Head of Value Added Services, DNA Plc, tel. +358 44 044 3224, heidi.havastila@dna.fi

DNA Corporate Communications, tel. +358 44 044 8000, viestinta@dna.fi