A Guide to Securing Confidential Personal Data Both Online and Offline
In 2023, a T-Mobile breach affected an estimated 37 million customers — the eighth time an attack of similar scale had been launched against the company since 2018. MailChimp fell victim to a social engineering scheme that revealed customer and employee data. And the golden child of tech — ChatGPT — suffered an attack that, while surface level, revealed the dangers of AI language generation.
No matter how you look at it, data breaches are becoming a game of high-stakes whack-a-mole. No matter where you turn, one is popping up, and the consequences can be costly. The data malicious actors steal from these organizations are bought and sold on the dark web for a variety of purposes. Oftentimes it’s to steal people’s identities or commit some other sort of digital fraud.
It can be easy to feel powerless and like you’re facing a Catch-22 situation. For example, personal finance experts say that you should check your credit history once a year. However, in order to obtain a report, you must entrust personal data to at least one credit reporting agency. Similarly, paying via credit card has become a way of life and feels necessary in many situations.
Fortunately, not all hope is lost. You can take plenty of steps to secure your confidential personal data online and offline. That’s right—offline too. It can be easy to overlook the many ways in which your data can be stolen from under your nose when you’re relaxing at home.
Basic Data Protection Tips
To distill everything that follows in this guide, here are the essentials of what you can do:
- Pay with cash when feasible.
- Use cash to buy gift cards to online stores. Shop using these gift cards rather than credit cards.
- Limit the information you share on social media, and keep your friends list selective.
- Use unique, strong passwords for each online account/website.
- Protect online transactions with data encryption software.
- Share your Social Security number (or your child’s SSN) only when absolutely necessary.
- Find links or contact information yourself rather than click on links in emails, even those that seem legitimate.
- Avoid giving out data to someone who has contacted you (it might be OK to give out data if you contacted the person).
- Install antivirus and anti-spyware programs on your computers and other devices.
- Update your mobile apps and computer software regularly.
- Keep your guard up at home, and secure sensitive information there as well.
- Travel with the minimum number of cards necessary.
- Shield the keypad when you enter PINs.
- Stay off public Wi-Fi networks unless you know in advance the websites you’re visiting are encrypted.
- Turn off location tracking on your devices.
- Check your bank and credit card statements regularly to catch potentially fraudulent transactions.
- Avoid sharing information such as bank account numbers in text messages and emails, especially if they’re unencrypted.
Keeping Your Information As Safe As Possible Online
Whether you get online mainly through your cell phone, computer, tablet or a combination, your personal data could be vulnerable. Start evaluating your level of risk by looking at your social media habits, and consider using a VPN to hide your digital tracks.
Who doesn’t like seeing pictures of the grandkids or new pets on sites such as Facebook? Unfortunately, criminals can take advantage of social media sharing to steal your personal data. Follow these safety essentials:
- Avoid listing your address, phone number, any account numbers, Social Security number and full name.
- Accept friend requests only from people you know and trust.
- Keep your friends list as small as possible.
- Make your posts accessible only to that small friends list.
- Beware of duplicate accounts and messages from friends that contain strange links or requests for money.
- Post information about your life sparingly.
- Avoid taking Facebook quizzes.
The reality is that if you post about your pets, even your first cat or hamster from 20 years ago, thieves can use that information to answer password or bank account challenge questions. These challenge questions tend to touch on areas such as your mother’s maiden name, the names of your nieces or nephews, streets you lived on as a child, your hometown, the school you attended, the name of your fourth-grade teacher and so on. Even posting about being on vacation might lead to your house being broken into.
It may be unrealistic to expect folks to not share the details of their lives, but refrain from posting whatever information you can. Focus on keeping these friend lists carefully vetted, and limit them to people you trust. Be cognizant of how much information you’re sharing online, and always consider what would happen if it ended up in the wrong hands.
If you have passwords such as, “123456,” “password,” “iloveyou,” “qwerty,” “starwars,” or “hello,” you’re far from alone. That’s a problem since hackers may be able to easily guess your password.
Creating strong passwords: Your ideal password would combine lowercase letters, uppercase letters, spaces, symbols and numbers, and be at least 16 characters long. Whew! That sounds overwhelming, but you can get there (or close) using the following method that password security experts recommend.
Think of a sentence that you’ll remember easily and that includes a number. For instance, say that your favorite food is pizza. The sentence could be, “Wow! I love five slices of pizza with pepperoni, bacon and mushrooms from Pizza Hut.” Using the initials from each word, symbol and number, you get, “W!Il5sopwpbamfPH.”
Using unique passwords: It may be easy enough to remember a password such as, “W!Il5sopwpbamfPH,” for one site—but what about for five or 10 sites? Many people have multiple email addresses, bank accounts and social media accounts, meaning a lot of passwords to juggle. Your options, other than straight-out memorization, include password managers, old-fashioned notes and thumb drives. All three methods can be subject to data breaches, but you can drastically reduce that risk.
For instance, if you need your passwords mainly when you are at home, you can keep them in a notebook or thumb drive in a locked desk drawer. That is much safer than reusing passwords across sites or modifying them by just one or two characters. On the other hand, if you need your passwords on many devices when you are out and about, a password manager may work best. There is the risk of a data breach, but a strong master password decreases the danger. Using a password manager is much better than sticking with easy-to-guess or reusable passwords.
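The initials method and the reuse advice above, as an added Python sketch that is not part of the original guide: it derives a password from a sentence, lists which of the guide's criteria the result misses, and flags a candidate that repeats an existing password or changes it by only one or two characters. The number-word table, the rule for which punctuation is dropped, and all function names are assumptions.

```python
import re
import string

# Number words become digits, as "five" -> "5" in the guide's example.
# The table itself is an assumption of this sketch.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# The easy-to-guess passwords the guide lists.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "starwars", "hello"}

# Assumption: commas and periods are dropped and other punctuation is kept,
# which matches the guide's example ("!" kept, "," and "." dropped).
DROPPED = {",", "."}

TOKEN = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?|\d+|[^\sA-Za-z\d]")


def sentence_to_password(sentence):
    """Build a password from the initials, numbers and symbols of a sentence."""
    parts = []
    for token in TOKEN.findall(sentence):
        if token.lower() in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[token.lower()])
        elif token[0].isalpha():
            parts.append(token[0])      # initial, original case preserved
        elif token.isdigit() or token not in DROPPED:
            parts.append(token)         # digits and kept symbols verbatim
    return "".join(parts)


def unmet_criteria(password, min_length=16):
    """Return the guide's criteria that the password does not meet."""
    checks = {
        "not a common password": password.lower() not in COMMON_PASSWORDS,
        "at least %d characters" % min_length: len(password) >= min_length,
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
        "space": " " in password,
    }
    return [name for name, ok in checks.items() if not ok]


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_reuse(candidate, existing, max_edits=2):
    """Existing passwords the candidate repeats or alters by <= max_edits characters."""
    return [p for p in existing if edit_distance(candidate, p) <= max_edits]


if __name__ == "__main__":
    sentence = ("Wow! I love five slices of pizza with pepperoni, "
                "bacon and mushrooms from Pizza Hut.")
    password = sentence_to_password(sentence)
    print(password, "misses:", unmet_criteria(password))
    # Constructed sample: the same password with one character appended.
    print("too close to:", near_reuse(password + "2", [password]))
```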
Changing passwords after a breach: If your email account or store account is compromised, the company tends to send an email urging you to change your password. Sometimes, it’s forced upon you. In any case, definitely update your password as soon as possible, and make it unique. If you’ve been using the password for the compromised account for other accounts, update them all to be unique. Otherwise, hackers could access, say, 10 of your accounts after getting the password to just one.
Other important password security measures include not telling anyone your password and opting for two-step verification when possible. The latter usually entails you having to enter a code that’s texted to your phone when you sign into your account. In most cases, you do this only once for devices that the company recognizes.
We recommend changing passwords regularly. If you’re still using the one you were assigned at college orientation, and have been using some variation of it for years, it’s time to change things up a little. Consider using randomly generated passwords, and storing them in an encrypted password manager for higher levels of security. It definitely beats keeping them in a notebook in your desk drawer.
You probably conduct online transactions such as making purchases or bank deposits/transfers. Check that there’s a lock on your browser’s status bar before you execute a transaction. The lock indicates that the data you send to the website is encrypted. Of course, many websites don’t automatically encrypt your data. The solution is data encryption software, which comes in both free and paid versions.
It can be easy to fool people online. Scammers these days don’t just pretend to be Nigerian princes. They may purport to be from the IRS or your bank. They might say that they are your best friend or even the police. You could receive an email that looks perfectly legitimate and professional with impeccable grammar—and it may still be a scam with the ultimate goal of stealing your confidential personal data.
Say that you get an email that appears to be from your bank. It urges you to change your password and provides a link for doing so. You click on the link and are taken to a site that looks legit. It could still be a scam.
Basically, don’t click on links in emails. Instead, bring up the right website yourself. For instance, do a search for, “Chase bank login,” instead of relying on the link in the email. Another option is to go to the bank’s website and use the information there to contact customer service. You could also use the contact number on your account statement.
Reputable agencies and companies will not contact you and then ask you to give them sensitive information. They may ask for it sometimes if you contact them, but that’s because you initiated the contact and know who you’re talking to.
It may seem like everyone these days wants your Social Security number (or your child’s). Of course, you want to keep that number private. When someone asks for it, consider factors such as any alternative identifications available and how your SSN will be used and protected. Also consider why sharing is necessary and what might happen if you decide not to share the number. If a company cannot answer questions such as, “How will you protect my SSN?” or “Why is it necessary to have my SSN?” then that is a red flag.
In some situations, you may not have much of a choice in sharing. For instance, if you apply for a loan or set up an account for your water bill, the company you’re registering with may require your SSN. Still, it never hurts to ask if the company accepts alternative forms of identification. Also, some companies are better than others at taking safeguards to protect your confidential data. It’s definitely worth asking how they protect your SSN.
There are multiple ways that criminals can access your cellphone, computer and other devices online. To stay safe, check out the following tips:
- Do not download programs, click links or open files in emails sent by people you don’t know. It could result in a virus, malware or spyware issue.
- Read and understand a website or app’s privacy policy. You’ll learn how the company handles security, access and third-party information sharing, among other things. If there’s no privacy policy at all or what’s there makes you uncomfortable, go elsewhere.
- Avoid storing information such as bank account numbers or passwords on your devices, especially mobile devices. Say that your cellphone is stolen. The thief could use the automatic login feature that you set up for your email—and gain access to a staggering range of data.
- Approach public Wi-Fi use carefully, such as when you’re at coffee shops, airports, hospitals, hotels or the library. The information you send on encrypted websites may be protected, but many websites aren’t encrypted.
- Turn off the option to automatically join Wi-Fi networks on your cellphone. This way, you aren’t unknowingly logged onto a public or unsecure network.
- Use firewalls and install antivirus and anti-spyware programs. Update them often, and install any necessary security patches for your software and operating system.
Keeping Your Information As Safe as Possible Offline
Not all data breaches occur online. In fact, you could be most vulnerable offline. Here’s an example. Say that someone comes into your home. The visit could be for any apparent reason. Perhaps the person is there to sell a product, to fix your heating system, to babysit, to date you, to sleep over with your kids or just to drop in for a chat. The person could be a salesperson, HVAC technician, neighbor, friend of yours, friend of your child’s, a police officer, someone you have known and trusted for years or a complete stranger.
Now, suppose this person has dubious intent. How easily would he or she be able to access your data? A walk-through of many homes may show security gaps such as:
- Cellphones that are left unattended and can be accessed without passwords
- Bank account statements out in the open
- Computer passwords on the monitor or desk
- Financial records kept in unlocked drawers
- Trash that has bank account information and other financial statements
- Containers for mail that contain bank account information and other financial statements
All it might take for your confidential data to be compromised is you leaving the person alone for a minute—or even less!
There are many ways to store information at home, and what works best for you might not be a good idea for another person. A lot depends on lifestyle, preferences and budget. That said, here are some general good practices:
- Keep all information in a room such as your office that stays locked
- Store data in locked drawers and containers
- Dispose of records by shredding them, never leaving them intact out in the open
- Convert records you plan to keep permanently to digital format (this also frees up space in your home)
- Remember to secure your wallet, purse or cellphone
The unfortunate reality is that it may be the people you love most who try to steal your data, whether you’re a child, younger adult or senior citizen. The fewer opportunities you create for theft, the better you can protect yourself.
Leave home with a minimal amount of documentation. Much of the time, all you really need are your ID, debit card or credit card. Your passport, Medicare or health insurance card, Social Security card and the like can stay at home. However, you may want to make copies of some items and carry them with you.
When you’re at work, keep your wallet or purse in a locked place. Also be careful about entering passwords into your computer or cellphone. For instance, at work or a coffee shop, someone could look over your shoulder and watch you enter your password into your phone. Be careful about where and how you enter sensitive information. Onlookers shouldn’t be able to see what you’re typing. That goes for keying in your PIN as well. Shield the keypad when you input the number. If embarrassment is an issue, try putting your fingers on all of the keys to conceal which keys you press down.
Be proactive when a school, employer or doctor’s office asks for personal or financial data. Ask why that information is necessary and what would happen if you don’t relinquish it.
Credit card skimming can be prevalent at places such as gas stations. If a gas pump appears to have additional gadgets, report it and go to another place. Avoid locations that are well-known for having skimmers.
When you go out to eat or shop, don’t leave credit card receipts unattended. In fact, pay in cash whenever you can. If that’s not feasible, it’s better to use a credit card than a debit card. With a debit card, you may permanently lose any money that gets stolen.
Just as people might try to impersonate others online, they may try to do so in person or via telephone or mail. Apply the same techniques you’d use online for phone or postal mail contacts. For example, if someone calls saying he is from the IRS, hang up. Find the IRS phone number yourself, and call the agency. IRS scams are common and can be easy to fall for. Keep in mind that the IRS will never demand that you pay money immediately through a gift card or wire transfer, nor will agents threaten you with arrest.
Another common impersonation scheme relates to charity. Say that there’s been a hurricane or earthquake. You may see people at the local supermarket saying they’re with a charity or church as they try to solicit donations. Follow these tips:
- Take your time deciding whether to donate. Don’t give in to pressure. If you pay with cash, you probably won’t get it back if the charity venture is a scam. Likewise, paying with a credit card may result in your card number being stolen.
- Research charities before donating. It’s fine to tell people who are apparently soliciting for a charity that you’d like to go home and research first.
- Don’t donate if anything makes you feel uneasy. Instead, go online, and find a charity that you feel comfortable donating to and sharing your personal information with.
Limit the Number of Accounts You Carry
Ideally, you would have tons of cash resources and not need credit or debit cards, nor would you need student, car or mortgage loans. Of course, this is the real world, and many people must apply for a loan or credit account at least once.
One way to protect your data is to limit the number of accounts you carry. You only have to look at the staggering range of stores that have been hacked to understand why. For example, say that you had credit accounts with Macy’s, Best Buy, Target and Sears. Each store has had recent data breach issues, and each new card or account increases the risk that criminals will gain access to your data.
Loyalty accounts are another thing to keep in mind. Stores, restaurants, hotels, casinos, airlines and the like entice you to sign up for a loyalty program by promising discounts, coupons, freebies and gifts. You give up some personal data, and for some people, the tradeoff is worth it. However, it does put you at risk for fraud and data breaches. If you opt for such programs, be hyper aware of the information you’re asked to share, and keep good track of your accounts. Similarly, it’s better to have just one or two social media accounts than 10.
Understand the Tricks that Thieves Can Use Via Social Engineering Online and Offline
In the context of data theft, social engineering is when someone manipulates others to obtain personal data such as bank information. It can also be used to gain access to computers. Here are two examples:
Suppose one of your Facebook friends apparently creates a second account. This person sends you a friend request. After you accept, you get messages to click on a link. Thanks to malware, a data thief may be able to access your computer if you click.
Someone wants password access to your email account and calls the customer support number for your email provider. Thanks to statuses you’ve posted on social media, the person may be able to answer some security questions correctly (first pet’s name, street you lived on, etc.). This knowledge might be enough for the person to persuade customer support that he or she really did forget the answers to the other questions. Bingo, a criminal may be given the chance to type in a password and access your account—the customer support specialist was fooled.
In the latter case, setting up two-step verification may have avoided disaster because the criminal would’ve needed to be in possession of your cellphone as well for the scheme to work. Being more careful with the information shared on Facebook would’ve helped too.
In scenarios such as the first, listen to your gut. It may be alerting you to oddities such as:
- Your friend never posted about opening a second Facebook account.
- This person has never messaged you (or hasn’t in a long time).
- The language in the message doesn’t sound like something your friend would write.
- The link seems like it goes to a suspicious site.
- Your friend is asking you to give them money.
Do not engage the “friend” any further. Report any suspected spoofs or hacks, and contact your friend through a method you can trust.
Dispose of Financial and Personal Data Safely
How do you get rid of bank account statements, old cellphones and the like? They pose unique security risks in that you could have Social Security numbers, bank account numbers, password lists and much more all over them.
Check the user manual or website of a mobile device to see what the manufacturer recommends for erasing data permanently. At the very least, take the SIM card out. Delete photos, internet search history, voicemails, call lists and message lists. Also delete the contacts book/phone book. As for computers, the hard drive can be cleaned with a wipe utility program.
Shred paperwork such as credit applications, medical records, checks, bank statements and receipts.
Take any mail you’re sending to the post office or drop it into a collection box rather than let it sit in an unlocked mailbox for hours before it is picked up. Get mail holds when you go on vacation.
In addition, don’t request that new checkbooks be mailed to your home unless you have a mailbox that locks. Instead, order new checkbooks through your bank and pick them up there. It may cost more and be somewhat more inconvenient, but it means your checks don’t sit in the mail for hours for thieves to steal. There are also fewer people involved in the chain of getting the checkbooks to you.
Securing Children’s Confidential Data
Children are in a precarious position because they’re unaware of how their privacy and data are at risk. Even when they are mindful, many don’t quite understand the repercussions that can come from sharing private data. For example, teenagers who just passed their driver’s license test may post a photo of the new license on Facebook or Instagram, complete with the license number.
To identity thieves, children often represent clean slates and years of being able to use their information undetected. It’s not unheard of for young adults to apply for a student loan or credit card and find out that someone else is using their Social Security number. In fact, more than one million children in 2017 may have been the victims of identity fraud, according to Javelin Strategy & Research.
Parents and guardians play a vital role in helping secure children’s confidential data. Here is what they can do:
- Treat their children’s data as if it were their own.
- Stay on top of tech trends, especially those popular with children and teens.
- Shred your child’s paperwork such as medical records right along with your own.
- Monitor or check for any credit reporting activity in the child’s name at least once a year.
- Educate children on why it is risky to share information such as driver’s license numbers.
- Think about a credit freeze so no one can use your child’s information to open credit accounts.
- Share sparingly on school websites, school directories and school forms. Opt out when possible.
- Investigate if mail such as credit card offers arrives for your child. It is a sign that someone may have stolen your child’s identity.
- Be extremely selective about who gets the child’s Social Security number.
In some cases, it is the people closest to you and your child who steal the child’s identity. If that occurs, take steps such as freezing your child’s credit and submitting police reports, which creditors require.
Conclusion
Keeping your personal data confidential may seem impossible unless you never use computers or cellphones. That’s probably not going to happen, but there are degrees of involvement and risk. Taking certain steps such as limiting your sharing on Facebook and using password managers might mean the difference between never having your identity stolen and needing to spend hours repairing an identity theft that stripped you of thousands of dollars.
Additional Resources
- StaySafeOnline – The National Cyber Security Alliance has lots of information on social media safety.
- Scammers and the Elderly – Tips from AARP to protect your parents’ personal data.
- Social Engineering – The Identity Theft Resource Center explains how thieves can exploit social engineering.
- Are You At Risk? – A quiz from TransUnion to assess whether you’re taking good precautions with your personal data.