Sorry, America. You’ve already been hacked.

Unlock stock picks and a broker-level newsfeed that powers Wall Street.

Wed, Sep 1, 2021, 10:32 AM 6 min read

The T-Mobile hack was massive, but not at all uncommon. In 2020, hackers accessed the customer data of 2.5 million customers of alcohol delivery app Drizly (UBER). In 2019, the information for 30 million payment cards used at Wawa convenience stores was stolen through a breach in the company’s payment systems. In 2018, Marriott confirmed cybercriminals stole the information of 500 million guests. And in 2017, credit monitoring bureau Equifax (EFX) was attacked, with hackers making off with the personal data of 147 million Americans.

Those are just a small sampling of hacks from the last few years. To put it bluntly, you, dear reader, have likely already been the victim of a hack.

“The answer is yes, you've been hacked,” NYU Tandon School of Engineering professor Justin Cappos told Yahoo Finance. “Your data, and everyone else's, is probably out there from one data breach or another.”

Herbert Lin, a senior research scholar at the Stanford University Center for International Security and Cooperation, went even further by saying that for a mere $10 he can buy your mother’s maiden name, your Social Security number, and your current address.

ORLANDO, UNITED STATES - 2019/12/19: A Wawa convenience store and gas station seen on the day the company's CEO announced that the firm is investigating a massive data breach that has potentially affected all 700 of their locations.
Malware discovered on Wawa payment processing servers on December 10, 2019 affected customers' credit and debit card information from March 4, 2019 until the breach was contained on December 12, 2019. (Photo by Paul Hennessy/SOPA Images/LightRocket via Getty Images) — A hack at Wawa convenience stores exposed the information on millions of shoppers. (Photo by Paul Hennessy/SOPA Images/LightRocket via Getty Images) · SOPA Images via Getty Images

It sounds scary, and it is. But there are ways to protect yourself even if your data is already out there including taking advantage of free credit monitoring services. As for the companies that fall victim to hacks, experts say the government needs to find a way to punish them so they start doing a better job of protecting your data.

Your data is lost, and it’s not entirely your fault

You can use the perfect 21-character plus password, multi-factor authentication, and a virtual private network that makes it look like you’re connecting to the web from the Moon. But in the case of corporate hacks and data leaks, there’s nothing you can do to protect your information from ending up in the hands of cybercriminals or nation states.

“There's really nothing you can do once [your data] gets out,” Cappos explained. But unless you intend on living your life as a kind of digital hermit, never signing up for a website or using your credit card, there’s little you can do to ensure your data is safe when you hand it over to a company. The moment you sign up for a service, app, or use your credit card, the fate of that data is more or less out of your control.

So what do the experts do to protect themselves? Lin and Cappos both say they’ve put freezes on their own accounts, meaning even if somebody has their information, they can’t open a card or take out a loan in their names.

Freezing your credit account is cumbersome. You have to reach out to the three major credit bureaus — Experian, TransUnion (TRU), and the aforementioned Equifax — to put them in place. You need to contact them again to take the freeze off your account when you want to sign up for a new credit card or otherwise access your credit account. Still, it’s easily one of the best things you can do to protect yourself online.

FILE - This July 21, 2012, file photo shows signage at the corporate headquarters of Equifax Inc. in Atlanta. Equifax says a special committee has determined that four executives did not commit insider trading prior to public disclosure of its massive data breach. The credit rating agency said Friday, Nov. 3, 2017, that committee found that none of the executives had knowledge of the breach when their trades were made and that preclearance for the trades was obtained properly. (AP Photo/Mike Stewart, File) — Equifax suffered one of the most significant hacks in recent years when the information of more than 140 million consumers was stolen by cybercriminals. (AP Photo/Mike Stewart, File) · ASSOCIATED PRESS

You can also sign up for credit monitoring services. And if your information has been stolen in a hack, you’ll likely get access to two years of credit monitoring for free in the event of some kind of legal settlement with the hacked company. Victims of the Equifax hack, for instance, got 10 years of free credit monitoring.

It’s also worth noting that your hacked data isn’t relevant forever. Chances are you’ll eventually move, or you might get a new phone number or email address, and when that happens your previously pilfered information is no longer a risk.

Privacy legislation will help, but it’s not coming anytime soon

There are some protections in place, namely the California Consumer Privacy Act (CCPA), which goes into effect January 2023 and allows consumers to have their data deleted from a company’s servers. Following California’s lead, Virginia and Colorado have also adopted consumer data privacy legislation of their own that will go into effect in 2023.

But these laws fall well short of national legislation because they don’t protect all Americans.

And as The Washington Post's Geoffery Fowler found, it’s tough to delete your data.

According to Lin, the best way to pressure companies to better protect data is to ensure they pay up when they lose consumers’ information. The CCPA, as well as the Virginia and Colorado laws, establish fines for violations, but those don’t apply to all Americans.

Various members of Congress have proposed consumer data protection laws, including Sen. Jerry Moran (R-Kan.), who reintroduced the 2020 Consumer Data Protection and Security Act this year, and Sen. Maria Cantwell (D-WA) who introduced the Consumer Online Privacy Rights Act in 2019. But nothing has ever come to fruition, and it’s unlikely to anytime soon.

U.S. Sen. Maria Cantwell (D-WA) speaks during a news conference after the first Democratic luncheon meeting since COVID-19 restrictions went into effect on Capitol Hill in Washington, U.S. April 13, 2021. REUTERS/Erin Scott — U.S. Sen. Maria Cantwell (D-WA) has introduced privacy legislation, but there's little sign it will move forward anytime soon. (Reuters/Erin Scott) · Erin Scott / reuters

“Legally, a lot of things have to change to make a really meaningful improvement in this area,” Cappos said. “And when you have companies like Facebook (FB) and Google (GOOG, GOOGL) that would be very strongly opposed to this, you can see why it's very unlikely that legislation of this sort would get passed.”

You might also wonder why companies aren’t legally required to encrypt data to the highest standards. According to Joseph Carrigan, senior security engineer at Johns Hopkins’ Whiting School of Engineering, that’s because those standards are always evolving.

“Let's say I say everybody has to encrypt their data at rest [not being transferred] using at least the advanced encryption standard...and I put that to legislation,” Carrigan said.

“Well, eight years from now that algorithm is no longer valid. So you have to go through the process of updating that [law]. Again that's a slow process. That's kind of why I don't like to see this happen in legislation.”

For now, your best bet is to continue to monitor your credit cards and, if you’re truly concerned, put a freeze on your accounts. It’s a hassle, to be sure. But it’s one you might have to learn to live with in a digital era where nobody’s data is safe.

Daniel Howley is tech editor at Yahoo Finance.

Got a tip? Email Daniel Howley at dhowley@yahoofinance.com over via encrypted mail at danielphowley@protonmail.com, and follow him on Twitter at @DanielHowley.