Data Breaches Unmasked: The Devastating Reality of Identity Theft

No matter where you live, you’ve probably heard about the many breaches of data that have occurred over the last few years. It is even worse than what you read: identity theft is on the rise. Just to name a few (and no, I’m not singling out any particular companies):

• Equifax 143 Million, 2017

• Target 40 Million, 2013

• US Government Office of Personnel Management 25 Million in 2 breaches, 2015

• Ashley Madison 37 Million, 2016  

This short article will explore what you can do if your information is compromised, and give you advice even if it hasn’t (yet).

1. Disclaimer

I need to start this article with a few disclaimers.  No, I am not a lawyer.  No, I do not play a lawyer on Television.  And no, my opinions in this article in no way represent a binding solution for your particular situation.  If you wish to have a personal and professional recommendation, by all means, consult me.  But this article is just that — an article — and only represents the general opinions of the writer.

2. How can I find out if my information has been compromised?

Let me make this simple.  My recommendation here is to consider your information compromised.  Whether it be by way of phish or by way of corporate breach, consider your information compromised.

It also doesn’t matter whether today, at this limited moment in time, you have not been compromised.  Chances are that your very personal information has been compromised, or will be compromised soon.

That said, if you really want to know if your information is out on the deep dark web and is being used by adversaries…. well, my recommendation goes right back to don’t bother.  You are wasting your time, and it is better to consider that you have been compromised.   Remember, you cannot get the information back, it is real information, you can’t sue the guy who stole your data, you can’t sue the guy who is selling your data, and you can’t call Google nor the NSA and demand that they take all your information off the web.  It is there, and it is there for good.  Or at least it is likely there, or will be there very soon.

Even worse, if you start poking around the dark web, you may wind up getting even more of your systems and your identity compromised.

3. That wasn’t very helpful! 

Hey sorry about that, but it is important to understand that you cannot effectively research whether your information is out in the wild.  It is an impossible pursuit.  That said, I’m glad you asked what to do.  This is both simple and complicated at the same time.  And, there are two very different parts of a solution. First, what can you do, expecting that your data has been compromised.  And second, what can you do to maybe help keep your data a little more secure.

4. What you can do

There are a number of things you “can” do, there are some things you “should” do, and there are many things you shouldn’t or can’t do.

DO File your taxes early

Come next year, file as early as possible.  What is going to happen is that any personal data that is lingering out there will be used to file false tax returns.  Do whatever you can to file them as early as practical.  Get the information you’ll need together even this year, so you can quickly fill out the forms as soon as you can next year.

DO monitor your bank accounts and credit card statements

Put SMS Text and Email alerts on all your accounts.  If anyone tries to use your cards or lift money from your bank accounts, you’ll know quickly.  If you get an alert for a transaction that you did not complete, then call the associated credit card company or bank as soon as you can — immediately if at all possible.

DO change your passwords

A little technology here.  There is a password storage technique called “salted hashing” that protects your human readable password from the hackers.  But, not all sites store passwords correctly, and even the ones that claim to don’t necessarily store them correctly.  What this means is that if you are using the same password on multiple sites, and one site gets compromised, then your real live password might be used to get into other sites! Since you don’t know the “password storage” pedigree for each site you’ve entered your information into, go ahead and change your passwords — especially reused passwords, where you’ve used the same password on multiple sites.  It won’t hurt.  And besides, it gives you a refreshed idea of what your passwords are, and why you have access to the sites.

DO consider placing a fraud alert

A fraud alert makes it more difficult for a bad guy to open credit in your name.  Initial fraud alerts are enforced for 90 days.  You can call any of the three credit reporting companies to implement an initial fraud alert, and that first company you call will alert the other two.  Click here for FTC guidance on fraud alerts.

DO consider placing a credit freeze

A credit freeze makes it even more difficult for a bad guy to open credit in your name.  Note though, that it also makes it more difficult for you, yourself, to open credit in your own name.   Credit freezes are in place for 7 years.  If during that seven years you wish to open a line of credit, buy a home on credit, buy a car on credit, lease a car, or perform any number of other credit related activities, you’ll have to temporarily lift the freeze.  It is often the case (and it varies state to state) that in-placing a credit freeze and performing the temporary lift costs money.

DO NOT use the same password on all your sites

Although most sites use what are called salted hashed passwords, not all sites are compliant, and even the ones that say they are compliant are not necessarily compliant.  Definitely use different passwords wherever you can.

DO NOT believe anyone who calls telling you they are from the company who got hacked

These calls are likely social engineering, looking for ways to get more information from you!

DO be VERY careful with entering your information on any web sites

Especially web sites that say they are going to research whether you are breached, or whether your information is on “the dark web”, just avoid them. My honest recommendation is that this is a pursuit in unhappiness.  Many, many, many of these are trumped up companies that are in fact just bad sites themselves!  There are many scams out there, don’t be a double victim.  If that isn’t enough, consider this one. These companies are going to ask you for personal information to check against sites in the dark web.  What happens when they, themselves, get breached?  Just not worth it.  My recommendation is to just say no. 

Should I hire an identity theft protection company?

Many people are asking me about LifeLock, and other identity theft protection companies.  My personal recommendation is the same as for providing personal information to any web site or company:  In general, just say no.  For frame of reference, the FTC reports, “LifeLock will pay $100 million to settle Federal Trade Commission contempt charges that it violated the terms of a 2010 federal court order that requires the company to secure consumers’ personal information and prohibits the company from deceptive advertising.  This is the largest monetary award obtained by the Commission in an order enforcement action.” 

5. A few famous last words

Remember.  When you enter your personal information on a web site – any web site – you are opening yourself up to being compromised.

Do you have a shopping account at Wal-Mart, or Amazon, or Target?  Probably.  Did you provide your social security number to Comcast, or AT&T, or T-Mobile, or Dish Networks?  Probably.   Is your personal information retained at your favorite hospital, or clinic?  Probably.  Have you signed up for an “Rewards” accounts with an airline, or train, or local bus service?  Probably.

All these places are sources of leaks.  Every time you provide your personal information to anyone, anywhere, you are opening yourself up to potential leaks.  

When faced with a request for your personal information, consider alternatives.  Instead of signing up for postpaid cell service, opt for prepaid where your identity is not provided to that company.  When signing up for services, ask about alternatives.  Discuss what the company has in place to accommodate foreign nationals, who do not have a social security number and are still here in the United States legally.   There are usually options, but most companies are going to try to hard nose the request for your personal information.

If in doubt about providing your personal information, Just Say No.  You might just be saving yourself from a load of problems.

6. References

1. “The Equifax Data Breach: What to Do”,https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
2. “When Information Is Lost or Exposed”,https://www.identitytheft.gov/Info-Lost-or-Stolen
3. “Target Pays Millions to Settle State Data Breach Lawsuits”, http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
4. OPM data breach, https://www.opm.gov/cybersecurity/cybersecurity-incidents/
5. “World’s Biggest Data Breaches & Hacks”, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
6. “Credit freeze”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
7. “Fraud alert”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference
8. “Security Freeze”, https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/ 
9. “LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order”,  https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
10. “FTC, how to place a fraud alert”,  https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

If you have any questions or comments on this article please leave me a note by clicking here.