This month I have decided to present short insights into the loss of personally identifiable data or identity theft. I will start by looking at some recent data hacks.
First, let me point out that I worked for Marriott for many years, but the insights I share about the Marriott breach last November are not based on insider information. The numbers when they were first reported said over 500 million people had their identities compromised. That is more than every man, woman, and child living in the United States, a seemingly impossible number even for an international company. The reality is the number was significantly overstated; it was not 500 million people but traveler records (reservations). Because often the same people take multiple trips, the number of people involved is much smaller but still on the order of eight-digit figures (tens of millions). I do not intend to minimize the significance or severity of the breach, but I want to make you aware that frequently what you first hear about a breach may not be entirely accurate.
The Equifax breach in 2017 almost two years ago saw the loss of important information including Social Security numbers of over 145 million people. This means almost everyone in the US that has ever applied for credit.
The Target breach in 2013 compromised 70 million customers and exposed 41 million credit card numbers.
In 2015, the Government Office of Personnel Management (OPM) reported a loss of information for 21 million people who worked for the government or had government clearances.
My point is that it is almost certain you have been hacked! Now, what do you need to do about it?
I Have Been Hacked! Now What?
The first thing most of these companies offer is credit-monitoring services through companies like LifeLock. This is NOT the first action you should take! I am not a fan of these services because they require you to provide them with the very information you are trying to protect. LifeLock itself has been shown to not adequately protect customer information. LifeLock has exposed its customer email addresses and has been known to store customer information without encryption. LifeLock even shared customer information with Equifax. LifeLock has been fined $100 million by the FTC for not protecting customer information. I do not recommend signing up for most of these services unless the service is provided by a company that already has your data!
What you do instead? Your actions should vary based on what was compromised. If it was email addresses, change the passwords on those accounts and add 2-factor authorization if you don't already use it. Remember that you should use a different password for every system that requires a password. Passwords should be difficult to crack; at least 12 characters long and a mix of upper- and lower-case letters, numbers, and symbols; and not use words that are found in a dictionary. Look into my columns from previous years for detailed instructions for creating secure yet memorable passwords. I am likely to cover this in detail again in a future column because it is so important.
If credit cards have been lost and you know the credit card number, call the card lost or stolen number of the issuing bank and follow its advice. The bank may choose to replace the card with a new number or just enhance monitoring card activity. You should always monitor your card usage to detect fraud. If you are not sure which cards were compromised, call each of the card companies, tell them of the potential loss, and monitor your cards diligently.
Alerts, Freezes, and Locks
If it was social security numbers, bank accounts, paystubs, or other financial information, contact the credit agencies. You can choose to ask for a fraud alert, a freeze, or a lock on your account. A fraud alert is free and protects your account from unverified access for one year.
As of this past year, a new law was passed making a credit freeze a free service and protecting the consumer if the data is provided from a frozen account. A freeze restricts access to your credit information and requires the freeze to be temporarily lifted to others to access your credit information. The credit bureau will provide you with a PIN or password to lift the freeze temporarily if needed to allow access to your records for a loan or apartment, for example. Consumer Reports magazine suggests that a freeze is better than a lock because it is backed by federal law.
A credit lock is offered by the credit bureaus to limit access and works in a similar fashion as a freeze. Locks may be free or may have charges associated with them. A lock is an agreement between you and the credit agency asking the agency to limit access to your information. It does not have the weight of federal law behind it.
There are three major credit bureaus: Experian, Equifax, and Transunion. Each is required to give you one free credit report each year. If you request the report from a different one of the three every four months, you can keep pretty close tabs on what is going on with your accounts. Make sure you recognize all account information and remove any you do not recognize.
Loss of the information is one thing; chances are the information will never be used. The most common use of the data is for spammers to better target their messages and help with phishing emails to discover more information about you.
The steps discussed previously are designed to reduce the chances the information can be used to cause harm to you or your accounts. If someone seems to be using your accounts, credentials, or cards, then you may want to talk to your financial institutions and change accounts numbers. You may also want to file a report with the FTC.
Things That Don't Seem to Help
I have been through this before with a credit card number stolen while I was on a short trip. As we have discussed, monitoring services are of little value. It seems police reports of lost credit cards are ignored as well with the logic being that the card company experienced the loss, so it needs to report the crime. Some suggest you file a report anyway; I will leave that up to you.
I hope you find this information interesting and helpful, assume you have been hacked, and even if you haven't, lock everything down: the storm is coming.