Data breaches and cyber terrorism have been receiving a great deal of attention over the past few years, and for good reason. Businesses and organizations around the world have been targeted by hackers who are looking to steal financial information and even more sensitive identifying information for monetary gain. Educational institutions, hospitals, insurance companies, government agencies, and financial institutions have all experienced security breaches lately.
According to the Identity Theft Resource Center, 1,093 breaches occurred in 2016 alone. These events leaked over 36 million sensitive records that include social security numbers, credit/debit card information, emails, passwords and usernames, and protected health information.
Receiving a notification that your personal information has been exposed can be a terrifying experience. To help you through this process, there are a few steps you should take after receiving such a warning. The first step is to measure your level of exposure by considering the nature of the information that was compromised.
Bank Account or Credit Card Exposure
If your bank account or credit card information was exposed, immediately contact your bank or credit card company and ask to have your account information changed. Once this information has been changed, your vulnerability is greatly reduced, if not eliminated.
Vigilantly monitor your accounts and statements for any fraudulent transactions that could have been initiated prior to changing your account information. If you detect any discrepancies, contact your financial institution immediately. Monitoring your statements is something that should be done on a weekly, if not daily, basis regardless of whether your information has been exposed. The earlier fraud is detected, the easier it will be to resolve.
Do not forget to notify any companies with which you have set up direct deposit and auto-draft payments. This may be the most time-consuming and difficult part of the process, but you will need to be thorough about updating your information in order to both re-secure your information and avoid any missed payments, late fees, etc.
Username and/or Password Exposure
When login credentials like usernames and passwords have been exposed, the process to reduce both current and future risk is simple but time consuming as well. Your best defense is to change the exposed username and/or password anywhere you may have used it. No, this does not mean to merely add a number to the end of your old password. You need to start over with entirely new credentials. While updating your account settings, check to determine if any fraudulent activity has already occurred.
What should you do if, while attempting to update your account, you discover you are not able to log in? What if the exposed username is your email address? You will need to contact the company you have this account with for further assistance. Keep in mind you may be asked to provide documentation to verify your identity. This could include answering security questions or sending a copy of the letter you received notifying you about the data breach.
If the exposed login credentials were used with a financial institution, you should act as if your financial information has also been exposed and follow the steps explained in the previous section. This may seem like an aggressive approach, but you might be able to determine if someone was able to log into your account and retrieve account numbers or other sensitive financial information.
Exposure of Sensitive Identifying Information
If particularly sensitive information (such as your social security number) was exposed, the process to remedy the situation is much more involved. With this information someone can pretty much do anything they want, including assume your complete identity. Here are a few steps that should be taken to reduce this risk.
Initiate a Credit Freeze
Placing a freeze on all three of your credit reports is a solid defense against new account fraud. If you are not planning on obtaining new credit, refinancing, changing or setting up phone or utility services, or any other credit-related events within the next year or two, then this is your best bet. A freeze prevents new creditors from seeing your credit report. In most cases, lenders will refuse to issue new credit without a full credit report. A freeze does not interfere with the ability to use current accounts, such as credit cards or other lines of credit.
To initiate a security freeze, you must contact each of the three credit bureaus (Experian, TransUnion, and Equifax) directly. You will be asked questions to verify your identity. A few of these inquiries may be based on the information listed on your credit report, so it is advised to have these records handy when making these calls.
If a credit freeze is not a convenient option for you, then you should, at a minimum, place a free 90-day fraud alert on your credit reports after any of your sensitive personal information is exposed. This places a disclaimer on your reports requiring potential lenders to verify the consumer’s identity prior to issuing credit. Make sure to add your contact information to the alert so prospective creditors can get in touch with you.
To place a fraud alert, simply contact one of the credit bureaus and ask them to notify the other two on your behalf. Personally, I prefer to contact each credit bureau directly so that I can request free copies of my credit reports in the process. Don’t forget to verify the mailing address they have on file while you’re at it!
File an IRS Identity Theft Affidavit
Your exposed sensitive information could be used to file a fraudulent tax return. By filing an IRS Identity Theft Affidavit (form 14039) with the Internal Revenue Service (IRS), you are putting them on notice that there is an elevated risk of tax return refund fraud associated with your social security number. Send the form to the IRS by fax or certified return receipt. Both the fax number and mailing address are located on the form.
Social Security Concerns
If you have ever had reportable income, you have the option of establishing an online account with the Social Security Administration (MySSA) or choosing to opt out of electronic access, thereby blocking anyone from establishing an online account using your sensitive information. Failure to do one of these leaves you and your benefits vulnerable to fraudulent activity. To learn more about the MySSA account or how to opt out, visit www.SSA.gov.
Free Credit Monitoring
Compromised companies will often provide free credit monitoring to consumers who were affected for up to a year or two. Since this service is free, the only harm in signing up is that at the end of the free period you will be solicited by the monitoring company to register for a paid plan. However, these services are limited. There are a few things to consider before signing up for the free service.
One thing to keep in mind is that these free services can only monitor for credit-related identity theft. They cannot protect you from becoming a victim. They merely notify you when there has been a change to your credit report, usually after fraudulent activity has already occurred.
Another thing to consider is that the free services may only monitor one credit report. You will want to keep track of your reports from all three bureaus in order for this to be truly effective. Some companies might not offer full restoration services either. This means that you will be notified of fraudulent activity, but you are then left to do all the work involved in restoring your identity. They might provide you with a hotline where someone will tell you what needs to be done to remedy the situation, but you must navigate the remaining steps yourself.
Receiving a data breach notification letter can leave you with many questions. Your best defense is to make your information less attractive to thieves by making it more difficult for them to use. By following the steps above, you will reduce your risk of future identity theft.