Tag Archives: SSN

Was Your Data Taken in Experian Breach?

A breach of one of Experian’s servers – discovered on Sept. 15 – has resulted in 15 million compromised records with personal information like names and Social Security numbers. The breach included information about T-Mobile customers from as far back as 2013. Here are the details and action steps you can take if you think you’re a victim.

The server that was attacked housed records of those who applied for T-Mobile’s services between Sept. 1, 2013, and Sept. 16, 2015. Overall, the compromised information included…

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Passport IDs

The affected server was not part of Experian’s consumer credit bureau; nevertheless, a data breach is good reason to check your defenses when it comes to protecting your personal information, and there are plenty of ways you can protect yourself.

Make sure hackers didn’t steal your information and use it to their advantage. Annually check your credit reports and bank statements for suspicious activity, like a new line of credit or purchases you didn’t make.

Be cautious! When a breach like this occurs, fraudsters may call the victims and say they’re from the affected companies. They may ask you for your personal information, so they can “help” you. Keep in mind that T-Mobile and Experian made it clear that they will not send a message or call and ask for personal information connected with the incident.

Consider some of the major data breaches we’ve had in the past couple years:

  • JP Morgan Chase – 76 million customer records
  • Anthem – 87.6 million
  • Home Depot – 56 million
  • Target – 110 million

Whether or not you think you’re a victim, employing an identity theft protection plan is relevant and important.

Ironically, T-Mobile is offering resolution services through Experian’s ProtectMyID, for those who were affected by the data breach; however, full, continuing coverage demands an identity protection service that has more robust features than those provided through the complimentary membership.

ProtectMyID’s complimentary membership includes SSN and credit-card monitoring, but you also need monitoring for high-risk transactions and data sweeps. ProtectMyID includes credit monitoring and an Experian credit report upon entry, but you also need your credit score and identity risk score (showing how vulnerable you are to identity theft). ProtectMyID has lost wallet/purse assistance and alerts for suspicious activity, which is good. It is backed by $1 million identity theft insurance coverage, too, but you also need coverage that will reimburse you for the expenses you incur while returning your life to normal. ProtectMyID has fraud resolution agents who can offer assistance to victims, but you also need a financial consultation, a legal consultation and more.

You need stronger layers of protection against identity theft, help creating an action plan and professional assistance with addressing compromised information and accounts.

The Experian data breach is a big reminder of how a robust identity theft protection plan is absolutely necessary.

Why Credit Monitoring Isn’t Enough

Having credit monitoring instead of identity monitoring is like putting a security system in the elevator but not in the whole office building. The scope of security is limited and leaves the workforce vulnerable. Thus, understanding how monitoring programs differ, how they work and why it matters is critical for safeguarding your identity.

Why should you care?

Victims of identity theft deal with increased stress, hours of work rebuilding their reputation and recovering from major financial losses, all of which have major consequences in other areas of life – like decreased productivity and performance on the job.

Given the statistics, if you haven’t dealt with the crime in some capacity, it’s only a matter of time.

The good news is that arming yourself with credit monitoring and identity monitoring gives you a better chance of stopping identity theft before it gets out of hand, thereby diminishing the negative effects that follow.

What is credit monitoring? How does it work?

There’s a broad range of credit monitoring services available in today’s market, and each program varies. Credit monitoring is a reactive approach to identity theft that involves checking credit reports for fraudulent activity. Because a credit report shows past activity, it will only reveal fraud or theft that has already affected the victim. That’s why it’s like only having security in the elevator: Once you realize the culprit is there, he has already infiltrated the building.

Credit monitoring programs will pull a member’s report, often quarterly or annually, from any number of the three major credit bureaus and make it visible to the member. On top of that, programs watch credit reports, transactions and activity for changes that could be criminal.

Another aspect of credit monitoring is resolution and recovery assistance, but, again, the levels of assistance vary from product to product. For instance, credit monitoring services will alert a member if they find fraudulent activity on the credit report(s), but some services don’t inform the credit bureaus on behalf of the member.

What is identity monitoring? How does it work?

Identity monitoring takes a more active approach. It not only focuses on credit reports but broadens the security sweep to account for name, birth date, address, email, driver’s license, Social Security number and more. Think of it as a security system for the whole office building, with security officers at every door and window.

Top-notch identity monitoring programs will check national databases for suspicious activity, watch out for questionable transactions and ultimately try to keep the member informed with real-time alerts about a data breach or fraudulent act. Touch points could even include scanning criminal record databases, sex offender registries and public records.

Identity monitoring can also give people peace of mind about their biggest worries: More than 70% of consumers are concerned about their Social Security number, credit card, insurance and driver’s license number, while less than 60% are concerned about their credit score and transaction history. People want more protection than what’s offered by credit monitoring alone, and identity monitoring is the answer.

What is the difference?

One major difference between identity monitoring and credit monitoring is accuracy. The all-inclusive nature of identity monitoring allows for a more accurate assessment of susceptibility to identity theft. For example, credit monitoring may not detect problems like tax fraud or medical identity theft because credit reports don’t necessarily show those types of information. Because identity monitoring is more robust, it can discover anomalies and provide protection for more than the financial aspects covered by credit monitoring.

Simply put, identity monitoring provides more coverage than credit monitoring.

For more information, visit clcidprotect.com.

Identity Theft Services Explained

As thieves discover more and more ways to steal personal information, it is critical that people use identity theft protection services that involve a wide security sweep of all personally identifiable information and high-risk activity. The marketplace for identity theft protection now includes all kinds of monitoring services and features. Make the best choice by understanding each feature available, how they differ from each other and their capacity for sustaining protection.

Credit Monitoring

Credit monitoring is the process of reviewing a consumer’s credit activity with the credit bureau. It monitors the activity and changes to a credit report, including inquiries made by a creditor to request a copy of a report. Monitoring provides an alert system for potential fraudulent activity or accounts being established, and for activity affecting your credit report and credit score. It enables you to stay on top of fraudulent activity so that you can address the inaccuracies immediately. It also reduces the financial impact that identity theft can cause, by reporting the fraud earlier and reducing potential out-of-pocket losses.

Identity Monitoring

Identity monitoring looks at more than just credit information; it encompasses all personally identifiable information: name, birth date, address, email, phone number, Social Security number, etc. This could include monitoring the Internet, national databases, credit files, public records and more. If thieves have your personally identifiable information, it’s the perfect cover for their crimes because everything will point to you, not them. Even kids can become victims of identity theft: Each year, more than 140,000 identity theft cases involve children.

Social Security Number Monitoring

It’s exactly how it sounds – protection for one of the most important pieces of information that a person has. This type involves monitoring hundreds of millions of records for unauthorized use of a Social Security number (SSN). 70% of people are worried about the safety of their SSN. Monitoring an SSN is particularly important for children because thieves have plenty of time to use the child’s information for their own gain before the child finds out by applying for an account or a line of credit and is denied because of the thieves’ damage.

Data Sweeps

Unlike previous monitoring services that focus on particular data or activities, data sweeps encompass a plethora of touch points and personal information. Data sweeps monitor the Internet for instances of criminals using stolen phone numbers, addresses, birth dates and more. How many data points are included and how often the data sweeps occur vary from plan to plan. Data sweeps cover the information that consumers are worried about, like mailing addresses (50%) and phone numbers (60%). They can also help a person feel more secure about their online presence because data sweeps can lead to removing exposed personal information on the web.

Credit Card Monitoring

The lending institutions that issue credit and debit cards will usually monitor transactions and notify cardholders of suspicious activity. Credit card monitoring, as offered through an identity monitoring service, will monitor the Internet for fraudulent activity involving credit card and debit account numbers, PINs and other personal information in Internet hacker chat rooms and the dark web. Credit card monitoring looks at activity outside of the credit report and outside of activity monitored by the cardholder’s bank or issuing institution. As a result, it can detect fraud that may or may not make it to a credit report or be captured by the bank.

Recovery Assistance

Most services will not only keep you informed but help you resolve any suspicious activity. Features could include assistance from a credentialed professional. Some assistance features may only provide victims with next steps or resources, while others may actually take on some of the activities a victim must complete to rebuild his or her reputation. 47% of victims who spent 6-plus months fixing the issue(s) felt severe emotional distress vs. the 4% of victims who felt that way after resolving issues within 24 hours. Victims can limit the health and financial costs of recovery by using a protection plan that includes assistance from professionals who know how to get quick results.

Lost Purse or Wallet Assistance

Whether you misplace your wallet or it actually gets stolen, most identity theft protection services will help you contact the correct institutions and minimize the damage if a thief tries to use your stolen information. Despite the growing threat of malware and hacking, physical theft is still a problem, and 43% of physical theft happens at work.

Service Guarantee

Most companies have a service agreement that provides some sort of refund for customers if there’s a defect in the company’s service. New technological advances are made every day for security and thievery, so you need to make sure that a company will help you if its protection services can’t keep up with thieves’ new tricks.

Some identity theft protection services go above and beyond with the layers of security and assistance they offer, in addition to the commonly included products listed above. Some of those extra special features are:

Additional Databases

While most services monitor your personally identifiable information online or on credit reports, not all of them will monitor databases like criminal records and sex offender registries. Some companies charge extra for monitoring these additional databases. Thieves don’t just use your personal information to empty your bank account. Thieves will steal reputable citizens’ identities and use them as aliases when committing crimes.

Medical Fraud Assistance

Monitoring for medical fraud involves protecting insurance records from criminal use and assisting victims when a thief tampers with a victim’s medical history or racks up medical debt. The crime rate for medical identity theft increases by 32% each year, and more than $12.3 billion in out-of-pocket expenses were spent in the past year because of medical identity theft.

Tax Fraud Assistance

Products include giving victims an action plan and providing forms and contact information for working with the IRS. Services that actually do recovery work for victims must have certified tax specialists who are approved for working with the IRS on behalf of the victims. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were tax-related. Tax fraud could include IRS phishing schemes, phone scams and stealing taxpayers’ information to file phony tax returns and get their refunds.

Family Coverage

Protection plans may allow members to add family members to their plan; however, adding family members often comes with additional charges. When family members share accounts (e.g. bank, music, email), passwords, etc., everyone feels the consequences if one of them becomes a victim.

Other

Other pieces of your personal information that may or may not be included in the common types of monitoring: loan/lease information, driver’s license, computer security, bank account information, passports, etc. Thieves’ use of hacking, malware and social media has skyrocketed over the past few years. As fraudsters improve their tactics, they gain access to more and more information.

Each type of monitoring covers important information that could lead to serious damage if taken into the hands of a fraudster, and no one type covers everything. Likewise, each feature has importance, but they’re most effective when working together because they create sustainable, comprehensive coverage.

People need to make sure that their identity theft protection plan includes all the necessary data points with multiple types of monitoring, assistance and recovery features, so their information stays secure.

Social Security Numbers Are Dead

I am a senior citizen. While this distinction entitles me to a variety of perks like discounted movies and bus fare – as well as the occasional free doughnut (seriously) — it’s also a ticket to the identity theft lottery.

Turning 50 gets you an invitation to AARP, and turning 65 gets you a Medicare card. What’s this have to do with identity theft? Take a close look at a Medicare card. The identification number? It’s a combination of the cardholder’s Social Security number and one or two letters.

Health insurers no longer include Social Security numbers on the cards they issue to people. The concern was that using SSNs needlessly increased the risk of identity theft, which was, and continues to be, rising exponentially. When health insurers made the change, they stopped being co-conspirators in what has become a national epidemic.

According to an article by reporter Robert Pear in the New York Times, private insurers under contract with Medicare are not permitted to use SSNs on insurance cards when providing medical or prescription drug benefits. But in a serious case of “Do as I say, not as I do,” Medicare has used Social Security numbers on more than 50 million benefit cards, heedless of the warnings of privacy advocates, consumer protection officials, federal auditors and investigators working on identity theft cases.

Section 501 of the Medicare Access and CHIP Reauthorization Act of 2015, a bipartisan provision written by Rep. Sam Johnson (R-TX) and Rep. Lloyd Doggett (D-TX), signed into law recently by President Obama, finally mandates the removal of Social Security numbers from our Medicare cards. (Well, let’s just say it begins the process — and, like all processes in Washington, let’s hope it actually gets done before my toddler is eligible for Medicare.) The new law is clear: Social Security numbers must not be “displayed, coded or embedded on the Medicare card.”

More than 4,500 of my fellow seniors enroll in Medicare every day. Over the next 10 years, some 18 million more of us are projected to qualify, which will bring the total Medicare enrollment to 74 million by 2025.

What Lit the Fire?

After years of begging, cajoling and warning to no avail, what finally forced both parties in Washington to get off their butts and get it right?

Pear speculates that it wasn’t one thing but a set of circumstances starting with the nearly universal digitization of medical records and, of course, ending with a culture plagued by highly effective hackers. Consider that in just the first quarter of 2015 more than 91 million Social Security numbers were exposed to unauthorized persons in just two data compromises: Anthem and Premera.

What the new system will look like is still anyone’s guess. Here’s what we know, according to the New York Times article: SSNs will be replaced by a “randomly generated Medicare beneficiary identifier.” Additionally, Medicare officials have eight years to get the new system completely up and running—four years to issue cards to new beneficiaries and four more years to reissue cards to existing beneficiaries. It was unclear whether those two four-year items were to happen simultaneously, but since we’re talking about a government timeline there is an argument for erring on the side of forever.

Like all major government initiatives, this will be no small feat. But it is a critical one if we are to stop hearing the pitter-patter of scammer feet tap dancing on the finances of senior citizens.

Why did it take so long? Why does the IRS still require SSNs? Because we’re talking about the government.

The record speaks for itself:

  • 2004 – The Government Accountability Office warns we must reduce our dependence on Social Security numbers as individual identifiers.
  • 2007 – The White House Office of Management and Budget directs federal agencies to “eliminate the unnecessary collection and use of Social Security numbers” within two years.
  • 2008 – The inspector general of Social Security calls for the immediate removal of Social Security numbers from Medicare cards. The departments of Defense and Veterans Affairs launch major initiatives to delete Social Security numbers from their identification cards.

How about the Department of Health and Human Services, which supervises the Medicare program? Well, let’s just say that according to the Times, the GAO felt that HHS was moving—shall we say—glacially and that it really was all about money. (Forget the fact that identity theft costs America and Americans billions annually.)

The Medicare agency is no small operation. It pays close to 1 billion claims from 1.5 million healthcare providers every year. While I understand that the HHS has considerable budgetary and logistical issues when dealing with the identification quagmire, it is nothing compared with the expense and uproar caused by identity theft in the lives of the people HHS serves. That’s a long way of saying that this identification card “modification” is long overdue.

In the meantime, what can you do if you’re concerned that your Social Security number is in the wrong hands? Because the number can be used to perpetrate many types of crimes, not just credit-related, the problem can be difficult to track. But it’s still important to check your credit reports regularly for signs of fraud — like new accounts you didn’t authorize. You can get your free annual credit reports from AnnualCreditReport.com, and you can get a free credit report summary, updated every month on Credit.com, to watch for changes.

That said, we are not living in a “So it is written, so it is done” age. Congress has to sit on the HHS to get 100% compliance with the law as it was passed. And we have to sit on Congress. And while we are sitting on our favorite 535 federal lawmakers, perhaps they can ask the IRS what’s taking it so long to make some changes — including killing the SSN as identifier — so Americans can stop being such sitting ducks in the sights of miscreants.

Cloud Apps Routinely Expose Sensitive Data

An alarming number of cloud-based apps used by enterprise employees don’t encrypt data at rest or require two-factor authentication.

And an astounding number of employees are still uploading highly sensitive data to the cloud and sharing files on unsecured platforms, according to the Cloud Adoption Risk Report Q4 2014 from cloud security vendor Skyhigh Networks.

The recent breach of 80 million records at health insurer Anthem was an example of how cloud services that don’t encrypt data leave personal records exposed to savvy cybercriminals.

The Q4 report was based on usage data from 15 million employees at 350 companies worldwide. It found that the average company used 897 cloud services in the fourth quarter of 2014, up from 626 the year before.

Data at Risk

While the number of cloud providers that have invested in key security features more than doubled last year, still only 11% encrypt “data at rest” — inactive files stored in databases. Only 17% have multifactor authentication.

“In light of the recent breaches, that’s alarming,” says Kamal Shah, Skyhigh’s vice president of products and marketing.

“The Anthem breach is a great example of how, if you’re not careful, cloud services can be used to exfiltrate data out of the organization,” he says.

More than a third of users uploaded at least one file with sensitive information to a file-sharing cloud service, Skyhigh found. Some of that information included customer Social Security numbers (SSN), date of birth, credit card or bank account numbers and personal health records.

Skyhigh also found that 22% of files uploaded to cloud-based file sharing apps had sensitive or confidential information. At the same time, 11% of documents were shared outside the enterprise, and 18% through third-party email services like Gmail, Yahoo and Hotmail, which don’t encrypt data at rest.

File-Sharing Exposure

The growing trend in file sharing is driven by the limitations of email, Shah says. Besides having size constraints as files get larger, email is a static environment.

“File-sharing is much more active — a living, breathing space,” he says.

Less surprising in the study was the number of compromised identities — especially given the record number of breaches and vulnerabilities in 2014. Skyhigh found that 92% of companies have compromised credentials, with 12% of users affected, on average, at each company.

“A lot of people use the same passwords for their work life as they do for their personal life, and when they’re compromised, those credentials can be used to steal corporate data,” Shah says.

The rapid cloud adoption is driven by legitimate business needs, Shah notes, which means the old way of doing business — by simply restricting app usage — no longer works for IT managers.

“Shadow IT is not bad because employees are using these cloud services for the right reasons,” he says. “The old way of blocking services is no longer effective.”

What that means for IT administrators is the need to educate their employees about the risks of apps that are not enterprise-ready, he says. (Skyhigh’s definition of enterprise-ready includes cloud services that rank one to three on a scale to 10 based on attributes like encryption, two-factor authentication, legal condition of service and so on.)

Despite all the breaches, cloud adoption will continue to accelerate rapidly, Shah says.

“For enterprises, there’s urgency to take action before it’s too late,” he says. “If you don’t act now, the problem will get bigger and bigger.”

This article was written for ThirdCertainty by Rodika Tollefson.