Update September 14, 2017
What do Anthem, Home Depot, Premera Blue Cross, Target, T-Mobile, and Equifax have in common? They are part of a growing list of companies to have suffered data breaches in the past couple of years. In each of these, millions of customers were affected as the attackers made off with names, addresses, birthdates, medical histories, credit card numbers, and, worst of all, even Social Security numbers.
With so many news stories month after month, it’s easy to do one of two things:
- Grow numb to all of it, and thereby fail to take the necessary actions to protect your personal data in a real emergency; or
- Spend every waking moment freaking out about how pretty much everything but your genetic code is online (oh wait, that too?) and in the process of being stolen as you read this very sentence.
Surely there's a middle way, you think, something that is neither defeatism nor constant vigilance. There isn't! You should be constantly vigilant about this stuff because the frequency of attacks is growing, especially when it comes to health data.
The U.S. Department of Health & Human Services keeps a list of health record breaches that affect 500 or more individuals at a time. When the Washington Post looked at this data mid-2014, over 30 million customers had been affected. In the 8 or so months since then—and helped by the massive attacks on Anthem and Premera over the past few months—the number of individuals affected has exploded to over 133 million.
It’s clear, then, that you should have some idea of how to respond if the worst happens, the same way you have an emergency plan in case a fire breaks out in your home. (You do have a plan, right?) But how vigilant you should be is the question, and it's an important one because the answer may mean the difference between staying on top of things and catching problems early, or burning out on the whole topic after a couple of months of unnecessary panic and letting something important slip past you.
Since we’re a blog about reducing risks, let’s try to reduce both of the risks contained in the paragraph above—the risk of not taking enough precautions, and the risk of wasting valuable hours of your life on unnecessary worry. We present to you:
The Identity Theft Index
A guide to how much you should freak out about the latest identity theft fiasco
Below are some common scenarios that involve a data breach, and our estimation of the relative threat level for each one, with 1 being, "That's annoying, but I'm moving on," and 10 being, "Aaaaaaa!"
I just found out that a company I do business with suffered a data breach…
Threat level: between 1 and 8
Start low, but be prepared to escalate the threat once you get a better idea of what actually happened.
- Set up a Google news alert.
- Bookmark or subscribe to Brian Krebs’ blog and start checking in on it periodically. Krebs is an independent journalist and security expert and a good source of information. (For example, he and not Target broke the story about Target being hacked in late 2013—it’s likely that Target found out about the breach roughly the same time the public did.) Krebs is a good middle-man in terms of translating the latest insider news into something regular people can understand.
- Take mainstream media news on the topic with a grain of salt. Remember that the media doesn't talk about every breach that happens, only the biggest or most dramatic. At the same time, once a story takes off, lots of news outlets will over-dramatize it for ratings.
When the story first breaks, you won’t have enough information to know how to react, so remain calm as you look for answers to these questions: How many records were stolen? Was the data encrypted? If so, how? What specific data was included in the theft? Also, look at who broke the story. If it’s the company, then it probably has some idea of what was stolen. If it’s a third party like Brian Krebs, the company might not yet have a good idea of the scope of the theft.
One thing to remember: when the news first breaks, the company will probably describe the attack as sophisticated and unstoppable, but take that with a grain of salt until more details come out. That language could very well be a PR tactic to paint the company in a better light—it’s much better than saying, "We didn’t take the necessary precautions and left ourselves vulnerable."
…and I’ve been told they only took credit card information
Threat level: 2
Watch for suspicious charges but don't worry about personal liability.
- Keep a close eye on your bank and credit card accounts and contact your bank or card issuer at the first sign of suspicious activity.
- Keep following the story using the steps above in case the company discovers more data was stolen.
While credit card theft is not good, if that’s all the criminals took then you’re not going to be exposed to that much risk in terms of identity theft. If they didn’t steal the PIN, the data is pretty worthless. But even if they're able to make purchases with your card info, you're free from liability if your card information is stolen through a data breach. (Note that this is a more lenient policy than what's applied to physical cards, which you have to report lost or stolen immediately in order to limit your liability.)
…as well as email addresses
Threat level: 3
Your exposure to risk is starting to expand, so take some basic precautions.
- Consider replacing your current email password with something more secure. (Search for "how to create a secure password" if you want help with this—or just use a password manager.)
- If it's feasible, visit any other accounts where this email address is on file and switch to a new email address.
- Contact the people who are in your email address book to let them know that your email address was stolen and that they should be cautious about any unusual-looking communication from you in the coming months.
- Read this page on how to identify phishing attacks. Even if you think you already know enough to not be tricked, read it. Just in case.
The biggest risk that comes from a stolen email address is that you or someone you know might be targeted by phishing attacks, which accounted for 20 percent of recorded data breach incidents in this year's annual Verizon Data Breach Investigations report. Less likely but potentially more damaging is that a criminal might be able to figure out your password and take over your email account, but if you practice good password hygiene you can reduce this risk dramatically.
…but they also stole names, mailing addresses, and phone numbers
Threat level: 6
Criminals have enough information at this point to open accounts under your name, so head 'em off at the pass.
- Consider putting freezes on your credit reports so credit checks can’t be made. This will make it much harder to open a fraudulent account under your name.
- If you don’t want to freeze all three credit reports, ask one of the bureaus to place a fraud alert on your account, which will warn future creditors to look closely at any new credit applications. The fraud alert will show up on all three credit reports, so you only need to do it once.
In both cases, the service should be free if you can prove you’re a victim of identity theft.
If you don’t freeze your credit reports, then use the free credit reports federal law entitles you to (one free credit report from each of the 3 main agencies per year) to stay on top of things. If you pull only one report at a time, you can keep checking in every four months.
You should also start to make it a regular habit to check in on your credit score via a third-party service. Your credit card company or bank may provide this, or you can find it through a site like Credit Karma or Credit.com. (We don't vouch for these sites—we're just letting you know that they exist.) The actual score isn’t important—what you want to look for is an increase in hard credit checks, which are the kind that happen when you open a new account somewhere, and this kind of information is usually included in a credit score report.
…and I’ve been told they took my SSN
Threat level: 9
This is a pretty good time to be freaking out, unfortunately.
- Visit the FTC's website identitytheft.gov and start filling out forms.
- Pay a visit to your local police station.
The problem here is that once a person gets your SSN, he or she can start causing some real trouble. Beyond opening lines of credit in your name, someone can use your SSN to get a job (which means the IRS will think you didn't report all of your income), or even file a tax return in your name, and you won't discover the tax fraud until either you try to file your real return or the IRS sends you snail mail saying there's a problem. (Tip: the IRS will never contact you about important stuff like this over the phone or via email.)
When dealing with a stolen SSN, eventually you'll always end up being directed back to the FTC's checklist of things to do. Part of this checklist includes filing a local police report, which may not be something you'd normally think is applicable to online theft. But not only will it help you prove your identity to the IRS, it will also make it easier for you to get the credit bureaus to cooperate when you go to them to request a credit freeze or fraud alert.
One strategy that probably won't work is to try to get a new SSN. You'll have to meet some pretty severe hardship requirements before the Social Security Administration will even consider such a request, and "normal" identity theft scenarios don't cut it.
…and I’ve been told they took health information
Threat level: 5-10
Could range from bad to really bad, so look for more details.
- Set up the news alerts and look for more information as you would in the first scenario on this list.
- But be prepared to engage the FTC and your local police station if it starts to seem like your most valuable personal info was part of the breach.
Stolen health information can vary from "just a few personal details"—for example your name and phone number, which are likely publicly available anyway—to "everything about me including my medical history," which would make this another situation where you need more information to know how to respond. So treat it as you would an initial report of a breach described at the top of this index, but know that there's a chance the theft included everything a criminal needs to steal your identity, and that you'll be visiting that FTC site.
Below are some scenarios that you might encounter even without any of the above happening, either because the breach has gone undetected or the info was stolen another way (for example via a personal phishing attack).
I found a new account on my credit report that I didn't open
Threat level: 7
While it's not always the case, the odds are high that this is a sign of identity theft.
This is not a good sign. Although it’s possibly just an error, the odds are good that it's a sign of identity theft. Either way you'll want to contact the credit bureaus to get it cleared up, but to be safe you should treat it as evidence of a bigger problem and act accordingly.
I found other information on my credit report that isn't mine
Threat level: 2
It's likely to be an error and not a sign of something criminal.
Unlike a new account, other incorrect entries—like old credit card accounts, employers you don't recognize, and addresses where you never lived—are most likely basic errors. Again, you’ll have to contact the credit bureau to get it fixed, but for now don't get too freaked out about identity theft.
Money has been taken from my bank account
Threat level: 9
This is a pretty good time to be freaking out, unfortunately.
This is bad! Stop whatever you’re doing and immediately call your bank so they can freeze your account.
In all of the scenarios described above, it's reasonable to assume that the bank will know as much or more about the data breach as you do. (If you skim through Brian Krebs's blog, you'll start to notice that often the first warning signs of a large-scale data breach come from banks.) But that's not always the case, and there will be times when you'll be the first one to notice something is amiss, for example when you wake up to find that there's a debit of $2,850 on your account. Contact your bank as soon as you notice the problem, because if it turns out your actual card was lost or stolen, the amount you'll be liable for will be based on how quickly you sounded the alarm.
Steps you can take to reduce the risk of identity theft
After all this doom and gloom, there is some good news here, which is that there are steps you can take on your side that will help reduce the risk of identity theft and mitigate the damage when it does occur. You've heard most if not all of these, but they're worth repeating because you probably aren't doing all of them.
- If your employer is one of the growing number of companies that offer some kind of ID theft protection, take it. ID theft protection isn't a guarantee against identity theft, but it's analogous to installing an alarm system in your home. But don’t just set it and forget it—like a home alarm system, it's not a replacement for locking your doors when you leave for work.
- Use different passwords. Isolating access to each of your online accounts is one of the easiest ways to reduce the chance that a criminal will take over everything in one fell swoop.

  Many people find the idea of multiple passwords daunting. If you're one of them, use a password manager. They're easy to use and will make your life a lot simpler while amping up your security.
- Use two-factor authentication. Most big internet companies now offer this, which means when you log in (especially from a new location) you'll have to provide a second passcode that's sent to your phone via text message or produced via an app that only works on your phone. If you've connected the online service with a bunch of other services, this one can be harder to pull off, but use it wherever you can. Gmail and Facebook are the two most important ones for most people; other companies that offer it include Apple, Yahoo!, Microsoft, and Dropbox.
- Use a VPN service when you’re in a coffee shop, airport lounge, hotel room, public library, subway platform, and so on. You don’t really need to know what it is or what it does to make it work, but if you're curious: it prevents anyone else on that same shared network from stealing your passwords as you enter them. Witopia is a VPN service that's easy to set up and use. Here are some others.
- Don’t click links in emails. Just don’t. It’s an easy rule to remember. You’re going to receive at least one worrisome email this year that looks like it’s from your bank or another company you do business with. It’s going to cause you anxiety and you’re going to want to deal with it immediately. It might even be an email warning you about a phishing attack or data breach. DO NOT CLICK ANY LINKS. Open a browser window and type in the actual URL of the company and look for help that way, or call a customer service representative. If you call, call the number printed on your card or statement, or go to the website and find a number there. Don’t use any of the contact info in the email, just to be safe.

  This sounds basic and it is, but phishing takes advantage of that eternal bias we all have where we're convinced we are too smart to be conned by simple tricks. Your brain thinks that and your brain isn’t correct. Remember that white-gold/blue-black dress? Honestly, do you think you can trust a brain that will clearly make up a color on the spot and refuse to budge?
- Bookmark the FTC guide to repairing identity theft so you know where to go at the first sign of identity theft. If you suspect your identity has been stolen, the last thing you want to do is wonder what you should do next.
This index will be updated periodically to reflect new developments in the world of freaking out about identity theft.
In the meantime, if you have tips on how to handle scenarios like the ones above, or if you've battled identity theft in the past and can offer first-hand advice, let us know in the comments section.
Did you have your identity stolen in a data breach? Learn more about identity theft insurance.
Photo: Robert McGoldrick