Tuesday, May 22, 2018
There’s been a breach
Note: This post was originally published in 2015. It has been updated with new information relating to the topic.
Last week Twitter announced a breach of passwords. Twitter claimed that no personal data was released and encouraged users to change passwords. Since the big breaches from the fall of 2014 it seems like every month we have heard about a new breach. If not banks then major retailers or healthcare systems. The private information we entrust others to keep safe is being violated on a regular basis.
Try as you might to stay off the “grid” by paying cash, getting paper statements, or banking in person, eventually you will be a victim of identity theft or some sort of financial intrusion, either because of convenience or because a company demands you use an electronic system. It is difficult to navigate in today’s world without having some portion of personal data stored on an institution’s computer.
Ever check out at a store where you shop infrequently and they ask for your address, phone number, or name, and you’re in their system? Freaky, right? At some point you’ve provided them with your personal information. Larger companies own smaller companies…your personal data is bought and shared daily.
Tax season just passed and it’s a good bet that when you filed your taxes, electronically of course, your return was rejected by the IRS because, surprise, the return associated with your social security number has already been filed.
The IRS estimates that more than 122 million returns were filed electronically in 2017. While the IRS has seen a decline in personal tax fraud, falsified business returns have increased. The IRS identified 10,000 compared to 4,000 fraudulent business returns in 2016. The IRS doesn’t publish everything it is doing to combat tax identity fraud. Some of the public efforts are tightening access to private sector filing software and more thoroughly scrutinizing refunds. When your SSN has been compromised, the IRS issues you an electronic identification number for future filings. This solution should keep your tax information safe, as it is a unique number. But so was your SSN at the time it was generated.
We used to worry about someone stealing a driver’s license or credit card. If that didn’t happen you didn’t have much to worry about. Years ago, while I was working as an undercover detective (and when I say “years ago” I mean before there was a computer in every home and a world-wide inter web of computers), a senior administrator had a briefcase stolen that contained contact information for all of the detectives. Not just name and phone numbers but addresses, birthdays and, yes, the coveted social security number. Not sure what we called it then, but it wasn’t a breach. But in today’s terminology, the breach compromised so much personal information. What could one do? You couldn’t completely change everything. In those days, though, we were more concerned with operational security than identity theft. Yes, identity theft occurred, but not on the level or frequency as today. The criminals at that time weren’t as sophisticated in that skill set as they are today. Plus, copying and sharing was a literal concept. The documents would have to be photocopied and personally distributed.
We knew that if we worked hard and fast to recover the documents, we could determine the extent to which the information had been distributed. The faster the culprit was caught, the less chance the information could be distributed. Today, your information can be stolen from a third-party vendor’s database by a criminal in another country and uploaded to a distribution network all from a keyboard, in a matter of minutes.
The tenets of the paper world of long ago still hold true. Identify the breach and work fast to stop the leak.
Once you’ve identified a problem, you need to start working to quickly plug the leak. Contact the source through which you became aware of the breach: credit card, driver’s license, IRS, etc. Get that entity started on resolving the issue. File a complaint with the Federal Trade Commission, your state Attorney General’s office, even the FBI if you seem to be a part of a larger breach. File local police reports also. It may seem for naught, but you’ll have a record of the report and a case number to go with any other complaint filings. Most of the entities you will deal with, including law enforcement, have online complaint forms. It doesn’t take long and you can get it done in less than a day.
Document, document, document, everything you do and the entities you’ve contacted. Keep your notes for future reference.
Consider a monitoring program. There are lots of companies out there that perform this service. Of course do your research and choose wisely. If the breach occurred from a major retailer, financial, or health institution, they may offer some sort of credit monitoring or identity repair service for free. Take advantage of it.
If you get notification of a password breach or hear it on the news, such as the recent Twitter breach, don’t ignore it. Like Twitter, companies publicize that no personal data was infiltrated but passwords “may” have been compromised. It is important to regularly change passwords as a matter of routine. However, when a company has had their password database specifically breached it is important to act quickly and update your settings. It is equally important to update other accounts in which you use that same password. Maybe get in the habit of updating passwords whenever there is a breach in the news.
We should have different passwords for every account but, let’s face it, no one does that. So when one password is compromised, the other accounts that use that same password are now in danger of being hacked. Cyber-criminals have highly sophisticated search processes. They may not be searching for you, specifically, but once they get your logon or password they can use that to find other accounts. Once they have one piece of the puzzle it isn’t that difficult to break the rest.