Some 57 million Uber users’ personal information was exposed in October 2016 when the car-hailing company experienced a cyber attack, the company announced Tuesday — more than a year after the occurrence of the incident.
Bloomberg reported the company paid $100,000 to the hackers responsible for the attack to keep the breach private.
Dara Khosrowshahi, Uber’s new CEO who was appointed by the board in August, said in a statement that two people outside the company “inappropriately accessed user data stored on a third-party cloud-based service that we use.”
The attackers stole data of the 57 million people across the globe, including their names, email addresses and mobile phone numbers. About 600,000 U.S.-based drivers were among 7 million Uber drivers whose license numbers and names were exposed in the breach.
The data breach was the latest in a string of high profile cyber attacks that weren’t revealed until months or years later. Fortunately, it doesn’t appear that Uber users have to worry about any of their financial information being exposed. Khosrowshahi said no evidence indicated that trip location history, credit card numbers, bank account numbers, or dates of birth were stolen.
What was done?
After the attack happened, Uber “took immediate steps” to safeguard the data and blocked further unauthorized access to the information, according to Khosrowshahi. The company identified the hackers and made sure the exposed data had been destroyed. Security measures were also taken to strengthen controls on the company’s cloud storage.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The company let go two employees who led the response to the incident on Tuesday, according to the statement. Uber is also reporting the attack to regulatory authorities.
What can you do?
Uber said no evidence shows fraud or misuse connected to the data breach.
If you are an Uber rider…
The company said you don’t need to take any action. Uber is monitoring the affected accounts and has marked them for additional fraud protection, Khosrowshahi said. But you are encouraged to regularly monitor your credit and Uber accounts for any unexpected or unusual activities.
If anything happens, notify Uber via the Help Center immediately. You can do this by tapping “Help” in your app, then “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked.”
If you are an Uber driver…
If you are affected, you will be notified by Uber via email or mail and the company is offering free credit monitoring and identity theft protection.
You can check whether your Uber account is at risk here.
Check out our guide on credit freezes and other steps you can take to protect your identity if personal information is compromised in a data breach.
Having your Social Security number or card stolen isn’t quite like getting your bank account information taken—though granted, both are stressful experiences. The major difference is that you can get a new bank account number, while the Social Security Administration very rarely issues new Social Security numbers.
Why You Need a Social Security Number
If you’re unsure what an SSN is, the Social Security Administration loosely defines it as a nine-digit number for identity-tracking purposes. Whenever you start a new job or apply for government benefits, you need your Social Security number: it will be used to verify your identity and record earnings. You can locate your Social Security number on your Social Security card—if you can’t find your card, make sure you reach out to the Social Security Administration directly.
How Social Security Number Theft Occurs
Someone can find out and steal your identity (or Social Security number) in a variety of ways. They could gain your Social Security number by exploiting data breaches, sifting through the trash for personal documents, or using any number of other approaches. The thieves can then sell your identity to the highest bidder on the dark web.
What Happens When Someone’s Identity Is Stolen
Once an identity thief has your Social Security number, they can commit all sorts of financial fraud with it, potentially leaving you on the hook for their misconduct.
Look at it this way: Social Security numbers are wrapped up in most aspects of Americans’ lives—employment, medical history, taxes, education, bank accounts, and so on. Below is a list of just a few things someone can do with your SSN if they get their hands on it.
1. Open Financial Accounts
Your Social Security number is the most important piece of personal information a bank needs when extending you credit or opening an account. With that number, a thief can get credit cards or loans, and when it comes time to repay them, they won’t, damaging your credit in the process. Those missed payments are tied to your Social Security number, so they’ll end up on your credit report and could impact your ability to apply for any type of loan or new account in the future.
Once you spot suspicious transactions, you can use your credit scores and credit reports to detect fraud and put an end to it. Unfortunately, it could take years for the fraudulent information to be removed from your credit report and, as a result, for your credit scores to recover.
2. Get Medical Care
Someone using your Social Security number could also undergo medical treatment, effectively tainting your medical records. Inaccurate medical records can have deadly consequences—for example, imagine what could happen if you received treatment based on a false history listing the wrong blood type. Additionally, it’s possible for thieves to poach your health insurance coverage, which could leave you in a bind when you need it.
So the sooner you file your taxes, the more likely you’ll get your refund before an identity thief has an opportunity to take advantage of your stolen identity. You’ll know someone stole your identity if your return is rejected as a duplicate—then you get to start the process of resolving the fraud and, if necessary, getting the refund you deserve.
4. Commit Crimes
Getting your Social Security number might just be a fraction of the thief’s crimes. If the identity thief gets arrested for another crime and gives your Social Security number to law enforcement, you’ve become tangled in their criminal history. Their criminal record could prevent you from getting jobs or interfere with anything else that requires a criminal background check.
5. Steal Your Benefits
A thief could also use your Social Security number to file for unemployment or Social Security benefits, depleting those resources and preventing you from accessing that assistance when you need it later on.
How to Find Out If Your Social Security Number Has Been Stolen
Thieves can operate under your identity for years without discovery, and some of these crimes are very difficult to detect. One of the best things you can do is regularly check a free credit report. Review your credit report thoroughly for unauthorized accounts or public records not related to you. These red flags could indicate clerical errors or identity theft. Either way, you want to watch out for it and act as soon as you see something suspicious. You can also check out these other ways you can find out if you’re a victim of identity theft.
Some time ago, the popular show Mythbusters wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets are actually slower and less accurate.
When it comes to cybersecurity, quick-fix silver bullets are also less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: mistakes will be made, and breaches like the one that hit Equifax will keep happening.
The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.
While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.
The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates, and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.
What can be done with this information? Just about every sort of identity theft imaginable.
Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.
No Easy Fix
If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.
Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.
Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.
One of the most promising solutions was once thought to be tokenization—a system of referents that create an impenetrable security trail—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.
Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.
Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.
Senator Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.
While new laws are good, education is the only real solution.
Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.
Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.
The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.
Less than a week after the Equifax data breach was made public, it seems scammers are already looking for opportunities to prey on concerned consumers.
The Federal Trade Commission posted a scam alert Thursday warning consumers to not give their personal information to anyone who calls and claims to be an Equifax representative. Over the summer, hackers breached the Atlanta-based credit bureau’s database and accessed the personal information of about 143 million consumers, including sensitive information like Social Security numbers.
But Equifax is not calling those affected by the breach, so if you get a phone call from someone saying they represent Equifax and want to verify your account information, the FTC advises you hang up. It’s ironic, in a way, to target victims by posing as a concerned Equifax representative. The company has been criticized widely for its sluggish response to the breach, which occurred sometime between mid-May and July but wasn’t discovered until July 29 and wasn’t announced until more than a month later.
In response to the security failure, the House Committee on Energy and Commerce has demanded Equifax answer several questions about the breach, including why the company put off announcing the breach for so long. Equifax has until Sept. 22 to respond to the committee’s questions, and the committee plans to hold hearings on the breach in September or October.
In a company statement, Equifax CEO Richard Smith said the breach was a “disappointing event.”
“Confronting cybersecurity risks is a daily fight,” he added. “While we’ve made significant investments in data security, we recognize we must do more. And we will.”
In the breach, people’s Social Security numbers, dates of birth, addresses, and other personally identifiable information (PII) were compromised, so it’s understandable you’d be worried and are looking for help.
Here’s what you can do to take control of protecting your identity.
Assume you’re affected
While you can go to Equifax’s website and go through a multistep process to see if your information has been compromised, you can also just assume someone has their hands on your personal information. (It’s also worth noting the Equifax site reportedly isn’t reliable for telling you if you’re affected, and many consumers have reported the site is slow to load or doesn’t load at all.) Even if you weren’t among the 143 million whose personal information was compromised in this breach (and the odds aren’t in your favor), chances are it has been or will be in a breach at a different company or organization. With that in mind, you’ll want to focus on how to detect signs of identity theft and how to respond to them.
Monitor your credit
Equifax responded to the breach by offering free credit and identity monitoring to everyone — not just those affected — for a year through TrustedID Premier. You must go to equifaxsecurity2017.com to enroll, which requires entering your last name and the last six digits of your Social Security number. You’ll then be given an enrollment date, which may be several days after you start the enrollment process, at which point you can return to the site to continue enrollment. You’ll need to set a reminder to continue the process, as Equifax won’t send you a notification when it’s time.
You have many other ways to find out if someone has misused your personal information. Several companies offer free credit scores — Credit Karma, Discover, Capital One, Mint, LendingTree (our parent company), etc. — either to everyone or to their customers. To help you choose, we put together this guide to getting your free credit score. Credit Karma also offers a free credit monitoring service, and Discover cardmembers can sign up for alerts when their Social Security numbers are detected on suspicious websites. You can also pay for credit monitoring services from a number of providers, including the three major credit bureaus Equifax, Experian and TransUnion, as well as credit scoring giant FICO.
Consider a credit freeze
You can also freeze your credit so no one, not even you, can apply for new credit using your information. If you do this, you have to initiate a freeze with each of the three major credit bureaus, as well as “thaw” each report when you want to apply for a new credit account. Every time you freeze and thaw your credit you may be charged a fee, which varies by state. This only protects you from credit fraud and does not prevent things like taxpayer identity theft, criminal identity theft, medical identity theft, and insurance identity theft.
On Sept. 15, Equifax announced it is waiving the fee for removing and placing credit freezes on Equifax credit reports through Nov. 21, 2017. Anyone who paid for an Equifax freeze at or after 5 p.m. EDT on Sept. 7 will receive a refund, the company said.
Have a plan for responding to identity theft
One of the best ways you can prepare for identity theft is to detect it early. After that, you need to know how to resolve it. You can do this yourself by filing a police report, disputing fraudulent accounts on your credit reports, and making the phone calls necessary to correct any problems stemming from the fraud. Or you could pay someone to help you with this time-consuming task. Check with your employer to see if they offer identity theft insurance or identity theft resolution services as an employee benefit, and if not, consider paying for it.
More than anything, remain calm as you sort through the fallout of this breach. Focus on making a plan for protecting yourself from and responding to identity theft and making sure you only deal with trustworthy service providers.
About 143 million consumers’ sensitive information has been compromised in what was one of the worst data breaches to date in size and potential impact on consumers. Credit reporting agency Equifax announced the breach Thursday, more than a month after detecting the intrusion.
Equifax is one of the three national credit reporting agencies (the others being TransUnion and Experian) and collects a wide variety of consumers’ sensitive and personally identifiable information (PII). The information on credit reports determines credit scores and is used in lending decisions, among other things.
The breach exposed the names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers of about 44 percent of the current American population. Hackers also took the credit card numbers for about 209,000 U.S. consumers and dispute documents for 182,000 U.S. consumers.
In its announcement, Equifax said “criminals exploited a U.S. website application vulnerability to gain access” to the files. In addition to the millions of U.S. consumers affected, the company says the criminals had access to limited personal information of some U.K. and Canadian residents.
The Atlanta-based reporting agency said the thieves had access to the data from mid-May through July 2017, but it didn’t discover the breach until July 29. Equifax announced the breach more than a month after discovering it and hiring a cybersecurity firm to investigate.
The company says it’s also working with law enforcement authorities and that its investigation will be complete soon. Equifax has not said who they believe attacked their database.
What the breach means for consumers
The breach isn’t the largest to date, but it’s close. In 2016, Yahoo announced an attack that affected 500 million users. Another breach, announced just a few months later, involved 1 billion users. In those breaches, hackers stole users’ phone numbers and passwords.
The Equifax breach could be worse in impact, given the sensitive nature of the consumer data the company has on file. In its release, Equifax said it had found “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” That doesn’t necessarily mean the information hasn’t been misused or that it won’t be misused, as signs of identity theft may not immediately show up on a credit report.
“If you were going to rate this breach from one to 10, this is a 10. The amount of sensitive info that is contained in the Equifax database is staggering,” says Adam Levin, founder of CyberScout and author of “Swiped,” a book on how and why consumers can protect themselves from identity theft.
When this level of information has been compromised, it “opens up the door for thieves to commit many different other types of identity theft. Not just financial, but criminal, government, medical theft as well,” says Eva Velasquez, the president of Identity Theft Resource Center.
Levin adds, when Social Security numbers are part of a database that’s been exposed, all of the individuals who have their numbers in that database will need to be “looking over their shoulders for the rest of their lives.” The Social Security Administration rarely changes someone’s Social Security number.
What to do now
First, don’t panic.
“People really feel violated when things like this happen,” says Velasquez. “Direct your energy from being angry or upset and feeling powerless to actually doing something and taking some steps to feel more empowered.”
Levin says the breach may add to “breach fatigue” — how the drastic rise in security breaches causes consumers to believe breaches are inevitable and react to them apathetically instead of with urgency.
“But it shouldn’t,” Levin says. “It should be a clarion call. Unfortunately, as consumers we have to think of this as if we’re alone. The government has failed us. The financial industry has failed us, and frankly we have failed ourselves. It’s important that we develop a culture of privacy and security.”
Find out if you are one of the impacted
Given the increasing threat and frequency of data breaches, everyone should be proactive in detecting identity theft. For this breach in particular, Equifax set up a website to see if you’re one of the people affected and how to enroll in the free year of credit monitoring it’s offering victims.
You’ll see a page with a large, rectangular button that says “Check Potential Impact” and a few lines of text.
The text explains that if you click on the link that says “Check Potential Impact,” you’ll be taken to a form that asks you to provide your last name and the last six digits of your Social Security number.
Based on that information, you’ll then be shown a message that says whether your personal information may have been impacted by the breach.
Regardless of the message you see, Equifax will give you the option to enroll in a credit monitoring service from TrustedID Premier. Beware: if you enroll, you’ll have to agree to waive some of your rights to sue Equifax. The arbitration clause is written in all caps in the company’s terms of service, but consumers may miss the language. The Washington Post reports Equifax on Friday updated its terms to incorporate a way out of the arbitration clause.
Consumers can be excluded if they let Equifax know within 30 days in writing they would like to be excluded from the arbitration clause, but must first accept the agreement.
If you choose to enroll, you’ll be given an enrollment date. There’s quite a backlog of people enrolling, so you have to take it upon yourself to return to the site on your enrollment date. In short: You have to take your protection into your own hands. Equifax isn’t doing it for you.
Sign up for credit monitoring
Equifax is offering one year of free credit monitoring through TrustedID Premier to all U.S. consumers, regardless of whether they were affected by the data breach. There are five services under the program:
Get a free copy of your Equifax credit report.
Sign up for credit monitoring and automated alerts to be notified of key changes to your credit report at any of the three major reporting agencies.
Put a freeze on your Equifax credit report.
Scan suspicious sites for use of your Social Security number.
Get up to $1 million of identity theft insurance to help you pay for any costs you may incur if someone commits identity fraud against you.
Even if you don’t want to enroll in Equifax’s service, you should enroll in a credit monitoring service, like free options offered through Credit Karma, Discover, Mint, Wells Fargo, and Capital One® — there are lots of ways to keep tabs on your credit.
Some identity theft protection services, like the ones offered through myFICO, charge a monthly fee to monitor your credit year-round and provide identity theft insurance.
Regularly review your credit reports
You’re entitled to a free annual credit report from each of the major credit bureaus, which you can get through annualcreditreport.com. Carefully check your credit report for any accounts or recent activity you don’t recognize.
Make a plan to respond to identity theft
Detecting identity theft as soon as possible is crucial to minimizing the damage and stress it can cause — that’s where credit monitoring and reviewing your credit reports come in. But the next step is just as important: Know what to do when it happens.
You can dispute errors on your credit report, file a police report documenting the identity theft, and do the legwork of resolving any problems it causes. You can also pay for identity theft insurance or identity theft resolution services (some employers offer this as a benefit, so check with your human resources department). Here’s a guide on identity theft resolution, so you know what to do in case you see anything suspicious. Even if you don’t see anything out of the ordinary, you should continue to remain vigilant in monitoring your credit activity.
Freeze your credit report
Velasquez says a credit security freeze is an option impacted consumers should look at. It prevents any application for new credit without first verifying your identity. If you want to apply for new credit, you’ll have to “thaw” your credit reports. The credit bureaus charge a fee, which varies by state, every time you freeze and thaw your credit report.
“While that does create some added inconvenience, the level of protection is worth it,” says Velasquez.
Be alert for unusual activity
Now is the time to practice what Velasquez calls good “identity hygiene.”
“Being vigilant about your identity is just a part of the world that we live in,” says Velasquez. “If being involved in a data breach is the catalyst that brings that to the top of your mind, then we can see that as a positive.”
Velasquez recommends consumers act proactively and remain cognizant of anything that may involve using or verifying their identity. For example, if you receive a notice from a government agency about benefits or some weird explanation of benefits, pay attention to it.
Even after you do things like enroll in credit monitoring and freeze your credit, continue to do your best to watch out for signs of abuse. Don’t wait until you start receiving strange calls from government agencies and debt collectors.
When tax season rolls around, file your return as soon as possible. Identity thieves frequently use Social Security numbers to get fraudulent refunds, and if they file before you do, it will further complicate your tax-filing process.
At the least, go through your financial statements regularly (the more often, the better) to look for anything out of the ordinary. While protection is top of mind, sign up for any alerts you can set up on your mobile banking app to receive transaction notifications.
No payment card or banking information was compromised in the latest 1 billion-user breach at Yahoo, according to expert reports. But what if there had been? The truth is that for most users it would be annoying, but not the end of the world.
So, why is this big news?
First of all, Yahoo can now claim two of the biggest security breaches in history. It is noteworthy that such a distinction should be attributable to a single entity. The response to the latest breach news has been huge. Ask any three experts and you’ll probably get three different figures, but according to ZDNet, the users exposed in the two Yahoo breaches exceed the total number of records compromised between 2005 and 2013 by nearly double. (Yahoo did not immediately respond to Credit.com’s request for comment.)
The post-breach news commentaries have been many and various. There are some experts who advocate forgoing any digital connection to the security-challenged giant. Others predict that the latest bad news will negatively impact Yahoo’s sale to Verizon further, if not kill it. Within days of the breach, there were various articles advising how you could replace Yahoo services and delete your Yahoo account. That said, Yahoo is not the problem per se.
First of all, let’s be crystal clear: This latest news does not refer to the 500 million Yahoo users who were affected by the breach reported this September. While there may be some overlap, this is a different breach with different issues. It occurred way back in 2013, but that’s not really even the bad news here, though, yes, it is less than awesome that user information — including poorly encrypted security questions and passwords that could be used in an account takeover — has been out there for three years.
The bad news here is not limited to the fact that Yahoo didn’t know about this breach until law enforcement officials told the company that their stolen user data was offered for sale on the dark web. The bad news is not even, as PC World reported, that in a separate incident an intruder was able to crack Yahoo’s proprietary code and forge cookies, which would allow a hacker to get access to user information without a password. This last frightening bit of news seems to be related to the state-sponsored hack reported in September.
The bad news here is that this unsettling state of affairs — of having your information out there at the fingertips of bad players looking to make a quick buck — is not confined to Yahoo users. The real bad news is that we are all willing and/or unwitting conspirators in the exploitation of our own information, which has been sloshing around the hold of a virtual — and somewhat unmanned — freighter for years.
It Always Already Happened
There is, however, a bit of good news here. There are ways you can better protect yourself. All the subscriptions to identity theft monitoring cannot replace your active participation in your own defense. You are your best guardian.
Whether or not you choose to stay with Yahoo, it’s a good idea to change your behavior to stay safe, and that means changing your outlook and approach to the digital world. The main point is this: We are always about to “get got.” You don’t need breaking news coverage to know that you are exposed. With literally billions of compromised files floating around, you have to be exceedingly lucky not to be within easy reach of a sticky-fingered thief looking to make bank at your inconvenience.
While there is no way out of the information inferno we all inhabit, there is a way to live in it peaceably. I go into the details more thoroughly in my book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves,” but the basics of the practice I explain there can be summed up by three Ms: Minimize, Monitor and Manage.
Minimize Your Risk of Exposure: This can be anything from how you use the internet to what you choose to carry in your wallet. The goal is to decrease your attackable surface.
Monitor Your Identity: Get a free copy of your credit reports from each of the major credit reporting agencies at least once a year (some states permit more than one) at AnnualCreditReport.com. Consider subscribing to a credit and identity monitoring service. Set up transaction notices with your bank and credit card accounts, and pay attention. If you stay on top of things, you make it harder for crooks to get a foothold into your financial life. And if you have reason to believe you’ve been the victim of identity theft — unexplained accounts and mysterious addresses are two warning signs — don’t ignore it. You can view two of your free credit scores, updated every 14 days, on Credit.com.
Manage the Damage: Notify the authorities if you have become a victim. Get an identity theft incident report that you can use to straighten out your credit and identity issues. Check with your insurance agent, financial services rep or the human resources department where you work to see if they offer an identity theft protection services program and if you are enrolled. You may be pleasantly surprised to learn that they do and you are enrolled free, or can access it at a discount as a perk of your relationship. You may also want to consider freezing or placing a fraud alert on your credit as well, depending on what’s been compromised.
Never forget — the ultimate guardian of the consumer is the consumer, and no one has a bigger stake in protecting your economic security and well-being than you.
Yahoo confirmed a massive data breach Thursday that compromised an estimated 500 million users’ personal details.
The announcement follows a Yahoo investigation into claims that a hacker going by the name “Peace” was trying in early August to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web.
The investigation found that “certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo said in a news release. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, Yahoo said. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.
Keeping Your Information Safe
If you ever have reason to believe a password to any of your accounts has been compromised, it’s a good idea to change it immediately. And you’ll want to do that across any account that shares the same password (not a best practice, by the way) as the affected one since hackers who obtain one username and password may try to use it to gain access elsewhere.
Remember to keep passwords long and strong by using alphanumeric characters and phrases that can’t easily be guessed via social media (like, say, your pet names). And, if you ever have reason to believe your personal information was hacked, it’s a good idea to monitor your credit for signs of identity theft. (You can view a free credit report summary, updated every 14 days, on Credit.com.)
Remember a couple of years ago when the Target data breach was in the news? Here’s a refresher if you don’t. In December 2013, Target announced that hackers may have accessed 40 million credit and debit accounts used in their stores late that year.
With so many people affected, it would seem logical that consumer behaviors around card usage might have changed. Turns out, that isn’t the case, according to a recent report by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston.
Greene and Stavins looked at survey data collected by the Survey of Consumer Payment Choice (SCPC) before the breach and then after consumers were made aware of the hack. In the survey, consumers were asked about the security of their personal information tied to debit cards and, on average, they saw it as 11.3% less safe after the Target breach.
Based on this information, the authors expected to see a decline in debit card usage. However, the authors reported “no statistically significant change in the adoption or shares of payment instrument use of debit cards in the long run.” Meaning, they don’t believe the Target breach announcement caused any long-term effects on how people use their plastic.
What to Do If Your Information Is Stolen
It’s generally a good idea to keep a close eye on your credit card statements for any suspicious activity. (Tip: make sure you’re doing this through a secure Internet connection so you don’t open yourself up to any additional threats.) If you spot fraud, report it to your issuer right away and, if your card gets lost or stolen, it’s in your best interest to call up your issuer and have the card replaced with new account numbers.
If your personal information gets compromised during a data breach (or otherwise), it’s a good idea to check your credit scores for sudden changes, like a sudden score drop or unfamiliar accounts in your name, as these are signs of identity theft. You can see two of your credit scores for free, updated each month, on Credit.com.
If you purchased something on computer manufacturer Acer’s website over the last year, your credit card information may have been stolen.
Hackers made off with the names, addresses, card numbers, expiration dates and three-digit security codes of a reported 34,500 customers. So far, there is no reported evidence that usernames or passwords were compromised during the unauthorized third-party access.
Acer acknowledged the data breach, which reportedly happened more than a year ago, in a letter prepared for customers. Customers who purchased products on the site between May 12, 2015 and April 28, 2016 might have had their data compromised.
“Safeguarding your personal information is important to us,” Mark Groveunder, vice president of Acer customer service, wrote in the letter. “We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts. We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement.”
You can also consider freezing your credit until you’re certain you’re in the clear. When you freeze your credit, no one can open a new credit card or loan — not even you. Once you need access to your credit, you have to thaw it before a potential lender has the ability to review your application. You can continue to use your existing accounts, and a freeze won’t keep you from getting your free credit reports or credit scores.
Over the past few years, we’ve experienced more ginormous data breaches than any of us can, or would even care to, remember. Against this backdrop, reflect upon the fact that political campaigns know as much as, if not more than, advertisers about us — what inspires us and what will move us to vote.
The Wild West
Consider the various kinds of information a campaign crunches to determine who might be persuaded into voting for their candidate and the parallel to advertising and marketing becomes instantly clear.
Many campaigns don’t “only” (and I use the term advisedly) collect things like your name, email address, postal address, phone number, mobile number, credit card information, location, what you’re called on social media sites (your handles) and other contact or identifying information you choose to provide when you go to make a donation or sign up for their emails. There’s also often a cornucopia of data collected when you use a campaign’s site — cookies, your IP address and other digital no-see-ums. While that information would be horrible to leak, it’s nothing compared to the granular details that campaigns purchase from data mining companies.
“This is the Wild West,” Tim Sparapani, a data privacy consultant and former director of public policy for Facebook, recently told the Los Angeles Times, “There is nothing that is off-limits to political data mining.”
They Have WHAT?
This is not just about social media, but it definitely starts there. Data mining companies have long scoured social media to glean information about potential customers, proponents, fans, outraged citizens and any other manifestation of subjective choice “out there.”
There are too many instances to bring up here, but a report in Bloomberg late last year can serve as a general example. It was about a data mining firm that was working for former presidential candidate John Kasich’s Super PAC to create “a ‘social graph’ of possible supporters by scanning high school yearbooks, small-town newspapers, and sports-team rosters.”
If a yearbook is OK in the land of deep dives, what other records could be put to use? Like rose petals in the wind, data is scattered about everywhere, and there is no place too insignificant for a data mining company to potentially send employees to scour for useable bits.
What’s the Big Deal?
What may not be as obvious is that the type of information they collect is often of significant value to hackers and their clientele. Hackers, advertising executives and political operatives constantly search for ways to move a person to take a particular action. With hackers, the action is to click a link that downloads account or sensitive personal information-grabbing malware or otherwise provides access to money or services using your information. Politicians simply want your vote.
Concern that hackers will compromise political campaign databases seems like a prudent response to the current information security landscape, yet disappointingly, at least for those of us in the data security community, the conversation between candidates about security has been largely focused on the “Great Wall of Mexico” and whether or not ISIS should be nuked.
Were a major campaign hack to go down, it would not only create a very unfortunate political situation, but also the information of millions of voters would be at risk for phishing attacks and identity theft. If one of these data-heavy campaign databases were to fall into the wrong hands, there is no end to the scams that creative, sophisticated and persistent fraudsters could pull off with it, or the havoc they might wreak.
The attacks could be based on a familiarity with the target and/or target group—phishing, spearphishing, picking purchases that go unnoticed, cooking up scams involving known networks of friends gleaned from voter data married to social networking accounts — but I digress.
As things stand, there is no solution. Data breaches are the third certainty in life, right behind death and taxing presidential elections.
To be completely honest (isn’t that a refreshing concept in a presidential election?) in order to be almost cyber bulletproof, you would have to live in a log cabin on Loon Lake and never associate with anyone or anything. That said, there is a point in the drive to be careful with your information where you have to also live life.
Bottom line: As I mention in my book “Swiped: How To Protect Yourself In a World Filled With Scammers, Phishers and Identity Thieves” – practice the 3Ms: Do everything you can to minimize your risk of exposure, monitor aggressively so that you know as quickly as possible if you have a problem and have a plan to manage the damage. (You can check for signs of identity theft by viewing your free credit report summary each month on Credit.com.)
Don’t assume that your candidate of choice, no matter how much you think you can trust him or her, actually has your back. Frankly, in this decidedly insecure digital world, they don’t even have their own.
This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.