ID theft stings, but it’s hard to pin on specific data hacks
Presbyterian breach hit 183,000 clients, patients
NEW YORK — Equifax 2017. Marriott 2018. Capital One 2019. Presbyterian Healthcare Services in New Mexico in May.
Data breaches are distressingly common these days, and personal details about you can lead to identity theft, such as credit cards and loans in your name. But it’s hard to pin the blame on any specific hack, as the most sophisticated criminals combine data from multiple attacks to better impersonate you.
“That’s why fraud can be emotionally challenging,” said Kyle Marchini, of financial research group Javelin. “It just comes out of the blue, and there’s no way to identify where it came from or what I could have done to prevent that.”
While the number of reported breaches decreased slightly last year to 1,244, according to the nonprofit Identity Theft Resource Center, the total number of records exposed more than doubled to 447 million. That suggests hackers are focusing on larger organizations with bigger payoffs. Last year’s figures include data on about 383million. Inspectors suspect the Marriott breach was tied to the Chinese government. Criminal rings often buy datasets from multiple hacks to commit fraud. The idea is to collect enough information to get past ID verification and authentication checks that banks and other institutions employ. One database with your Social Security number might have your old address, but hackers can simply sub in your current one from a more recent database.
“We’re in this vicious cycle,” said Eva Velasquez, the ID theft center’s CEO. “We create and capture and use more and more data points about a specific individual in order to fight fraud and authenticate people. That, in turns, makes data more valuable to the thieves, so they are going to increase the efforts to get that data.”
Fraudulent card charges are relatively easy to reverse, and U.S. law limits credit card liability for consumers. But fraud involving new accounts is tougher to deal with.
Javelin estimates that the average victim spends 18 hours dealing with the fallout, including convincing collection agencies and credit-ratings agencies that the accounts weren’t really theirs. Javelin estimated that more than 3 million U.S. adults were victims of new account fraud last year, nearly triple the number in 2013.
Much of the increase can be attributed to the cumulative effect of breaches and the types of information stolen.
Credit card numbers and passwords can be changed, but birth dates and Social Security numbers stay with you for life. Hackers in the 2017 breach of credit monitoring firm Equifax got some or all of that from 147 million people. Equifax agreed last week to pay at least $700 million in the case.
Just a few days later, the bank Capital One disclosed a breach of personal information of 106 million Capital One credit card holders or applicants in the U.S. and Canada. The data included self-reported income, credit scores and account balances. The breach further increases worries about leaked data — in this case, the very types of information needed to submit credit card applications.
Beyond financial applications, personal data can be useful for telemarketing and email phishing scams, as fraudsters try to trick you by claiming they already know you. And criminals armed with such data can impersonate you on calls with financial institutions to get money transferred or a mailing address changed.
You can take such precautions as freezing your credit, which stops thieves from opening new credit cards or loans in your name. Doing so is now free, though you’ll have to temporarily unfreeze your credit if you apply for a new credit card or loan.
Signing up for a credit monitoring service alerts you when someone is pinging your credit report, a precursor to opening a new account. There are also ID protection services that will scan the internet underground for signs your personal data is for sale.
In the Presbyterian Healthcare Services case reported in the Journal on Saturday, the insurer reported a data breach that allowed unauthorized access to personal information belonging to around 183,000 patients and health plan members.
On Friday, Presbyterian began mailing letters to alert the members and patients affected by the breach.
The breach allowed access to names, dates of birth and Social Security numbers after a Presbyterian employee responded to a “phishing” scam designed to gain access to private information. Most of the victims were New Mexico residents.