Hack of data that people can’t change could put victims at lifelong risk
Hackers might have info you can’t change
The data breach at Equifax that exposed 143 million Americans’ personal information to hackers could put victims at risk for identity theft for the rest of their lives.
When a credit card is stolen, it can be canceled and replaced, curtailing the fraud threat. But if it’s a name, Social Security number and birth date — data likely to stay the same forever — hackers can use that for years.
Beyond credit-related fraud, hackers can obtain medical service, leaving victims with bills and muddled medical records; they can file tax returns, ensnaring victims in IRS trouble; and they can create IDs using data from several people, making the fraud harder to track.
When a credit card gets stolen, it’s easy for the victim of the crime to shut down the card, get a new account number and avoid monetary loss. But financial peril rises and can persist for years when personal data likely to stay the same forever — like Social Security numbers, names and dates of birth — get stolen like they did in the cyberattack on credit-reporting service Equifax.
Once hackers gain access to these key pieces of personal data — akin to the DNA of a person’s digital self — they are at the cyber thieves’ disposal forever to cause harm.
“It’s very problematic for hackers to have all that important information all in one place,” said John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO. “This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone.”
An estimated 143 million Americans, or nearly half of the U.S. population, had their personal data stolen in the Equifax cyber heist, according to the company.
The bad news is that “this data will be used for years,” said Avivah Litan, a security analyst at Gartner. “So, as a consumer, you need to be hypervigilant.”
Instead of looking at your bank and investment statements monthly, for example, review them weekly, Litan advised. And if you see any fraudulent activity, report it immediately.
With such a rich trove of personal data at their disposal, cyber thieves have a greater chance of successfully committing financial crimes.
“This opens the door for total identity theft,” said Robb Reck, chief information security officer at Denver-based Ping Identity.
Not only can hackers potentially gain access to your financial accounts, such as checking and savings accounts and 401(k)s, and withdraw money, but also “they can use this information to create a new ‘you,’ ” Reck warned.
Armed with your digital history, hackers can file tax returns using your name and social security number to claim a refund. The might file fraudulent medical expense claims, attempt to open credit cards, rent an apartment, apply for electric service, or get a loan and buy a house in your name without your knowledge.
“These types of things can bleed over into your life,” Ulzheimer said. That’s why he advises people to check their credit reports on a “monthly basis.”
And while worries about a damaged credit score, hijacked credit cards or thieves opening fraudulent accounts are among the first things cyber-crime victims think of after a data breach becomes public, there are other damaging uses of personal data of which they might not be aware that are “far more challenging for consumers to detect and more costly and difficult to repair,” warned Steven Bearak, CEO of IdentityForce, a Framingham, Mass., firm that offers identity, privacy and credit protection to consumers, businesses and government agencies.
Bearak offered some examples of non-credit-related illegal uses of victims’ personal data.
Medical ID theft: With the cost of health care rising, a new trend is for identity thieves to go into hospital emergency rooms with IDs created from stolen data to pay for surgeries and other procedures. This creates all sorts of problems for the identity theft victim, who can get stuck with the balance of the bill, insurance woes and flawed medical records.
Tax fraud: Fraudsters
armed with names, addresses and Social Security numbers are increasingly filing fraudulent tax returns in an effort to profit illegally from refunds. This creates a major headache for the victimized taxpayer, who must resolve the theft with the IRS, wait for a desperately needed tax return that has been delayed, and often pay an accountant to help resolve the issue.
Synthetic ID theft: In this scam, the fraudster takes different pieces of personal data from numerous victims and blends them all together to “create a new ID,” Bearak said. For example, the hacker may use one victim’s name, another’s Social Security number, another’s address and another’s birth date to create a fake identity.
“That one is really hard to detect,” Bearak said. “And the new ID impacts many people.”
Another risk is that bad guys stealing your data and identity could get arrested, putting unsavory arrests, such as armed robbery or sexual assault, on your personal record.
Getting your identity back and putting your financial life back in order is frustrating and can take up a lot of time.
“It is very, very time-consuming,” said Chris Burchett, vice president of client security software at Dell.
Trying to convince financial institutions that you have been a victim of identity fraud and aren’t the one who ran up a fraudulent hospital bill or withdrew every penny from your bank account isn’t an easy task, Ulzheimer said.
“To some extent, you are guilty until you can prove yourself innocent,” he said.
“These types of things can bleed over into your life.”
John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO