We’ve all heard about the recent Sony and Citibank hack attacks. But most breaches never make the national news. In fact, security experts tell me the majority of them are never made public. That means the people whose personal information is compromised don’t find out about it.
“What you’re seeing now is hackers gone wild,” says Hemanshu Nigam, a former federal prosecutor and founder of the online security company SSP Blue. “It’s time for America and the world to wake up to this horrible situation.”
I don’t know about you, but I’ve had it with the seemingly endless string of data breaches. My wife and I found out earlier this year that our personal information (including Social Security numbers) may have been compromised. We’re watching all of our accounts carefully, but it’s such a helpless feeling. And I know we’re not alone.
The Privacy Rights Clearinghouse just published an updated list of known data breaches. It shows that more than 534 million personal records (SSN or financial account numbers) have been compromised since 2005. This year alone, 273 breaches have been reported involving 22 million sensitive personal records. (The Sony breaches involved more than 101 million records, but most of them were e-mail addresses.)
“I don’t think anybody can have faith that their personal information is held securely by any entity — companies, universities, non-profits or government agencies,” says the group’s director, Beth Givens. “It’s a leaky boat.”
Most of the cyber thieves breaking into these databases want money — credit card and bank account numbers. But some are after Social Security numbers, so they can steal your identity.
“It’s been hell,” says Andrea Parker, a 38-year-old single mother living in Arizona, who had her identity stolen when her Social Security number was snagged. (I agreed not to use her real name because of security concerns.)
The thief got a driver’s license and passport in Parker’s name and even opened a bank account using her identity.
“Basically, she’s been doing everything and anything she can do with my name. She’s living as me.”
The ID thief also committed felonies using Parker’s name, which is making it hard for her to find a good job. Whenever she applies for work and the company does a background check, she’s tagged as a former felon.
“I would not wish this on anyone,” she says. “It’s horrible.”
It’s time for a change
There’s no question hack attacks are on the rise. One reason: Cyber criminals are getting better at it.
“It’s a lot easier way to make money than physically robbing banks,” says Avivah Litan, security and fraud analyst at Gartner Research. “And the chance of getting caught is less than 1 percent.”
Companies that don’t take steps to protect their data only add to the problem. James Lyne, director of Technology Strategy at Sophos, a corporate security company, says that’s obvious if you look at some of the recent cyber break-ins.
“They weren’t high-end attacks where the bad guys came up with something brilliantly new and clever,” Lyne says. “They were using basic techniques that have been understood for some 15 years. And those companies failed to patch and close those loopholes.”
Cyber security consultant Linda Criddle points out in a recent blog that Sony, which claims it had tight security before any of its breaches, stored customers’ passwords, addresses and birthdates as plain text. The data was not encrypted. “AARGH!” she writes in frustration.
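To show what plain-text storage means in practice, here is an added Python example (not from this column or from any company it names) that stores the same constructed accounts two ways: as plain text, and as a per-user random salt plus an scrypt digest. The function names, sample accounts and scrypt cost settings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost settings: assumed values for this example, not a recommendation from the column.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def store_plaintext(db, user, password):
    """The practice criticized above: the password itself sits in the table."""
    db[user] = {"password": password}


def store_hashed(db, user, password):
    """Keep only a random per-user salt and the scrypt digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    db[user] = {"salt": salt.hex(), "digest": digest.hex()}


def verify_hashed(db, user, attempt):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def leaked_passwords(db):
    """Passwords readable straight from a copied table, with no cracking at all."""
    return sorted({rec["password"] for rec in db.values() if "password" in rec})


def demo():
    # Constructed sample accounts; alice and bob share one password.
    accounts = [("alice", "Tr0ub4dor&3"), ("bob", "Tr0ub4dor&3"), ("carol", "correct horse")]
    plain, hashed = {}, {}
    for user, password in accounts:
        store_plaintext(plain, user, password)
        store_hashed(hashed, user, password)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = demo()
    print("readable from plain-text table:", leaked_passwords(plain))
    print("readable from hashed table:", leaked_passwords(hashed))
    print("login still works:", verify_hashed(hashed, "alice", "Tr0ub4dor&3"))
```

Because each record gets its own salt, alice and bob end up with different digests even though they chose the same password.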
There really isn’t anything you or I can do to prevent our personal information from being stored carelessly or stolen by a hacker. But there are steps we can take to reduce the damage should this information be compromised.
Many people use the same password for all of their online activity.
“That’s dangerous,” says Adam Levin, chairman of Identity Theft 911. “If the bad guys get that password, you’re in a lot of trouble.”
Levin and every other security expert I spoke to for this column told me the same thing: You need to have different user names and passwords for your various online accounts.
“If you do any kind of financial transactions online, don’t ever use that password or user name anywhere else,” warns Pam Dixon, executive director of the World Privacy Forum. “It’s simple, but effective.”
I know you’ve heard this before. Me, too. And to be honest with you, I haven’t always followed this advice. But after Dixon explained to me how the bad guys use the information they steal in a breach, I’m going to spend the weekend creating new passwords. And I’m going to start changing them on a regular basis.
Here’s why: If a hacker gets your user name and password, they’ll see if they can use that information to break into a bank, PayPal or other financial accounts. They don’t do this by hand; they have sophisticated programs that do all the work. If they’re successful, you’ll get hosed.
But how can I possibly remember all those passwords? The new password vaults that are part of the latest browsers make it real easy. They remember for you. In many cases, these vaults can be password protected. So that’s the only code you need to remember. One more bonus: If you’re not typing in passwords, they can’t get snagged by a keystroke logger that might sneak onto your machine.
You can also write down your passwords and keep the list in a safe place. Trust me on this. The odds of someone breaking into your house and getting that list are minuscule compared to your risk of a data breach.
With what’s going on right now, you need to be constantly on the lookout for malicious activity. Check your financial accounts at least once a week, if not every day. The quicker you report a problem, the better.
Get your free credit report every 12 months from each of the big three credit bureaus. You can do that at this site: annualcreditreport. It’s the one set up by the federal government. Do one credit bureau every four months for year-round protection.
Should you pay for a 24/7 credit monitoring service? It all depends on your level of comfort. Many consumer experts say it’s not necessary. And even the best services won’t catch everything.