Personal data theft occurs when an unauthorized third party gains access to personal information about another party such as their name, address, telephone number, date of birth and Social Security number. Unfortunately, nobody is safe from personal data theft. The FTC published its findings of the number of people, per age group, that filed complaints about personal data theft and the results are pretty even. Even if you do not conduct any business online, an identity thief can find another way to get access to your personal data like through the mail.
What Is Identity Theft and What Is Taken?
Identity theft is categorized as when a person or persons gain unauthorized access to your personally identifiable information, this may include; your name, address, telephone number, email address, date of birth, social security number, place of birth, mothers maiden name, health records, military records, income tax filing records, or banking information and uses that information to impersonate you for the purposes of fraud or theft of your; identity, income tax fraud, healthcare fraud or other criminal acts.
Identity thieves stole $16 billion from 12.7 million U.S. consumers in 2014. And as shocking as those figures are, there is actually improvement from the previous year whereby cyber criminals made off with $18 billion leaving more than 13 million victims in their wake.
Who Is at Risk for Identity Theft
Source: Federal Trade Commission Consumer Sentinel Network Data Book, 2014
Identity theft is an equal opportunity crime striking working people of all ages nearly equally. Below is a breakdown of identity theft complaints filed with the FTC in 2014.
Victims who filed complaints (by age groups):
- 18 percent were 20-29.
- 18 percent were 30-39.
- 19 percent were 40-49.
- 19 percent were 50-59.
- 13 percent were 60-69.
- 7 percent were 70 and over.
- 6 percent were 19 and under.
How Often Does Identity Theft Occur?
Identity theft remains the most common cause or motivational factor in cyber breaches that occur, accounting for as much as 75% percent of unauthorized access of personally identifiable information. There were 1,540 significant data breaches and in excess of one billion data records exposed in 2014, an increase of 46% percent from 2013. It has been reported that 32 data records were lost or stolen every second in 2014. According to the Breach Level Index in the first half of 2015 there were; 245,919,393 records breached, 1,358,671 every day, 56,611 every hour, 16 every second. As shown by these statistics hackers demonstrate their ability to adapt and exploit network vulnerabilities as they continue to circumvent current security protocols of individuals, corporate, governmental, military and other entities alike.
In the first six months of 2015 identity theft remained the leading type of data breach with 472 breaches attributed to identity theft as the cause, that amounts to 53.2% percent of all attacks in those first months and 74.9% percent of unauthorized access of data records. Of the top ten breaches for that same time period five of the top ten were related to identity theft. It would appear by the data that the frequency of identity theft figures for the first six months of 2015 will mirror the figures of 2014 with a few minor fluctuations.
It would seem the question is no longer will my information be compromised, but when?
What Do Cyber Thieves Do with Personal Information
There are numerous crimes a cyber criminal can commit once they have obtained your personal information ranging from; obtaining identification in your name such as an identification card, drivers license, passport, social security card to applying for credit cards, car or home loans, committing healthcare or tax fraud, or of committing criminal acts and using your identity when they are ticketed or arrested, then never appear for court creating arrest warrants or civil judgments in your name and vital statistics.
Most cyber crime is perpetrated for monetary gain, globally exposure of personally identifiable information falls into three categories, here is a breakdown of the statistics; 47% percent is intentional for the purpose of malicious or criminal intent, 29% is due to a system glitch, and 25% occurs from human error according to the Cost of Data Breach Study conducted by the Ponemon Institute.
Who Steals Your Information and Why
In years past before the internet existed, people who stole your personal identification typically had only two reasons, to assume your identity to hide their own or for financial gain, typically in a very small way such as forging checks, that is no longer true in the global cyberspace world we now live in.
The internet has changed the image of the thief in a bandit’s mask into the anonymous screen names that hack into your computer stealing your personal information to rob you rather than holding a gun to your head and demanding your wallet. The results however are the same only worse, because with that one cyber intrusion they can rob you again and again for years to come without you even knowing.
The cyber criminals of today, whether an individual or organized hacking group hides anonymously in the internet to commit their crimes which in present day are not limited to monetary gain or creating a new identity. The cyber criminals of today’s culture can still be motivated by greed yes, but it has also become fertile ground for political, military and even worse for terrorist purposes and cyber espionage. This is why we must be more diligent than ever before in doing our utmost to protect our personally identifiable information, because like it or not its not just your garden variety hacker you have to worry about, it’s all of the above.
How Is Personally Identifiable Information Transmitted
There are many different types of personally identifiable information (PII) and it is not limited to businesses or banks that by law must safely store and transmit your sensitive information. Universities, schools, government entities, retailers, healthcare providers, hospitals and facilities just to name the most obvious, but there are many other entities and organizations that record, process, acquire and store highly sensitive information that are required to do so safely. Today most PII is transmitted electronically/digitally, but there are still occasions that the postal service is the method of transfer.
With the innovation of technology, it has become much easier and faster to pay bills, manage data, make purchases and the list goes on, but with the new found flexibility of technology comes risk of data loss. Data loss can be intentional (malicious) or accidental caused by human error or poor cyber security processes. Entities that are in possession of PII have an ethical and legal obligation to properly store and transmit PII or may be subject to fines, criminal and/or civil liabilities and of course eminent damage to their reputation and business standing if they are found liable for a PII data breach.
In the criminal cyber world when a hacker(s) steal your PII they typically will try to extort money from the entity they breached to gain access to your information or they will sell your personal information on the dark web or underground/black markets.
What You Can Do to Protect Yourself from Identity Theft
There is no bullet proof vest when it comes to identity theft, but there are some steps you can take that will greatly reduce the chances of you’re becoming a victim, consider the steps below.
- When you register online to a website always create a strong password. A strong password consists of at least eight random mixed case (upper and lower case) letters, numbers and symbols. Do not use dictionary words, birthdates, children’s names etc. random numbers, symbols and letters are best and the longer the better.
- Install antivirus and antispyware software or protection i.e. Norton or McAfee and keep your computer updated with the latest security update patches. Make certain your firewall is fully operational when you log on. Use secure wireless networks.
- Do not share personal information on social networks like Facebook, Twitter, LinkedIn and the like. Cyber thieves troll the internet collecting personal information to compile as much info as they can before they attempt a hack. Never post your address, phone number, birth place, family member’s names, birth dates, educational information or Mother’s maiden name or obituary notices.
- You’re entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies, you can take advantage of this to monitor your credit for any abnormalities. If you find anything unusual request a fraud alert from each of the three reporting agencies; Experian, Equifax, and TransUnion. If your identity has been compromised put a freeze on your files and information.
- Secure your mobile devices with a strong password and by using your auto-lock feature so that if your phone is lost or stolen no one will be able to access your personal information.
- If you have received a notice of a password reset from any web site you may want to consider that as a red flag for phishing scams. Naturally you should always use best practices when it comes to the internet, but if you have received a password reset notice you should be hyper vigilant. Password resets typically follow a security breach of some type. Monitor your credit card statements extra carefully, do not click on any links in emails no matter how authentic they look and never give personal information by phone, email or hard copy correspondence. If you think it may be a legitimate request contact the company or entity directly to verify its legitimacy.
- Never use the same password for multiple sites, create a new unique password EVERY time you register. Store your passwords in a safe secure place out of eyesight of others or use a reputable online password manager.
- Guard your personal information ids carefully such as health insurance card, social security card, passport and any other sensitive information, do not carry these items in your wallet, purse or glove box.
- Before you sign on that dotted cyber line you need to carefully read the Terms of Service of any company you are considering registering with. You should know what their policy is for notifying customers or users of a security breach and whether or not your information will be removed from their database if you should choose to unsubscribe. Read that fine print and make sure their policies put their customers or users best interest and protections first, rather than their desire to retain your information.
- Never share your passwords with anyone, no reputable firm will ever ask you for your password in an email or over the phone if they do it is likely a phishing scam to gather more information on you for the purpose of identity theft.
How A Company Should Respond To A Security Breach
As compromised credit cards and data breaches have become an everyday occurrence it has become routine to see corporate announcements or receive an email telling you that there has been a mandatory password reset due to a cyber attack, often months or even years after the cyber breach has occurred. This delay in information can be very troubling for the consumer whose personal information has been unlawfully accessed not only financially, but in terms of peace of mind in the future.
It seems every day we learn about another company, bank, retailer or government agency that has fallen victim to a cyber security attack, it has become so common place that we are no longer shocked when it’s revealed that 55 million credit card numbers and expiration dates have been exposed unlawfully along with the customer’s personally identifiable information.
But what is shocking is when a company or entity doesn’t seem to put the actual victims at the top of their priority list. A lack of transparency on the company’s part (when it is breached) is one of the top consumer complaints from identity theft victims that resulted from a corporate cyber breach. But what should a consumer reasonably be able to expect from a company when they have experienced a cyber intrusion? Immediate and strategic action following a breach will enhance the company’s and its victim’s recovery, this typically comes in three stages.
Three Stages of Recovery From A Cyber Breach
Investigation & Assessment – Upon learning of suspicious activity or a cyber attack an internal investigation should be initiated immediately, which may include temporarily shutting down the network system database. Law enforcement should be notified and a team of forensic cyber security experts should be brought in to determine the origin of the incident, what needs to be done to eradicate the means of unauthorized access and what steps need to be taken towards strengthening the cyber security defenses to prevent attacks in the future and a detailed plan for implementing them. Notify all financial institutions that may be affected by the breach if appropriate to the breach.
Notification – Depending on the circumstances of the breach, unless advised otherwise by law enforcement, an immediate public announcement of the breach, preferably within 24 hours of its discovery, should be posted on the web site with a description of what occurred and who may be affected. The notification should include notice of a forced system wide password reset, not all companies do this initially, but they should and even if they don’t you should reset your password for any entity you are registered with that has been breached. Emails should be sent to notify victims of the breach and or letters sent to the victim’s homes (when possible) to ensure that potential victims are aware of the breach and can take appropriate protective measures. The announcement should include a toll free number for victims to call if they have questions or need assistance. In most cases notifying the media can be very useful to getting the word out to possible victims and should be utilized.
Mitigation of Damage – It is incumbent upon the entity that was breached to minimize the damage to the victims. In a cyber security breach of personally identifiable information this would include providing free identity theft protection and resolution services, typically for 12 to 24 months to the individuals who were affected. Posting a Frequently Asked Questions (FAQ) tutorial link which addresses the victim’s questions and concerns is a common courtesy that should be made available to the victims. The FAQ should provide a detailed explanation of the timeline and events of the breach, how many people and whom were possibly affected. It should also address what steps have been taken to reinforce the cyber security defenses to ensure this doesn’t happen again, and what progress has been made in the investigation, the current status of it, whether it is complete or ongoing and any details there may be as to who committed the crime and how.
Every reputable e-commerce web site or entity offers information about their Terms of Service (TOS) and should contain within it how it protects your personal information as well as how they will notify you if they experience a breach of security. This is your first line of defense, if the entities you are registering with does not adequately protect its members in their TOS you may want to reconsider becoming a customer, member, or user with this entity.
You can also learn from a company’s past performances, were they transparent and report the breach in a timely manner to the victims, did they offer free credit monitoring and identity theft assistance, help lines and links for question resolution. Did they inform the victims in a timely manner? These are all points you should consider before you give your personal information to any entity and if the companies you currently do business with don’t have a TOS that protects its customers first and foremost it is never too late to reconsider them too.
Cyber crime is on the rise and it has become an environment of not if an entity will be breached, but when. Not all companies or entities have policies and TOS that is in the best interest of their customers or users and many, many more need improvement in their response to a breach. But the only way to effect this change is if consumers demand more. Protecting your personal information should not be an option, but instead an obligation they must meet. And if they don’t, find an entity that does and will.
In closing it is incumbent of you to also be a good steward of your personally identifiable information by practicing safe internet behaviors. Make your self a harder target by using best internet practices, create new unique strong passwords, change them every six months and never share your passwords with others.