As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much more worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
In 1986, Ronald Reagan is quoted as saying, “The nine most terrifying words in the English language are, ‘I’m from the government. I’m here to help you.'” As relevant as that sentiment was in his day, it’s still ringing true, this time with at least three government websites that are doing you no favors in terms of protecting your identity. Krebs on Security has an alarming report of identity theft and fraud via the IRS.gov website wherein he shares the story of a taxpayer who discovers someone has already filed a fake tax return under his name, for the purposes of stealing his tax refund. At fault is a identity authentication standard known as KBA, or “knowledge-based authentication” which is pretty widely used in the credit reporting and finance industries. Basically, you prove you are you by answering questions that supposedly only you would know, including former addresses, loan amounts or payments, and other personal data that is – surprise, surprise – readily found on the internet. By anyone.
What this means for you:
Ironically, people avoid creating accounts on websites because they are afraid of their data being leaked. And now you get to be afraid of NOT creating an account on a website for fear of someone else creating it for you, with the added “bonus” of this fake account further decreasing the probability of you being able to prove you are actually who you say you are. “Invasion of the Body Snatchers” anyone? What makes this situation alternately terrifying and ludicrous is that it’s our own government creating this mess in an effort to provide better reporting, accountability, and accessibility. The other two sites that are also potentially weak to this “account snatching”? How about the Congress-created AnnualCreditReport.com and another federal behemoth: the Social Security Administration website. Brian Krebs’ recommendation is to make sure you get an account established for these three website pronto, if only to prevent someone else from pretending to be you and creating accounts that will be used to commit fraud and money laundering. Unfortunately for most of us, the surge of interest created by this article (and blogs like this one) have essentially paralyzed (are you surprised?) the account creation process of these websites, but keep trying, if only to let them know we actually care about our identities enough to want properly secured government websites.
America’s biggest bank JP Morgan Chase announced last week that it was the latest victim of a major security breach. According to their regulatory filing, data from nearly 80 million customers was exposed in a successful hacking attempt earlier this year. Though the bank was quick to emphasize that our money and most sensitive bits of info such as dates of birth, social security, passwords and IDs weren’t stolen, names, addresses, emails and phone numbers were – all which could be used to facilitate an identity theft, but which aren’t considered protected or sensitive in most cases. While it’s troubling that the country’s number one bank got hacked, what’s even more worrying is that the media, the public, and even Wall Street seemed to shrug it off and carry on.
What this means for you:
Americans seem to be developing what some analysts are dubbing data breach fatigue: everytime we look up, yet another high-profile company or livelihood staple has been hacked. The list reads like a modern family’s honey-do list: Target, Home Depot, Neiman Marcus, EBay, UPS, Apple, Nintendo, Sony, Albertsons, SuperValu, CHS, etc. There have been nearly 600 data breaches reported this year, up 27% over last year, and we aren’t even done with 2014. Fortunately, only a small percentage of the total population have been negatively impacted in a signficant way, though most of us have probably had one or more credit cards get canceled and replaced for fraudulent activity. What this is leading to is the general perception that these data breaches are “bad” only in a vaguely annoying way, and there is not much that an average person can do to protect themselves, “Heck, if JP Morgan can’t figure out how to keep the hackers at bay, how can I ever stand a chance?”
While it’s true you can’t stop JP Morgan from getting hacked, you can make it harder for cybercriminals to hack you: don’t give in to the fatigue – make them fight for every bit they try to steal from you. Change your passwords regularly, and use unique passwords for your important accounts. Keep a close eye on your credit card statements and your credit history. Make sure your all computers you use have up-to-date and functioning antivirus software. Avoid email attachments and unfamiliar websites. What was once considered “paranoia-level” precautions are the new standard of online safety. Considering that nearly half of Americans adults have had some form of their personal data stolen through an online breach, it’s safe to say that “they” are out to get you – paranoia or not.