Protecting Yourself From the Consequences of Anthem’s Data Breach - Capstone Brokerage

Anthem Data Breach Protection

By: Tara Siegel Bernard (New York Times) February 2015

Given the steady beat of security breaches, consumers may assume that a cybercriminal already has at least some of their personal information. But in the latest intrusion, at the health insurer Anthem, hackers got their hands on an especially valuable collection of sensitive information on millions of people.

Anthem, which offers several Blue Cross and Blue Shield plans across the country, said the database that was breached included names, Social Security numbers, birthdays, addresses, email and employment information for as many as 80 million people, including some of its own employees.

That is what you call the “keys to the kingdom,” security experts said.

“All of the information stolen is enough to open new accounts or take over someone’s accounts,” said Julie Fergerson, chairwoman of Identity Theft Resource.

STEPS TO TAKE

So what should consumers do right now? Anthem created a website, www.AnthemFacts.com, and a toll-free number, 1-877-263-7995, to respond to questions. The company said it would provide free identity repair services and credit monitoring for up to a year.

But individuals can also employ some strategies now, all of which involve greater vigilance and at least some degree of inconvenience. Even if you do not expect to be affected by the latest breach, most consumers should think about how to protect themselves from the next intrusion.

EXISTING ACCOUNTS

What’s worrisome about the Anthem breach is that criminals have enough information to try to gain access to your financial or consumer accounts by posing as you over the phone, security experts said. Using your address and other identifying information, they could try banks near you or check with various service providers or retail outfits.

“They could call in and pretend to be you and would probably be able to answer the security questions based on the information available here,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, a consumer group. Take it one step further, and a thief could say he had lost the password, then create a new one, potentially locking you out of your own account.

To avoid this, ask your financial institution (or any other account provider) to attach a secret word or code to your accounts, Mr. Stephens suggested.

Some companies are also beginning to offer something called two-factor authentication, which helps provide protection for online accounts. The system typically combines something you know — like a password — with something you have (a special token, for instance, or a numeric code sent to your smartphone). “It would make it extremely difficult to accomplish an account takeover,” Ms. Fergerson said.

You can keep tabs on your credit-related accounts by obtaining a copy of each of your three credit reports free at least once a year through AnnualCreditReport.com. By pulling a report every four months, you create your own monitoring service, though it won’t stop a thief from opening an account in your name.

NEW ACCOUNTS

There is a more extreme option, known as a “security freeze.” This is one of the strongest tools against theft because it prevents someone from trying to open a new account in a consumer’s name. When you freeze your reports, the three big credit bureaus generally will not release your credit reports to any company that does not already have a relationship with you. Financial providers and other companies typically request such reports before issuing a new account.

Consumers need to approach each of the three credit bureaus — Equifax, Experian and TransUnion — and may need to pay a small fee, depending on where they live. The process can be involved because the freeze has to be “thawed,” or lifted, to apply for a new credit card, for instance, or for a mortgage and even some types of insurance. (But the extra effort may be less burdensome than cleaning up after an identity thief.)

SOCIAL SECURITY NUMBERS

That Social Security numbers were stolen is particularly unwelcome since, unlike credit card or debit card numbers, they are hard to change. The Social Security Administration wants some evidence that you have tried everything possible to protect your number before it agrees to assign a new one.

But “even if you try to change it, oftentimes you get linked back to the old one,” Ms. Fergerson said. “Social Security numbers are not just a financial issue. You use that for Medicaid, Medicare, unemployment compensation, child support. You have to think of the entire picture and keep your eye on everything.”

OTHER VULNERABILITIES

These types of breaches leave consumers vulnerable to spear phishing — a type of attack in which thieves send sophisticated emails (or voice or text messages) to specific individuals to try to extract more information, like user names or passwords.

And since this latest breach yielded income information, the criminals could use that to further tailor their appeals. As with all cyberattacks, it is hard to know whether or when stolen information may be used, which means more vigilance and monitoring should become routine.

“It is extremely advisable for consumers to monitor all of their accounts,” Mr. Stephens said. “And it goes well beyond your credit. If you have a 401(k), a stock brokerage account, savings accounts, they are all going to be vulnerable as a result of this breach.”

NY Times