Data Breaches: When to Worry
They’re a dime a dozen, but some are more of a threat.
If you shopped at Home Depot or Neiman Marcus, ate at P.F. Chang’s or Jimmy John’s, banked at JPMorgan Chase, or used an American Express card in 2014, then chances are good that some of your personal information was exposed in a data breach. You probably knew that. The question is, how much should you care?
It’s easy to understand why consumers are starting to yawn in the face of a steady stream of data-breach notifications. Through early December, the Identity Theft Resource Center had counted more than 700 data breaches in 2014 -- representing a 26% increase over 2013 and surpassing the high set in 2010.
A 2014 survey conducted by the Ponemon Institute found that nearly one-third of consumers had received at least two notifications of a breach in the previous two years; 10% had received more than five. And although 76% of victims felt stress about the breach, more than half did not take any steps to protect against identity theft afterward.
Such inaction may not lead to disaster. Remember, a data breach does not mean you’re a victim -- or will be a victim -- of identity theft. Nor is all ID theft harmful to the same degree. The key is to distinguish the truly dangerous breaches from the merely annoying ones.
Take it seriously if your Social Security number is compromised. “That’s the golden ticket for an identity thief,” says Becky Frost, senior manager of consumer education at Experian’s ProtectMyID, an identity-monitoring service.
You’re actually more likely to become the victim of ID theft if your credit or debit card info is exposed than if your Social Security number is divulged. That’s because thieves can start racking up charges immediately; making money from a stolen Social Security number is a multistep process.
But the consequences of a stolen Social Security number can be enormous. Your liability is limited for unauthorized charges on your debit or credit card. But with a Social Security number, a thief can get into existing accounts, open new ones, take out a loan, get a job, file a fake tax return or gain access to health care. Getting a new Social Security number is cumbersome and impractical. “I don’t even recommend you try,” says Al Pascual, director of fraud and security for Javelin Strategy & Research.
Passwords, usernames and e-mail addresses are frequently compromised. But unless the exposure includes personally identifying information in combination with other info (think name and account number, or log-in plus password), you may not even be notified. Still, theft of such data puts you at risk for so-called phishing scams, in which ID thieves try to gain additional info via e-mail or phone. You also might be in trouble if you’ve used the same usernames and passwords on multiple sites.
Resist the tendency to ignore a data-breach notification. If you are offered free credit monitoring, take it. And, especially if your Social Security number was exposed, consider stepping up the protection to include alerts when new accounts are established using your info. Place a 90-day fraud alert on your credit report by notifying one of the three major credit bureaus: Experian, Equifax or Trans-Union. Change account numbers on affected financial accounts, monitor statements closely and report any fraudulent activity immediately. Limit damage from stolen e-mail or log-in information by using unique passwords and changing them regularly. You can keep on top of data breaches at www.idtheftcenter.org.