The credit data agency Experian could be facing criminal investigations, fines and class action lawsuits, after a hack that compromised the records of 15 million people, all of them customers of the wireless carrier T-Mobile.
And while this may appear just like any other hacking story — there’s a breach, a promise of free credit monitoring, investigations — this time Social Security numbers were among the data compromised. When it’s not just a credit card number, stolen data can create all kinds of headaches.
People can have fake tax returns filed in their name, fraudulant car loans and even mortgages.
And when it comes to identity theft, the onus is on the victims. When the fraudsters don’t pay up, banks and loan collectors can come after the victims, instead. And it could take victims of fraud years to clear their name and financial histories.
“Law enforcement can’t deal with the volume” of fraud, said Chester Wisniewski, a senior adviser at the security firm Sophos. “If you approach the FBI, they’re not really interested if the crime is less than $1 million.”
It’s a very different story than straightforward credit card theft, when banks step in and consumers aren’t held liable. Security experts say in the case of identity theft, consumers have few options. The best is to freeze your credit with the reporting agencies — Experian, Equifax and TransUnion — not just to monitor it. That way most fraudulent activity can be stopped before it happens.
Consumers can also purchase identity theft protection services, which can’t stop theft, but can at least help them negotiate the complex process of clearing their names, which often requires lawyers.
But as we go from one hack after the other, the problem is becoming untenable, in terms of maintaining our current way of identifying people, to qualify them for everything from student loans to wireless phone plans, said cybersecurity analyst Avivah Litan of Gartner Research.
“This is becoming an epidemic problem,” Litan said, adding that some state tax agencies have told her that they have more taxpayers with compromised identities than without.
“We need to stop using the Social Security number as a secret,” said Christopher Soghoian, a privacy researcher at the ACLU. “Everyone’s Social Security number at one point or another now has been hacked and stolen.”
Soghoian said companies should face criminal punishment for hacks if they are found negligent in securing data. Regulators should play a more assertive role, so that there is more corporate accountability, he said.
While the rampant data breaches are calling into question the very ways we securely identify people, consumers rarely face financial problems due to identity theft, Litan said.
She estimated that only about 6 percent of consumers whose identities are stolen end up facing financial fraud. In almost all cases, she said, hackers are more apt to sell stolen identity data to other countries looking to spy on Americans.
It is a game of six degrees of separation: “You may help a nation-state get some military plans,” Litan said, “because your kid happens to go to school with a defense contractor’s kid.”
In that example, you might get hacked, a legitimate-looking email might be sent to the defense contractor, who opens it because it looks like it’s from you, and the hackers are able to get into the contractor’s computer system, potentially stealing defense secrets.