How to Protect Your Identity After a Data Breach

By February 16, 2015 Security News One Comment

Another massive data breach has millions of Americans worried about how to protect themselves from identity fraud and hacking. Recently, the second-largest health insurer in the country, Anthem, disclosed a security breach that may have exposed sensitive information for up to 80 million customers.

According to Anthem, the leaked data  included information from current and former customers, “such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.” It also appears that the data was not encrypted. Given the size of the company and the scale of the data breach, tens of millions of Americans are at risk for identity theft and fraud.

Perhaps the most frustrating part of these data breaches is the fact that no amount of password auditing and safe browsing practices on your part could have stopped this. However, there are several things you can do to minimize any damage and remain vigilant going forward.

Arm Yourself Against Phishing Attacks

The immediate fallout of this incident is that phishing scams are flooding in for Anthem customers. Phishing attacks are generally designed to get more information out of you (like usernames, passwords, and credit card details) or to steal money.

Using information the cybercriminals already know, like your name and email address, they might email you, call you, or try to get you to download something by impersonating a company or trustworthy entity.

In the past, you could try to spot a phishing email by keeping an eye out for bad spelling and grammar, suspicious-looking attachments, malicious links that are hidden in seemingly-valid links, and messages that try to get you to take action immediately by threatening or intimidating you. The cybercriminals will pretend to be a legitimate service or website but will redirect you to scam sites or to download something to try to get more information out of you.

In this example from Microsoft, here’s what phishing emails may have looked like in the past:

phishing_email_example

However, phishing attacks have become more sophisticated over the years, and poorly-constructed emails are being replaced by much more realistic communications.

Anthem indicated they will be mailing (not emailing or calling) customers who were affected and to provide next steps. Many Anthem customers have reported receiving variations on the below phishing email as well as calls from fraudsters:

anthemphishThe above email looks much more convincing. If you suspect you have received or opened a phishing email, here’s what you should do:

  • Don’t click on any links or attachments.
  • Report the phishing attempt to the company that is being impersonated.
  • File an FTC Complaint (for US residents) or the equivalent for your country.
  • When in doubt, go directly to the website of the service, and login to check your account.
  • On the company’s website, look for blog posts, alerts, or other information on any security incidents and how they will be responding.

Having a strong, unique password for every single one of your online accounts will also help you minimize damage from one leaked or phished account. Use the LastPass Security Challenge features to audit your passwords and update ones that are weak or reused.

Put a Fraud Alert on Your Credit Report

Setting up a fraud alert on your credit report means that any time a creditor or lender tries to pull your credit report, they will need to take extra steps to verify your identity. You’ll still be able to go about your daily activities, but the fraud alert would make it much more difficult for anyone trying to use your identity to open a credit card, set up a bank account, or update your mailing address for your accounts.

You only need to contact one of the three big credit bureaus to request a fraud alert on your credit reports, which will last for 90 days. Here’s where to get that information for each credit bureau:

Once you receive your free credit report from each agency, you can review it for any changes you didn’t make and use it for reference if you need to file disputes in the future.

Sometimes fees are involved with fraud alerts, especially if you extend past the free 90 day mark. Be sure to take advantage of any free credit monitoring that a breached company may be offering before paying for extended fraud alerts.

Be Proactive in Monitoring Your Credit

Even after using the free fraud alerts on your credit report, there’s a risk that the fraudsters will strike after the standard free 90 days expires. In that case, you’ll want to consider free credit alert options.

LastPass users based in the US, for example, can take advantage of free credit monitoring alerts. By setting up a Form Fill Profile with your personal information and enabling free credit monitoring alerts, you can proactively manage for any changes that may affect your credit score.

If an alert comes through and you know you haven’t done anything to cause the alert (like opening a new credit card or applying for a loan) then you can take action immediately to follow up with the credit bureaus or upgrade to LastPass’ Premium credit monitoring service to investigate and resolve any issues.

It’s also important to proactively monitor banking and credit card statements for any suspicious transactions. Here are some other recommendations for monitoring your credit for free (via Lifehacker).

Stay Vigilant and Informed

In a breach like this, once the data is out there, remaining proactive and staying vigilant are really the most important things you can do. That means following best password practices, enabling two-factor authentication, being smart about who you share information with, and running up-to-date antivirus tools.

Remember, your email address is also the gateway to your online life. In addition to protecting the accounts you store in your password manager, make sure you’re doing everything you can to protect your email account. Turn on two-factor authentication, use a long unique password, and be vigilant about what you click and download from your email.

It remains to be seen what the long-term effects of the Anthem breach will be, and we’ll continue to monitor the situation. Even if you’re not an Anthem customer, though, don’t wait for the next company to get hacked before you take action. Now is the time to be proactive in protecting your personal identity and financial security, and help friends, family, and colleagues do the same.

One Comment