Hi, nice to meet you. Here's my birthdate, credit card number, where I stopped for gas yesterday, my PlayStation Network login and handle, and where to email me about my bank balances and upcoming sales at Best Buy.
Talk about oversharing. Most people wouldn't disclose such details even on a fifth date. (Even people who simply clicked the "I accept" user agreement terms for their Android phone or iTunes account feel overexposed.)
So imagine how the victims of the recently publicized data breaches -- the Sony (NYSE: SNE ) PlayStation Network breach and Epsilon Data Management's customer email database hack -- feel knowing total strangers are scrutinizing the intimate details of their credit card charges and Mortal Kombat moves.
The only good thing about data breaches is that it gets consumers to double-check the locks on their personal and financial information.
- Remember when Paris Hilton's privates were exposed when her T-Mobile Sidekick was stolen?
- I still think about the fact that it took crooks one stolen change-of-address form for thieves to steal $90,000 of equity from Joel Albert's mortgage.
- And then there was the guy who found himself in the midst of a male-version of "Single White Female." His roommate was gathering what he needed for identity theft, hoarding pre-approved credit card offers, pay stubs, a list of names, addresses, phone numbers and maiden names of family members. That's what happens when you unknowingly split rent with one of America's Most Wanted.
Mild exposure vs. major exposure
The March 30 breach at Epsilon Data Management LLC (part of Alliance Data System (NYSE: ADS ) ) exposed 2% of its clients' email addresses and/or customer names to n'er-do-wells. (Epsilon clients include Citigroup (NYSE: C ) , JPMorgan Chase (NYSE: JPM ) , US Bancorp, Best Buy, and Walgreen.) This particular breach merely exposed client names and email addresses. I say "merely" because there are a lot worse things than unsolicited email when your information gets into the wrong hands. (Review list above.)
The Sony PlayStation breach could be much more serious. Hackers there got a lot of bang for their breach -- a fertile database of consumer information.
The company says that an unauthorized person has obtained the following information about PlayStation Network/Qriocity account holders: Name, physical address, email address, birth date, PlayStation Network password, login, and handle/PSN online ID. The company is still investigating if hackers got to account holders' purchase history, billing address, credit card number (excluding security code) and expiration date.
Access to such information is bad enough. But even worse is how much time went by before the breach was detected, giving the "unauthorized person" plenty of time to enjoy the spoils of their crime spree.
Sony's 1-week reporting lag
When it comes to credit violations, it's the same as with disease and crummy boyfriends: Early detection is your best defense.
Sony didn't exactly give customers a prompt head's up about the "intrusion," which it says took place between April 17 and April 19. It says it identified the breach on April 19 and temporarily shut down the PlayStation Network and Qriocity services on April 20. Customers weren't informed until April 26 -- nearly one full week after Sony spotted the security breach. (I imagine the letter went something like this parody "Dear Valued Customer" note.)
As any decent identity thief will tell you, that lag time between identification/inspection and announcement is prime crime-committing time. But it's not just corporate entities that are slow on the draw: Unless you're keeping vigilant eye on your financial Fort Knox it can be weeks (or longer) before you figure out you've been a victim of a credit crime.
How to spot a breach before you've been told
To help you spot if anything's awry in your credit file, heed these seven potential warning signs:
- Strange charges on your credit card or bank debit card statement: Charges from stores you don't frequent are a sure sign something's fishy. But even if you do recognize an establishment's name, be sure to look at the amounts charged. A colleague of mine wasn't surprised to see a charge from Zappos on her credit card -- what was alarming was that it was for $850 of merchandise. Small charges for a few bucks or a few quarters at someplace with an unrecognizeable name is another sign that thieves are testing the account -- and your attention to detail.
- Missing bills: It's not uncommon to misplace a paper bill. But it is uncommon when several months go by without a service provider requesting payment. If an expected invoice fails to materialize, it could mean that a crook has changed your address.
- Snubs from lenders: The first sign of trouble may come in the form of a rebuff from a lender to whom you've applied for credit. The good news? Being denied that Puppy Palace MasterCard earns you a free credit report! The bad news: It may be a sign that something's awry. If you haven't checked your credit rap sheet in a while, do so by going to annualcreditreport.com.
- Brain freeze at the ATM: When your PINs and other access codes stop working, it may mean that either you neglected to crack the windows enough when you were painting the walls or someone changed the codes on you.
- A case of mistaken identity: You know who you remind me of? That other guy named Joe Smith Jr. Not all identity mishaps are part of an evil plot. People with common names -- or those who are a Jr. or II to a Sr. or I in the family -- often find other people's information in their file. To prevent this from happening, make sure to always use your middle name or initial on applications.
- Dramatically different credit scores from bureau to bureau: There are a lot of reasons your credit score might seem wacky, some of which are quite innocent. Don't immediately assume that something's amiss. But occasionally, a big difference in your score from one credit reporting agency to another (50 points or more, for example) may be a sign that something's fishy.
- Angry phone calls: When angry sounding strangers call to demand that you cough up the payment on something that you didn't actually buy, gather all the information you can from the demanding party and start investigating.
Been breached? Here's what to do right now
If you think you have been a victim of credit fraud or identity theft here's a quick rundown of what to do now. (Click here for the more detailed version.):
- Notify the three credit bureaus and have them put a freeze on your credit file (which will force any entity trying to issue credit in your name or access your credit file to contact you directly for permission).
- Close the accounts that have been fraudulently accessed.
- Change IDs and passwords on all of your other accounts.
- File an identity theft report with the police and the FTC.