The Unhackable is Unthinkable

Is there any entity that exists that cannot be hacked?

Even one of the three largest credit reporting agencies in the United States – Experian – that holds millions upon millions worth of consumer data, yep hacked.

Global information services group Experian announced Thursday that one of its business units had been hacked. The breach occurred on a server that contained data on behalf of one of its clients, T-Mobile. The data includes personal information for a combination of about 15 million customers and applicants in the U.S. who at one point may have applied for T-Mobile service. The company said that the incident did not impact its own consumer credit database (Source: Nasr, R., CNBC NEWS, 1 Oct 2015).

Am I supposed to be comforted by Experian’s statement that the breach did not impact its own consumer credit database? Here is a company that according to its website “…help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making.” Is it opposite day at Experian? In addition to Experian being responsible for massive amounts of consumer data, let’s underline the fact they sell identity theft protection. Yet Experian is so inept they cannot prevent identity theft within their own system.

I have not heard much about this occurrence, in fact hardly anything. When in reality, there should be uproar. These organizations have zero accountability. Even when our own government data is hacked, let’s say the bar has not been set real high.

Who can you trust to safeguard your information; at this point I think it is safe to bet that you can trust no one to safeguard your information. 

It is clear we have no idea what we are doing when it comes to utilizing technology. And by organizations and the like continuing to roll out and adopt the latest in technology that they do not understand they are continually putting us at a real risk. Yet, what is their risk?

If you aren’t 100% percent certain the data you collect is protected – then your organization should not be utilizing technology it does not fully understand. We are too far into these discussions and awareness of security issues for an organization to claim they are a “victim”, or for this to be occurring at all. It’s high time that organizations are held accountable – both organizations that allow your information to be stolen, and organizations that do not conduct proper due diligence and allow fraudulent information to be used.

Experian should immediately get out of the business of selling identity theft protection when they cannot even protect the data that they monitor. Lucky for the T-Mobile customers concerned with identity theft looks like they are being offered two years of free credit monitoring and identity resolution services through...Experian. So the same company that put your personal information at risk is your option for monitoring the aftermath? 


photo by martin belum

EENIE, MEENIE, MINEY, MO: The Sophisticated Go-To Formula When Responding To a Hack

So your organization has been hacked. Well, if only there had been a warning that there is an eminent threat that exists against entities large and small. People should be doing more stories warning of identity theft, hacking, data breaches and the like. We just don’t hear much about it these days.

Since you have been completely blindsided, and are clearly a victim in all of this, take some time to figure out what could have went wrong. But before you announce to your stakeholders, customers, employees and their family, partners, sponsors, etc. that their personal information, and the fact that the organization itself has had its insides examined in the hands of thieves – whatever you do, don’t tell them right away – give it at least a good month or two. Or tell them initially it was just one or two people and when that wears off, say just kidding it affected thousands – the formulas for revealing the hack are endless – time to put that creative juices hat on. After all, it’s just people’s livelihoods that are at stake, there are more important things to do right now, like think about how you’re going to make yourself not look too shabby in all of this.

First things first, since you haven’t been made aware that there is a problem of epidemic proportions concerning hackings and the like, not only have you not protected the sensitive data that you hold, you most certainly don’t have a crisis communications plan in place. As those things are most effective, throw it together – just look around your office and grab one or two people (or we have found eenie, meenie, miney, mo is effective) and have them put together a plan on how to tell everyone how the organization cares deeply about its stakeholders, customers, employees and their family, partners, sponsors, etc. but has put zero safeguards in place and that their personal information is now in the hands of thieves (for inspiration check your local greeting card aisle, there may be a section now devoted to this area – perhaps under Sorry for Your Identity Loss).  Put something about identifying gaps too, and how you’re going to now protect their personal information – be unwavering, yeah that sounds good. Hmmm, maybe offer some monitoring protection, because monitoring once something goes haywire with their personal information is the way to go – that’ll be a lot more helpful then it would have been protecting them in the first place.

Whatever you do, make sure you position yourself as a victim in all of this, and lucky for you, you have company! You can cite all of the other victims who also didn’t see it coming…the government, major insurance companies, large corporations, mom and pop stores – all blindsided.

Going forward be glad this doozy is behind you. View it as something you will be stronger from experiencing. Sure now you have to dole out some extra time and money to put some haphazard safeguards in place for appearances sake and maybe add a line to your organization manual, but when it happens again, chances are your stakeholders, customers, employees and their family, partners, sponsors, etc. have already had their information compromised someplace else too, so no harm done.

Fortunately, for you, this is commonplace.


photo by clyde robinson

Who Really Benefits in Reward Programs?

Back in 2013, I wrote a post about my disdain for “reward” cards. I was reminded today why I still don’t like this marketing approach and I question in this day and age why so many of us are willing to have our buying habits monitored.

Since my last post on this subject, another trend has emerged. The “if you don’t participate in our rewards program we are going to charge you more” approach.

It was one thing to not get the “perks” associated with your purchases, now stores are charging you more if you don’t sign-up for their program.

That right there should tell you how valuable it is to these companies to monitor your buying habits. It is a very bold statement. You either give us your personal information or you pay more.

I had to make that decision today. Pay more, or sign-up. I paid more.

After discovering I was a victim of identity theft, I am no longer comfortable participating in these programs, and have not signed-up for any new reward programs since.

I have grown tired of everything having this caveat of participating in a program. I don’t want to participate in any program, I just want to buy what I want to buy at the best price possible.

As consumers, we don’t seem to accept this approach. We want to feel like we are getting a deal and enjoy reveling in knowing that some sucker paid more than we did for the same item, and if it means signing-up for a program, we will do it.

Reward cards are an invited invasion of privacy, not to mention they are a hassle to the consumer, turning the easiest of errands into a series of complex steps.

Let’s start with the hunt before you go to the store.

The bulk of reward programs come with a card that you get to make sure you don’t lose. Hopefully, the card is on your keychain. If not, you get to tear your house apart looking for that little laminated piece. And whatever you do, don’t grab the wrong key set. Then you get to either bypass your rewards accumulation, or you get to try the “15” phone numbers that the card could be registered under.

Then at the store you have to think about what rewards you have accumulated and what you can buy with them. If you don’t participate in the rewards program, then you have to try and figure what price you get to pay.

It usually looks something like this:



At checkout, you are immediately asked if you have the reward program card. If you don’t have the card you are asked to sign-up for one. And, if you graciously decline, you get to repeat saying no thank you to the cashier's “top ten” reasons why you need one.

Companies large and small have demonstrated that they are not capable of protecting our information; therefore they have a responsibility to not put consumers in a position where we need to furnish our personal information in order to pay a lower cost. It’s too high a price to pay for the consumer.

P.S. I don’t want to hunt for 15 minutes for your promo code either. 

photo by osseous

There is Nothing “Secure” About Your Social Security Number

Not 24 hours after I posted my most recent blog about protecting consumers against identity theft, reports that thieves stole tax information of 100,000 taxpayers from the IRS surfaced.

How does this even continue to occur? It doesn’t seem as if there are any competent organizations capable of protecting sensitive data. This instance is all the more infuriating because information is being stolen from an entity that by law we are required to furnish it to for tax purposes.

While the use of social security numbers has evolved over the decades, it is apparent that the technology and safeguards required to protect us are severely lagging.

The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels. Since then, use of the SSN has expanded substantially. Today the SSN may be the most commonly used numbering system in the United States. As of December 2008, the Social Security Administration (SSA) had issued over 450 million original SSNs, and nearly every legal resident of the United States had one. The SSN's very universality has led to its adoption throughout government and the private sector as a chief means of identifying and gathering information about an individual. (by Carolyn Puckett Social Security Bulletin, Vol. 69 No. 2, 2009)

What are you doing to protect your consumers from identity theft?

There hasn’t been some large scale hacking story in the news, so I guess all identity theft issues have been solved.

Thanks, it’s been real.

Uh, not so fast.

It’s just a matter of time until we’ll hear about another hacking. While the large scale occurrences are the ones that typically make the news, data compromises can happen anywhere and anytime where there is sensitive data stored, including social security information.

With hackings and the like becoming commonplace, they become less newsworthy while the ramifications of the crime remain the same.

The time to take a look at the safeguards you have in place at your business is not when you learn that information has been hacked or compromised.

Much too often we do not hear of businesses taking a proactive response to the threat of identity theft. It is not until information has been compromised that entities then decide to “identify gaps” and place stronger policies or mechanisms in place.

You need to assess those weak access points yesterday.

A good place to start is to address some basic questions including:

  • What data do you require that could be deemed “sensitive”?
  • Is it vital for your organization to collect this information?
  • Where is sensitive data stored?
  • How is sensitive data protected?
  • How long is sensitive data retained?
  • How is sensitive data destroyed?
  • Who has access to sensitive data?
  • Who is ultimately responsible for monitoring the protection of captured sensitive data?
  • Do you have a sensitive data policy that you communicate both internally and externally?

I've posted these nine questions in a one-page document that you can use as a worksheet to get started. 

marketing identity theft with humor isn’t funny to me

There isn’t a day that goes by that I don’t see an identity theft product that is marketed in some shape or form. Not surprising as identity theft is big business these days. Companies are lining-up and showcasing the ways in which they can help protect you.

There is an increasing approach to marketing identity theft that startles me.

Major companies, with seemingly large marketing budgets, have settled in droves that with identity theft the current approach to selling products is to evoke humor.

They are either taking this approach for one of two reasons (or both):

  • instead of utilizing the traditional campy scare techniques, they went in the complete opposite direction and are instead warming you up to the idea of these new product offerings by infusing a relaxed humor;
  • they have no idea what identity theft is really all about, including the complexity and severity of this crime.

These marketing tactics have failed miserably in capturing the true essence of identity theft. And even if purposely, they are trying to make something, something that it’s not.

By using the humor route these companies advertise loud and clear that they have no idea what identity theft is and that they don’t care or they wouldn’t choose this tasteless approach.

Let’s not forget that identity theft is a crime. In my state it’s a felony. Since when is a crime a laughing matter.


Protecting Children Against Identity Theft

Kudos to the state of Maryland for leading the way in protecting children and their credit.

In 2012, the governor of Maryland signed into law The Maryland Child Identity Lock bill that gives parents and guardians the opportunity to create and proactively freeze their minor children or dependents credit.

Contrary to belief, a credit report is not created upon birth or the issue of a social security number, rather it is created upon establishing credit. Criminals are stealing the identities of children who are not discovering the fraudulent activity until much later in life.

Other states (16 to date) have followed Maryland’s lead. Florida recently adopted a similar law, the Keeping I.D. Safe (KIDS) Act.

Illustrating the significance of this crime against children, Ashtavia Maddox spoke in support of the Keeping I.D. Safe (KIDS) Act. As a young girl in the foster care system Ashtavia's identity was stolen and not protected while living in the state of Florida. She faced many challenges in trying to clear her name.  

But, these crimes are not isolated to 16 states. These crimes occur against children across all states.

As a victim of identity theft in the state of Ohio, this is legislation that I urge be swiftly adopted by Ohio and by all states. Parents and guardians should have resources available to them in order to protect their children’s credit.

The Federal Trade Commission recently released their list of consumer complaints, and topping the list for the 15th year is identity theft. Heading toward two decades of this crime dominating consumers’ lives, children too deserve to be safeguarded from this crime and parents and guardians should have the right to protect and preserve their child’s future.

Fifteen Years

It appears as though identity theft is the Meryl Streep among the contenders for consumer complaints recorded by the Federal Trade Commission (FTC).

The FTC released its top consumer complaints for 2014, and for the 15th consecutive year identity theft tops the list.

This is worrisome considering the issue only seems to be getting more widespread, with an exponential amount of people becoming victims.

Are we waiting for identity theft to be the top complaint for two decades before we move into serious action to derail this crime?

Let’s hope more is done to prevent identity theft so the subsequent “consumer complaints” in this area are not topping the list in 2015 and beyond.

…makes one wonder the purpose of filing a consumer complaint if after all of this time the issue does not seem to be receding from the top spot.

10 Things I Have Learned as a Victim of Identity Theft

You can do everything right and still become a victim of identity theft. There are untrustworthy people who have access to your information, and in this day and age of technology, it is an easy crime to commit, with damaging consequences only to the victims.

There is never a break. You cannot take a break when you discover that you are a victim of identity theft. You have no choice but to be constantly on the ball, either making calls or sending correspondence to clear your name. It is a snowball that you have to be way out in front of in order to minimize the damage.

Erroneous information will override your actual information on your credit report. You may think that your credit report reflects you and that changing any of the information on there would be a difficult task-nope, it’s actually very easy to override your information with that of a criminal. The criminal who used my information used it in conjunction with her actual identifying information. So her previous places of employment, showed up in my employment history…places she lived, showed up as places I lived…phone numbers, were listed as my contact information…you get the picture. 

Live in a community where the police department includes a detective bureau or a detective. If I didn’t happen to live in a community with a detective bureau who had dedicated officers looking into my case, I do not believe the criminal in my case would have been apprehended and eventually sentenced for the crime. If I ever move, a community must have a detective bureau. 

The importance of taking detailed notes and mailing everything certified. Criminals typically don’t try your identity out with one or two entities; they will use it repeatedly in an attempt to access goods and services, whatever is there for the taking. In my case, the criminal even took out a subscription with the local newspaper-nothing is off limits. You are going to be calling the credit bureaus (multiple times), and each and every company the thief came in contact while using your information (multiple times). The entities will turn to you to provide information proving your identity. It is a back and forth process, a timed one at that, and since you don’t uniformly discover all of the fraudulent activity, it is usually staggered so it is of the utmost importance to keep detailed information in order to keep some semblance of order when clearing your name, and ensuring you meet the deadlines of submitting required documentation.

File a police report. I had to supply a copy of my police report for each and every instance of identity theft. The other document that was almost always required was a FTC (Federal Trade Commission) affidavit. This document goes into a little more detail about the circumstances surrounding the identity theft. Don’t be surprised if you supply these documents, and you are provided a company’s affidavit to fill out as well.

You may seek the guidance or resources of a government entity and you will quickly discover that nobody knows where to direct you. You will be tossed around from agency to agency. One agency tells you to go here, another tells you to go there. None of the agencies know what the other is doing, and none of them have been any remote of help to me, except the detective bureau in the local police department. 

Freeze your credit immediately upon discovering that you are a victim. Originally, I hesitated to do this, even though a criminal had destroyed my reports, for some reason I felt as if a freeze would tarnish it as well, so I placed a fraud alert. I did eventually freeze my report; this does seem like the only true way these days to prevent thieves from infiltrating your report…however, I have learned that fraudulent inquiries will continue to show up.

Credit reports are not established at a certain age, rather they are established when credit is created. This is how children are discovering fraudulent accounts on their credit report later in life. Companies that have weak or non-existent due diligence procedures are extending credit to criminals on children’s nonexistent credit.  I strongly support all children having their credit frozen until the time when they need to access it-this option is not available in all states, and should be. Until this is an established practice, check your children’s credit to ensure they are not victims.

Be prepared to be treated like you are trying to get out of something. As a victim of identity theft you are immediately thrusted in the position of having to defend yourself, having to prove you are who you say you are. I recall a collection company that I spoke with after receiving a notice that a fraudulent account was in default. Knowing the drill, I explained to the collection company that I was a victim of identity theft and asked what documentation I needed to submit, and they responded by aggressively questioning if I was really was a victim. I cannot convey how maddening that moment is. Companies treat you like you are trying to get out of something. It was like this with nearly each and every entity. These are huge national companies, companies you very well may do business with. They lack the sophistication (or don’t put safeguards in place) to prevent identity theft, excuse themselves from the issue by claiming themselves also as victims, then turn to you and treat you like you have the time to invest in creating a scheme in order to get out of paying for a good or service. It is an amazing juxtaposition to be going through a crime as a victim, and having to defend, explain, and document how you are not a thief. All the while you are at the mercy of these companies, the exact same entities who allowed this to occur to you in the first place.

Not If, But When

It's simply not a matter of if you will experience identity theft, it's when.

Constantly, we hear of or experience occurences of stolen personal information resulting in identity fraud, credit card fraud, tax fraud, medical fraud, the list goes on. If it has not already affected your life, it will. And be ready for a rude awakening when you find yourself a victim. The burden is on you. Think you'll just need to make a phone call or two, think again. In some cases, just set aside a few years of your life and you may have some of the time, energy, and effort covered that you will find is necessary to try and restore your name.

The burden is not with the criminal and not with the entities who allow the theft to occur, it rests solely on you.

I do not under any circumstance have any amount of sympathy when an entity declares that they have been hacked.

The news is always followed-up with that they are doing "all they can do". What does that mean? What this really means is that they didn't think it would happen to them, or they didn't want to spend the money to put safeguards in place to protect you, and now they are doing "all they can do". 

In the latest hacking case health insurer Anthem says hackers infiltrated their computer network and the hackers were successful in accessing personal information, including social security numbers. 

Anthem has now hired an internet company to improve its defenses.

Isn't it a little late for that?

Here you are a health insurer who not only holds personal information, but also included in that access to some or all of your customer's medical history.

This is inexcusable. The mindset that they too are victims is wrong. They clearly were not doing all they could do, because now after the fact they have reached out to "improve their defenses" and "identify potential gaps".

Anthem, as well as other entities, is gambling that this will not happen and it does, daily. And, even if they thought this might occur, what is the worst that could happen? They would not be stuck cleaning-up the mess-no, that is left to you, and they would come out looking like victims of the crime, when clearly they are not.

Anthem is no stranger to this, in 2013 the company agreed to pay $1.7 million to resolve federal allegations of security weaknesses. And even with this most recent occurrence admitted the stolen information was not encrypted in their database. 

As for praising them for their rapid response to the hack, we need to start praising companies for their pro-active response instead of praising entities that operate bad business at our expense.