34 KIPLINGER’S PERSONAL FINANCE^ 05/2019MONEY
One of the largest breaches disclosed last year was at Marriott International,
which admitted in November that its Starwood guest reservation database had been
hacked starting in 2014. That exposed up to 383 million guest records (though the
number of guests affected is likely smaller because of multiple records). Many records
contained data such as passport numbers, addresses, dates of birth and, in some
cases, customers’ payment-card information. Quora, an online question-and-answer
platform, also discovered a breach of account information including names, e-mail
addresses and passwords of up to 100 million users. Hackers may try to enter stolen
usernames and passwords into other sites—say, those of banks or retailers—in hopes
that some customers reuse their log-in details across several accounts. “The chances
that some of those credentials will work on one or more other websites are exception-
ally high,” says Velasquez.
Fortunately, none of those 2018 breaches involved Social Security numbers—a key
piece of information a thief can use to run away with someone else’s identity. But the
2017 Equifax data breach exposed the names, Social Security numbers, birth dates
and other sensitive data of more than 145 million Americans. Those bits of info are
permanent pieces of your identity, and they may sit idle for years before a criminal
puts them to work.
The overall number of fraud victims fell significantly last year from 2017, thanks
largely to a decline in fraud against existing credit and debit cards, according to a
Javelin Strategy & Research report. But in both 2017 and 2018, the number of victims
who faced some liability for fraud more than doubled from 2016, and so did the vic-
tims’ out-of-pocket costs. Incidents of fraud in which criminals open new financial ac-
counts in a victim’s name or take over existing non-card accounts, such as brokerage
or retirement accounts, were well above historical levels in 2017 and 2018 and “are
much more difficult, and frequently expensive, for victims to resolve,” says Javelin.Sophisticated schemes. Imposter scams, in which crooks claim to be representa-
tives of the IRS, Social Security Administration or other entities in attempts to glean
personal information or money from their targets, topped the list of consumer com-
plaints submitted to the Federal Trade Commission in 2018—the first time such scams
have reached the number-one spot. Scammers are taking aim at both consumers and
businesses with increasingly realistic “phishing” e-mails, persuading individuals to
click on links or attachments that could infect their computers with malware or
prompt them to send sensitive information.
In early 2017, Pooja Raval found out that a staff member of the community health
center where she worked as a physician had been tricked into e-mailing the employ-
ees’ W-2 tax forms—which contain a treasure trove of personal info, including Social
Security numbers, addresses and income information—to a crook. Thieves can use
such valuable pieces of data to impersonate victims in several ways—and since
the breach, Raval, of Cambridge, Mass., has encountered a few of them. A criminalattempted to file a tax return and collect a refund in her
name; the IRS noticed that something was amiss and
sent Raval a letter before issuing the refund. She was
instructed to bring the letter and various identifying doc-
uments to an IRS center so that she could get an Identity
Protection PIN to file with her tax return. (Before she
could make it to the center, the IRS sent her the PIN.)
Someone has repeatedly tried to use Raval’s in-
formation to get health insurance. And a credit card was
fraudulently opened in her name—despite freezes she
placed on her credit reports, says Raval. Rather than being
able to take steps to prevent identity theft, she says
she has had to “wait and fix it retroactively.” Raval says
she lacked support from her employer in repairing the
damage, and she left the company early last year.Stronger protections. If there’s a bright spot among
the bad news, it’s that policymakers are paying atten-
tion. The Equifax data breach “has created a lot of inter-
est in legislation both at the state and federal level to
provide consumers with greater protection from iden-
tity theft,” says Paul Stephens, director of policy and
advocacy for the Privacy Rights Clearinghouse.
Last September, a federal law that made credit
freezes free for everyone went into effect (see page 42).
The same law also requires the Social Security Adminis-
tration to offer financial institutions a more streamlined
system to ensure that the Social Security number a
customer provides matches up with the name and birth
date associated with that SSN. The measure is designed
to cut down on synthetic identity fraud, in which crimi-
nals piece together real SSNs—often of children—with
fake names and other bits of personal info to create
new identities. More federal data-privacy laws may
be on the way, too. The Senate Banking Committee
recently sought input on the collection, use and protec-
tion of sensitive personal information by financial regu-
lators and companies.
Private companies and the government have a big re-
sponsibility in taking better care of your personal data.
But you can take steps to safeguard your identity, too.A
s new research on identity theft continues to roll in, it paints an unsettling picture of how good
crooks are getting at their craft. Although the number of U.S. breaches fell in 2018, the number of
records exposed containing sensitive, personally identifiable information (such as Social Security
and financial-account numbers) spiked by 126% from the year before, according to a report from
the Identity Theft Resource Center. “That tells us thieves aren’t committing less crime—they’re
just getting better at it,” says Eva Velasquez, president and CEO of the ITRC.