Repercussions from some data breaches are easily remedied, but victims of insurance company Anthem's breach will have to remain vigilant against fraud for the rest of their lives.
The insurance company announced Wednesday that its database had been hacked, exposing personal data on as many as 80 million records for current and former customers and employees. The information accessed includes names, birthdays, Social Security numbers, street addresses, email addresses and employment information, including income data, according to the company. There is currently no evidence that financial or medical information was compromised, Kristin Binns, a vice president for Anthem, said in a statement.
That's a treasure trove of information, said Tom Gorup, security operations center manager for Rook Security. It's enough to commit identity theft, or bypass security questions to lock you out of existing accounts. And the risk isn't short term, like when a credit card number is stolen. "Just because the attacker stole the data today doesn't mean they'll sell it tomorrow," he said. "They could sit on this information for years."
(If there's a silver lining, it's that medical information wasn't included in the theft. Had claims data, test results or other medical data been stolen, it could also have opened the door to bribery, said Kevin Epstein, vice president of advanced security and governance for security firm Proofpoint. Any number of salient health details, from mental health issues to addiction treatments, could have been leveraged against victims.)
Still, if you're one of the millions of Anthem health insurance customers whose data might have been stolen, you're probably feeling pretty helpless right now. There are steps you can take to protect yourself though.
Monitor your existing accounts
The first thing you want to watch out for is someone using the information to trick a call center into letting them take over or transfer money out of your existing accounts, said Avivah Litan, an analyst at Gartner Inc. Criminals will try to get through the security questions using information that was stolen in this breach, including the last four digits of your social and street address. This kind of "cross channel" fraud accounts for 30 percent of all fraud, said Litan, up from almost none a decade years ago. Watch for any unauthorized activity or transfers on your current financial accounts, including 401(k) and brokerage accounts.
Sign up for credit alerts and identity theft protection
Anthem has pledged to offer free credit monitoring and identity protection services to all affected customers. These services will keep an eye on your reports for known indicators of identity theft and send you alerts, look for changes of address, and alert you when someone else tries to use your identity. "All impacted members will receive notice via mail, which will advise them of the protections being offered to them as well as any next steps," said Darrel Ng, a spokesman for Anthem, Inc. More information on those measures will be posted at AnthemFacts.com.
But don't wait for Anthem to complete its investigation, said Gorup. "It could be some time until individuals are informed," he said. It's better to sign up for service on your own, now, to thwart any immediate attempts.
Sign up for fraud alerts
A fraud alert cautions lenders and other to take special care to ensure your identity before issuing new credit. It won't necessarily stop a fraudster but it will raise a red flag to take extra steps, including potentially contacting you directly.
Contact each of the three major credit bureaus—Experian, TransUnion and Equifax—and ask that a fraud alert be placed on your file. That will stay on your report for 90 days. By then, you should have a credit monitoring service in place, Gorup said—either one provided by Anthem, or another that you sign up for on your own.
A more extreme measure is a credit freeze, which will stop any kind of credit being extended at all. Don't take this step without thinking it through. Besides stopping crooks, it also means that you yourself won't be able to get any kind of credit card, including in-store credit card, or get a loan, without notifying the bureaus first.
No one knows when or where or if the stolen identities will be used so affected consumers will simply have to stay mindful... forever. "Your Social Security number is not going to change," said Gorup. "This is going to stick with you for life." One tip to avoid fallout from bad guys using the stolen personal information is to never use personally identifiable information as answers to your "secret questions" on your online accounts, said Dwayne Melancon, CTO of Tripwire, a security software company.
"Make up your own questions and answers, or use answers that are fictitious but memorable to you to prevent criminals from guessing their way into your online accounts, "said Melancon.
What's troubling is that while it's relatively easy to reissue 80 million credit cards and put those compromised accounts on a blacklist, identity theft is much more complex. "When someone steals my identity they can't just go and reissue my identity," said Litan. "I can't just be born again."