Who’s to Blame for Identity Theft? Everyone


The other day a reporter asked me who’s to blame for the growing epidemic of identity-related tax fraud. I almost replied, “the government and the bad guys,” but I caught myself before committing to that inaccuracy. “We’re all to blame,” I said.

I believe that breaches, and the identity theft that flows from them, have become the third certainty in life, right behind death and taxes. While it may seem like hyperbole, more than 1 billion consumer records containing some form of personally identifying information (PII) have been exposed to hackers, identity thieves and spies (forget, for the moment, the NSA) over the past 10 years.

Anthem, the second largest healthcare insurer in the nation, recently joined the burgeoning list of mega corporations that have suffered massive data breaches. In a revelation that beggars the imagination, the hackers accessed unencrypted databases containing the sensitive personal information of some 80 million current and former Anthem policyholders and employees, potentially putting millions of people in harm’s way. When Anthem’s CEO pointed to the cyber intruders’ failure to get health records, credit cards or financial data, one can only assume he was trying to spin a nightmare scenario, because they did manage to get their grubby little fingers on names, physical and email addresses, birthdates, medical IDs, phone numbers and employment information.

Last time I checked, that’s pretty much all that someone needs to commit identity-related fraud, or at the very least, to expose their targets to the panoply of “ishings” (phishing, spear phishing, smishing and vishing). If that doesn’t bother you, perhaps this will: the information stolen included the skeleton key to everyone’s life – Social Security numbers.

Unlocking Your Identity

Often what’s lacking in the aftermath is perspective. Anthem did a very good job of getting out in front of the breach. They were forthcoming, and notified customers quickly. But they did not do a great job spelling out to customers the predicament they are now in as a result. So, here it is. Everything a criminal might need to obtain medical treatment, devices or medications in your name, tainting your medical files in the process, is now “out there.” In other words, you are one act of fraud away from having a medical file become a murder weapon. When your healthcare is used by a fraudster, their information gets mingled with yours—a cocktail for life-threatening decisions. And, while we’re on the subject, anyone with access to the information stolen can also file fraudulent tax returns and divert your refunds (we’ll get to the recent TurboTax ulcer-inducing event in a moment); anyone can obtain personal loans, credit cards and mortgages using your credit profile accessed with your information; the same data could be used to empower undocumented workers to get jobs – the income from which will be reported to federal and state tax authorities under your SSN, costing you even more. Your child’s identity can now be stolen if their SSN was taken in the breach; crimes can be committed, leaving a trail of breadcrumbs back to you.

In a twist of fate that would make a person think February is privacy and data-security awareness month, we learned that Intuit was forced to shut down the state tax filing on TurboTax for almost a day after detecting a large number of fraudulent filings. Minnesota refused to accept TurboTax e-filings, Alabama and Utah issued taxpayer warnings and Vermont halted refunds. To be clear, the TurboTax platform hadn’t suffered a data breach. Rather, identity thieves were e-filing and attempting to divert millions of dollars in refunds using precisely the kind of information that was leaked in the Anthem breach, and countless others over the past decade. How could this happen? A staggering amount of purloined data from breaches, scams, social network over-sharing and individual compromise has been aggregated—and the fraudulent e-filings on TurboTax are a manifestation of that reality.

Now, it’s easy to blame public and private sector organizations for their continuing failure to accord our sensitive personal information the privacy and security it deserves. Judging from the seemingly endless parade of reported breaches, our contempt and enmity have been well earned. Organizations’ inability or lack of desire to encrypt the PII they gather and store is inexcusable. We have a serious problem when a sitting governor explains the failure to encrypt a breached database containing the tax information of every citizen in her state by saying, “Encryption is hard.” A recent Government Accountability Office report confirms that a significant percentage of federal agencies are not secure. Sadly, many businesses and institutions have yet to harden their defenses or encrypt their data even after they have suffered at least one breach. After the near extinction-level breach of Sony Pictures, I am hopeful that many political leaders and corporate board members are finally coming to the realization that the threat is real, the odds are not in their favor and that there must be a paradigm shift in the way they approach privacy, data security, breach preparedness and incident response.

But the fault lies elsewhere. We live in a very connected world where convenience continues to trump security – often in the name of innovation. We’ve also learned the hard way that no system is more secure than its weakest link and that humans are the weakest link. Bad practices and lousy data hygiene are the enemy. A few months ago, the Ponemon Institute conducted a survey of nearly 100 medical providers. Eighty-eight percent reported that doctors and other medical professionals were allowed to connect personal devices to their systems (BYOD – bring your own device). More than 50% said that this practice raised serious security concerns, yet only 38% said they were doing anything about it.

Lest we forget Washington (and I acknowledge that many would like to permanently forget Washington), at least three administrations and scores of federal legislators have talked about doing something meaningful in the areas of privacy, cyber-security and identity theft, yet we have little to show for it. This year, at least, through executive order and his State of the Union Address, President Obama has put those issues squarely into the spotlight. “We are seeing momentum” is the two-party line, at least for now.

Everyday Security Failures

But while we’re pointing fingers, I would be remiss were I not to suggest that each of us stand in front of a mirror. No one is blameless here. We expose our most sensitive personal information any time we:

  • pick up a phone, respond to a text, click on a link or carelessly provide personal information to someone we don’t know;
  • fail to properly secure our computer or mobile device (smartphone, tablet or laptop);
  • discard, not shred, a document that contains PII;
  • respond to an email that requests we call a number we can’t independently confirm, or complete an attachment that asks for our PII in an insecure environment;
  • save our User ID or password on an app as a shortcut for future logins;
  • use the same User ID or password throughout our financial, social networking and email universes;
  • answer quizzes that subtly ask for information we’ve provided as the answers to security questions on various websites;
  • take pictures with our smartphone or digital camera without disabling the geo-tagging function;
  • fail to replace a manufacturer’s default password with a long and strong one of our own on any “connected” appliance or electronic device that we put in our homes;
  • permit our email address to be our User ID, if we have the option to change it;
  • use easily decipherable PINs or passwords;
  • fail to annually obtain, review and correct our credit reports;
  • choose not to do a daily review of our bank and credit card accounts to make absolutely sure that every transaction we see is familiar;
  • put off enrolling in free transactional monitoring programs offered by banks, credit unions and credit card providers that notify us every time there is any activity in our accounts;
  • use a free WiFi network, without confirming it is correctly identified and secure, to check email or visit financial services websites that contain our sensitive data.

In each of these instances, we leave ourselves vulnerable to those who consider the theft of our identity their day job. We are also contributing our personal data to folks who are hoping to someday launch the equivalent of a denial of service attack on our economy to take us down.

The bottom line is that we’re all in this together. In the ever-evolving connected world, it’s impossible to duck, bob or weave your way past the bad guys. Even a proactive measure to protect your identity like monitoring your credit regularly is no guarantee your identity won’t be stolen or used in a way that won’t show up on your credit report, like medical identity theft. (You can get your credit reports for free once a year under federal law and you can see your credit scores for free once a month on Credit.com to spot any identity theft red flags.)

It should go without saying that government and businesses should have to protect our PII by law, and if they fail to do their duty, they should be held accountable. That said, each of us has a responsibility to minimize our risk of exposure, to be as alert as possible to signs of an identity-related problem and to have a damage control program to put ourselves back together in the event we are compromised.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.
