By Shane Cummings, CFP®, AIF®, Wealth Advisor & Director of Technology/Cybersecurity
National Public Data, a data broker firm, announced in August that a breach occurred back in December 2023 that resulted in the theft of 2.9 billion identity-related records. One of the most concerning facts is that the data that was stolen contains U.S. Social Security numbers and other information for many Americans. The exact details are still murky; however, some estimates suggest the total number of people whose info was stolen could be 1.3 million – and up to 134 million unique email addresses (source CNET).
Proactively protecting your personal information
While details are scarce, it’s difficult to know what specific action, if any, you can take if your Social Security Number (SSN) was stolen. The website https://www.npdbreach.com/ attempts to help you determine if your information was stolen. Your SSN is used as a way to verify your identity with financial institutions, cell phone companies, and many other places. In most cases, it is the primary piece of information used to verify that you are who you say you are. If a criminal has it, it can make it much easier for them to steal your identity. Most common are criminals opening accounts fraudulently in your name, or using an SSN to attempt to hack your existing accounts.
To make matters more frustrating, the U.S. government does not reissue SSNs that are stolen. Once your SSN is known on the Dark Web or to criminals, there’s no easy way to remedy that. And in spite of everyone in positions of authority knowing about this vulnerability, there is no movement to replace the use of SSNs for identity verification with anything more private or less vulnerable.
Ultimately, regardless of whether or not your SSN was stolen in this breach, it would be to act as if it was – this could very well happen in future breaches. You should take action now. Cybercrime has increased substantially and hackers are getting very bold. Many companies, many of them data brokers, possess sensitive information like SSNs on most Americans without your permission. In fact, you have to contact them proactively to request they delete your data.
Take control of your credit reports
The Federal Trade Commission’s (FTC) online checklist on how to protect yourself if your information was stolen is available here: https://www.identitytheft.gov/Steps. One of the first steps to take is to freeze your credit with the three major credit bureaus – Experian, Equifax, and Transunion.
Freezing your credit means new accounts or major transactions like bank accounts, credit cards and loans typically can’t be initiated without your report being unlocked first. It will create some extra steps for you when you legitimately want to open new accounts for yourself. Still, the inconvenience is hugely preferable to the headaches and clean-up required if you unexpectedly find someone has taken out a credit card in your name – or worse!
You will want to periodically request your credit report to review open lines of credit and make sure all are ones you recognize and not accounts that were opened in your name without your knowledge. You can also subscribe to credit monitoring services that will automate some of this work for you.
What people can do with your Social Security number
There are some other prudent steps to take as well. Registering for an account online at the Social Security Administration (SSA) can be important to make sure someone doesn’t use your SSN to register for retiree benefits and have them sent elsewhere.
Additionally, someone can use your SSN to file a tax return on your behalf and try to get a refund issued to them via an electronic transfer. Some criminals will do this right after tax filing season opens at the beginning of the calendar year and hope that the taxpayer does not spot it in time. Sometimes taxpayers only learn of this when they go to file their taxes and learn that a return was already submitted for the same tax year.
One proactive step to take here is to establish a PIN for filing your tax return with the IRS. If someone doesn’t have the unique PIN code, they won’t be able to file a tax return in your name. Keep in mind that if you use a CPA and you don’t share the PIN with them, expect your tax return to get bounced back.
What can you do if your data was impacted?
If a criminal has stolen your information and used it to open new accounts, you’ll want to take action immediately. Hopefully you will be notified by a financial institution if a new account is opened in your name, or if a large unexpected transaction was made. If so, it’s critical to contact the financial institution immediately to notify them of fraud and to open a case to freeze the account and reverse the transactions. Failure to do this in a timely fashion may make resolving the issue more difficult later.
Other steps recommended by the FTC include placing a fraud alert on your account with the three credit bureaus and filing an identity theft report with the FTC. Given that your data has been used fraudulently, the odds of it happening again are increased, and you would be well advised to periodically review your credit reports to look for any anomalies. Freezing your credit (as well as the fraud alert), should hopefully prevent the opening of new accounts in your name.
Ongoing vigilance is critical to protect your personal information
If you are the victim of identity fraud, the FTC website referenced above can be a resource to start your investigations. There is a process to file a report with them and determine next steps. Optionally, you could file a police report with your local police department, but don’t expect that to result in much. Given the nature of internet crime, it can be difficult for local police to prosecute a criminal, especially if they are based overseas – as many are.
This is also a good time to review your account security settings. Multifactor authentication (2FA) is important for protecting your security online. Important websites like banks and financial institutions are going to be targets for criminals, and 2FA may be the most important tool to stop someone from using your identity data to break into your accounts. One-time passcodes (OTP) or authenticator apps are more robust than SMS codes, as even cell phone companies may be tricked into moving your cellular service to a fraudster’s device.
Data security and identity protection are now a permanent part of our lives. They require your ongoing attention. Working with your advisory team here at HH is a valuable element of this effort. We can help you monitor and review important steps. All of us need to be aware that fraudsters will use stolen SSNs and email address info to target our financial accounts online. Your team here can assist you in efforts to help keep those safe – and educate you on how to help fortify your defenses.
Disclosure:
Halbert Hargrove Global Advisors, LLC (“HH”) is an SEC registered investment adviser located in Long Beach, California. Registration does not imply a certain level of skill or training. Additional information about HH, including our registration status, fees, and services can be found at www.halberthargrove.com. This blog is provided for informational purposes only and should not be construed as personalized investment advice. It should not be construed as a solicitation to offer personal securities transactions or provide personalized investment advice. The information provided does not constitute any legal, tax or accounting advice. We recommend that you seek the advice of a qualified attorney and accountant. All opinions or views reflect the judgment of the author as of the publication date and are subject to change without notice. All information presented herein is considered to be accurate at the time of writing, but no warranty of accuracy is given and no liability in respect of any error or omission is accepted.
