CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

The Culprit Isn’t Always a Trojan

The day after I got back from a 16-day trip to Europe, I opened a letter from an unknown company that informed me that information about my bank account had been removed by one of their employees. The employee sold the information to a data broker who then sold the data to some direct marketing companies. I was one of a group of consumers whose banking information had been compromised.

 

As an anti-spyware researcher, I am always on the lookout for signs of malware on my computer, using firewalls, malware scanners, and careful surfing habits to prevent infections. I always imagined that the real threat of identity theft would be from a trojan or keylogger or password stealer. I never thought my personal information would be compromised through employee misconduct.

I had viewed a transaction log of my bank account just hours before opening the letter, so I was reasonably sure no one had tried to gain access to my bank account. To be careful, I called my bank to inform them of the compromised information, and they issued me a new debit card and PIN number as a result. They also recommended that I give them an extra password that anyone requesting information by phone must have to gain access to my account information.

The state I live in doesn't have a law requiring a company to report compromised information. So I could easily have never known about my stolen information since the company had no obligation to report the theft to me. 35 states have data breach laws at the time of posting (http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm).

 

I have been lucky so far. There are no signs that my information has been used to gain access to financial accounts. The company whose employee sold my personal data initiated an investigation and has seen no fraudulent activity involving my account. Nevertheless, I will continue to monitor my bank account on a weekly basis and put a fraud alert on my consumer credit file by contacting all three national credit reporting agencies. By putting a fraud alert on a consumer credit file, any lender is supposed to confirm the consumer's identity by a phone call to the consumer or by requesting the consumer's identification before issuing any type of credit in the consumer's name (http://www.fightidentitytheft.com/flag.html). Please be aware that a fraud alert will make it more difficult to open new credit because of the need for the lender to obtain your identification or contact you by phone.

In addition to the fraud alert, a consumer who may be a potential victim of identity theft or credit fraud should review their credit report right away. You can get a full credit report for free once a year from any of the national credit reporting agencies. It is a good idea to review your credit report once a year under any circumstances. When reviewing your credit report, you should look for:

  • old accounts that should be closed and are still open,
  • accounts that you have open that can be closed,
  • accounts that are open that you never requested,
  • inaccuracies in any personal information/financial accounts history, and
  • inquiries for information in your consumer credit file.

 

By reviewing your credit report, you can look for ways to improve your credit security and credit score, and make it more difficult for anyone to steal your identity or commit fraud with your credit. The Federal Trade Commission has a lot of helpful information about consumer protection (http://www.ftc.gov/bcp/index.shtml).

 

If necessary, you can also put a credit freeze on your consumer credit file. This prevents credit agencies from sharing your file with any lenders or creditors without your permission. You can find information about credit freezes, fraud alerts, and credit reports from the national credit reporting agencies:

Equifax (http://www.equifax.com)
Experian (http://www.experian.com)
TransUnion (http://www.transunion.com)

About Nancy Strutt

Nancy Strutt is a Senior Researcher with CA's PestPatrol Spyware Research Team. She received a B.S. in Computer Science and Communication Studies from the University of Maryland, as well as an M.S. in Information Systems Management from Capitol College. Her particular areas of interest in spyware research include rootkits and advertising networks. Before joining PestPatrol she developed software and web applications.