Identity Theft Protection Following the Equifax and Capital One Data Breaches

Identity theft protection is an insurance service that provides coverage for damages related to stolen identity which utilizes technology to protect personal information, monitor private and public records, and offers assistance to resolve breaches in consumer credit, legal and financial records.

Identity theft protection may be offered free of charge by some nonprofit organizations, but the costs associated with identity theft protection services typically provide monitoring and recovery services as well as regular access to your credit reports or credit scores.

Visit IdentityTheft.gov to locate free identity theft protection services and assistance.

What is Considered Identity Theft?
Identity theft is a crime that can be prosecuted as a misdemeanor or felony depending on the State and severity of the offense in which a criminal fraudulently acquires all or a portion of personally identifiable information (e.g. social security number, driver license number, etc.) for the purposes of impersonating someone else to unlawfully obtain money, property, credit, services, U.S. citizenship, or to commit acts of domestic terrorism.

Identity theft may also be criminally charged and prosecuted as impersonation or fraud.

The dollar amount or value of stolen property is the distinguishing factor between a misdemeanor or felony.  State law establishes the minimum amount or value of the property usually between $500 to $1000 to be considered a felony theft.

According to Smarter Shredding, Inc. the following facts are related to identity theft:

• Nearly 70% of identity theft cases involve rogue employees.
• Fraudulent charges now average more than $90,000 per name used.
• The average time spent by victims of identity theft is 600 hours.
• It takes more time and money for victims of identity theft to remove negative information from their credit reports.
• The majority of identity theft crimes committed involve opening new credit cards (73%) and accessing (the use of) credit cards (27%).
• The emotional impact of identity theft has been found to parallel that of victims of violent crime.

But identity theft crime is not just about credit fraud. A criminal armed with your personal information like social security numbers and your date of birth has unlimited access to wreak havoc on every area of your life and for many years to come.

Consider what can be done with that type of information?  For example, filing tax returns, stealing money from your bank or investment accounts, getting medical care, or even committing other crimes, to name a few.

Personal information like your name, birthdate, and social security number are permanently attached to your identity and will never change.  That is why data breaches are so problematic when credit files are compromised.  Criminals can assume and use your identity for an indiscriminate number of years long after the breach.

Identity theft protection will either prevent or, at least, minimize those damages.

Consumer data breaches are more common than most realize.  Since 2008, there have been eight (8) major data leaks affecting over 100 million consumers each.

The two most recent, Equifax in March 2017 and Capital One in July 2019 caused consumers to become increasingly concerned with identity theft and securing identity theft protection.

In fact, the growing demand for identity theft protection is largely due to aroused consumer awareness of the nearly incessant corporate data breaches in recent years, most scarcely reported.

The Capital One Data Breach
The latest to fall victim to a data hack was Capital One, again, affecting 100 million people in the U.S. and 6 million in Canada.

Capital One alleges that the breach was manufactured by a single software engineer. Paige A. Thompson, formerly employed with Amazon Web Services (AWS).

It is reported that Thompson was able to exploit a misconfiguration in Capital One’s AWS server (a credit application firewall stored on an Amazon Web Services cloud) through an incognito browser and private IP network which conceals one’s online activities to access the data.

Amazon confirmed Thompson’s employment which ended in 2016, yet the breach is alleged to have taken place between March and July 2019.

The Capital One breach is probably the most egregious because it impacted individuals and small businesses that applied for credit with the company during an extended period of time between 2005 and early 2019.

It also involved a more extensive theft of consumer records that would be most advantageous to criminal assumptions of consumer identities.

Financial analysts surmise the potential for political and regulatory actions including penalties up to $150 million against Capital One as the compromised server was under its direct management.

According to Capital One’s statement, approximately 140,000 social security numbers and 80,000 linked bank accounts were compromised.

Due to the size and frequency of data leaks, cyberattacks have become the biggest threat to the U.S. financial system.  Most companies have taken great strides in cybersecurity to prevent outside attacks but have little defense against inside hackers.

As a result, consumer data vulnerabilities will come into question among tech companies, cloud firms and banks as to how they will limit and control access to consumer data and detect potentially rogue employees.

In the meantime, consumers must be proactive in protecting their identities and minimize the damages of criminal activity.

The Eight Largest Data Hacks of the 21st Century
The following are the eight (8) largest data hacks of the 21st Century, according to Markets Insider (July 2019).

• Yahoo

Date: 2013 – 2014
Number of people affected: 3 billion user accounts
Data released: Names, email addresses, dates of birth, and phone numbers

• Marriott International

Date: 2014 – 2018
Number of people affected: 500 million
Data released: Names, contact information, credit card numbers, passport numbers, Starwood Preferred Guest numbers, and travel information

• Adult Friend Finder

Date: October 2016
Number of people affected: Over 412 million
Data released: Names, email addresses, and passwords

• eBay

Date: May 2014
Number of people affected: 145 million
Data released: Names, addresses, dates of birth, passwords

• Equifax

Date: July 2017
Number of people affected: 143 million
Data released: Social security number, birth dates, addresses, and driver license numbers

• Heartland Payment Systems

Date: March 2008
Number of people affected: 134 million
Data released: Credit card information

• Target

Date: December 2013
Number of people affected: 110 million
Data released: Credit/debit card and contact information

• Capital One

Date: July 2019
Number of people affected: 106 million
Data released: Names, addresses, self-reported income, phone numbers, some credit card data status including credit balances and limits, payments, and transaction history –credit card numbers and log-in credentials not compromised.

The Equifax Data Breach
The Equifax data breach of 2017 compromised 143 million credit files and it recently reached a class action settlement proposal with the Federal Trade Commission (FTC) of $700 million to compensate consumers pending federal court approval in December 2019.

The class action settlement offer presents two (2) reimbursement options to customers:

1. One-time payment of $125 Alternative Reimbursement Compensation
2. 10 years of free identity theft protection and credit monitoring services

If you are applying for the Equifax class action settlement be sure to document your identity theft protection activities in order to be compensated when claiming damages.

Follow the link provided below in the Related Posts section to the article for more information on the Equifax Data Breach Class Action Lawsuit.

How to Freeze or Lock Your Credit to Protect Your Identity
The best way to protect yourself against identity theft is to place a security freeze on your credit and the service is offered by all three major credit bureaus free of charge.

A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent but may also delay or interfere with or prohibit the timely approval of any subsequent requests or application you make regarding new credit, loans or services. 

Take the following two (2) steps to freeze your credit:

1. Sign up with a credit monitoring service such as MyFico or through one of the credit bureaus but there will be a fee.  Credit Karma and Credit Sesame offer credit monitoring services free-of-charge. (You will need credit monitoring to ensure your credit information is not compromised in the future).
2. Contact Experian, Equifax, and TransUnion to request a credit freeze.

Please note: Credit Karma and Credit Sesame only monitor your Vantage credit score and not the FICO score which is more commonly used by lenders.

The Vantage Score will not be an accurate depiction of your credit rating and how lenders determine risk in extending credit.
​
If you decide to purchase credit monitoring services with expanded features (e.g. security freeze, identity theft insurance, etc.) it is not necessary to purchase more than one (1) service at a time. Also, make sure that you have access to your credit report and score multiple times a year upon request with your purchase.

Credit Bureau	Online	By phone	By mail
Experian	https://www.experian.com/freeze/center.html	1(888) 397-3742	​Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
Equifax	https://www.equifax.com/personal/credit-report-services/	1(800) 685-1111; NY residents call 1(800) 349-9660	​Equifax Security Freeze, P.O. Box 1057888, Atlanta, GA 30348
Trans Union	https://www.transunion.com/credit-freeze	​1(888)909-8872	​TransUnion, LLc, P.O. Box 2000, Chester, PA 19016

To request a credit freeze by mail, you must submit your request by certified mail with all applicable attachments as required per each credit bureau.

Each credit bureau offers a Fraud Alert option which allows you to keep your credit file open to creditors but receive notifications when a credit lender accesses your credit file or opens a new account in your name.

The Fraud Alert option is used as a more convenient identity theft protection strategy to avoid going through the process of lifting a credit freeze each time you apply for new credit or loans.

How to Lift, Unfreeze, or Thaw a Credit Freeze
A credit freeze may be temporary or permanent at your discretion.  But, once you have frozen your credit and decide to apply for a new loan, line of credit, or utility account the freeze must be lifted for lenders to access your credit file.

If you opt to lift a credit freeze by phone or mail, you will be required to provide a PIN number, password, or other personal information to verify your identity.

The PIN number will be provided to you at the request for a credit freeze.  If you lose or forget your identifying information (e.g. PIN, password, etc.) you may access this information by visiting the credit bureau’s website (listed in the chart above) or by phone.

Use the chart above to contact each credit bureau for specific instructions.

The Identity Theft Protection Loophole
The loophole in consumer financial records involve the lesser-known credit reporting agencies that store and share consumer credit and other important financial information.

The number of these “specialty” credit reporting agencies and the extent of data they retain remains a looming threat to consumers even with identity theft protection strategies in place.

There are literally dozens (about or at least, 30) of said credit agencies according to a CBS News report (May 2018) that retain credit files on consumers.

It is recommended that you contact each of these agencies that may be retaining data files of your financial information to initiate a credit freeze or lock as appropriate.

One of which may apply to most everyone is the National Consumer Telecommunications and Utilities Exchange (NCTUE).

The National Consumer Telecom and Utilities Exchange (NCTUE) is a member association database, powered by Equifax through which its “member companies” exchange consumer source-anonymous information such as:

• New connection requests
• Payment histories
• Historical account data and status
• Fraudulent telecommunication activities

The NCTUE association also share consumer payment data from utility bills, including:

• Cable accounts
• Utility accounts (electric, gas, and water)
• Telephone accounts

NCTUE is one of many credit reporting agencies that warehouse consumer credit, payment, and banking data to determine risk in extending credit or opening new accounts.
Consumer data is stored with these “specialty” credit reporting warehouses for a myriad of transactions, including but not limited to:

• Purchasing a home
• Renting an apartment
• Opening a bank account
• Purchasing auto insurance
• Opening new utility accounts
• Applying for employment
• Medical records and payments

A link is provided below for a list of “specialty credit reporting agencies” published by the Consumer Financial Protection Bureau.

It should be noted that although NCTUE is powered by Equifax, it is technically a separate organization from the credit bureau and freezing your credit file with Equifax does not affect your NCTUE file.

This means that criminals may still access and open new utility, cable, or telephone accounts in your name if you fail to take measures to protect your identity with NCTUE.

You will need to contact the National Consumer Telecom and Utilities Exchange (NCTUE) to place a security freeze on your Disclosure Report.

The three options for sealing your Disclosure Report with NCTUE are:

• Security Freeze
• Fraud Alert or Active Duty Alert (for military personnel)
• Opting Out

You may contact NCTUE to inquire if it maintains a file of your financial information at:
            NCTUE Disclosure Report
            P.O. Box 105161
            Atlanta, GA 30348
            PH:      1(866) 349-5185

For instructions on how to place a voluntary security freeze on your NCTUE data file:
            NCTUE Security Freeze
            P.O. Box 105561
            Atlanta, GA 30348
            PH:      1(866) 343-2821

To place a fraud alert or active duty alert on your Disclosure Report:
            NCTUE Alerts
            P.O. Box 105425
            Atlanta, GA 30348
            PH:      1(866) 349-3233

To opt-out of the Disclosure Report:
            Exchange Services Center: NCTUE Opt-Out
            P.O. Box 105398
            Atlanta, GA 30348-5398
            PH:      1(888) 327-4376

It is important to note that opting-out of the NCTUE Disclosure Report will also prevent you from receiving pre-approved credit offers.  You may also be required to submit your name, address, social security number, and data birth with your request for a security freeze.

The National Consumer Telecom and Utilities Exchange (NCTUE) consumer reporting agency is regulated by the Fair Credit Reporting Act (FCRA) and subject to its statutes.

See the link below to the NCTUE website for more information and instructions.

Identity Theft and Assumption Deterrence Act
The Identity Theft and Assumption Deterrence Act of 1998 established identity theft as a federal crime regulated by the Federal Trade Commission (FTC) with penalties up to fifteen (15) years in prison and a maximum fine of $250,000.

The law identifies the person whose identity was stolen as the true victim where only the credit grantors who suffered monetary losses were previously considered the victims.

The legislation further enables the Secret Service, Federal Bureau of Investigations (FBI) and other law enforcement agencies to combat identity fraud crimes and allows financial restitution to victims of identity theft if there is a conviction.

Identity Theft Penalty Enhancement Act
The Identity Theft Penalty Enhancement Act of 2004 establishes penalties for aggravated identity theft or identity theft in connection with the commission of a felony.

Aggravated identity theft is punishable by a minimum sentence of imprisonment for two (2) years or by imprisonment for five (5) years if it relates to a terrorism offense.

According to the Congressional Research Service, CRS (2015) “The two-year offense occurs when an individual knowingly possesses, uses, or transfers the means of identification of another person, without lawful authority, during and in relation to one of more than 60 predicate federal felony offenses (18 U.S.C. 1028A). Section 1028A has the effect of establishing a mandatory minimum sentence for those predicate felony offenses, when they involve identity theft.”

The sentencing court, therefore, has the discretion not to “stack” multiple aggravated identity theft counts and may impose a sentence of less than the mandatory minimum.

A link is provided below for more information on the Identity Theft Penalty Enhancement Act.

Related Posts:
How to Claim $125 From the Equifax Data Breach Class Action Lawsuit Settlement
https://www.canmichigan.com/blog/equifax-data-breach-class-action-lawsuit-settlement

How to Avoid DTE Utility Fraud: Beware of Telephone Imposters
https://www.canmichigan.com/blog/how-to-avoid-dte-utility-fraud-beware-of-telephone-imposters

Links:
Capital One is the latest company to get rocked by a massive data breach. Here are the 8 largest hacks of the 21st Century.
https://markets.businessinsider.com/news/stocks/8-largest-hacks-and-data-breaches-of-the-21st-century-2019-7-1028399924

The Capital One breach is unlike any other major hack, with allegations of a single engineer wreaking havoc
https://www.cnbc.com/2019/07/30/capital-one-hack-allegations-describe-a-rare-insider-threat-case.html

Capital One shares dive after data breach affecting 100 million
https://www.cnbc.com/2019/07/30/capital-one-shares-dive-after-data-breach-affecting-100-million.html

How to freeze your credit with Equifax, Experian and Trans Union
https://clark.com/credit/credit-freeze-and-thaw-guide/

​This Equifax credit database can boost your risk of phone fraud
https://www.cbsnews.com/news/equifax-managed-nctue-credit-database-can-boost-your-risk-of-phone-and-utility-fraud/

What are specialty consumer reporting agencies and what kind of information do they collect?
https://www.consumerfinance.gov/ask-cfpb/what-are-specialty-consumer-reporting-agencies-and-what-kind-of-information-do-they-collect-en-1813/

Disclosure Reports Provide Consumer Information Contained in Their Data Report (NCTUE)
https://www.nctue.com/Consumers

Identity Theft Protection following the Equifax data breach
https://www.consumerfinance.gov/about-us/blog/identity-theft-protection-following-equifax-data-breach/

Federal Trade Commission: Identity Theft and Assumption Deterrence Act
https://ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/identity-theft-and-assumption-deterrence

Identity Theft Penalty Enhancement Act
http://www.smartershredding.com/identity-theft-penalty-enhancement.php

Mandatory Minimum Sentencing: Federal Aggravated Identity Theft
https://fas.org/sgp/crs/misc/R42100.pdf

​President Signs into Law H.R. 1731, The Identity Theft Penalty Enhancement Act
https://www.ssa.gov/legislation/legis_bulletin_072004.html