The Wall Street Journal is the most recent in a long line of corporations that have fallen victim to intentional hacking events, but what sets the WSJ apart from some of the other victims is its quick response upon discovering the breach.

Despite not having much verification as to what information was accessed and how widespread the infiltration may have been, the paper’s parent company, Dow Jones & Co., took its major computer systems offline, including even its photo database, in an effort to contain any possible damage.

According to sources like Forbes and PC World, the Wall Street Journal and Vice magazine were only the most recent victims of the same Russian hacker, a man who calls himself “w0rm.” This hacker also recently broke into CNET, with the same motive: selling user information from his own online store. His asking price for access to each of these companies’ databases? One Bitcoin, the digital cash currency that is currently valued at around $620US each.

To back up his statement, w0rm has posted screenshots of his handiwork to social media sites like Twitter and been found bragging on the site about his other cyber escapades.

But in this case, WSJ handled it correctly by taking down their systems the moment they learned about the breach. All too often, companies who’ve fallen victim to a hacker take weeks to investigate the issue before ever even telling their customers, the very people whose data was accessed. By then, the potential for serious damage has come and gone, and the victims were unaware that their sensitive and identifiable information had fallen into the wrong hands. This type of quick response from WSJ demonstrates that businesses are becoming more aware of the dangers of cybercrime, and have plans in place to respond.

A spokesperson for the newspaper has stated that there appears to be no threat to the WSJ’s customers; if anything at all, they believe the hacker seems to have only accessed the customers’ email addresses and blocked passwords. That wouldn’t be enough information for identity theft or other forms of fraud, but would make the overall databases valuable when sold to other hackers. These hackers then use those email addresses to distribute spam, malware, and viruses to a large user base, and they’ll happily pay people like w0rm for the privilege.

This is where the public comes in. By ensuring that they’re very careful with their online behaviors, users can help protect their computers and their accounts from harm if their information was sold.

First, making sure their anti-virus software is installed is only scratching the surface of protection. Those pesky little updates that request permission to run after the computer boots up are actually designed to block the most recent threats; these threats are created practically every day, so companies produce regular updates in response to new threats. By clicking out of the update without installing it, users are actually leaving their computers vulnerable to the latest hacking tools.

Also, smart users need to remember not to fall for emails that contain strange messages or links. Even emails that come from people they know could contain malicious links, since the hackers who purchase the names on the WSJ database will use those accounts to send spam to those individuals’ address books. The recipients of the resulting second-level emails will see a message that seems to have originated from someone they know, so they’re more likely to click on a harmful link.

Finally, users must remember to avoid clicking on popup messages that claim to clean up their computers or inform them that their computers have been infected. Those are typical adware and malware scams, and clicking on the button will only install and activate these harmful programs. As greater awareness of the risks associated with computer use spreads to various sectors, hopefully future cybercrimes will end the same way: with very little damage or inconvenience to the victims.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues.  This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue.  The ITRC Data Breach Report is available weekly and all information is free to the public.

Smaller businesses are at risk of ID-theft, but only a small percentage of them have policies and procedures in place to protect against online intrusions. Here are some tips to be prepared.

If a data breach can take down Target’s CEO and cost Target tens of millions of dollars (so far) and the bad guys can crack into eBay’s data as they did just days ago, isn’t this a big red flag of data danger to America’s backbone: small business? Hopefully, the answer is a resounding “yes,” because Symantec’s sobering “Internet Security Threat Report 2014” makes clear that the situation is fraught with danger. Symantec wrote, “Cybercrime remains prevalent as damaging threats from cyber-criminals continue to loom over businesses and consumers.” When we think of data-breach events, we often think of outside hackers. The Symantec Report said that “hacking was the leading source for reported identities exposed in 2013,” causing 34 percent of data breaches.

This means 66 percent of all data breaches were not related to hacking, with other causes of data breaches reported as accidental release of information (29 percent), theft and/or loss of computers and drives (27 percent), insider theft (6 percent), unknown (2 percent), and fraud (2 percent). Data breaches are a growing risk-management issue, maybe as important as, or more important than, traditional risk areas. Small- to medium-size businesses are at risk, just as large organizations are, with an ever-increasing volume of customer, employee, and proprietary information acquired and all very desirable to ID-theft criminals.

Yet only a small percentage of companies with fewer than 250 employees have policies and procedures in place to protect against online intrusions, according to a Symantec survey report released in 2013. Earlier this month, I spoke at the Police Officers’ Credit Union Conference in Las Vegas. In my remarks, I said that “no one company can ever prevent itself from experiencing a data breach and that education is the number one tool for protecting data.”

Here are my plan recommendations for the data breach that none of us wants:

1. Breach source. Determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, you should engage a forensic-investigation company, preferably one that is already familiar with your network topology and information-security and governance policies and procedures.

2. Breach assessment. Determine the scope of the data breach and the privacy and data-security regulatory requirements associated with the type of records for the states in which you conduct business.

3. Response plan. Include internal employee education and talking points, public-relations news releases, customer education and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.

4. Protection plan. Include the small-business or consumer-protection services to be offered to the compromised record group and the confirmation of professional call-center and recovery-advocate support services.

5. Breach victim resolution plan. Provide access to professional certified identity fraud-recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.

Mark’s most important: Get serious about an advance plan for ID theft or a data breach or be prepared for fines, penalties, class-action lawsuits, brand damage and/or loss of revenue that may put your business seriously at risk.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Once again, news has circulated of a missing laptop that may lead to the access of personally identifiable information for several thousand students in Massachusetts and Vermont. Unlike the recent Sterne Agee breach in which an employee’s laptop was simply lost, this incident involves the intentional theft of a laptop from the employee’s vehicle.

In this particular case, the billing company—New Hampshire-based Multi-State Billing Services—allowed a laptop computer containing the complete identities of almost 3,500 public school students to be taken from their facility. The laptop was later stolen, and despite the password protection to turn on the computer, the information it contained was not encrypted.

This information includes the names, addresses, birthdates, Social Security numbers, and Medicaid numbers of nearly three thousand students in grades kindergarten through twelve in nineteen different Massachusetts school districts, and more than four hundred students in Vermont schools. The information, presumably gathered to process reimbursements to schools whose special education students receive services that are covered under Medicaid, is not believed to have been the target of the theft, but rather the physical laptop itself.

And that’s what presents the problem. In cases of cyber crime or data breach, companies have long followed the protocol of informing the possible victims so they can take steps to protect themselves. Companies have even started purchasing insurance policies to cover the cost of cleaning up after a data breach and securing their clients’ information. Once hackers steal private information, the credit reporting agencies will freeze those customers’ accounts for free. But in the case of a stolen laptop that just happened to contain identifying information, the credit reporting agencies do not necessarily waive their fees to put a hold, freeze, or alert on someone’s account, especially a child’s.

One of the chief issues is that access was given to the information in the first place. It was the job of MBS to secure the laptop and the information, and certainly to encrypt the data, not just password protect the computer itself. It would be interesting to know why the laptop ever left the office in the first place and why it was left in someone’s car.

But parents also have to protect themselves and their children by remembering who is entitled to the information. While the school was billing Medicaid for legitimate services and using a widely known billing contractor to handle the paperwork, there is no clear connection between the Medicaid services and the Social Security numbers. The Medicaid numbers had to be provided, and it is possible that the Social Security number had to be given to the Medicaid office when the child was first signed up, but as far as the school or the service provider needing the SSN, there’s no clear reason for it.

Often, requesting a Social Security number is simply a holdover from the days when it was commonly used as an identification number. Now that the dangers of doing so have become clear, many organizations are turning away from the practice, especially considering it’s actually a violation of the Social Security system. The SSN is not to be used for identification or proof of citizenship, as those are not its intended purposes. Any organization which requests your number or your child’s number, without doing so for employment or taxation, is not necessarily entitled to it. Once a breach occurs, though, it’s important to follow through with the help that is offered. In this case, MBS is paying for up to three years of fees on the children’s credit reports, should the three different reporting agencies not waive the fees associated with freezing and unfreezing the reports.

Some customers of the financial planning and investment company Sterne, Agee, & Leach received an ominous letter in the mail this week. Apparently, sometime between May 29th and May 30th of this year, a data breach occurred within the company that resulted in the loss of customers’ personally identifiable information, data that included names, addresses, account numbers, and Social Security numbers.

How did this breach happen? The old fashioned way. Someone took a laptop home from work and lost it. While Sterne Agee has been able to figure out that the laptop has not been used to access the servers at their company headquarters where the rest of their customers’ data is stored, the information that was made available to anyone who finds the laptop is out there in the open, all because the customers’ personal information was stored on the laptop itself. So far, they haven’t been able to determine whether or not the laptop has been turned on, or whether the files containing customers’ private information were opened.

So what went wrong? How could the customers have prevented this personal data breach? The simple answer is, they couldn’t have. Short of doing research before signing up with Sterne Agee and finding out their corporate policies on employees being allowed to bring laptops home from the office—or other files, for that matter—the customers couldn’t have prevented their personal information from being shared.

Since customers cannot sign up to invest or save money that will earn interest without providing their full tax identities for reporting purposes, this is one of those times when handing over the Social Security number was required in order to do business. Also, this wasn’t a malicious hacking event or cybercrime that could have been prevented through better technology. It was a simple circumstance that has happened to all of us at one time or another.

The problem here is the non-compliance with best practices. It’s astounding that in 2014 many businesses and corporations still don’t have full safeguards in place. First, the laptop really shouldn’t have left the office, which does admittedly defeat the whole purpose of it even being a laptop. If there is actually work that needs to be done outside of the office or business that needs to be conducted on a portable computer, then the laptop should have been encrypted and it should never, ever store customers’ information. The problem in this scenario wasn’t that an employee took a computer out of the building and then lost it; that could have happened to anyone. For that matter, the computer could have been stolen right off the employee’s desk by a thief. The real problem is that the computer stores private information in the first place.

Fortunately for its customers, Sterne Agee recognizes the full potential of what harm this one event can cause. The letters that customers received about the breach provided step by step instructions for what action to take to protect themselves in the (hopefully) unlikely event that whoever has the computer now realizes what a goldmine he’s sitting on. The first step is to sign up for the credit monitoring services that Sterne Agee has agreed to provide. That membership will give the customers copies of their credit reports, will cause an alert to be sent to the members if any suspicious activity occurs on their credit, covers the members with $1 million worth of insurance for issues that stem from this breach, and more.

The letter also points out that customers need to stay on top of their credit reports and request further copies over a period of time; the reporting agencies and their addresses are provided in the letter for consumers’ convenience. Finally, the letter suggests taking steps that the ITRC has supported for quite some time, which is to put a fraud alert or even a security freeze on their credit files, which will thwart attempts to open new lines of credit or accounts.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Cellular and digital service provider AT&T has had to inform an undisclosed number of customers of a security breach in which three contracted workers accessed personally identifiable information. Apparently they were intent on finding the correct information needed to “unlock” cell phones, so one assumption from the company is that only customers whose phones have been stolen are under threat. These workers were authorized to access AT&T’s customer information, but not for these purposes.

AT&T is one cellular service provider that allows its customers to “unlock” their phones from AT&T’s network in order to switch to a new service provider. This is actually a very generous policy on the part of the phone company, because it means a customer whose service contract has expired is free to take his phone to another company without having to purchase a new one or sign a contract to receive a discounted phone.

However, in order to “unlock” his phone from the network, the customer must be able to provide all of his secure data to the AT&T representative who is assisting him. This prevents thieves from stealing a phone, calling the company to unlock it, and initiating service elsewhere.

The company believes the contractors were attempting to steal the necessary information to unlock previously stolen phones by looking up those specific customers’ accounts. Unfortunately, that information includes addresses, Social Security numbers, and more, so the threat of a full identity theft is still possible.

While the company has not announced how many customers this breach affected, California law requires a company to inform the state attorney general if the number is higher than 500, and AT&T has alerted the AG’s office of this breach.

The company mailed letters to the customers who may have been impacted by this, outlining the steps they should take at this point. Unfortunately, the breach occurred in April of this year, and while AT&T has not explained why it waited so long before informing the public, the affected customers will be granted one-year paid access to a credit monitoring service in light of the loss of personal information.

What makes this data breach most troubling is the exposure of Social Security numbers. While many of the breaches that have been making major headlines recently have a much larger number of individuals affected, this breach has the potential to be much more dangerous.  Breaches where card information is exposed are annoying and can lead to financial identity theft and fraud, but once a consumer knows that their card has, or has the potential to be used fraudulently, they can cancel the card and get a new one.

When a Social Security number is exposed there is the potential for serious identity theft to occur including medical, governmental and criminal identity theft.  These types of identity theft, along with the ability of identity thieves to continue to use the Social Security number to open up new lines of credit, are a lifelong problem and a year of credit monitoring is not going to be sufficient to help victims who have their Social Security number used by identity thieves.

That being said, let’s hope that the purposes of these specific thieves were to just “unlock” cell phones and not for far more nefarious purposes.

It’s kind of melodramatic to say that identity theft isn’t a matter of if, but when, but watching news reports and talking to friends and family members who’ve fallen victim to a personal data breach can make it feel like that’s the case. Having a plan of action in place for a cybercrime or hacking event can help you feel like you know what to do should the seemingly-inevitable idea actually happen.

For individuals and their personal data, your plan should involve knowing what to do to both prevent identity theft and recover from it quickly should it happen. Steps to prevent a data breach should include securing your accounts with strong passwords, changing those passwords frequently, safeguarding your information, and shredding sensitive documents before discarding them. You’re more likely to discover you were hacked in a timely fashion if you’re staying on top of the documents and reports that come to your house. Routine checkups on your credit report with the three reporting agencies from time to time can also help.

But what do business owners need to plan for? What are the steps you must take if your business is hacked, and you have vendors, suppliers, and customers all wondering if their sensitive information—which a hacker took control of through your company’s network and computers—is safe?

The first step is to take a multi-layered approach to your network security. Have you installed antivirus and antimalware software? Great! That’s only one layer, though. Do you have email scanning software to check incoming and outgoing emails for potential threats? Do you have web blocker capabilities that alert you if any of your computers is accessing a website that may be designed to steal data?

Next, you need working relationships in place with outside agencies who will help you in the event of a data breach. The time to learn the name of the agent or officer who can help you is not while the rest of your staff is fielding phone calls from your customers, all of whom are screaming that their accounts were hacked. Check in with different reporting agencies from time to time to make sure that your plan is up-to-date and that you’re aware of any new regulations or guidelines.

While you’re checking on your working relationships with these agencies, go ahead and put in a call or contact letter to your company’s attorney and get a checkup on your liabilities and the legal ramifications of a data breach. Again, this is not a step to take after the fact.

Finally, one of the most important things you can do is publicly acknowledge a breach as soon as you’re aware of it. Cybercrimes are a known and understood occurrence, and the public understands that hackers are very good at what they do. But the longer you sit on information, the longer time frame identity thieves have to wreak havoc with your customers’ personal information. By immediately getting the word out, you’ll enable your customers and vendors to lock down their own personal data to prevent further damage. Keeping quiet about it will make you and your company look as though you had something to hide, which can have a lasting negative impact on your company.

Citizens in the state of Connecticut had reason for alarm recently when news broke of a security breach of the state’s Affordable Care Act agency. While not the same as the federal HealthCare.gov website that has been at the center of so much technological criticism and concern, the state’s agency—known as Access Health CT—allowed people to sign up through the state office for health care coverage.

But the Hartford-based Access Health CT office received a call from local law enforcement officials about a potential data breach when a backpack filled with handwritten note pads was found across the street from the agency’s offices. The notepads contained the names, Social Security numbers, and other personal information of more than four hundred applicants.

This recent security breach isn’t a political issue or a show of support or condemnation for the ACA, but hopefully reminds the public of an even bigger threat to their personally identifiable information. Whether we like it or not, opportunistic criminals are everywhere and can be found in just about any industry. The combination of low wages and high debt can lead people to take advantage of an opportunity that sits right in front of them on their computer screens, eight hours a day.

There seems to be no workplace that is completely immune from the danger of an employee stealing its customers’ identities. The hotel and restaurant industries are actually the single largest source of “inside job” identity thefts, but many other workplace environments lend themselves to this kind of crime. Medical offices are notorious for incidences in which billing office staff or medical transcriptionists—two positions that are often outsourced to third party companies or individuals—gather personal information and sell it to identity thieves. Public schools have also been the subject of multiple investigations, and reports have surfaced that staff members had stolen and sold the Social Security numbers of as many as four hundred students in one Florida elementary school alone. Even police officers have been arrested for using the state’s driver’s license database to steal citizens’ identities.

But if this kind of crime happens without the victim’s knowledge, what are you supposed to do to protect yourself?

First, make sure that any agency or office that you give your personal information to actually has a right to it and a need for it. Doctors’ offices, schools, and private businesses are not entitled to your Social Security number, but many of them ask for it as a means of identification or in order to turn you over to collections if you fail to pay. Remember, that number is not to be used for either of those purposes, and businesses, schools, even your child’s day camp do not have the right to ask for it.

But some agencies or institutions will need it, such as a bank or the DMV. Be sure you know who is receiving that application and what will happen to it once it leaves your hands. Sometimes, just indicating to the person that you want to know how they plan to protect your information is enough to keep them from letting it be used against you.

Most important of all is to check your information periodically for any suspicious activity. Check your bank and credit card statements for charges you’re not aware of, and check your health Explanation of Benefits to confirm that those payments were for actual medical visits for you or your family. Request your credit report annually and review it closely for unauthorized debts or accounts you didn’t open. When your Social Security report comes each year, look at it carefully for any sources of income that don’t belong to you and that could indicate someone is using your number.

These steps can help you put a stop to criminal activity associated with your identity in a timely way, and hopefully before too much damage is done.

Music subscription site Spotify made a surprising announcement recently when the company announced that a hacker had broken through their security protocols and gained access to private information that had been submitted by its users.

Unlike recent data breaches with major companies like Target and eBay, Spotify stated that it had confirmed some positive news: no financial or sensitive personally identifiable information like Social Security numbers had been obtained.

That wasn’t the only good news, of course. Again, unlike cybertheft events like the one involving eBay in which about 145 million users’ names, addresses, emails, passwords, and PayPal connections may have been accessed for criminal purposes, the damage in Spotify’s case is thought to be far less widespread.

One person.

Yes, the tech leaders at Spotify believe that their recent cyber attack involved one individual, and that this individual’s sensitive information wasn’t accessed at all.

If that’s the case, why inform people in the first place? If one person had his account hacked and all the would-be thieves got for their trouble was his user name and maybe an email address, why go to the trouble of issuing a statement at all?

The first answer is accountability. eBay is still reeling from the poor criticism and bad press associated with their attempts at not being very forthcoming about their data breach. The site posted a minor news blurb on their corporate site, a site which a tiny percentage of their users look at, and even then tried to downplay the seriousness of the issue by simply telling users it would be a good idea to change their passwords.

The second reason, though, may have more to do with the confidence the company places in its technical security. When a hacking event occurs and is overwhelmingly unsuccessful, companies have a choice to make. Do they tell people and possibly alarm them, all while inviting copycat hackers to see if they can do a better job? Or do they quietly hush it up and sweep it under the rug?

Hopefully, companies who want to keep their consumers’ trust will choose the first one. Even if the event is minimal and barely requires sending out an email about the breach, it’s important that the companies we trust with our secure information let us know when something goes wrong. The only way consumers can protect themselves after the fact is by following up with the three credit reporting agencies, and by changing and resecuring any passwords. Without the knowledge to begin those processes, thieves can continue to benefit from your data until such a time as you discover the problem.

By now, news of a major corporation like a retail chain or internet-based platform being hacked is hardly news. Companies like Target have been attacked in recent months, and the end result was that millions of customers’ personally identifiable information fell into the wrong hands. How a company responds to this kind of data breach is important, and it can tell consumers a lot about the type of corporation with whom they are doing business.

Typically, when a data breach occurs, a company alerts its customers so they can be vigilant about securing their personal information. This lets those customers whose accounts have been compromised keep a close eye on their bank accounts, their credit card statements, even their credit reports. If the customers do find suspicious activity involving their finances or identities, they can take swift action instead of waiting to find out after months of nefarious spending has happened.

Unfortunately, there’s sometimes a mind-set to downplay an incident or minimize the so-called “bad press” that stems from this kind of hacking event. In those cases, corporations sit on the information and consumers are none the wiser, which can lead to a farther reaching net of criminal activity involving the accessed information.

One such company is eBay. When a cyberattack led to the breach of some 145 million user accounts during the week of May 19th, eBay’s response was to wait several days and then post a cryptic message about the breach on its lesser-trafficked corporate website. Only after widespread complaints about the message, which simply told users to change their PayPal passwords, did eBay admit to the breach on the main website, almost a week after the attack.

How serious was the cyberattack? Names, addresses, emails, home phone numbers, and encrypted passwords were accessed, all of which were tied to users’ PayPal accounts. Those accounts are also linked to the users’ bank accounts in order to send and receive payments.

So how are consumers supposed to trust corporations if their interests aren’t being looked after in a timely way? First, and this may seem unfair, the only way to know for certain that you’re being kept in the loop about your safety and security is to assume that companies won’t tell you about a data breach, either because it’s bad for business or because they simply don’t know about it themselves. Declining to hand over all of your information without just cause can help, such as not providing your real birthdate to social media sites or not giving your home phone number to retail companies.

Savvy consumers have actually started to keep smaller accounts for their online transactions, such as a bank account that isn’t connected to their main checking and savings accounts, or a low-balance credit card for online use only. Those are tedious steps, but they can help minimize the damage and the work that you have to put into clearing up the effects of a corporate cyberattack.

Make changing your passwords from time to time a part of your online behavior. Frequent password changes can help you stay ahead of any damage an identity thief may attempt. Of course, passwords can only work securely if you use different passwords on different websites, and if you make sure that they are strong, untraceable combinations of letters, numbers, and symbols. Never use an app that stores all of your passwords in your phone or tablet, and make sure that you don’t check the box to remember your password on any computer or device that can be accessed by others.

Most tech-savvy consumers are aware of the dangers of sharing personal information online. By now, the horror stories of stolen identities have circulated far enough that (hopefully) an internet-based request for your Social Security number or checking account number would be an automatic red flag.

But with the seemingly daily reports of hackers working their way into major corporate accounts, consumers are becoming more and more wary of even using their cards in physical locations. Target is one of the largest and most widely recognized companies to have suffered an account breach that left an unknown number of customers’ accounts at risk; citizens in California who used the state’s streamlined online payment system to renew their driver’s licenses and license plates were possibly at risk of having their account information stolen. The extent of the damage in both of those cases is still uncalculated, and they are far from alone.

Short of never shopping or renewing your license again, what’s a consumer to do?

First, you can take preventive measures by keeping your accounts and your passwords secure. Don’t follow the increasingly popular trend of generating one password that only changes one letter or number for each different site you use; that practice is courting identity theft danger, especially if you’re consistent about it.

Also, be sure to keep routine tabs on your accounts. Don’t wait for an evening news story to tell you that your personal information may have been accessed. Read your account statements carefully to look for suspicious activity, and check your credit report each year to ensure that no new credit cards have been opened in your name without your knowledge.

There are a few proactive things you can do as well. With the availability of free checking accounts and low-interest credit cards, some savvy shoppers have taken to establishing low-limit accounts that they use specifically for online transactions. By linking the smaller cards or checking accounts to their online shopping and then only transferring money to those accounts when they make purchases online, they’re limiting the amount of damage and hassle that a thief can cause.

Questions about identity theft? Connect with the ITRC through our toll-free call center at (888) 400-5530, live chat feature or on-the-go through our IDTheftHelp app for iOS and Android.