Every year at about this time, technology reporters typically recount the big computer crimes from the past 12 months and proclaim “The Year of the Hacker” or some such moniker. This year, it fits.
Two years ago, the Target hack ushered in a new era of credit card theft awareness and ultimately helped inspire a big change in the way Americans use plastic. But as we all know, theft of credit and debit card information has a limited impact on consumers (fraud liability generally falls to the merchant or financial institution, if reported in a timely fashion).
On the other hand, theft of Social Security numbers, health care data and even fingerprints, by the millions … well, that’s a much bigger big deal. And that’s what U.S. consumers faced in 2015.
Data theft has moved far beyond credit card fraud. Today, millions of Americans have to live with the fact that agents acting allegedly on behalf of a foreign government now hold their SSNs and fingerprints — identity markets that are difficult, if not impossible, to change. And loss of that data makes them vulnerable, potentially, forever. That’s the real story of 2015.
A More Personal Breach
“This year proved once again the breaches have become the third certainty in life because the bad guys have proven they are more persistent, creative and increasingly sophisticated than the good guys,” Adam Levin, co-founder of Credit.com and author of new book, Swiped, which chronicles the extent of the ID theft problem, said. “While consumers, government and business are more aware of the issues, there is still a lack of understanding as to what needs to be done, resistance to allocate the proper resources to do what needs to be done and countless legacy systems that impede our ability to do what needs to be done.”
The Identity Theft Resource Center says there were 750 announced data leaks in 2015, and all tallied, 178 million records were lost or stolen. Also a headline from 2015: hackers’ new focus on healthcare data. Nearly 122 million healthcare records were stolen during 264 reported breaches, the most of any industry, the ITRC says. Government records were the second most commonly stolen — 24 million in 59 leaks. Comparatively speaking, the 5 million records lost in 69 leaks by the financial industry seems small.
The year in hacking got off to a fast start, when health insurance provider Anthem Inc. revealed it had been hacked in early February. Ultimately, the firm said that up to 80 million consumers were impacted. There were plenty of reports blaming China for the attack. While hack “attribution” is often an inexact science and the FBI rarely makes its conclusions public, it wouldn’t be the final allegations against Chinese hackers.
Nor would it be the last major health data hack. A month after Anthem’s announcement, Primera Blue Cross revealed that hackers stole data on 11 million consumers. There were plenty of reports that the same hackers were involved in both incidents, meaning the Chinese government might have been involved, but again, the allegations were denied by China and clear evidence was never made public.
Then, the big one hit.
Hackers Hit Home
In June, the Office of Personnel Management — Uncle Sam’s Human Resources department — revealed it had been hacked and 4 million government employees were at risk. Later, the number was raised to 18 million. Then 21.5 million. And the at-risk pool was expanded to former government workers and potentially anyone who had been used as part of an federal employee background check. Stolen data ranged from Social Security numbers to security clearance information to, in 5.6 million cases, fingerprints. Once again, reports blamed Chinese hackers. Once again, the culprits remain at large.
The hacking incident dominated tech headlines for months, and the federal government is still notifying victims. Meanwhile, all these alleged China-led hacker attacks became a major topic of discussion when President Obama and Chinese President Xi Jinping met in September. The two world leaders announced the U.S. and China wouldn’t attack each other through the Internet, though many security firms are skeptical the announcement had any real impact.
It certainly had little impact on computer criminals trying to gain illegal access to large consumer databases. Only a few weeks later, in October, T-Mobile revealed that its credit check provider Experian had been hacked and 15 million consumers were put at risk.
Meanwhile, big numbers aren’t the only reason consumers should be concerned. Smaller hacks can have a bigger impact, depending on the data that’s been leaked. The IRS “Get Transcript” service was hacked this year, and eventually, the agency had to reveal in August that criminals accessed more than 300,000 taxpayers’ accounts. Given the focused nature of the attack and the precise data stolen – old tax returns – victims are at serious risk for full-blown identity attacks.
Also this summer, password-storing service LastPass announced that criminals had gained access to encrypted passwords belonging to potentially 7 million users. The thieves still faced the uphill battle of cracking the password file’s encryption, so the incident was not quite the disaster it sounded like at first. Still, consumers were told to change master passwords immediately, and were put on notice once again about the fragility of seemingly safe computer systems in the 21st century.
More Big Breaches Ahead?
No doubt, 2016 will bring even more cautionary tales.
“As breaches have become the third certainty in life and the identity theft that flows from them is the new norm, businesses and consumers need to follow the 3Ms: minimize the risk of exposure, monitor and manage the damage,” Levin said. “Business leaders need to shore up their cyber defenses by instituting data segmentation, encryption, employee training on security protocols and penetration testing. Consumers need to remain vigilant and adopt a culture of self-monitoring. They should check their accounts on a daily basis, sign up for transactional monitoring from their bank and use long and strong passwords that don’t repeat across accounts.”
Just about every consumer involved in all these hacks received some kind of free credit monitoring offer. They are always worth accepting, but it’s important to know that credit monitoring can offer only limited protection against identity theft. In the end, consumers are ultimately responsible for discovering ID theft themselves. The best way to do that is regular monitoring of credit reports through AnnualCreditReport.com and use of a free credit score tool like the one provided by Credit.com.
More Money-Saving Reads: