The other day a reporter asked me who's to blame for the growing epidemic of identity-related tax fraud. I almost replied, "the government and the bad guys," but I caught myself before committing to that inaccuracy. "We're all to blame," I said.
I believe that breaches, and the identity theft that flows from them, have become the third certainty in life, right behind death and taxes. While it may seem like hyperbole, more than 1 billion consumer records containing some form of personally identifying information (PII) have been exposed to hackers, identity thieves and spies (forget, for the moment, the NSA) over the past 10 years.
Anthem, the second largest healthcare insurer in the nation, recently joined the burgeoning list of mega corporations that have suffered massive data breaches. In a revelation that beggars the imagination, the hackers accessed unencrypted databases containing the sensitive personal information of some 80 million current and former Anthem policyholders and employees, potentially putting millions of people in harm's way. When Anthem's CEO pointed to the cyber intruders' failure to get health records, credit cards or financial data, one can only assume he was trying to spin a nightmare scenario, because they did manage to get their grubby little fingers on names, physical and email addresses, birthdates, medical IDs, phone numbers and employment information.
Last time I checked, that's pretty much all that someone needs to commit identity-related fraud, or at the very least, to expose their targets to the panoply of "ishings" (phishing, spear phishing, smishing and vishing). If that doesn't bother you, perhaps this will: the information stolen included the skeleton key to everyone's life -- Social Security numbers.
Unlocking Your Identity
Often what's lacking in the aftermath is perspective. Anthem did a very good job of getting out in front of the breach. They were forthcoming, and notified customers quickly. But they did not do a great job spelling out to customers the predicament they are now in as a result. So, here it is. Everything a criminal might need to obtain medical treatment, devices or medications in your name, tainting your medical files in the process is now "out there." In other words, you are one act of fraud away from having a medical file become a murder weapon. When your healthcare is used by a fraudster, their information gets mingled with yours--a cocktail for life-threatening decisions. And, while we're on the subject, anyone with access to the information stolen can also file fraudulent tax returns and divert your refunds (we'll get to the recent Turbo Tax ulcer-inducing event in a moment); anyone can obtain personal loans, credit cards and mortgages using your credit profile accessed with your information; the same data could be used to empower undocumented workers to get jobs -- the income from which will be reported to federal and state tax authorities under your SSN and costing you even more. Your child's identity can now be stolen if their SSN was taken in the breach; crimes can be committed leaving a trail of breadcrumbs back to you.
In a twist of fate that would make a person think February is privacy and data-security awareness month, we learned that Intuit was forced to shut down the state tax filing on TurboTax for almost a day after detecting a large number of fraudulent filings. Minnesota refused to accept TurboTax e-filings, Alabama and Utah issued taxpayer warnings and Vermont halted refunds. To be clear, the TurboTax platform hadn't suffered a data breach. Rather, identity thieves were e-filing and attempting to divert millions of dollars in refunds using precisely the kind of information that was leaked in the Anthem breach, and countless others over the past decade. How could this happen? A staggering amount of purloined data from breaches, scams, social network over-sharing and individual compromise has been aggregated--and the fraudulent e-filings on TurboTax are a manifestation of that reality.
Now, it's easy to blame public and private sector organizations for their continuing failure to accord our sensitive personal information the privacy and security it deserves. Judging from the seemingly endless parade of reported breaches, our contempt and enmity has been well earned. Organizations' inability or lack of desire to encrypt the PII they gather and store is inexcusable. We have a serious problem when a sitting governor explains the failure to encrypt a breached database containing the tax information of every citizen in her state by saying, "Encryption is hard." A recent Government Accountability Office report confirms that a significant percentage of federal agencies are not secure. Sadly, many businesses and institutions have yet to harden their defenses or encrypt their data even after they have suffered at least one breach. After the near extinction-level breach of Sony Pictures, I am hopeful that many political leaders and corporate board members are finally coming to the realization that the threat is real, the odds are not in their favor and that there must be a paradigm shift in the way they approach privacy, data security, breach preparedness and incident response.
But the fault lies elsewhere. We live in a very connected world where convenience continues to trump security -- often in the name of innovation. We've also learned the hard way that no system is more secure than its weakest link and that humans are the weakest link. Bad practices and lousy data-hygiene is the enemy. A few months ago, the Ponemon Institute conducted a survey of nearly 100 medical providers. Eighty-eight percent reported that doctors and other medical professionals were allowed to connect personal devices to their systems (BYOD -- bring your own device). More than 50% said that this practice raised serious security concerns, yet only 38% said they were doing anything about it.
Lest we forget Washington (and I acknowledge that many would like to permanently forget Washington), at least three administrations and scores of federal legislators have talked about doing something meaningful in the areas of privacy, cyber-security and identity theft, yet we have little to show for it. This year, at least, through executive order and his State of the Union Address, President Obama has put those issues squarely into the spotlight. "We are seeing momentum" is the two-party line, at least for now.
Everyday Security Failures
But while we're pointing fingers, I would be remiss were I not to suggest that each of us stand in front of a mirror. No one is blameless here. We expose our most sensitive personal information any time we:
- pick up a phone, respond to a text, click on a link or carelessly provide personal information to someone we don't know;
- fail to properly secure our computer or mobile device (smartphone, tablet or laptop);
- discard, not shred, a document that contains PII;
- respond to an email that requests we call a number we can't independently confirm, or complete an attachment that asks for our PII in an insecure environment;
- save our User ID or password on an app as a shortcut for future logins;
- use the same User ID or password throughout our financial, social networking and email universes;
- answer quizzes that subtly ask for information we've provided as the answers to security questions on various websites;
- take pictures with our smartphone or digital camera without disabling the geo-tagging function;
- fail to replace a manufacturer's default password with a long and strong one of our own on any "connected" appliance or electronic device that we put in our homes;
- permit our email address to be our User ID, if we have the option to change it;
- use easily decipherable PINs or passwords;
- fail to annually obtain, review and correct our credit reports;
- choose not to do a daily review of our bank and credit card accounts to make absolutely sure that every transaction we see is familiar;
- put off enrolling in free transactional monitoring programs offered by banks, credit unions and credit card providers that notify us every time there is any activity in our accounts;
- use a free WiFi network, without confirming it is correctly identified and secure, to check email, or financial services websites that contain our sensitive data.
The bottom line is that we're all in this together. In the ever-evolving connected world, it's impossible to duck, bob or weave your way past the bad guys. Even a proactive measure to protect your identity like monitoring your credit regularly is no guarantee your identity won't be stolen or used in a way that won't show up on your credit report, like medical identity theft. (You can get your credit reports for free once a year under federal law and you can see your credit scores for free once a month on Credit.com to spot any identity theft red flags.)
It should go without saying that government and businesses should have to protect our PII by law, and if they fail to do their duty, they should be held accountable. That said, each of us has a responsibility to minimize our risk of exposure, to be as alert as possible to signs of an identity-related problem and to have a damage control program to put ourselves back together in the event we are compromised.