Free identity protection from breached companies falls short


By Frank J. Ohlhorst, ThirdCertainty

Free identity theft monitoring has become something of a de facto consolation prize for people whose personal information gets stolen by data thieves.

These free services, paid for by the breached company, may help some folks sleep better. But security experts say they may come into play too late, and coverage certainly does not extend long enough, to mitigate exposure to the worst forms of identity fraud.

The latest example: hackers stole driver’s license numbers and other personal data for 50,000 drivers working for the Uber personal transportation service that’s popular in California and several other states.

The company said only a small percentage of current and former Uber drivers were affected. And it announced that those victims are eligible to receive a free one-year subscription to Experian’s ProtectMyID Alert identity-monitoring service.

Uber disclosed this breach in a blog post published Feb. 27. Hackers got into the company’s data on May 13, 2014, but the breach was not discovered until Sept. 17, 2014.

That means the Uber drivers’ stolen data has been out in the wild for nine months. It also means Uber could have disclosed this, and started delivering fraud protection to the drivers, five months ago.

“What’s most disconcerting is how long it took Uber to inform those impacted by the breach,” says Brett Helm, CEO of DB Networks, a database mapping vendor. Helm added, “Two months of inaction might as well be two years when it comes to personal data exposed in a breach, the potential for damage is almost unimaginable.”

Nastiest fraud

The most worrisome exposure faced by the victims is new account fraud. This is the nastiest type of identity theft. A stolen Social Security number or valid driver’s license number can enable a fraudster to piggyback onto a victim’s good name and credit history to take out new loans, tap medical services and perpetrate other scams. This type of victimization can be very damaging and time-consuming to unravel.

While the breach at Uber may have lasting consequences for some 50,000 company drivers, a much larger breach at Anthem Health reported earlier in February could potentially expose about 80 million of the company’s customers to new account fraud.

Much like Uber, Anthem is supplying affected parties free identity theft monitoring, via AllClear ID, for a full 24 months, twice as long as Uber.

However, two years of monitoring isn’t nearly enough, contends Michael Sabo, marketing vice president at database mapping vendor DB Networks.

“If your credit card is lost in a breach it’s rather easy to get it replaced,” says Sabo. “But your identity is permanent. Another year of identity monitoring is simply not enough. Affected individuals could be at increased risk for decades.”

As with the Uber incident, the breach at Anthem may have started many months before the company realized an attack was underway. Security expert and author Brian Krebs suggests that the breach may have started as long ago as April 2014, meaning that user data was exposed long before any action could be taken.

Quick confession

However, unlike Uber, Anthem was much quicker to respond to the threat once detected. Anthem said that the breach was detected on Thursday, Jan. 29, and that it called in IT forensics specialist Mandiant, a subsidiary of FireEye, to look into vulnerabilities of its computer system. What’s more, the company contacted the FBI as soon as suspicious activity was recognized, even though the company was not obligated to report the breach for at least several more weeks.

Anthem received praise for quickly alerting authorities. FBI spokesman Joshua Campbell singled the company out as “a model for other companies and organizations facing similar circumstances.”

The main lesson, according to DB Networks’ Sabo: “The quicker an organization responds to a breach and asks for help, the quicker the company can regain the trust of its customers and employees.”

As for Uber, the company is now pursuing legal means to track down those responsible for the breach. The company is attempting to gather the IP addresses of every person who may have accessed a GitHub repository used by Uber, where it suspects that attackers may have gained access to a security key that could unlock the impacted database.

“Going after GitHub adds insult to injury,” said DB Networks’ Helm. “Database keys, certificates or other security elements should never be stored anywhere that is accessible by the public. It seems that Uber made a real rookie mistake with that.”

