If your card data has been breached, your vulnerability — and the right self-defense actions — can vary widely
Data hackers have been busy, doing what they do best: breaching databases and making a mess you’ll have to clean up.
Since the summer of 2012, Barnes & Noble, the South Carolina Department of Revenue and GoTickets.com are just a few of the organizations reporting that data hackers have caused data breaches, potentially putting customers’ debit or credit card information at risk, and opening them up to the risk of full-fledged identity theft.
So far this year, the Privacy Rights Clearinghouse has received reports of more than 200 data breaches involving payment card fraud or hacking, exposing more than 12 million consumer records.
In some instances, the hackers seemed most interested in the thrill of hacking into a system and exposing its vulnerabilities, but in more worrisome cases, Social Security numbers and debit and credit card information were exposed.
“Anybody paying attention to the news lately regularly sees reports of major data breaches,” says John Breyault, vice president of public policy, telecommunications and fraud at the National Consumers League.
If your information was stolen, “your vulnerability varies based on how severe the data breach was,” Breyault says.
While there’s little a consumer can do before a data breach, here’s what you can expect if one happens, and the steps you can take to minimize the hassle and maximize your protection.
How you’ll find out
The first and most crucial step is to notice that a breach has happened and assess your risk. That’s not always easy. No federal law requires you be notified of security breaches involving your personal information.
The National Conference of State Legislatures reports 46 states have laws requiring data breach notification, but if you’re in Alabama, Kentucky, New Mexico or South Dakota, there are no such guarantees.
State notification laws tend to follow a similar pattern, says Sam Imandoust, legal analyst for the Identity Theft Resource Center. If a certain number of people have been impacted by a data breach, the law will require the company or organization to send a letter to everyone who may have been impacted.
In most cases, the letter doesn’t need to go out within a set time frame, but as “expediently as possible,” Imandoust says. Delays are allowed if law enforcement officials are investigating the breach, and public notification might impact their investigation.
The letters typically will contain information on the type of personal information thought to be part of the breach, a description of what occurred, when it occurred, and contact information for credit bureaus, Imandoust says. Because it’s left to the companies to craft the language, in practice, some letters are more forthcoming and clear than others.
What your bank knows
Surprisingly, if you’ve been notified of a credit or debit card data breach, it doesn’t mean your bank has been.
The company that suffered the breach may not be the bank itself, but some third party with its hands in the transaction process. The company that suffered the breach must notify the consumer, as well as bank card associations — such as Visa and MasterCard — which then notify their member banks, says Tom Shaw, vice president of financial crimes management at USAA.
In cases such as the Barnes & Noble data breach, in which credit and debit card information was stolen from PIN pad devices at 63 stores, the incident was kept from the public while the FBI conducted an investigation. USAA knew about the case before the victims did.
But there’s always a chance something can fall between the cracks. Once you learn you’ve been the victim of a data breach, Katie Ross, education and development manager for American Consumer Credit Counseling (ACCC), recommends contacting your bank or credit card company directly to report the breach and make sure there’s been no suspicious activity on your account.
What happens next
A data breach doesn’t necessarily mean your financial institution will issue you a new credit or debit card, USAA’s Shaw says.
Your issuer will look at the type of information that bad guys have in their hands, how often fraud has occurred with other cards that have been part of the same data breach, and then calculate the chances your card could be compromised, he says.
In some instances, “rather than having the customer go through the pain of getting a new card and setting up new recurring payments, we’ll monitor it,” Shaw says. But if you report fraudulent activity on your account, it will immediately be deactivated.
If there hasn’t been fraud, but USAA thinks it might occur, USAA will issue you a new card but your current card will remain active for the short term.
At Wells Fargo, the bank will telephone you if there’s a chance your current card is at risk for unauthorized transactions, says spokeswoman Natalie Brown.
During the call, the Wells Fargo representative will tell you a new card is en route and when your existing card will be deactivated, Brown says. The time frame for deactivation can vary from case to case.
When the new card arrives
When you receive a new card, you should follow the steps the bank requires to activate it. Usually that involves calling a toll-free number from your home phone or activating it online.
|— Tom Shaw|
Vice president, financial crimes management, USAA
While some banks may allow you to make small purchases without activating your card, others, such as USAA, say it’s not possible to use one of their cards unless it’s been activated.
After you’ve activated your new card, be sure to contact all the companies that automatically bill to your credit card, like your cellphone company, Internet service provider and utility company, and give them your new card number, Wells Fargo’s Brown says. Otherwise you run the risk of your transactions not going through.
With your new card, you also might want to set up a “verbal” password on your card to help verify your identity, says Ross of the ACCC. A verbal password is one that must be spoken before you or anyone else can access your banking information by phone.
Then you need to make sure you destroy your old card properly. Taking a pair of scissors to your credit card won’t do the trick. Ross, who conducts identity theft prevention classes, says it’s crucial to use a cross-cut shredder. Otherwise your trash can provide a bonanza for Dumpster divers.
What defenses do you need
Your work still isn’t done. Contact one the three main credit bureaus — Experian, Equifax and TransUnion — and have an initial fraud alert placed on your credit report. The bureau you contact is required to notify the other two.
The fraud alert will remain on your reports for 90 days, and you’re entitled to one free credit report from each agency. Check them diligently for errors, Breyault says.
In many cases, having your credit or debit card information stolen won’t develop into a full-fledged identity theft case, Shaw says. In these cases, the thieves simply want to run up as many purchases as they can.
“They just want your credit card number,” he says. “They are agnostic as to whose name is embedded in the magnetic stripe.”
To be safe, place a security freeze on your credit report, locking out anyone who tries to get new credit in your name. The only ones who can view your report are lenders with whom you do business, Breyault says. You can opt to have the freeze lifted temporarily or permanently.
Another safeguard is to sign up for free alerts if there is suspicious activity on your debit or credit card, he says.
If you’ve been the victim of a data breach, the organization that has been hit is likely to offer you free credit monitoring service for a set period of time, Breyault says. Once that period expires, you’ll have to pay for the service.
He frowns on paying for a third party to monitor your credit report. “They’re often incomplete and have a lag time in data. They’re not the same ones the lenders see. It’s really not worth the money to get them.”
Instead, he recommends, “be aggressive in getting your credit reports and checking them repeatedly for errors.”