The emails may already have reached your in-box: Valued customer, we regret to tell you that your name and email address may be in the hands of hackers.
All over the country, companies big and small are scrambling to warn their customers in the aftermath of what appears to be one of the biggest data breaches in recent times. But with some simple steps, you can protect yourself from the increased risk of identity theft that can follow a data breach.
The breach occurred at Epsilon, an Irving, Texas, firm that says it sends out 40 billion emails each year in "permission-based" marketing campaigns for corporate customers. These are campaigns that you opt into when you do things such as registering at a company website or writing down your email address on a warranty card.
On April 1, Epsilon announced that an "unauthorized entry" into its giant database had exposed consumers' emails and names to the intruder. It did not name the corporations whose records had been compromised, but in subsequent days it became clear that they included some of the largest businesses in America.
According to the trade publication SecurityWeek, the list includes Target, Kroger, TiVo, US Bank, JPMorgan Chase, Capital One, Citi, Home Shopping Network, Ameriprise Financial, LL Bean Visa Card, McKinsey & Company, Ritz-Carlton Rewards, Marriott Rewards, New York & Company, Brookstone, Walgreens, Disney Destinations, Best Buy and the College Board, the company behind SAT tests for college-bound students.
The companies are contacting customers through emails as well as "tweets" and announcements on their Web and Facebook pages. Generally, the messages stress that only names and email addresses were compromised. There was no loss of sensitive financial information such as credit card or Social Security numbers.
So now what? The immediate danger could be that you will receive "phishing" emails or telephone calls that purport to be from the companies but are actually seeking your personal information.
How to stay safe:
- Don't reply to requests seeking personal information, such as passwords or information on bank or credit card accounts. Even if you're told that your account was comprised — and the Epsilon breach is specifically mentioned — ignore these incoming "notifications." Instead, check out the claim yourself at the company's website or toll-free customer service number that you look up yourself.
- Don't open attachments or click on links in incoming emails that promise to take you to the company's sign-on form. Scammers may be setting up bogus websites under the companies' identities to capture log-in or account information. You should change your passwords, but do this only on the company's own website, which you reach by typing in its name yourself or finding it through a search engine, not by clicking on a link.
- Never use your email address as a log-in ID or password.
- Even if your name wasn't among the list exposed at Epsilon, know this: If you're subject to any kind of data breach you are four times more vulnerable to suffer future identity fraud, with a one in five chance of being victimized within 12 months of that notification, according to Javelin Strategy and Research.
- So if you're notified, or just suspect, that your data has been breached, keep particularly close tabs on your credit report at Annual Credit Report.com, the only place on the Web where you can get your credit reports free with no strings attached.
Within a month of a breach, it's a good idea to get one of the three free annual reports you're entitled to, and another about four months later. Look for new accounts opened in your name. Every four months, check a free report from a different credit reporting agency — Equifax, Experian and TransUnion — but report suspicious activity on any report to all three.
If a breach involves your credit or debit card, PIN or online banking numbers or health insurance, immediately contact the provider to freeze and replace that account or other identifier.
If it's your Social Security, driver's license or passport number that's been taken, you may also consider identity theft insurance or other protection services. You can also place a fraud alert or credit freeze on your credit report.
A fraud alert is free, easy to establish and can be renewed every 90 days. When it's in place, you're supposed to be contacted whenever new credit or services are applied for in your name. It's not foolproof, but simpler and easier than the stronger step of a credit freeze.
A freeze costs $5 to $20 per placement or removal if used as a preventive measure. It blocks potential lenders or service providers — including utilities and insurance companies — from checking your credit file at all, preventing credit from being taken out in your name. But it also means that if you're applying for credit or services, you'll need to lift the freeze temporarily so that company can look.
- If you haven't already, set up a dedicated email account on such free services as Gmail, Hotmail or Yahoo to use for your dealings online with companies such as Epsilon's clients. This way, if you're barraged with spam — or subject to future email data breaches — at least it won't affect your primary email address.
Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.