It is the largest case of identity theft in the country. More than 41 million credit and debit card numbers were stolen by an international ring that hacked into the computer networks of nine national retail chains, including Barnes & Noble, BJ's Wholesale Club, OfficeMax and TJX Cos.
Last week's indictments serve as a warning to consumers. But they also can serve as a reminder to take a few simple steps to protect yourself from this kind of crime, which affects as many as 8million Americans each year, costing billions of dollars and countless hours to correct the problems it creates.
By law, when a data breach occurs, a company is required to send a letter to notify customers of their possible exposure, said Steve Ely, a divisional president for credit reporting company Equifax Inc. But he said companies often downplay the problem to minimize damage to their reputation. “Ninety-nine percent of the time (breach letters) look like a piece of junk mail, and people throw them away.”
That's a mistake. Such a letter may be the first indication that your personal information has been compromised.
And indictments like those announced Tuesday aren't likely to prevent your data from getting into the hands of other criminals, warned Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, a nonprofit in San Diego.
“Even though they may have found the individuals,” said Stephens, “that is no guarantee that that information is not out there and available to people to use for fraudulent purchases.”
Whether or not you've received a letter, there are simple steps to help prevent, or at least minimize the problems that can arise if you become a victim:
Limit access to information
Carry as few credit cards as possible, and leave your Social Security card at home. Never give out personal information by phone, mail or on the Internet unless you initiated the exchange and are clear why you're sharing such details.
Other important steps include emptying your mailbox as soon as possible; shredding or tearing up credit card offers, bills and other personal papers before discarding them. Also make sure Web sites used for online purchases are secure – one good sign is that the address bar turns green in the most recent versions of Web browsers.
Minimize use of debit cards
It's advised that you limit or eliminate use of debit or check cards linked to bank accounts, especially online.
“Our recommendation to consumers is that they never use debit or check cards,” Stephens advised. “Once that information has been compromised, it provides criminals with a direct pipeline into their banking.”
One reason he advises against using debit cards is it's harder to recover losses than with credit cards.
Review credit card statements
Routinely review statements for unauthorized purchases. If you spot one, a call to the credit card company will start an investigation and the questionable purchases will be reversed under most circumstances. Companies will also issue new account numbers upon request.
Ely warned that one tactic thieves use is changing the billing address on existing accounts to delay their detection. “If for some reason you don't get your statement on time, that would be a red flag,” he said.
Monitor your credit report
Upon request, federal law requires each of the national credit reporting companies – Equifax, Experian and TransUnion – to provide consumers with one free credit report each year. The reports can be obtained at www. annual credit report. com or by mail. Consumer advocates recommend rotating requests among the three companies, obtaining a report every four months.
Request a credit alert or freeze
If you believe there may be a problem, you can ask the credit reporting companies to put a fraud alert and possibly a security freeze on your credit information. A fraud alert requires potential creditors to contact you or use “reasonable policies and procedures” to verify identity before issuing new credit in your name. They are free, but last for only 90 days. They can be renewed repeatedly, but it's up to a consumer to contact the companies after the first alert has expired.