Data Hacking Victim? Why and How to Monitor Your Credit Reports
If you’ve been the victim of a cybersecurity breach, here's what to know and do
One every two or three days. That’s how often a major data breach happens in the United States according to James Trainor, acting assistant director of the FBI’s Cyber Division.
Recently identity thieves hacked into no less than the Internal Revenue Service (IRS) and stole personal data on approximately 100,000 taxpayers. Earlier this year, the insurance giant Anthem, Inc. discovered that cybercriminals stole from its corporate database the personal information of up to 80 million people.
When hackers steal someone's personal information, they usually sell it on the black market to other criminals, who will use it to commit fraud in your name. In the IRS case, they will likely use it to file fraudulent tax returns early in the tax season. This way they can collect a refund before you, the real taxpayer, has a chance to do so. (This is an increasingly common scam and a good reason to file your tax return as early as possible.)
More commonly, criminals will use your credit card or other information to make purchases for themselves. When they don't pay off the debt, the creditors will report your name to the credit reporting agencies as a deadbeat debtor — and your credit score will suffer.
Related: 5 Ways to Avoid Computer Viruses
Monitoring your credit reports
The IRS is offering free credit monitoring to people whose data was hacked, and breached companies often do the same. Keeping an eye on your credit report can help you spot evidence of fraud and identity theft so you can act on it before the damage gets worse.
Three separate credit reporting agencies, Equifax, Experian and Transunion, keep logs of your borrowing and payment activity. These are private companies that collect this data legally and sell it to businesses that want to check your credit, such as potential lenders, employers and landlords. They don't have identical information about you because each agency's data collection method is unique.
Here’s how to monitor your reports.
- If you haven’t already been offered free credit monitoring due to a breach, request a free credit report from each of the three major reporting agencies once every twelve months. You can request all three reports at the same time at AnnualCreditReport.com, an industry-sponsored site that is approved by the federal government. If fraudsters caused false information to appear, creditors have taken adverse action against you, a loan application is denied or you're on welfare or unemployed, you may be entitled to a second free report. As a result of a recent legal settlement, the same goes if you have any disputes with the reporting agencies.
- If you're not comfortable making the request online, you can download a paper form and mail it in or call (877) 322-8228.
- Want to check your credit report more often? You can buy copies by contacting each agency. Contrary to popular myth, you can check your own credit record as often as you like without it affecting your credit score.
What to do if you find errors or evidence of fraud
If you find a problem that you suspect might be evidence of fraud, call that reporting agency and discuss your options with them. You may want ask for an “initial fraud alert,” advises the Federal Trade Commission. If you do, the agency will then advise the other two agencies of the alert. For the next 90 days — or longer if you ask for an extension — any business that wants to issue you credit has to verify your identity, possibly by contacting you directly.
If you find any other errors in the credit reports:
- Write a letter to the reporting agency whose report contains the error. Include copies (not originals) of any relevant documents and send it via certified mail with return receipt requested. Here is a sample letter that you can use.
- If you haven't heard back from them within a month or so, contact them again and ask for an update on the status of your dispute.
- Also send a similar letter and documentation to the company that provided the agency with false information in the first place — for instance, a department store that claims you never paid a bill.
For more details on the process of monitoring and fixing your reports, download the Federal Trade Commission’s handbook, Disputing Errors on Credit Reports.
Another good reason to monitor your reports: Fraudulent collection agencies have been known to report phony debts to credit reporting agencies in an effort to intimidate you into sending them money. People in the process of trying to get a loan may feel forced to pay in order to keep their credit report clean. Instead, you should report the fraud immediately.
Also check your bank and credit card accounts
Want to keep an eye on your credit but don't want to keep paying the agencies for updated reports? Check your bank and credit card accounts regularly, advises the Consumer Financial Protection Bureau. Report any suspicious activity immediately. Especially keep an eye out for small dollar amounts, because criminals will often test the waters by making a tiny purchase to see if anybody notices.
Sometimes criminals will advertise victims' credit card information on a website that is hosted outside of the United States. Don't visit such a site to see if your information is listed there, warns the Identity Theft Resource Center. Doing so might infect your computer with malware that could lead to even more stolen information.
Guarding against future breaches
According to the IRS, the criminals used detailed personal information they gathered from non-IRS sources to execute the hacks — a good reminder to keep all your personal information as private as possible.
Those non-IRS sources haven’t been identified, but popular hunting grounds for such information include social media sites. Much as you might like to share online, keep personal information — especially info used in identity verification questions, such as the name of your first pet or childhood best friend — to yourself.
Also, be deeply suspicious of anyone who calls on the phone and asks you to verify personal information, even if they claim they’re from the IRS. The IRS is contacting affected taxpayers via mailed letters and will not ask for personal information in these letters. If anyone calls or emails claiming to be with the IRS or any government agency, don't take the bait.
Related: 7 Tips for Filing Your Taxes Safely