Has Your Identity Been Leaked in a Security Breach?

Has Your Identity Been Leaked
in a Security Breach?

Most likely, yes, which means your identity is on the Dark Web. If cybercriminals don’t have your personal and financial information yet, they will keep trying to get it so they can sell it on the Dark Web to buyers who could destroy your life.

One survey found that only 8 percent of adults in the US have heard of the Dark Web, and 23 percent have heard about it but don’t know what it is. In the article “Dark Web Cyber Threats,” the writer explains: “Cybercriminals routinely harvest sensitive information through data breaches, phishing scams, and malware attacks, then sell this stolen data on Dark Web marketplaces to the highest bidder.” To see how vulnerable we are now, check the Cyber Security Ventures website to find a list of dozens of major hacks in 2024.

Last November, I learned the hard way about the financial implications of having my identity on the Dark Web. Although there’s nothing we can do to protect our sensitive information from being leaked in a corporate security breach, there are many things we can do to “stop the bleed” and prevent identity theft. (See this Lifelock article on “How Common is Identity Theft in 2024?” and this related article, which warns that AI is opening the door to new scams and new types of Cybercrime in 2025.)

Sorry for the length of this message,
but it couldn’t be split into two parts.

My Ongoing Dark Web Experience

Since 2008, my information has been leaked in more corporate data breaches than I can count, including the Capital One and Equifax Credit Union breaches in 2019 and the DuPage Medical Group in 2021. But two 2024 breaches finally leaked the last pieces of my identity and now all of it is on the Dark Web.

Cybercriminals will be trying to steal my identity as long as I live and probably beyond, as evidenced by the letter I received last September from an ambulance company. They apologized when saying my late husband’s date of birth and Social Security number were leaked when “certain files” were stolen. Harry died in 2005, and I was stunned and angry to learn they had kept this kind of sensitive information for 19 years when most medical files are usually deleted after 5-10 years. Now someone will surely use his information to steal his identity, and I can do only so much about protecting my SSN.

One of my most damaging breaches was the Feb. 21, 2024, massive cyberattack on Change Healthcare, which I reported on in my September Bulletin. This company processes 15 billion claims annually, and reports were that a substantial portion of the people in America could have had some protected health information leaked in this incident. Until I received a letter from Change Healthcare on October 5, I didn’t know I was one of them. Only then did I learn that everything related to my healthcare, insurance companies, claims, and billing procedures—including my SSN and bank account number where my house, car, and supplemental insurance premiums are automatically drawn each month—had been in hacker’s hands since February. Think about it: It took over 7 months to notify people whose identity had been leaked!

Following Change Healthcare’s apology was the offer of two years of credit report monitoring and alerts about where my information is showing up on the Dark Web. I’ve had a Lifelock/Norton account for years, but I set up an account with IDX Identity Theft protection plan because they offer some services that Lifelock doesn’t. Both do scan the Dark Web searching for whatever information we want monitored.

My worst data breach was still to come. In August, an email from Kim Komando alerted me to the National Public Data Breach that leaked information on nearly 2.9 billion people, making it one of the largest data breaches in history. This company collects and sells personal information used for background checks. About it, the nonprofit National Cybersecurity Alliance said, “It is likely everyone with a Social Security number was impacted.”

The next time I logged into Lifelock, I found a page listing 29 “people-finder websites” selling my name, address, primary email address, and phone numbers—clearly connected to the National Public Data breach. It’s almost impossible to get your name off one of these sites, let alone 29. And I expect this number to soon be overwhelming.

I got another surprise in November when someone used my Bank of America credit card in a store in NJ and charged $154+. Bank of America knows how I use this card, so they denied the charge and contacted me to confirm it was a hacker. I had a new credit card two days later, but when my November statement arrived, it included two other charges later made by hackers in NJ that were immediately removed from my statement when I reported them. Assuming my Capital One card was also on the Dark Web, I then asked for and received a replacement card.

Time to Batten Down the Hatches
with a “Digital Security Fence”

I spent hours in November logging in to all my business and financial accounts to change my User name, set up a different email address to receive alerts and add two-factor authentication where needed. I also changed or double-checked the strength of my passwords, which Kaspersky’s Password Checker tells me would take three or more centuries to crack. (I never save passwords online but keep them on paper sheets stapled together and backed up on a thumb drive.) I also did these things:

I pulled a credit report and checked the freezes and fraud alerts I put on my credit union accounts. Normally, I’ve used the free Annual Credit Report site to pull a report from one credit union every four months, but now I can get them through my Lifelock account and by logging into the accounts I set up with Equifax and TransUnion to monitor when I need to renew fraud alerts or credit freezes on my credit union reports. (It helped that I could simply call Experian and put a freeze on my information without the need to open an account.) Below are links to freeze/unfreeze your credit:

Equifax. Visit the Equifax website and follow the steps
to freeze online or call 1-888-298-0045.

TransUnion. Add a freeze online on the TransUnion
website or call 1-888-916-8800.

Experian: Visit the Experian Freeze Center
or call 1-888-397-3742.

I locked my Social Security account. Shortly after I learned my Social Security number was on the Dark Web, I found the article below explaining how to block some access to my SSN with a “Social Security Number Lock.” To do this, call 800-772-1213. There was a two-hour wait before someone could help me, but they offered to call me back when my turn came up, and they did. After I gave them the identity information they needed to confirm I owned my SSN, they put a block on my information.

The article, “How to Lock Your Social Security Number” explains the blocking process and also what to do if you are a victim of identity theft. (Taking steps to prevent it is different from actions you must take if fraud has already made you a victim.) Note that locking your Social Security number prevents anyone—including you—from changing or accessing your Social Security record. It also means you can’t access your SS account unless you call and ask them to remove the block.

How Your Email Address
Can Be Used by Others

Lately, I’ve been getting postal advertising mail or donation requests from companies and organizations I’ve never interacted with before, confirming that stolen email addresses end up on mailing lists anyone can buy.

In September, I started getting emails and text messages from places trolling for people interested in working online. The first was from Monster Staffing, saying their research showed I was qualified for this kind of work. At first, I laughed and marked it as spam. When I went in to delete the junk mail, I was amazed to see messages saying someone wanted to buy my house, set me up in an online bank where I already “had favor,” and invite me to submit my claim for the Katz privacy settlement (a legitimate case that had closed by then.)

I don’t send or receive emails on my cell phone but only on my computer. Occasionally, I do WhatsApp videos with friends, so it took a while for me to see that someone found my email address on my cell phone and signed me up in a WhatsApp Cyber Wealth Investors group as well as several breakout groups in that organization. There were telephone numbers linked everywhere but none of them answered my call. I figured out how to get unsubscribed from these groups and changed the settings to indicate that only people on my Contacts list could do this sort of thing. (Of course, I don’t want anyone signing me up for anything, but I found no option for how to specify that as a setting.) All this is to say that dealing with all this “tech stuff” is taking hours of my time every month.

It takes discernment to look carefully at every email and be sure you know who’s sending it because even emails from companies you know may be phishing scams. Never open an attachment or PDF document or click an email link unless you know the sender. “Think before you click” should be emblazoned on our foreheads because it takes only one wrong click to open the door to identity theft.

I wish I could close with good news, but identity theft concerns are going to get worse with AI in the picture, so stay alert. I hope the steps I’ve taken to increase my identity security will help you do the same. Thanks for any feedback I might share in a follow-up Real Life Bulletin.

Recommended article: How to Prevent Identity Theft: Warning Signs, Protection Services and More

First published as a Brabec Real Life Bulletin on January 6, 2025.

Back to
Money Matters T/C

All Articles T/C

Brabec Bulletin & Personal Blog Posts

HOME

Leave a Reply

Your email address will not be published. Required fields are marked *