What Victims of Identity Theft Can Do

If you haven’t heard, Equifax, one of the three big credit reporting agencies in the United States, announced that it suffered a massive data breach. More than 143,000,000 records were compromised, including email addresses, names, social security cards and credit card numbers.

If you believe you were the victim of identity theft, here’s what you can do:

  1. Close the accounts that you believe may have been tampered with or opened fraudulently. Use the government’s Identity Theft Report, which can be found at www.identitytheft.gov.
  2. File a police report and get a copy to submit to your creditors and others who may require proof of the crime. If you have proof of identity theft, be sure to take that proof with you when you go to file your police report.
  3. File your complaint with the FTC at www.consumer.ftc.gov. The FTC maintains an identity theft database that law enforcement agencies use for investigations. Filing a complaint also helps the FTC better assist you, as the commission learns more about online theft of identities and the problems it creates.

If you are a business owner with an SSL certificate but without protection from hackers, contact Trust Guard, the leader in website security, to protect you and your online visitors from hackers.

Yahoo Hack Calls for Improved Passwords and Security

Although the Yahoo hack took place in 2014, it was just yesterday, the first day of Autumn 2016, that they fessed up to it.

Yahoo acknowledged that hackers stole the account information of at least 500 million users. Information intercepted by the Yahoo hack included names, email addresses, telephone numbers, birth dates, passwords, and security questions.

Security experts say the incident could have far-reaching consequences for users beyond Yahoo’s services. This is because access to Yahoo could also provide login information (including passwords) to other sites as well. This could include access to social sites, sure. But it could also include bank accounts and domain and hosting accounts for small business owners.

If you had/have a Yahoo account, you should assume that your PII (Personally Identifiable Information) was stolen. Changing Yahoo passwords will be just the start for many of you. Comb through other services — especially those for which you provided a Yahoo email address to create an account — to make sure passwords used on those sites aren’t too similar to what you were using on Yahoo. Change passwords for sites that contain sensitive information like financial, health, business, or credit card data.

Never use the same password across multiple sites. Protect your username and passwords – even from friends or co-workers that you think you trust. Try a password manager like 1Password or LastPass. These sites create a unique password for each website you visit and store them in a database protected by a master password that you create. Password managers reduce the risk of reused passwords or those that are easy to decode.

You should already be treating everything you receive online with an abundance of suspicion, in case hackers are trying to trick you out of even more information. Looking for links to SSL-protected websites is a start. Don’t click on any links without knowing where they go.

When on a website, look for trust seals from trusted third-party vendors like Trust Guard who can verify the site’s privacy policy, legitimacy as a business, and even its safety by running periodic security vulnerability scans. These scans can detect issues the company might have and help the business resolve them before hackers get the chance to mess things up. Sites using these services go the extra mile, making every possible attempt to keep your PII safe and secure.

What is PII?

With so much emphasis on the security of our personal data lately, with Pokemon Go being the latest culprit (see article here), personally identifiable information (PII) is something we all should understand.

Any data that could potentially distinguish one person from another, and that can be used for de-anonymizing anonymous data, can be considered PII. To be sure, this article isn’t talking about the pie you eat or the one associated with mathematical equations.

NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address is not classed as PII on its own, but is classified as linked PII (see Section 3.3.3, under “Identifiability”, for more detail). Also see the ruling in which a federal judge in the District of New Jersey dismissed on the pleadings a VPPA claim against Viacom on the grounds that device identifiers, cookie IDs, and IP addresses, when linked to video titles, are not personally identifiable information.

The concept of PII has become prevalent as information technology and the internet have made it easier to collect PII through breaches of online and network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. In hacker slang, the practice of finding and releasing such information is called “doxing”. It is sometimes used to deter collaboration with law enforcement. On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the “doxed” individual may panic and disappear. To protect your site from hackers, we suggest that you monitor the security of your site with industry leader Trust Guard. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers have enacted a series of laws to limit the distribution and accessibility of PII.

However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributes have been referred to as quasi-identifiers or pseudo-identifiers.

The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology.

  • Full name (if not common)
  • Home address
  • Email address (if private from an association/club membership, etc.)
  • National identification number
  • Passport number
  • IP address (when linked, but not PII by itself in US)
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Telephone number
  • Login name, screen name, nickname, or handle

The following are less often used to distinguish individual identity because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

  • First or last name, if common
  • Country, state, zip code or city of residence
  • Age, especially if non-specific
  • Gender
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record
  • Web cookie

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as “a 34-year-old white male who works at Target”. Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
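The quasi-identifier effect described above can be measured on a dataset before it is shared. The following is an added example, not part of the original article: it scores every combination of gender, ZIP code and date of birth for how many records it singles out, then repeats the check after coarsening the fields. The records are constructed, and the function names (uniqueness, risk_report, generalize) are hypothetical.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). No names or ID numbers at all.
RECORDS = [
    {"gender": "F", "zip": "84043", "dob": "1982-03-14"},
    {"gender": "F", "zip": "84043", "dob": "1982-11-02"},
    {"gender": "M", "zip": "84043", "dob": "1982-03-14"},
    {"gender": "M", "zip": "84045", "dob": "1975-07-30"},
    {"gender": "F", "zip": "84045", "dob": "1975-07-30"},
    {"gender": "M", "zip": "84043", "dob": "1982-06-21"},
    {"gender": "F", "zip": "84045", "dob": "1975-01-09"},
    {"gender": "M", "zip": "84045", "dob": "1975-12-25"},
]
QUASI_IDENTIFIERS = ("gender", "zip", "dob")


def uniqueness(records, attrs):
    """Return (share of records that are unique on attrs, smallest group size k)."""
    groups = Counter(tuple(r[a] for a in attrs) for r in records)
    singled_out = sum(1 for size in groups.values() if size == 1)
    return singled_out / len(records), min(groups.values())


def risk_report(records, attrs=QUASI_IDENTIFIERS):
    """Score every combination of quasi-identifiers, from single fields to all."""
    return {
        combo: uniqueness(records, combo)
        for n in range(1, len(attrs) + 1)
        for combo in combinations(attrs, n)
    }


def generalize(record):
    """Coarsen a record before release: 3-digit ZIP prefix, birth year only."""
    return {"gender": record["gender"], "zip": record["zip"][:3], "dob": record["dob"][:4]}


if __name__ == "__main__":
    for combo, (share, k) in risk_report(RECORDS).items():
        print(f"{'+'.join(combo):<16} unique={share:.0%}  min group size k={k}")
    coarse = [generalize(r) for r in RECORDS]
    share, k = uniqueness(coarse, QUASI_IDENTIFIERS)
    print(f"generalized      unique={share:.0%}  min group size k={k}")
```

In this sample no record is unique on gender or ZIP code alone, yet every record is unique once all three fields are combined; after generalization each record shares its values with at least one other.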