Most recent retail store data breaches have resulted in thieves only obtaining credit and debit card numbers; it makes a mess, but an easy one to clean up and the few consumers who become fraud victims are quickly made whole. The credit and debit card laws that go into effect in "existing account fraud" are quite strong. Also, bank card security systems are usually quick to detect attempted fraud (our Target breach tips explain what to do in retail fraud circumstances and include the advice "Don't Panic"). In some cases, such as the Target breach, the thieves may also obtain email addresses and phone numbers. With these additional data points, the thieves can use "phishing" emails or "social engineering" phone calls to attempt to get you to give up the additional information needed to commit the more serious problem called identity theft.
The Anthem hackers, on the other hand, reportedly obtained that mother lode of information on up to 80 million consumers all at once -- including employers, birth dates, social security numbers, medical account numbers, phone numbers, and home and email addresses (but no medical records).
These data points could be used to commit a variety of more serious frauds, including obtaining your tax refund, obtaining medical care in your name and also committing financial identity theft, when new accounts are opened in your name by the thief.
Here are some consumer tips:
1)Don't open or click on any emails claiming to be from Anthem. Anthem did send out one official email to its customers on February 5th, on the same day that the media story broke. However, it is typical to see phishing scams following any breach. These emails will purport to be from Anthem but are designed either to install malware on your computer or get you to give up financial details that will allow them to access your accounts or open new ones in your name. (People who don't have Anthem coverage will likely also receive these emails. Any spammer with an email list can send these out.)
2) Anthem has committed to contacting you by postal mail if you are impacted by the breach. They have also set up a special website (Anthemfacts.com) with more information.
3) Monitor Your Credit Reports and Bank Accounts: All consumers have the right to a free credit annually from each of the three big credit bureaus as explained on this U.S. Federal Trade Commission (FTC) website, which describes how to go online at the government-mandated free credit report website or how to call or mail if you don't like webpage links. Citizens of seven states -- Colorado, Georgia (2/year), Maine, Maryland, Massachusetts, New Jersey and Vermont -- can obtain an additional annual free report under state law (you generally need to call each credit bureau, Equifax, Experian, and Trans Union). If you stagger these three or six (or in Georgia, nine) requests over a 12-month period, you essentially have a free credit report monitoring service.
4) Consider a Fraud Alert Now: Consumers who suspect they are identity theft victims can add a 90-day, renewable initial fraud alert to their credit reports (which also entitles you to an additional free credit report). If you know you are an identity theft victim and file a police report or FTC affidavit demonstrating this, you can request a permanent fraud alert. More on fraud alerts from the authoritative Privacy Rights Clearinghouse.
5) Consider the "Peace of Mind" of a Security Freeze on Your Credit Reports: Ten years ago U.S. PIRG, along with Consumers Union, drafted a model state security freeze law, and with the help of AARP and others, it rapidly became law in 47 states until the credit bureaus finally capitulated and agreed to provide freezes in all jurisdictions. A security freeze prevents "new" credit from being issued in your name but allows your existing creditors to look at your report. It's the only way to prevent financial identity theft, since new creditors who cannot see credit scores or reports will not open new accounts. A freeze requires more work by you; if you want to apply for a new credit card or a home re-fi, you'll need to temporarily "lift" the freeze (you can do this on a targeted creditor basis). A typical freeze costs $10 ($30 for 3) and $5-10 each time it is temporarily lifted. A few states offer free security freezes for identity theft victims or senior citizens. Learn more here from Consumers Union.
6) Don't Pay For Expensive Credit Monitoring, But Take It For Free From Anthem: A freeze is much less expensive, and 100% more effective, than over-priced "credit monitoring" services sold by the credit bureaus and other firms for as much as $19.99/month (also, the FTC has fined Experian, a credit bureau, and Lifelock, an identity theft service, for misleading sale of these products and has warned numerous others). We will be "monitoring" Anthem's expected offer of "free" credit monitoring, and will strongly oppose it if it is set to automatically convert to paid credit monitoring at the end of the free offer. Nevertheless, due to the serious nature of this breach, it's ok to take it for free.
7) Update Critical Passwords: It's always a good idea to use different, robust passwords for all your important accounts. And it's a good idea to update them regularly.
8) Several State Attorneys General and Other Officials Recommend Filing For Tax Refunds as Soon As Possible: See, for example, this alert from Connecticut officials.
Of course, watch your bank accounts, watch your email and be suspicious of any phone calls. By the way, never give out information to an incoming caller. Hang up and call the number on your Anthem card or your credit card. Watch carefully for any additional information from Anthem as the story continues to develop. We expect that state Attorneys General will be demanding additional steps be taken by the firm. CALPIRG Education Fund has additional identity theft tips here.
There is one other twist to this story. Some suspect that this breach may have been state-sponsored hacking, possibly by China. Some experts suspect that the real target is specific individuals working for specific companies. The hacked information will be used to conduct "spear-fishing attacks," which, just as they sound, are not random. Anthem customers may be only be a secondary target. Getting into another firm, with better security, for espionage purposes, may be the hackers' unconfirmed goal.
Please be vigilant. This is a serious breach, but don't panic.