Hackers have my social security number. Now what?
May 14, 2021 10:08 PM   Subscribe

My name, street address and social security number were accessed in the Accellion hack. What can I do to mitigate potential damage?
posted by anonymous to Grab Bag (6 answers total) 8 users marked this as a favorite
Get a copy of your current credit reports from all three credit bureaus (it's free once a year), then freeze your credit.
posted by erst at 10:32 PM on May 14, 2021 [3 favorites]

What erst said above and in the meantime it might be helpful to get clearer on what you mean by ‘potential damage’. It sounds like this is understanding of damage is a bit nebulous at the moment. What are you specifically concerned about and what can you do about that? What are the real risks here and how much do each of those impact you personally? If you understand this, you’ll have a better sense of which actions are your priority, for both damage control and future risk mitigation/prevention. This should guide your next steps.
posted by iamkimiam at 12:36 AM on May 15, 2021

This article lists important online accounts you should make sure you own.
posted by davcoo at 2:09 AM on May 15, 2021 [1 favorite]

It's scary when this happens, but the main thing to do is to sign up for an identity monitoring service. (I used Identity Guard for the past five years, but they recently stopped giving scores from all three credit bureaus so I'm exploring other options).

After the Equifax hack, all of our social security numbers are publicly accessible, so I wouldn't necessarily be too concerned about it -- it might even be overkill to freeze your credit. Identity Monitoring will protect you against almost any malicious use of your SSN, and early detection is the most important thing.
posted by jtothes at 6:51 AM on May 15, 2021 [2 favorites]

1. Freeze your credit, as noted above. Caveat: If you plan to request any credit in the next year or two (mortgage, car, job, new apartment, etc.), make absolutely sure you understand the ramifications this has for you and how it will complicate that process. Also make sure you understand the difference between a Fraud Alert and a full-blown Freeze:
- Fraud alert: Lenders are supposed to contact you (using the information you supply in your request) upon any inquiry or request for credit, at which point you can say no, this is not me. That doesn't happen all the time though so it's still possible for fraud to occur.
- Freeze: Your profile is straight up locked down. Nobody can pull your credit, period - until you (usually in writing) request the freeze to be removed. Makes it much more secure but harder on you if you plan to need it.

2. Check out a service like myFICO which provides frequent updates whenever anything in your report changes (very customizable). It was very helpful to me when I was going through full blown ID theft issues.

#1 will help prevent usage of your information to gain credit in your name. #2 will help identify it as quickly as possible if/when it does happen. Also note that obtaining credit in your name doesn't always mean credit cards, etc. In my case, power company and cable TV accounts were opened in my name. Originally I only knew this when the collection letters started coming, but 2 years later after getting this service, when they tried it again I knew within hours when I was alerted to the inquiry.
posted by SquidLips at 9:31 AM on May 15, 2021 [1 favorite]

Social security numbers weren't very secure to begin with, but having the rest of the PII to go along with it means that your identity is more readily spoofed by lazy hackers who go only for the lowest hanging fruit. I still don't know which source was (or sources were) used when my identity was stolen. There are two steps to take right away:

1) Set up a 90 day fraud alert through any one of the three major credit reporting services (Equifax, Experian, and TransUnion). When you do this at any one, they are required by law to let the other services know, and the other services are required by law to turn the corresponding alert bit on in their systems. This will automatically expire after 90 days, but it gives you time to do the next step:

2) Freeze your credit at all three agencies. This used to be more difficult, but you should now be able to do it online. They'll provide you with a PIN you'll need to save securely, possibly online, possibly by mail (I just came across my TransUnion PIN where I keep important mail, for example). You will need to do the freeze at each agency individually; it does not propagate the way the 90 day alert does.

Once you've done both of those steps, and possibly built into the interfaces at this point, you should pull your credit reports at all three agencies and make sure no accounts have been opened using your information. If fraudulent accounts have been opened, you'll have to report them to the agency or agencies that list them.

From now on you'll have to explicitly unfreeze your credit report whenever you do anything that requires a credit check (opening a new account, getting a mortgage, etc). All three of the agencies now have web interfaces on this where you log in and say whether you want the unfreeze to be permanent or temporary, and if you say temporary they'll ask you what day to restore the freeze. I just did this last week because we switched cell phone providers. The new provider's online application failed because of the freeze, but they told me which agency to unfreeze with and gave a phone number to call once the freeze had been lifted. It was less convenient than a one click application, but it wasn't hard.

Every few months I get a paper notice from a lender that they were unable to process "my" credit application because my credit report is frozen. I just file those away in my "identity theft" folder because nothing will happen with them without manual intervention, and they'll expire.

It's possible (but unlikely) that someone could try to file a fraudulent tax return using your information. In that case the IRS will provide additional security measures for you, but they won't provide them preemptively. The most common way to find out if that's an issue is when you file your own taxes (this happened to a dozen people at a company I used to work for the same year my own identity was stolen, but not specifically to me).

In very rare cases you can get a new SSN, but the government doesn't like to do that and they'll try to steer you towards the IRS's additional security measures. I'm not sure how much it would really help in the end, because as I said at the start social security isn't very secure. Even a new number is easy to attain.

Sorry this happened to you. I'm still living with this problem, and it sucks. Your identity never gets un-stolen.
posted by fedward at 10:19 AM on May 15, 2021

« Older Recommendations for Asian American young adult...   |   How serious are the problems with this property? Newer »
This thread is closed to new comments.