You think you've done everything right. You carefully guard your personal information. You never — except in the most extreme circumstances — give out your Social Security number. If you are asked for personal data, you do not give it out until you have verified why it is needed and how it will be protected. You reluctantly transact online but are always suspicious that the data you give might be stolen.
But despite all this, now you find yourself an identity theft victim. How is it possible? It's all too easy I'm afraid, and it can happen through no fault of your own.
This has been discovered some 279,000 students, employees, and applicants at Northwest Florida State College (NWFSC), and applicants to a statewide scholarship program. The school's computer system was systematically hacked (or "illegally accessed" as the school put it) and the information on some 76,000 students and alumni, 3,000 current and retired employees, and around 200,000 state of Florida Bright Futures scholarship applicants was stolen.
This was not some act by a mischievous computer science student out to show the system's vulnerability. This was a professional job done by identity thieves. The school's database of student and employee information was exposed for nearly four months and the hackers siphoned off Social Security numbers, birthdays, names, and, for employees of the university, direct deposit banking information and bank account numbers.
According to authorities, some 50 university employees and students have already become ID theft victims, including the university's president.
In another case, the University of Georgia acknowledged that some numbers of personnel records were hacked sometime in late September. The University is calling it a "criminal act of computer trespass."
"This appears to us to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system," UGA Vice President for Information Technology Timothy Chester said.
But while records can be stolen by criminal hackers, many times the records are inadvertently exposed. In recent days:
- The personal information of 71,000 registered Robeson County (NC) voters was exposed after a break-in at the County Board of Elections and five laptop computers containing the personal information of all voters were stolen.
- A "mailing error" revealed the Social Security numbers of more than 9,000 University of Chicago employees when they were openly listed on postcards that were sent to the employees.
- TD Bank has begun notifying about 260,000 customers from Maine to Florida that the company says may have been affected when computer tapes containing personal information, including account information and Social Security numbers, were "misplaced" in transit.
- A "printing error" by the Centers for Medicare and Medicaid Services (CMS) exposed the personal data of 13,412 Medicare recipients.
These kinds of inadvertent exposures of personal data happen almost daily. There is little you can do to protect yourself. In almost all cases, the entities or institutions that have lost data offer free credit report monitoring to victims to try to protect them if their personal information is used by the thieves.
In a future blog, I will address the fact that such credit report monitoring alone is of only limited use, and if you find yourself in this situation you will need to do much more than simply keep track of changes on your credit report — and you will need to do it quickly.