When a credit card gets stolen, it's easy for the victim of the crime to shut down the card, get a new account number and avoid monetary loss. But financial peril rises and can persist for years when personal data likely to stay the same forever -- like Social Security numbers, names and dates of birth -- get stolen like it did in the cyber attack on credit-reporting service Equifax.
Once hackers gain access to these key pieces of personal data -- which is akin to the DNA of a person's online digital self -- it is at the cyber thieves' disposal forever to cause harm.
"It's very problematic for hackers to have all that important information all in one place," says John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO. "This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone."
An estimated 143 million Americans, or nearly half of the U.S. population, had their personal data stolen in the Equifax cyber heist, according to the company.
The bad news is "this data will be used for years," says Avivah Litan, a security analyst at Gartner. "So, as a consumer, you need to be hyper-vigilant."
Instead of looking at your bank and investment statements monthly, for example, review them weekly, Litan advises. And if you see any fraudulent activity, report it immediately.
With such a rich trove of personal data at their disposal, cyber thieves have a greater chance of successfully committing financial crimes against victims.
"This opens the door for total identity theft," says Robb Reck, chief information security officer at Denver-based Ping Identity.
Not only can hackers potentially gain access to your financial accounts, such as checking and savings accounts and 401(k)s, and withdraw money, "they can use this information to create a new 'you,' " warns Reck.
Creating a new you
Armed with your digital history, hackers can file tax returns using your name and social security number to claim a refund. Or file fraudulent medical expense claims. Or attempt to open credit cards, rent an apartment, apply for electric service or get a loan and buy a house in your name without you knowing.
"These types of things can bleed over into your life," says Ulzheimer. That's why he advises people to check their credit reports on a "monthly basis," just like balancing a checkbook.
And while worries about a damaged credit score, hijacked credit cards or thieves opening fraudulent accounts are among the first things cyber-crime victims think of after a data breach becomes public, there are other damaging uses of personal data they might not be aware of and is "far more challenging for consumers to detect and more costly and difficult to repair," warns Steven Bearak, CEO of IdentityForce, a Framingham, Mass., firm that offers identity, privacy and credit protection to consumers, businesses and government agencies.
Some examples of non-credit related illegal uses of victims' personal data, Bearak says, include:
*Medical ID theft. With the cost of health care rising, a new trend is for identity thieves to go into hospital emergency rooms with IDs created from stolen data to pay for surgeries and other procedures. This creates all sorts of problems for the identity theft victim, who can get stuck with the balance of the bill, see their insurance deductible used up as well as be stuck with flawed medical records.
*Tax fraud. Fraudsters armed with names, addresses and Social Security numbers are increasingly filing fraudulent tax returns in an effort to profit illegally from refunds. This creates a major headache for the victimized taxpayer, who must resolve the theft with the IRS, wait for a delayed tax return they might desperately need and often pay an accountant to help resolve the issue.
*Synthetic ID theft. In this scam, the fraudster takes different pieces of personal data from numerous victims and blends them all together to "create a new ID," says Bearak. For example, the hacker may use one victim's name, another's Social Security number, another's address, and another's birth date to create a fake identity.
"That one is really hard to detect," says Bearak. "And the new ID impacts many people."
Another risk is bad guys stealing your data and identity could get arrested, putting unsavory arrests, such as armed robbery or sexual assault, on your personal record.
Getting your identity back and putting your financial life back in order is frustrating and can take up a lot of time.
"It is very, very time consuming," says Chris Burchett, vice president of client security software at Dell.
Trying to convince financial institutions that you have been a victim of identity fraud and aren't the one that ran up a fraudulent hospital bill or withdrew every penny from your bank account isn't an easy task, adds Ulzheimer.
"To some extent, you are guilty until you can prove yourself innocent," he says.