Even among the hundreds of data breaches that occur each year, the hacking of card processor Global Payments stands out.
The Atlanta-based company, which processes credit and debit card transactions for Visa and MasterCard, recently revealed that hackers gained access to no more than 1.5 million card numbers.
Visa and MasterCard quickly announced that the accounts are being monitored and cardholders won't be liable for any fraudulent charges.
But the Global Payments breach is another reminder that despite all of our attempts to keep personal information out of the hands of thieves — shredding documents and frequently changing passwords — we still are vulnerable.
"We talk so much about what to protect our computer from —
and not going to the wrong site and giving away your passwords. Then the server that has all the credit cards gets compromised," says Avi Rubin, a computer science professor at the
. "All of that protection we tell the consumer to take with their own data goes out the window."
For years, security experts say, companies wrote off identity theft fraud as a cost of doing business. Only after such theft began to heavily eat into profits did businesses — usually large ones — start taking security seriously.
But plenty of others need to catch up. Data breaches that potentially put us at risk of financial identity theft occur on average at least once a day — often at hospitals and schools.
The Privacy Rights Clearinghouse has tracked such breaches since 2005, and has recorded more than 3,000, involving 546 million records. Some are sophisticated attacks, but many are the result of simple carelessness. For example, one of the 591 breaches reported last year occurred in the Texas comptroller's office, which had publicly posted for a year or more the Social Security numbers of 3.5 million workers.
And what happens to consumers who have their identities stolen? A new report from the Federal Trade Commission says some victims who contact credit reporting agencies for help complain that the companies push them into buying fraud prevention products.
More than products, consumers need companies and organizations to invest in security technology and train their employees to keep our information safe.
Of course, not all data breaches are equally serious or lead to identity theft.
Breaches that expose names, addresses and emails are the least worrisome.
"You only have to worry about phishing," says Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. That's where con artists send you an authentic-looking email from a company or agency, trying to trick you into revealing sensitive information.
The most serious cases occur when thieves steal Social Security numbers and birth dates.
"That really allows a fraudster to pose as us and open accounts in our names," says Steve Coggeshall, chief technology officer for ID Analytics, a risk assessment company.
The Global Payments breach — exposing card numbers and expiration dates — falls somewhere in between, experts say.
"With this particular breach, the consumer could be exposed to existing account fraud," Stephens says.
That means thieves could go on a shopping spree using your current account, but can't open a new line of credit. This type of fraud also won't be picked up through credit monitoring services that look for new account fraud, Stephens says.
Security experts say we may never know if the Global Payments breach leads to identity theft.
"Most victims of identity theft have no idea how they became a victim," Stephens says.
Some thieves act quickly, while others sit on victims' information for months.
Eduard Goodman, chief privacy officer with Arizona-based Identity Theft 911, recalls a breach in which medical students' stolen information still hadn't been used by the time the thief was apprehended many months later. The thief told authorities he was waiting for the students to become doctors, Goodman says.
Maryland, like most states, requires businesses to notify consumers if their information has been compromised.
If you're notified of a financial breach, quickly take steps to protect yourself.
Start by carefully scanning your credit card and bank statements for unauthorized charges and immediately report any suspicious charges to the lender or card issuer. Online banking customers have an advantage here because they can check their account frequently and respond faster when they spot suspicious activity.
Don't overlook tiny transactions, which may be a thief testing out the card, Goodman says.
Goodman's own debit card was compromised in February, and the thief made a dozen or so $1 purchases over a few hours before escalating to transactions of about $100 each.
(Here's one reason to use credit over debit cards: A thief can remove money directly from your checking account with a debit card and the bank has 10 business days to return the cash while it investigates, Stephens says. With a credit card, a consumer won't be out any money while the issuer checks out the fraud.)
If your Social Security number has been exposed, take action to prevent thieves from opening new lines of credit.
Place a "fraud alert" on your credit report. "It's helpful, but not foolproof," Stephens says.
The alert warns creditors they should take extra steps to verify the identity of anyone trying to open credit in your name. It stays on your file for 90 days and can be renewed. Still, creditors can ignore the alert.
A far more effective measure is to freeze your credit file with the three bureaus — Experian, TransUnion and
. The freeze blocks new creditors from seeing your file. This stops them from opening new accounts — even for you unless you lift the freeze.
You will pay a small fee — $5 for Marylanders — to freeze a file or temporarily lift the freeze so a new creditor or prospective employer can view your report.
Regularly check your credit reports for unusual activity. Federal law allows you to receive one free report annually from each of the three bureaus at annualcreditreport.com.
State law also entitles Marylanders to free yearly credit reports. As a result, Marylanders can receive 6 reports each year, two from each credit bureau. By ordering one report every other month, Marylanders can monitor their credit files for free.
That beats paying $15 or so a month for a credit monitoring service.
Identity theft victims can have credit reporting agencies permanently block inaccurate information from their reports that is the result of that fraud. This right is available to victims who have filed a police report on the theft. The FTC, which surveyed more than 630 consumers who say their identity was stolen, says most didn't know they had this right.
And remain vigilant because security experts say security breaches are now part of our lives.
"It's not something that is going way," says Coggeshall, of ID Analytics. "It is just going to continue."