Keep identity under a virtual lock and key

Times Staff Writer

News this month that hackers broke into a UCLA computer system, gaining access to 800,000 personal records of people connected to the university, was a startling example of the growing problem of maintaining database security.

Security breaches exposing more than 100 million records have been logged since February 2005, when the Privacy Rights Clearinghouse, a San Diego-based consumer advocacy group, started keeping track.

What can you do if you are a victim of a security breach? And what should you be doing to prevent identity theft?

Experts in consumer privacy and data security offer advice.

How do I know if my personal information has been accessed?

Twenty-six states, including California, have passed laws in recent years that require the government, companies and nonprofits to notify people when their personal information may have been compromised. In many cases, you will receive a letter or an e-mail alerting you to the problem.

But some breaches go undetected or affect people in states without disclosure laws, so some consumers may never know their personal information was taken.

What are hackers looking for?

Names, dates of birth and Social Security numbers are the main targets. With this information, hackers "have the basic keys to the vault," and may use them to apply for credit cards and take out loans for cars and houses, said Melanie Bedwell, spokeswoman for the California Office of Privacy Protection.

The state maintains a website with consumer information:

What do I do if I suspect I am a victim of identity theft?

First, place a fraud alert on your credit reports. You can do this for free by contacting one, or all three, of the major credit reporting bureaus: Experian, Equifax and TransUnion. With the fraud alert in place, you will be called if someone tries to open new credit under your name.

All three credit bureaus can be accessed through

If you have no immediate plans for major purchases or loans, you may also place a credit freeze, which will prevent anyone -- including you -- from opening new credit under your name until you authorize a "thaw."

How do I know if my information has been used?

The vast majority of compromised records are never used for fraud. But when they are, typical indicators are unusual charges on credit card statements. Unanticipated phone calls from collection agencies or problems going through a credit check also can signal that your name and Social Security number have been used by someone else.

What do I do if someone has stolen my identity?

Contact the police and the Federal Trade Commission to report that you are a victim of identity theft. The trade commission's website is

Provide credit reports as evidence. Insist on a copy of the police report, even if the police don't commit to an investigation. Then, contact the creditors with whom the thief opened fraudulent accounts. Provide the police report as documentation.

If a thief used your existing bank accounts or credit cards, close them immediately and report the problem to the credit bureaus.

What can I do to reduce the risk of identity theft?

Experts suggest checking your credit reports three times a year. You are allowed one free report every year from each of the three major credit bureaus. That means you can stagger your requests and get one every four months.

Review your bank and credit card statements with an eye for withdrawals or purchases you didn't make.

Shred all of your financial documents, including old checks and credit card and bank statements -- even unsolicited offers of preapproved credit cards you may receive. Consumers can also call (888) 567-8688 to stop companies from sending preapproved credit card offers.

How can I protect my personal information online?

Shop only on websites with order-page addresses starting with "https," not just "http"; the "s" assures that personal data is encrypted.

Don't provide personal information to any company unless you made the first contact and can verify the business' authenticity. Don't give more information than you need to; there's no reason a simple purchase should require your Social Security number.

Make sure you have good virus protection software and strong passwords.

What can I do to minimize the impact of online fraud?

Consider using a separate credit card with a lower credit limit for online shopping. That's what Stan Stahl does, and he's president of Citadel Information Group, a Los Angeles-based information security firm.

"It's much better to have to deal with a $500 fraud than a $5,000 fraud," Stahl said.

He also makes online purchases carefully.

Stahl trusts larger retail websites with his information more than small operations, because the large companies undergo strict audits by credit card companies.

How do I protect my Social Security number?

Don't carry your Social Security card with you, and be wary of giving out your number.

If a reputable organization, such as a bank or a healthcare company requests it, ask if you can create your account with an alternate numerical ID.

What are colleges and universities doing to better protect personal data?

Many universities are now requiring students to change their passwords more often and install anti-virus and firewall software before they connect to campus networks.

Some, including UCLA, are phasing out the use of Social Security numbers as school ID and restricting their use to when they are required by law, such as for financial aid and payroll.

Educational institutions are also spending more money monitoring activity on their networks and limiting staff access.

Data breaches are not solely technical problems, said Stahl, whose security has worked with universities.

"It's ultimately about leadership and management," he said. "One of the big holes we regularly find is that someone gets fired from a company, but no one notifies the IT department."

What is the government doing to prevent identity theft?

On the federal level, not enough, some say. There is an "urgent need" for federal legislation to protect consumers from identity theft, Rep. Edward J. Markey (D-Mass.), co-chairman of the Congressional Privacy Caucus, said in a statement Dec. 12, the day the UCLA breach was disclosed. "It is unacceptable that Congress adjourned last week without taking the necessary action to thwart data pickpockets," he said.

More states, however, have recently taken steps to protect consumers. California and many states allow consumers to request credit freezes, but some states do not.

In 2007, California businesses will no longer be allowed to print full credit card numbers on receipts. Identity theft arrests in California will also now be reported to the Department of Justice, making fraud activity easier to track, said Russ Heimerich of the state Department of Consumer Affairs.


Copyright © 2019, Los Angeles Times
EDITION: California | U.S. & World