Hackers give a boost to credit monitoring firms

Hackers give a boost to credit monitoring firms
The California Department of Motor Vehicles said that it was alerted to “a potential security issue within its credit card processing services” but that there was no direct evidence its computer system had been breached. Above, a DMV office in Los Angeles in 2012. (Luis Sinco / Los Angeles Times)

Increasing activity by data hackers has produced millions of victims and one clear winner: the credit monitoring business.

Services with names such as BillGuard and Identity Guard report a surge in sign-ups from people anxious to be protected. Nervous consumers worry that the parade of data breaches involving credit card, debit card and other personal information could leave them vulnerable to fraud and identity theft.


The latest incident was revealed Saturday when the California Department of Motor Vehicles said it was "alerted by law enforcement authorities to a potential security issue within its credit card processing services." The agency said it launched an investigation out of an "abundance of caution," but stressed that "there is no evidence at this time of a direct breach of the DMV's computer system."

The potential DMV incursion, which may have affected online transactions between Aug. 2 and Jan. 31, follows a recent string of high-profile data breaches.

Late last year, a massive attack on Target Corp. exposed up to 40 million customer payment card accounts and the names, addresses and email addresses of as many as 70 million shoppers. The breach is probably the largest cybercrime ever perpetrated against a single U.S. retailer.

In January, upscale department store chain Neiman Marcus said hackers had potentially accessed information on more than 1.1 million customer payment cards. Arts and crafts retailer Michaels said soon after that it was probing a possible system breach. This month, cosmetics and hair products seller Sally Beauty Holdings Inc. said that fewer than 25,000 payment cards were affected by a cyber break-in.

Businesses and government agencies are required by California law to notify state residents whose unencrypted personal information may have been acquired without permission. Cases involving more than 500 people must be shared with the California attorney general's office, which posts the alerts online.

Nearly 40 of these breach alerts have appeared this year, including notifications from Coca Cola, Home Depot, UC Davis Medical Center, East West Bank and the County of Los Angeles. Among the five notifications posted last week: San Francisco public health officials reporting the theft of computers from a billing vendor in Torrance and the shop at the Rosenthal winery in Malibu noting that malicious software had been installed on its credit card processing systems.

Hackers are getting bolder, targeting larger organizations and snatching more information.

Back-to-back breaches have wary consumers increasingly turning to credit monitoring services and identity theft trackers.

Intersections Inc. said its Identity Guard identity theft protection and credit monitoring service generated $42 million in revenue in 2013 and is expected to exceed $100 million by 2017. The number of subscribers to the service soared 16% year over year.

The number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December and up 32% from January 2013, spokesman Jeffrey Spring said.

"I have to believe part of it was these different data breaches that have been occurring, people being concerned about that," he said.

The BillGuard credit card monitoring application, launched in July, uses crowd-sourced reporting from its members to issue alerts about possible payment card security concerns. Since the Target breach, the app's user base has ballooned by nearly half a million participants and identified $1 million in fraud, Chief Executive Yaron Samid said.

After hearing of the DMV investigation, BillGuard checked its records and alerted 5,000 users who had participated in an online transaction with the agency between early August and late January. The identifying billing description was "STATE OF CALIF DMV INT," Samid said. Some of those users have since reported fraudulent activity on their accounts, he said.

"It's almost a terrible thing to say, but these kinds of situations raise awareness of the need to protect yourself and to be more vigilant in checking your transactions," Samid said.


As Americans come to expect convenience from government and corporations, more interactions will occur online.

Californians conducted more than 11.9 million transactions through the DMV's website in 2012, a 6% increase from the year earlier, according to the agency.

The American Bankers Assn. said banks prevented $13 billion in fraudulent transactions in 2012 — or $9 of every $10 attempted. Debit card fraud made up 54% of industry loss, with check fraud constituting 37% and online banking and electronic transactions accounting for 9%.

Michael Moebs, a cost consultant to banks, said card issuers and transaction processors have spent hundreds of millions of dollars dealing with electronic fraud in the last three years.

"The view is data breaches and hacking have become a way of life, and the industry must get used to it," he said.

Instead of raising interest rates, card issuers are more likely to impose or increase annual fees to recoup their costs, he said.

Consumer groups note that credit card breaches are generally less damaging to bank customers than those involving debit cards. Someone who uses a debit card without authorization can drain the owner's bank account, while banks and merchants are on the hook financially in case of credit card fraud.

It may take banks several weeks to reimburse customers the costs of a debit card fraud, notes the Privacy Rights Clearinghouse in San Diego, which advises consumers to avoid using debit cards at all.

Until then, Christine Lu, 38, hopes to evade a repeat of the months following the Target breach. The Montebello entrepreneur and mother said her debit card was illegally accessed during that time.

She discovered the card had been canceled while pumping fuel at a gas station, she said. Bank of America sent a replacement within days, but she's still dealing with the many auto-pay bills she's missed for her cellphone, e-commerce subscriptions, Netflix and more.

Lu said she's afraid she'll face more of the same if she's caught up in a DMV breach. She renewed her vehicle registration in August online and renewed her driver's license through the website in January.

"I just went through all this, and I can't imagine having to go through it all over again," she said. "It's been a nightmare."

Twitter: @tiffhsulatimes

Twitter: @scottreckard