PII Compromise and Identity Theft, How Freezing Credit Can Help

What is PII?

According to the National Institute of Standards and Technology (NIST), Personally Identifiable Information (PII) is defined as any information about an individual, including:
(1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

A subset of PII is Sensitive Personally Identifiable Information (SPII), which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

PII Compromise, Identity Theft, and Fraud

PII may be accessed and stolen without your knowledge or permission. The majority of data breaches involve the loss, theft, or compromise of PII, especially Social Security numbers. Thousands of data breaches occur each year, executed via phishing attacks, impersonation scams, credential-stuffing attacks, brute-force attempts, malware attacks, and other methods in order to compromise vulnerable systems and networks. If a breach occurred today and your PII was compromised, it could be sold or used right away, tomorrow, next month, or years later. Compromised PII can be used or sold for identity theft schemes and other fraudulent activities, such as draining your bank account, running up charges on your credit cards, opening new accounts, and filing a tax refund in your name to steal your refund. Threat actors can also use compromised PII in social engineering attempts via phishing emails, vishing, smishing, compromised websites, and social media scams in order to steal additional PII or bank account information, access computer networks and resources, and perform further cyber-attacks.

Recommendations

The NJCCIC recommends the following to protect PII:

Consider placing a credit freeze your credit profile, which restricts access to your credit report and prevents anyone from opening a new credit account using your information. A credit freeze does not affect your credit score, prevent you from getting a free annual credit report, or prevent fraudulent transactions on existing accounts.

• To freeze your credit at no cost with the three major credit bureaus, visit the links or call the numbers detailed below. You will need to provide your name, address, date of birth, Social Security number, and other personal information.
• Equifax
  Equifax.com/personal/credit-report-services
  800-685-1111
• Experian
  Experian.com/help
  888-EXPERIAN (888-397-3742)
• Transunion
  TransUnion.com/credit-help
  888-909-8872
• Each credit bureau will provide you with a unique PIN (personal identification number) or password, which will be required if you need to lift the freeze permanently or temporarily when opening a new account. Be sure to keep the PIN or password in a safe and secure place.

If freezing your credit is not an option at this time, contact the national credit bureaus (via the contact information above) and request a free fraud alert to be placed on your credit file. These alerts notify you of suspicious activity when new credit accounts are opened in your name or changes are made to existing accounts. Fraud alerts do not prevent fraudulent transactions to existing accounts, so it is important to continue to monitor your accounts for suspicious activity.

• There are three types of fraud alerts:
• Fraud alert: credit protection for one year.
• Extended fraud alert: credit protection for seven years.
• Active duty military alert: credit protection for one year while deployed and can be renewed for the length of deployment.

In addition, individuals are reminded to:

• Exercise caution with unexpected or suspicious communications, including phone calls, text messages, and emails.
• Refrain from divulging personal or financial information without verifying the requestor via a separate means of communication before taking any action.
• Do not click on links or open attachments that come with unverified emails as they may be used to download malware or direct you to malicious websites to steal credentials.
• Navigate to websites directly by manually typing the URL into a browser, instead of clicking on links delivered in emails, to ensure you are visiting the legitimate website.
• Keep all software and hardware up to date. Only download and install software from known and trusted sources.
• Use strong and long passwords and enable multi-factor authentication where available.
• Safeguard sensitive electronic files using encryption and keep offline backups of important files.

If your PII has been compromised and/or identity theft has occurred, please take the following steps:

• Monitor all personal and financial accounts (including banking and credit institutions) and report any suspicious activity or fraudulent charges immediately.
• Change passwords for all affected accounts, refrain from using the same password for multiple accounts, and enable multi-factor authentication where available.
• Sign up for any free online alerts offered by your financial institutions to help detect fraudulent activity.
• File a police report with your local police department, as it may be required by financial and credit institutions.

Reporting

PII compromise and identity theft may be reported via the following:

• NJCCIC Cyber Incident Report Form
• FTC IdentityTheft.gov
• Internal Revenue Service (IRS): Impersonation Scam Reporting and Report Phishing and Online Scams
• Federal Bureau of Investigation Internet Crime Complaint Center (IC3)

Additional Resources

• NJCCIC - Tax Scams and Identity Theft: What You Need to Know
• FTC Identity Theft Consumer Information
• National Cyber Security Alliance (NCSA) StaySafeOnline
• Identity Theft Resource Center (IRTC)
• Cybersecurity and Infrastructure Security Agency (CISA): Security Tip on Preventing and Responding to Identity Theft
• Social Security Administration: Identity Theft and Your Social Security Number
• New Jersey State Police: Identity Theft Victim’s Reference Guide
• New Jersey Division of Consumer Affair: Preventing Identity Theft