During the 2008 presidential election, vice presidential candidate Sarah Palin’s Yahoo.com e-mail account was hacked. The hacker used a simple scheme and basic social engineering tools (research on Google and Wikipedia, common-sense guessing) to reset the password on the account and assume ownership of her e-mail.
In addition to denying Governor Palin access to her own account, the hacker had full control to:
- Read every saved and current e-mail in her account (hopefully she never sent her Social Security Number, passwords, or account numbers via e-mail, not to mention correspondence pertaining to her role as candidate for vice president of the U.S.)
- Steal the e-mail addresses and any other sensitive information stored in her contacts (John McCain would have been well advised to change his e-mail address.)
- Send out e-mails as if the hacker were Sarah Palin, or worse yet, send out official e-mails under the auspices of Alaskan Governor Sarah Palin.
Here is an overview of the steps I would recommend should this happen to anyone within your company:
1. Before closing down the compromised account, review all of the e-mails and contacts to which the hacker had access. Any account numbers, passwords, PINs, or other personally identifying information that the victim sent via e-mail should be handled on a case-by-case basis. For example, if a credit card number was e-mailed, that account should immediately be closed. This is a perfect example of why you shouldn’t send any information by e-mail that you don’t want published on the front page of a newspaper.
2. Employees whose accounts were compromised should subscribe to an identity surveillance service so that they can monitor illegal use of their identity beyond standard credit report tracking. Remember, less than 20 percent of identity theft touches your credit report, so it is important to monitor other sources of risk, including non-credit loan reports, cyber-trafficking of your personal data, and court, criminal, or government documents posted online. The compromised data may not be used for years, so it is important to keep a watchful eye over time and not resort to a one-time credit check.
3. Employees whose e-mail has been hacked should monitor their credit reports for free. This is important because it will allow the victim to establish a baseline credit file. In other words, a person will know what the credit portion of their identity looks like before the thief has a chance to take advantage of it. That way, when the credit file changes (and the victim is alerted to the change by the surveillance service in step 2), the ID theft victim will immediately recognize the change and be able to take further action.
4. Place a fraud alert on the victim’s credit files with Experian, Equifax, and TransUnion. I recommend going one step further and placing a complete credit freeze on the victim’s Social Security number. A freeze assigns a password to the credit file and so keeps identity thieves from setting up new credit accounts in the victim’s name. It is slightly inconvenient and can cost a few dollars, but it is the best step for someone whose identity is known to have been stolen. Make sure to sign up for identity surveillance (step 2) before freezing credit, because a freeze makes setting up the monitoring more difficult.
5. Change habits. The longer-term solution to this problem is for each of us to stop revealing so much personal information (to corporations, on the Internet, etc.). Identity thieves collect personal information about you in small pieces (a birthday from Wikipedia, your address from Google, your home value from mypublicinfo.com, and private details from your blog or Web site). Changing how we understand and protect all pieces of our personal identity is not an easy task. But a bit more discretion on the part of each member of a company — as employees and as consumers — will go a long way toward reducing the risk of a serious identity theft incident.
John Sileo became America’s leading identity theft speaker and expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer, and the FDIC. To further bulletproof yourself and your business, visit John’s blog at Sileo.com and receive a free white-paper: “Privacy Means Profit: Safe Data = Profitable Data.”