After the Hack

Victims of data breaches often get free access to identification protection services. Is that enough?

hacker victim id protection.


It’s a sequence of events so familiar it can almost seem choreographed. First, there’s a prominent hack, with thousands or sometimes millions of accounts containing vital personal information breached. Think Sony Pictures, in which hackers (alleged by U.S. intelligence officials to be connected to North Korea) released everything from employees’ Social Security numbers to their passwords and medical information. Or last year, at the U.S. Office of Personnel Management, where hackers are thought to even have accessed confidential federal employee background checks.

Almost immediately, the organization responsible for keeping the data safe turns to the identification theft prevention industry, a business with annual revenues of $2.6 billion in the United States, according to market researcher IBISWorld. For one or two or three years, the victims of the hack get free credit- or identification-monitoring services as protection.

Phew. Problem solved, right? After all, industry leader LifeLock promises to “use proprietary technology to protect and alert you to a range of identify threats.” AllClear ID, the service offered to the people impacted by the Sony data dump, touts its professionals as “[e]xperts you can trust.”

Can you? “There is some value in [monitoring services] if you are the victim of a hack,” says Avivah Litan, a vice president and analyst specializing in security issues with Gartner, a technology research company. “But the really bad things? They can’t help you.”

Identity theft takes many forms, from opening a credit card in a consumer’s name to taking out a fraudulent mortgage or filing a falsified tax return to collect a refund. Many credit-monitoring services excel at alerting consumers when someone applies for credit using their name. Respond quickly and you may well halt the attempted crime.

But despite their confidence-inspiring marketing language, there are limits to what identification theft prevention companies can do, and it starts with credit. Not all of these services monitor all three major credit bureaus—TransUnion, Experian, and Equifax—for inquiries. According to reporting by the Orange County Register, when a hack compromised the information of more than 78 million Americans with files at health insurer Anthem Inc., the company responded by offering the impacted customers a product line from AllClear ID that only used information provided by TransUnion. “If you’re not simultaneously monitoring all three [credit bureaus], it’s possible you’ll miss incidents of fraud or ID theft,” warned David Lazarus, the Los Angeles Times’ consumer affairs columnist.

Meanwhile, there are other types of identification theft where monitoring companies can only provide limited protection at best. Fraudulent tax returns can’t be detected by identity-theft services, since they don’t have access to Internal Revenue Service databases. In these cases, you’re dependent on the IRS to flag the false return—another thing that could be more robust. A Government Accountability Office study says the current model of detecting false returns is so flawed that it is not convinced the IRS is capable of gauging the full extent of the filing fraud that’s occurring. (If you’re wondering, your best defense here is to file early, before the bad guys can do so.)

Then there’s the claim made by some identify-theft services that they hire experts to scour the dark web—that is, the parts of the internet that can’t be accessed via search engines—to alert you when identifying information about you is available and for sale. Sure, they’ll almost certainly do a better job here than you could. But Litan says it’s all but impossible for them to catch everything. “It’s better than no protection, but it’s marginal,” she told me. “You have to be a super sleuth to have access to it.”

The quality of ID protection can also vary depending of how much you or your employer fork over. The experience of Aaron Udler, a Maryland business owner, is instructive. He signed up for LifeLock about a decade ago. “I originally purchased it for peace of mind,” he told me. “The informercials scared me, I thought this is some kind of must.” Earlier this year, Udler’s identity was stolen. LifeLock notified him when someone attempted to use his personal information to open an account at Sears. What LifeLock didn’t know:  Someone had used his information on a fraudulent driver’s license too. Udler only learned of that act of fraud after Virginia police stopped a man carrying it. The authorities realized the man possessing the license wasn’t Udler, because the real Udler had received a speeding ticket in their jurisdiction a few years earlier and the photos didn’t match.

As it turned out, Udler had signed up for a basic LifeLock plan costing a little more than $100 annually. More encompassing protection that would have monitored for driver’s license fraud would’ve cost $300 a year.

Moreover, once information is out there, it’s out there. It’s not like an identity theft protection service can un-release things like your Social Security number, former addresses, passwords, medical information, and mother’s maiden name. This is the sort of stuff that in combination could open up access to your existing accounts. “It’s shocking how easy it is to call a bank and if you have just a little information on someone get a PIN number changed,” says Adam Levin, the author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

In fact, the case for identity-theft insurance is so far from settled that the GAO is studying the services to see how effective they are in helping victims of hacks, a report that’s currently scheduled for release in December. “Questions have been raised, however, about the usefulness and adequacy of credit monitoring services in protecting victims’ credit following a breech,” read the letter from six congressmen—representing both parties!—requesting the study.

Nevertheless, these services seem to inspire trust and relief. That might be because until 2010, when the Federal Trade Commission cracked down and fined LifeLock $12 million, the company all but advertised itself as a guarantee. “LifeLock will make your personal information useless to a criminal,” one ad from the time blared. “LifeLock,” proclaimed another, “offers a proven solution that prevents your identity from being stolen before it happens.”

In fact, then-LifeLock CEO Todd Davis claimed to be so confident in his service that he released his own Social Security number in company ads. According to an investigation by the Phoenix New Times, enterprising thieves then used that number at least 13 times to set up bogus accounts, successfully getting approved for everything from a $500 loan to AT&T and Verizon wireless accounts to—my personal favorite—a $312 spending spree at food and gift basket purveyor Swiss Colony. Davis’ response? “We have always said that no one can completely stop identity theft, including LifeLock.”

So why bother with these services? For some, it’s a cost-benefit analysis. LifeLock, for example, offers up to $1 million in insurance to those who sign up so they can deal with the financial fallout from identity theft. Udler, for one, took advantage of that to get the company to pay for an attorney to represent him after he was called to testify in the case against the man caught with his driver’s license.

Moreover, if they don’t quite offer one-stop shopping, an identity-theft service can still make your life a heck of a lot easier. If you’re offered free access to a plan, why say no? It might even be worth paying for, even if you aren’t the victim of a hack (that you know of).

Yes, a person can, as numerous personal finance experts and websites point out, cobble together a do-it-yourself identity-theft service. Those actions would include regularly reviewing your credit report at all three of the major agencies. Federal law ensures you one free copy at each annually. You might also put a freeze on your credit reports. That means no one can access your report unless you give permission via a unique personal identification number.

There are also free credit-monitoring services offered up by such personal finance protection companies like Credit Karma and Credit Sesame, though it’s worth noting that you should probably sign up for multiple free offers since, again, many of these services aren’t all-encompassing.

But all of this will definitely take work. And all too many of us humans are busy. “We all have lives but for hackers and ID thieves, we are their lives. We are their day job,” Levin says. “They can afford to concentrate their time on us, because they win big if they get us.”

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.