Not long ago Sarah Palin’s Yahoo.com email account was hacked. The hacker used a simple scheme and basic social engineering tools (research on Google and Wikipedia, common-sense guessing) to reset the password on the account and assume ownership of her email.
In addition to denying Governor Palin access to her own account, the hacker had full control to:
- Read every saved and current email in her account (hopefully she never sent her Social Security Number, passwords or account numbers via email, not to mention correspondence pertaining to her role as candidate for Vice President of the U.S.)
- Steal the email addresses and any other sensitive information stored in her contacts (John McCain might want to change his email address)
- Send out emails as if the hacker were Sarah Palin, or worse yet, send out official emails as Alaskan Governor, Sarah Palin
Here is a sampling of the steps I would recommend should this happen to your company:
- Before closing down the compromised account, review all of the emails and contacts to which the hacker had access. Any account numbers, passwords, pin numbers or other personally identifying information that she sent via email should be handled on a case-by-case basis. For example, if you emailed a credit card number, that account should immediately be closed. This is a perfect example of why you shouldn’t send any information by email that you don’t want published on the front page of a newspaper.
- The compromised employees should subscribe to an identity surveillance service so that they can monitor the illegal use of one’s identity beyond standard credit report tracking. Remember, less than 20% of identity theft touches your credit report, so it is important to monitor other sources of risk, including non-credit loan reports, cyber-trafficking of your personal data, and court, criminal or government documents posted online, etc. The compromised data may not be used for years, so it is important to keep a watchful eye over time and not resort to a one-time credit check.
- Monitor her credit reports for free. This is important because it will allow one to establish a baseline credit file. In other words, one will know what the credit portion of their identity looks like before the thief has a chance to take advantage of it. That way, when the credit file changes (and she is alerted to the change by the surveillance service in step 2), one will immediately recognize the change.
- At the very minimum, place a fraud alert on one’s credit file with Experian, Equifax and TransUnion. I recommend going one step further and actually placing a complete credit freeze on one’s social security number. This will keep any identity thieves from setting up new credit accounts in one’s name by assigning a password to the credit file. It is slightly inconvenient and can cost a few dollars, but it is the best step for someone whose identity has been knowingly stolen. Make sure to sign up for the identity surveillance (step 2) before freezing credit, as this makes the monitoring process more difficult.
- Change habits. The longer-term solution to this problem is for one to stop revealing so much personal information (to corporations, on the internet, etc.). Identity thieves collect personal information about you in small pieces (a birthday from Wikipedia, your address from Google, your home value from mypublicinfo.com, private details from your blog or website, etc.). This is not an easy task. But a bit more discretion on her part will go a long way.
Image credit: Nate Bolt
John Sileo is not your average businessman. After losing his business to data breach and his reputation to identity theft, John Sileo became America’s leading identity theft and data breach speaker. His recent clients include the Department of Defense, the FDIC, Blue Cross Blue Shield, and Pfizer. Learn more at sileo.com.