Signage for a T-Mobile store is pictured in downtown Los Angeles, California in this Aug. 31, 2011, file photo.

12,000 Mainers may have had their data breached. Here’s what they can expect.

“This is organized criminal activity,” Jane Carpenter, founder of Maine Identity Services, said. “This information has value.”

Published Oct. 09, 2015, at 6:29 a.m.     |    

12,000 Mainers may have had their data breached. Here’s what they can expect.

Posted Oct. 09, 2015, at 6:29 a.m.

Twelve thousand Mainers may have had their personal data compromised in the recent data breach at Experian, a national credit agency, which processes credit applications for T-Mobile.

All told, the data breach affected nearly 15 million Americans who were T-Mobile customers or had applied for phone service through the company as far back as September 2013. The company said the breach exposes some of the most sensitive personal information: Social Security numbers, dates of birth, names and addresses.

Earlier this year, a breach at Anthem exposed the data of 531,000 Mainers. And that’s just the start of a long list. Hackers have stolen data in recent years from some of the largest companies in the U.S., including JP Morgan Chase, Home Depot, Target and Kmart, and even the federal Office of Personnel and Management, gaining access to millions of people’s personal data and banking information.

It should come as no surprise that the federal government reports that identity theft is one of the fastest-growing crimes in the country. The Federal Trade Commission reports that 693 Mainers filed identity theft complaints last year, up from 511 in 2013.

Identity theft may affect as many as one in five Mainers, according to Jane Carpenter, founder of Maine Identity Services, a company that advises victims and law enforcement agencies across the country on how to deal with identity theft, and an eight-year veteran of the Consumer Protection Division of the Maine attorney general’s office.

But fewer than 8 percent of the 17.6 million Americans age 16 and older whose identities were stolen in 2014 ever filed a police report, according to the U.S. Bureau of Justice Statistics.

“This is organized criminal activity,” Carpenter said. “This information has value.”

Last year, identity theft victims lost a combined $15.7 billion, according to the Bureau of Justice Statistics. Most of this cost was the result of criminals using victims’ bank accounts and credit cards to rack up sometimes hundreds or thousands of dollars in fraudulent purchases, which last year accounted for 86 percent of identity theft cases.

Limited liability

While these numbers seem frightening, victims don’t necessarily have to bear the full cost. Federal laws — such as the Fair Credit Billing Act and the Electronic Fund Transfer Act — limit an identity theft victim’s liability for fraudulent purchases and provide a pathway to recoup lost money. Many credit card companies have even adopted in-house zero-liability policies with the same goal in mind, Carpenter said. In fact, the Bureau of Justice Statistics notes that some or all financial losses from identity theft are reimbursed to victims.

Once fraudulent activity occurs, a “stopwatch starts,” Carpenter said, so identity theft victims need to act quickly to avoid being held liable. Under the Electronic Fund Transfer Act, for example, victims won’t be liable for more than $50 in fraudulent activity if it’s reported to the bank within two business days; after two days that liability won’t exceed $500; but if the activity isn’t reported before 60 days the victim may be liable for all fraudulent charges.

As long as people take the appropriate steps — file a police report, contact their bank or credit company — the case is “more often than not resolved in the victim’s favor,” she said.

Most cases, according to the Bureau of Justice Statistics, take less than a month to resolve.

The Maine Legislature also has taken action to help Mainers protect themselves against identity theft. A new state law that goes into effect Oct. 15 offers Mainers free security freezes on their credit reports if their personal data have been compromised by a data breach. With a security freeze in place, identity thieves aren’t able to use someone’s credit to open new accounts without access to a PIN number issued by a credit bureau to the consumer, which is “a highly effective way to keep someone from using your credit,” Carpenter said.

Theft’s changing nature

As banks and individuals have gotten better at defending accounts from misuse, Carpenter said she has seen a transition away from traditional identity theft associated with bank accounts and credit cards because of efforts made to quickly prevent fraudulent transactions.

“Criminals have realized credit card fraud isn’t as profitable as it once was,” she said. “Instead, they are migrating to tax return fraud and stealing Social Security numbers.”

The most recent data breaches — Anthem and T-Mobile, for example — have yielded criminals a treasure trove of Social Security numbers and other information. While the Social Security Administration is mum on how many numbers have been stolen, these attacks have put millions, including thousands in Maine, at risk.

Stolen Social Security numbers “can lead to more significant and long-range problems for victims” because they can be used to open new accounts, file fraudulent tax returns, get medical care and secure government benefits.

And unlike stopping the use of an existing bank account, “you can’t cancel a Social Security number or date of birth,” Carpenter said.

Identity theft victims whose Social Security numbers have been stolen have a hard time bouncing back from the theft. According to the Bureau of Justice Statistics, victims of such identity theft might spend a year or longer repairing the damage.

“We need to be careful as individuals about where we put our information and who we give it to,” Carpenter said. “And the people we give it to also have a responsibility to keep it secure.”

SEE COMMENTS →