The attackers who broke into Anthem Inc. databases absconded with details associated with 80 million people but didn't steal medical records. Still, they took enough personal information that, in the wrong hands, it could make life miserable for affected consumers.
According to identity theft experts, the toxic combination of Social Security numbers, birthdays, addresses, and e-mail addresses is a potent one for carrying out a raft of scams.
The breach itself could be used to trick consumers into giving up even more personal data to bad guys. Now that Anthem has alerted tens of millions of consumers that the company will be in touch if their records were compromised, those members should be on the lookout for correspondence.
"Now the hackers are going to be aware of that and they're going to attempt an e-mail supposedly from Anthem and then attempt to phish for more information," says Brian Richards, identity theft product expert for Protect Your Bubble, a national ID protection insurance firm.
"So that's your highest risk," he says, referring to the practice of phishing in which digital con artists use e-mails to trick people into handing over sensitive information.
These kinds of "piggy-back attacks" are a classic approach following a public breach, says Lee Winer, senior vice president of products and engineering for Rapid7, a Boston security firm.
Anthem did alert customers that future correspondence would come by snail mail, a move that it should get kudos for, says Dwayne Melancon, chief technology officer of Tripwire, a Portland, Ore., risk management firm.
But Mr. Melancon recommends caution on that front, too. "Be on the lookout for potentially fraudulent requests for information requested by mail – remember, the criminals have mailing information, as well," he says. "Trust, but verify."
Meanwhile, consumers should be aware that the information already stolen grants criminals the power to carry out a number of fraudulent attacks far more dangerous than phishing, says Mr. Richards of Protect Your Bubble.
"We're worried about them getting into your credit report because they have your social, your e-mail, as well as your address and other key verification pieces," he warns, explaining that from there an attacker could potentially have cards cancelled and reissued to bogus post office boxes or, more frightening, have entirely new cards issued.
"I've seen in the past where hackers will tap your credit limit as far as it can go," Richards says.
The information stolen may also be enough to approach victims' banking institutions and execute wire transfers or take out auto loans. Many financial institutions use Social Security numbers, dates of birth, and addresses to verify changes to passwords and to verify financial transactions.
In order to protect themselves, says Richards, consumers should think about taking the following steps:
1. Change e-mail contact information with Anthem and other financial institutions
"E-mail has gotten far more important for verification these days," Richards says. Consumers can take away the potential for phishing or future fraudulent action by essentially burning the e-mail address they had associated with their Anthem account, he says.
2. Contact credit bureaus and set up monitoring
Some experts such as Melancon suggest that consumers potentially affected by the breach consider freezing their credit report altogether.
But that may be extreme unless a consumer has confirmed they're affected and there is already suspicious activity on their accounts, Richards says. At the very least, consumers should set up monitoring and stay on top of new activity on their report, he says.
3. Set up alerts with financial institutions
In the same vein, Richards recommends that consumers approach all of the financial institutions and card companies they do business with and set up alerts for high-risk transactions within their accounts.
4. Change your challenge questions
Finally, another way consumers can protect their accounts is by changing the challenge or verification questions they use to new questions they've never used before.
"I'd advise they set up those security questions across all of their financial institutions, so their banking institution for accounts, mortgages, auto loans, and so on," Richards says. "That's really important."