Another major hacker attack last week exposed the names and emails of millions of consumers to cyber criminals -- and you might be on the list. As a practical matter, you can't get out of all of the massive data banks that hold your personal data. Even the names of people who opted out might be retained. But you can do your best to minimize your risk.
The latest breach occurred at a company called Epsilon, a division of Alliance Data Systems Corp. Epsilon holds the names, email addresses, marital status, credit data, and other personal information of 235 million people. It mines the names for personal shopping habits, interests, life changes such as marriage or moving, and credit capacity, and sends out targeted marketing pitches. If you get a 30 percent discount offer from Target, to take just one example, it probably came from Epsilon. The company broadcasts 40 billion email messages annually, to consumers it considers most likely to buy.
The hackers who broke into Epsilon's computer systems got names and emails tied to the banks and stores they patronize. That's especially dangerous. Using that information, they can send you notices that evade your spam filter and that you're likely to open. Say, for example, that you get an email apparently from Citibank, warning that your account has been breached and asking you to verify your personal information. If you log on with your password and bank ID, you've opened the door to a crook who can clean you out. The industry calls it "spear-phishing."
Once thieves have your password, they can worm their way into many of your accounts. That's because most of us stick with a limited number of passwords, because remembering different ones is such a pain.
The Epsilon break-in exposed the the customers of at least 43 banks and businesses (and probably more), including the financial institutions Ameriprise, American Express, Barclays Bank, Capital One Financial Corp, Citigroup, JPMorgan Chase, and U.S. Bancorp, as well as BestBuy, Ethan Allen furniture, Kroger grocery chain, the Home Shopping Network, LL Bean,Target, Visa, Walgreens, and the Hilton and Marriot hotel chains. The College Board said that students have also been exposed. You'll find the full list at DataBreaches.net.
Major data breaches occur all the time, they just don't get as much publicity as Epsilon did. You can read about them on websites such as KrebsOnSecurity and SecurityWeek. You're also being phished by phone (vishing), or with lures sent by text message (smishing).
So much of your personal data is swirling around the world that you cannot fully protect yourself. But here are some steps you can take to lower your risk:
1. Get out of marketing data bases. They all allow you to opt out, if you can find them. For example, you can block your name from being used by any of Epsilon's clients, including catalog marketers and retailers. One big problem: The database company might retain your name and just block it from being used. If a thief hacks in, he gets the blocked names, too.
2. Opt out, or Unsubsubscribe, from every commercial email list you're on. "They're required to give you that option," says Greg Aaron, director of domain security for Afilias, an Internet infrastructure company. If you opt-out at the source, your name should be removed from the large, pooled data bases.
3. Stop most direct mail. The Direct Mail Association provides a website, letting you opt out of various types of promotional mail from its members: credit offers, catalogs, magazine offers, requests for donations, and others. That should stop mail from national companies you haven't done business with before. Your opt-out lasts for five years. After than you have to sign up again.
The DMA opt-out won't stop mail from non-members, such as local businesses, charities, or mail from a company where you've shopped. You will have to contact those mailers directly and in writing (phone calls don't work). Be sure to tell them you don't want your name shared with other companies, such as Epsilon, for marketing purposes.
4. Stop your bank from sharing your name. Under the Fair Credit Reporting Act (FCRA), you can tell your bank not to give your name to any of its affiliates for marketing purposes, as well as to outside marketing firms. You have to give notice in writing, citing your rights under FCRA. Ask for a written acknowledgment that you've been taken off the list. These opt-outs, too, might last for just five years.
5. Stop sharing personal information on your FaceBook, LinkedIn, or MySpace pages with the general public. Or, share only what you wouldn't mind seeing in a database, and leave off banking identifiers such as your mother's name. Social networks can be mined, using your email address.
6. Stop phone calls from telemarketers, by signing up with the National Do Not Call registry. When the registry began, you could stop these calls for only a limited number of years. Since 2008, however, you've been able to block them permanently.
7. Opt out of credit card offers. You can stop receiving them by signing up with the OptOutPreScreen, run by the consumer credit reporting industry.
8. Don't be fooled. Never open an email telling you that you've won something, or that you have an unclaimed package, or that there's a problem with your tax return or bank account. Just by opening it, you might introduce malware into your machine, which searches for passwords to financial accounts. If your bank or credit card company apparently sends you an email, asking you to make corrections in your account, delete. It's a cheat. Or call the institution to see if it's legit, before entering any information. With the Epsilon break-in, you might get phony phishing messages from familiar retailers, too. For more tips, check the Privacy Rights Clearinghouse and APWG, an industry organization that fights online fraud.
After taking all these actions, are you safe from international financial thieves? Unfortunately, no. Anyone with banking, retail, email, college, or credit relationships will have their data stored somewhere, and the institution might not have spent enough money to keep it safe. Someday the database industry will be slapped with a massive lawsuit, and then maybe they'll start taking encryption and other advanced security measures more seriously.
More on MoneyWatch: