When your data is on the dark web, there are consequences. Stephen knows all too well.
“I was so paranoid,” he said. “I was, like, ‘How do they keep getting in?’”
NBC Bay Area is not using Stephen's real name or revealing his location because he said thieves launched an all out attack on his identity. He added they hacked his email, drained his frequent flyer account and got cash advances from his credit card. He couldn’t stop it.
“I couldn’t prove that I was me,” he said.
Stephen said the con started when a corporate data breach leaked his social security number. A thief then called his bank. “And successfully impersonated me, using my leaked social security number,” he said.
'New' breaches on the news?
If you watch the news daily, it sure seems that, daily, we’re reporting new data breaches. Data breach complaints to the federal government have skyrocketed. And hackers are impacting virtually every company, including our own parent company: Comcast. But how “new” are the breaches on the news? NBC Bay Area, Telemundo 48 and our sister stations around the country started looking into it.
Local
When a hacker gets into a company’s computer, California law requires a business to notify you and the attorney general, who makes the reports public. Right now, the state’s data breach database contains more than 4,000 reports. Our team analyzed all of them. We looked at the dates. And we found a lag. The average time between the date thieves got into a company’s files and the date the company disclosed the breach was a little more than six months. 27 weeks, to be exact.
“Is 27 weeks fast enough,” asked NBC Bay Area. “No,” said Thorin Klosowski with the Electronic Frontier Foundation, based in San Francisco. “That’s definitely not fast enough.”
Get a weekly recap of the latest San Francisco Bay Area housing news. >Sign up for NBC Bay Area’s Housing Deconstructed newsletter.
Klosowski says when your data is breached, you deserve to know within hours or days. “A lot can happen in that amount of time [27 weeks]. Even in 90 days a lot can happen with that data,” he explained.
Here’s the thing: California’s data breach law is a bit disjointed. On one hand, it’s very specific: the text of the notice must be in a least 10 point font. On the other hand, the law doesn’t lay out a timetable to tell consumers. It says: “the disclosure shall be made in the most expedient time possible and without unreasonable delay.” But the law doesn’t define an “expedient time” or when a delay is “unreasonable.”
A new federal standard -- but not for you
Our colleagues around the country found many other states’ laws aren’t much clearer.
“Are they all doing enough? not at all,” said U.S. Sen. Mark Warner, who represents Virginia. Warner spoke with my NBC Washington consumer investigator Susan Hogan. “We need to have quicker reporting from companies that have been hacked,” Warner said. “i think the reporting needs to be done in days, not weeks.” Warner’s vision is a federal standard. But that’s only to report to the federal government, not you.
The Identity Theft Resource Center, told NBC San Diego’s Sergio Flores that there’s no effort to get data breach notices to you any faster. “If we could wave out magic wand, we would like to see federal legislation, we would like to see minimum, uniform, enforceable standards,” said ITRC’s Eva Velasquez.
Until companies are required to tell faster, what can you do? You can start by making yourself and your data less lucrative targets.
Protect Yourself: Freeze Accounts, Ditch Bios, Add 2FA & Verbal PINs
First, freeze your credit file, so crooks can’t get credit in your name.
Next, stop re-using passwords -- which a lot of folks do. “It’s scary,” said Netgear’s David Henry, in San Jose. Netgear recently surveyed more than 2,000 people and found 67% of them are using the same password for multiple accounts. “If you’re using the same one over and over and over again, all it takes is one of those companies… just one of those companies that gets breached. And, well, that password is now on the dark web,” Henry said,
Henry also recommends two factor authentication -- aka 2FA. “Definitely turn on 2FA across all your accounts,” he said, Yes, another layer to turn on, but it’ll possibly turn off thieves. “If there are a million accounts out there and 100,000 have 2FA, [thieves] will focus on the ones that don’t,” Henry said, “It’s just lower hanging fruit. Why go after the hard stuff when you can get the easy stuff?”
Henry recommends making passwords stronger by making them longer. "Sixteen characters,” he said.
Stephen has taken additional steps to shield his identity-- out of necessity. “Before this, I had a credit freeze, I had two-factor, I had complicated passwords, and none of that mattered,” he said.
So, what’s left to do? He says limit or clean up your online footprint. He even asked at work. “I asked my employer to take my face and bio off the website,” he told us.
Stephen is convinced the ID thieves too easily answered his bank’s security questions -- after they got his breached social security number and simply looked him up online. “It’s enough to steal your identity,” he said.
Stephen also recommends asking about adding a spoken password to access your accounts over the phone. He says his bank recently added that measure for him. It's an added layer of security that might prevent another imposter from making the call that started his nightmare.
“A verbal pin on every account, that is the way you will prevent them from getting hacked,” he said.