Thanks to nonstop data breaches, companies are paying for credit monitoring for many consumers. And while it can keep an eye on your accounts, cybersecurity experts say they aren’t a cure-all.
By Kevin Collier
It’s an email now familiar to millions of Americans: A company was hit by a cyberattack, resulting in the leak of personal information. To rectify the issue, that company is offering to pay for a credit security service to watch for scammers taking advantage of that information.
This breach-and-buy cycle has created a flood of security notifications for consumers while reports of credit card fraud continue to rise.
And while credit check services can offer a way for consumers to ensure credit cards aren’t getting opened in their names, security experts said that the services in general are of limited effectiveness.
“If you freeze your credit, and you manage that appropriately — and it’s not that hard to do it — you really don’t need credit monitoring in and of itself,” said Eva Velasquez, the president of the nonprofit Identity Theft Resource Center.
Credit check services, often called credit monitoring, have benefited from the now-steady drumbeat of data breaches from companies large and small. According to the Identity Theft Resource Center, there have been over 1,000 breaches a year every year since at least 2017. As hackers increasingly go after “supply chain” targets — companies that service multiple businesses and can effectively be a skeleton key to accessing all of them — they’re on pace to break a new record in 2023 by causing about 5.5 breaches a day so far this year.
Just this week, MGM and Caesars Entertainment confirmed they were hit by a cyberattack, with MGM properties suffering major disruptions and Caesars saying customer data had been accessed.
The annual number of individuals affected varies wildly but has remained high for years, ranging from just under 300 million in 2021 to more than 2.27 billion in 2018.
Identity theft checks are offered by many companies, but they all go through the three credit bureaus: Equifax, Experian and TransUnion, which are key cogs in the business world for their role in collecting information about consumers and their finances.
Equifax itself was the subject of one of the largest data breaches on record when hackers gained access to the data of more than 146 million people, which for many included Social Security numbers. Equifax agreed to a settlement with the Federal Trade Commission that included paying $300 million for credit monitoring services through Experian.
“I understand why Experian gets that contract. On the other hand, I think it kind of feeds this industry that is really not helping anybody except for the large credit bureaus,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
Hacked companies are subject to a patchwork of state regulations related to data breaches including a California law passed in 2003 that requires some combination of a notification to victims or free services. Legal firms that specialize in breach remediation advise victim companies to write a single offer letter to all victims that covers the bases for every state.
Identity theft like credit fraud remains on the rise. FTC data reaching back to 2001 shows that reported identity theft cases have gone up almost every year since 2001. The reports spiked in 2021, during the heat of the pandemic at 1.4 million, but the agency still received 1.1 million reports last year.
There are two basic types of services that hacked companies tend to offer: credit monitoring, which lets a victim know if someone’s taken out a credit card or loan in their name, and scanning services that look across the internet and the dark web to see if a person’s name and information is listed in a database that’s being bought and sold. Some credit monitoring services are free, while others can cost up to $39.95 per month, according to CNBC.
Both services fail to fully protect users from identity theft, experts said, and both alert customers only after things have gone wrong. They do, however, tend to generate a flood of security notifications for consumers.
“You’ve probably gotten some of these notifications — I certainly have — that are like, ‘Your cellphone number’s for sale on the dark web.’ What am I supposed to do with that?” Wolff said.
Michael Bruemmer, vice president of data breach resolution at Experian, said the company has had about 60 million enrollments in its services over the past 10 years. That still means just a fraction of the total number of people who are offered the service actually sign up — a rate that’s currently about 8%, he said.
He said Experian has been particularly busy as recent cyberattacks have sent more customers their way.
“We have been very busy over the last really three months starting in June with multiple organizations in the multiple millions of affected parties,” he said.
Velasquez said that consumers should now assume their basic information including Social Security number have been stolen and therefore focus on security basics that can go a long way to thwarting cybercriminals: using long and unique passwords for important accounts (and a password manager when possible), employing two-factor authentication, and pre-emptively freezing their credit and only unfreezing it when necessary.