What You Need to Know:

In July 2021, fashion retailer Guess?, Inc. notified affected customers of a ransomware attack and data breach that occurred in February 2021. Breach victims learned that several of their sensitive identity credentials — including Social Security numbers, driver’s license numbers, passport numbers and financial account information — were exposed. Without knowing what kinds of identity crimes they might be at risk of, or more importantly, how to protect themselves, they were left to speculate about the best course of action.
Unfortunately, working out how to proceed without specific guidance is where breach victims (and some industry experts) go wrong when it comes to knowing what to do after a breach.
Using artificial intelligence (AI) technology, breach victims no longer need to rely on guesswork to determine if their risk profile has changed and exactly what steps they should take to protect their financial lives.
The Value of Non-Generic and Actionable Breach Notifications
Data compromise is what makes identity crimes possible. If companies and individuals could stop the data from being exposed to criminals, identity crimes would disappear. But the one-two sequence of identity crimes — steal the data, then use stolen data to impersonate the identity-holder — won’t go away. Every breach exposes a unique set of identity credentials, such as contact information, financial account data, government-issued records (such as Social Security numbers) or medical data, to a new set of bad actors.
At Sontiq®, a TransUnion® company, we can help breach victims understand the best actions to take based on what personally identifiable information (PII) was exposed and their specific risk profile. Rather than advise consumers to take the same two or three actions for every single breach, we use AI to take a hyper-personalized approach. This empowers consumers to proactively act when their information is breached so they can mitigate potential damage.
The Guess breach is a good example to showcase how our BreachIQ™ feature works. The AI-driven algorithm analyzes more than 1,300 data points of a data breach to assess the risk level. Based on that analysis, a risk score is assigned from 1 (the lowest risk level) through 10 (the highest risk level). It then prescribes specific actions from over 50 distinct possibilities that the consumer can take to protect themselves, giving each affected person an answer to the question, “so what do I do now?”
Personalized Answers for Guess Data Breach Victims
This AI-driven method answers three important questions for victims of the Guess breach.
1. How dangerous was the Guess data breach?
The Guess data breach scored a ‘6’ on our 1-10 scale, so the risk is not trivial.
This score is computed from the risk profile assigned to the specific identity records that were exposed, which include:
- Social Security numbers
- Passport and driver’s license numbers
- Financial account information
- Victims’ names
2. What risks were elevated by this breach?
BreachIQ’s AI algorithm flagged four specific risks as a result of the Guess data breach:
- Fraudulent establishment of new credit (loan) accounts. Financial providers rely heavily on government-issued identity records for verifying the identity of new account applicants.
- Existing financial account access or takeover. Identity criminals often use government-issued ID records to impersonate the identity-holder when claiming that they lost their account password.
- Evading the law. Convicted criminals can sometimes work under an assumed identity to avoid law enforcement officials. BreachIQ’s algorithm calculated this as a risk for victims of the Guess data breach because ID criminals rely heavily on government-issued IDs, which are only rarely exposed in data breaches.
- Phone or utility fraud. This is a less common form of fraud but, for this breach, it is the fourth-highest risk because large service providers often rely on official ID documents.
3. What actions must victims now prioritize to guard against the change to their risk profile?
- Set up multi-factor authentication (MFA). The additional verification required can help stop criminals from trying to use exposed ID credentials to reset a supposedly lost password in the victim’s name.
- Freeze credit if you are not actively applying for new credit. This step makes it more difficult for fraudsters to gain credit using a stolen identity.
- Set up credit monitoring. To be even more proactive, set up Identity Protection monitoring to keep an eye on personal information in public records, social media networks, the dark web and people search sites.
- Notify the Department of Motor Vehicles (DMV or RMV). This enables state agencies to flag records and alert other government employees to the risk now associated with the compromised ID.
Breaches elevated the risk of identity crimes, which totaled $5.8 billion in the U.S. in 2021. Individuals who proactively take measures to reduce their risk of identity theft with personalized insights and a holistic approach to their protection can be better prepared to counter the threats that come in the wake of a breach.