Like many Americans, I recently received a letter from a financial institution, in this case my bank, informing me of a data breach with one of their third-party vendors called MOVEit.
The MOVEit software is a file transfer system that is used globally. There was a vulnerability in the software that allowed hackers to steal files containing sensitive customer data from many companies including government agencies, healthcare firms, insurance companies, law firms, and major financial institutions. Even companies that did not directly experience a breach of their internal systems may have had data compromised through external service providers.
We should note that some of the largest financial services companies in the world have been impacted, including Charles Schwab and TIAA (TD Ameritrade, which merged with Schwab, was impacted). See Schwab’s statement on the breach here: https://www.aboutschwab.com/international-moveit-hacking-incident
At Level Financial Advisors, some clients have reached out after receiving similar letters. At the heart of these communications there is an important question: What should we do now?
Any defensive driving course will tell you that there are things you can control as a driver and there are variables outside your control. You cannot control other drivers or the weather conditions, but you can control the speed at which you drive and the distance at which you follow another car. The same concept applies to cybersecurity. As consumers, we cannot control data breaches but there are actions we can take to safeguard ourselves.
Credit: Monitoring, Freezing, & Fraud Alerts
Many of the companies breached are offering free credit monitoring for consumers impacted by the event. You should consider taking advantage of that monitoring. Regardless of whether you choose to use the services offered, you should be monitoring your credit periodically yourself by requesting a free copy of your annual credit report from each of the credit reporting bureaus.
Additionally, by contacting one of the three credit reporting bureaus, you can set up a fraud alert which will alert future creditors of possible fraudulent activity and require them to contact you before establishing any accounts in your name. Once you contact one credit agency, the other two should automatically update with the same alert.
Alternatively, you could choose to freeze your credit, which would prevent any lines of credit being opened in your name, even if a hacker has your personal data. This option requires you to contact each of the credit bureaus. You should be aware that this does not prevent fraudulent activity on currently existing accounts. There are pros and cons to this option so do your research before making this choice.
Change Your Passwords
Passwords should be updated every 60 to 90 days. They should be complex and random: 16 to 20 characters including special characters and numbers. Long phrases (not common ones) are a great way to create very complex passwords that are easy for people to remember but hard for computers to guess. Passwords should never be duplicated or reused across software or sites. Consider using a password manager to store passwords securely.
Use Multifactor Authentication
In this technology-driven world, it is important to recognize that passwords are not enough. Multifactor authentication should be set up on every account that offers that option. This adds an extra layer of difficulty in accessing data. It requires both a current login and a second proof of identity. This is often a code sent to your phone, email, or an app. Even if a hacker had access to your username and password, multifactor authentication should block them from accessing an account or changing information.
Account Monitoring and Alerts
You should be reviewing your accounts regularly to check for fraudulent activity. One way to do this is to set up alerts that are sent to your phone, app, or email. Most financial institutions offer the ability to set alerts for transactions, balances, and changes to personal data. I would recommend that you set up all the alerts you can for each of your accounts. Because of the increase in SMS fraud, many financial institutions recommend using the alerts on their mobile app.
Update Account Numbers
I suspect we’ve all experienced the pain of having to change our account numbers at some point in our lives. When I lost my wallet a few years back, and later found it, I still had to change my accounts because it was out of my possession for a short period of time. Resetting everything that was attached to my credit or debit card was a time-consuming process. It ultimately was worth the labor. If your account numbers were exposed in this breach, you may want to consider opening new accounts with new numbers.
As often happens with these major cybersecurity incidents, there is ongoing research into what happened and who was impacted. It may be months before consumers know the full scope and consequences of this breach. I predict that when the investigation is complete, this will be one of the largest breaches ever experienced.
The key to safeguarding yourself against cybersecurity breaches is creating layers of protection. It should take much more than an exposed account number to make a transaction or change information in my accounts. The other layers of security I have in place should shield me. Things like multifactor authentication, alerts, updated complex passwords, credit monitoring, and general awareness of account activity should protect my finances even if my data has been exposed. The steps listed above are best practices regardless of whether you personally were impacted by this particular cybersecurity breach.
Bethany Wagner, IAACP®
Assistant Compliance Officer and Technology Specialist