On the one hand, the breach of JP Morgan Chase is not as bad as it could have been. But how do you measure relative “badness” of a breach? If your quantification includes how much stress and wasted time it costs those people affected, this type of breach is worse than it appears.
As with any breach, if you are one of the victims, how much it affects you will vary considerably. I recently spoke with one victim (she requested not to be identified) who is having such a difficult time that it borders on the absurd. Starting in late June or early July, she started getting a bunch of calls from a variety of shady businesses. At first, this was a bit of a mystery, as she does not give this number out to anyone other than people she knows, though she had used it as a contact number for a few different accounts.
When Chase first announced their breach a month ago, which started during the same time-period as this barrage of phone calls began, the pieces of the puzzle began to fit into place for her. She had been a customer of Chase when their breach occurred, and had two accounts which she had accessed via Chase's mobile apps.
You may be wondering what the big deal is… phone calls? Just quit answering, or block the numbers. Problem solved, right? Not so much, when the calls have been coming in roughly once every 30 seconds since the beginning of summer, from a random pool of numbers. At this point, the only answer is to change her number. (Woe betide the poor person to whom that number is assigned after her!)
She’s looked up the numbers of many of the callers, and they are all from a bank of telephone numbers assigned to VoIP (voice over IP) carriers that can’t be traced back to a company or person. And while the calls all appear to be from US numbers, the callers all have very thick foreign accents which might suggest that these are not in fact US-based companies. (Especially since they have not responded to requests to have her number removed from their databases.)
The content of the calls themselves varies somewhat, but they have all been the sort of call that most folks dread getting: There have been requests to complete surveys, offers of “free” vacations, and a variety of “vishing” scams where the caller tries to lure or scare you into revealing (or confirming) more valuable information.
Her response to these calls is notable, from a security perspective: She will neither confirm nor deny the information they present her with. This is the best way to respond to sketchy calls, if you opt to respond at all. As my colleague David Harley suggests in a post about bank card courier scams, “It’s more important for you to be able to verify their identity than vice versa.” And unless you have verified their identity to your satisfaction, you do not need to tell them anything, even if they already seem to have the information.
If you are looking for tips for identifying or responding to common scam calls, the FTC site has some excellent information. If you’re looking for broader information on a variety of different types of frauds, the FBI site has a wealth of both tips and descriptions. The response tips basically boil down to exercising a very healthy dose of skepticism when companies are contacting you, especially from unknown numbers.
While the consequences of identity theft may be more problematic and time-consuming than the consequences of the theft of “mere” personally identifiable information like name and phone number, this does not mean it is a non-issue. All these data have value for criminals.