It wasn't me, I swear

What to do when you're among the millions swept up in a data breach

A mobile phone displaying the United States Federal Trade Commission's identity-theft site

Identitytheft.gov is a helpful resource for reporting and recovering from the theft of your personally identifiable information.

Mike, a Raytheon employee, had a trove of personal information stolen in a cyberattack that affected millions. Here’s what happened and how he dealt with it:

The email came on an August morning.

My identity protection service – the one provided to me and everyone else whose Social Security numbers, travel records and more were stolen in a huge data breach years earlier – wrote to tell me a telecom company was checking my credit.

That was weird; the company was 2,000 miles from my home, and I’d never contacted them to set up service. I called to straighten it out, but nobody knew anything. They just kept bouncing me from department to department. I hung up and forgot about it.

A year later, the collection notices and nasty calls started. I owed $500 on an account someone opened in my name.

I didn’t know what to do – and neither do many of the millions who face this kind of thing every day. I do know what to do today, so here, I’ll walk through how I’ve handled the theft of my identity through the years – including a few mistakes I made and how I’ve corrected course.

Check and alert

I should have called the ID protection service immediately after reading that email. But calling even as late as I did still helped. My case manager put a one-year alert on my credit, meaning the big three credit agencies had to contact me and verify my identity before anyone could open an account in my name. I also had the option to freeze my credit. Both choices are free in most states and are available to anyone at any time.

The ID protection service also helped me file a dispute on the fraudulent credit inquiry. Next, we conference-called the fraud department at the telecom company. They marked the account as fraudulent but refused to stop collections until I filed a form that required my SSN, a copy of my driver’s license and proof of address during the time the fraud occurred.

That was more information than it took the ID thief to open the account in the first place. Having already had my information stolen, I didn’t exactly feel like handing it over again. I took a different tack.

Use the internet to fight back

The internet helped me get into this mess, but it also helped me straighten it out. I went to identitytheft.gov, a free and user-friendly site for victims of ID theft. There, I filed a fraud report with the Federal Trade Commission and signed it under penalty of perjury – a helpful step in showing creditors your claim is legitimate.

I got a theft report, a recovery plan and a customized letter asserting my rights as a victim. I sent the report, letter and proof of my identity to the collection agency, telling them the account was fraudulent and that the law required them to stop collection. It worked. They backed off.

Then I filed an identity theft report with my local police department and utility fraud reports with the appropriate agencies in both my state and the state where it occurred. All three were easy to do online, and they also lend legitimacy: Just like the FTC report, I signed these under penalty of perjury.

I sent all these documents to the telecom – even the fraud form they'd wanted originally. I left my SSN blank and redacted sensitive information on my drivers license and proof of residency.

From there, I checked my ID protection service to see exactly what they were monitoring. They were keeping an eye out for uses of my SSN, email, name and more, but there were a few other unchecked options, like my passport number and my kids’ personally identifiable information, so I selected those as well and ran a scan.

No results found. Phew.

But wait, there's more

As all this was happening, my identity service told me my logins for certain sites had been compromised. I changed the passwords on those sites but failed to realize I was also using them on other sites.

A few months later, we noticed someone had logged into the family accounts on our music subscription service and replaced the names and emails. So I changed the password on the master account, deleted the new fake accounts and set the old ones up again. Then I got a security notification that someone signed into our video streaming service from eastern Europe. I changed the password and signed out of all devices.

I checked the password manager on my phone, and let's just say I had some work to do on my cyber hygiene (more on that from our experts here). I closed accounts I no longer used. For the others, I switched to strong, unique passwords – no duplicates. And whenever a site or service offered two-factor identification, you can bet I enabled it.

Ultimately, it’s up to you

The big lesson here was that, even though I have a service monitoring the use of my identity, the responsibility for this ultimately falls on me. I need to mind the alerts and act on them when necessary. As I learned, when it comes to ID theft, the burden of proof falls mostly on the victims.

At first, this whole thing left me rattled. But now that I’ve changed my approach and improved my cyber hygiene, I feel empowered. I know what’s been taken. I know what to look for. And I know that if I ever get caught up in another data breach, I won’t react with fear or exasperation. I’ll know just what to do.

Last Updated: 12/10/2018