Uncloaked: A Cybersecurity Podcast

Ep. 27 | The Real-World Impact of Identity Theft


From the immediate chaos of a SIM swap to the long-term exhaustion of reclaiming a stolen Social Security Number, identity theft thrives on both human error and AI-driven deception. Join Michael Bruemmer, VP of Global Data Breach Resolution at Experian, for an essential discussion on the mechanics of modern fraud, real-world cautionary tales, and the proactive measures—from credit freezes to identity restoration—required to safeguard one's legacy. 

If you're interested in learning more, you can request a demo with BlackCloak here, or visit the BlackCloak website

SPEAKER_01

Welcome to Uncloaked, a cybersecurity podcast brought to you by BlackCloak, the pioneer in digital executive protection and leader in personal concierge cybersecurity. I'm Dan Vasco, and today we are talking about the impacts of identity theft. And joining me for this discussion, I can think of no one better than Mr. Michael Bruemmer, Vice President of Global Data Breach Resolution at Experian and recent addition to the BlackCloak Advisory Board. So thank you so much for being here.

SPEAKER_00

Thanks, Dan. I appreciate being here.

SPEAKER_01

Absolutely. Really looking forward to this discussion. It's an important one, and I know that obviously identity theft, we can go on for hours about the different ways that this kind of manifests. But starting off broadly, when we talk about the overwhelming majority of breaches stemming from human error for as far as we can look back, in your experience dealing with identity theft, what is the most common everyday mistake that maybe you see high-profile individuals, companies even, make that inadvertently roll out that red carpet for cyber criminals?

SPEAKER_00

Well, one of the things that I see probably most often is people don't think they're going to be in the limelight or they're going to be the person that's going to be impacted. So they think there's someone else that might be more exposed, so they're unaware. Second thing, they're not worried about all of their devices, particularly those outside of their work environment. So that may be a home router, it might be your Wi-Fi connection, it might be your kid's laptop, something like that. And then last but not least is exposure in the public view. So anytime a high net worth individual goes out, they need to be protected not only from, let's say, people attacking them, but inadvertently clicking on a QR code or clicking on a malicious link just through the normal course of their business.

SPEAKER_01

We're also moving into an era now where cyber criminals are working smarter, not harder, mostly by leveraging AI to do so. How are you seeing these tools being used to obviously trick the most vigilant people into giving up their sensitive data or just being used to extract that sensitive data by other means and then ultimately leverage that in an identity theft attack?

SPEAKER_00

Well, first let me start by explaining AI versus non-AI, because a lot of people think, you know, what is it? So think of a bike and you're riding down the street and you have to push hard to go up that hill. But when you add an e-bike to that and you have a motor in it, you can go up the hill faster, you can go further, and with much less effort. That's what AI does to a cyber attack. So AI makes the attacks more pervasive, they're harder to detect, and they're much more difficult for consumers to be able to unwind that type of threat because AI makes it more complex.

SPEAKER_01

Gotcha. So when a bad actor does obtain this information, um, particularly social security numbers, uh, what is the next step? What do they do to then implement uh this you know full-fledged um either fraud or uh just other aspects of identity theft? I'm really curious what that process looks like once they have the information.

SPEAKER_00

So as a fraudster, time is on your side. Once you get a unique identifier, whether it's a social security number, whether it's a passport, whether it's an account number, once you have that information, the first thing they'll do is hold on to it. The second thing, they'll amalgamate other data. So there's other data sets out there that go beyond those unique identifiers that can be still attached to that individual to build a portfolio. And then once they have enough information to be able to execute an attack based on what they're targeting, then they'll go in and they may use some other people to help them go in where they attack, they wait, they look for what they're uh wanting to extract, and then they go out without being undetected, all with the help of AI.

SPEAKER_01

So, you know, a big part of that is I think perhaps a lot of people think that this is something that occurs in the moment or you know, rapidly, whereas a lot of times it can be the long play that ends up hurting them the most.

SPEAKER_00

Absolutely. I would say there is a relationship to the higher value target, whether it's a high net worth individual, a government official, a network administrator, a CEO. People on the dark side are willing to wait, be patient, get the information, get the attack vectors, find out what their ingress strategy and egress strategy is, and they may wait months or years before they actually execute an attack so that they can end up getting what they want, not getting caught, and then being able to use that data over and over again.

SPEAKER_01

Can we dive into some of the impacts for the victim? Um, you know, because some of these last years, they take a really long time to overcome. Can you talk a little bit about um just the real-world consequences of an identity breach?

SPEAKER_00

Well, one of the breaches that we did back in 2019 impacted about 800 million individuals. You think, wow, that's three times uh the population of the United States. But this database had been kept around for over 20 years, so there were a lot of people that even were deceased, but it contained mortgage information, Social Security numbers, account IDs, wire transfer information, as well as other personal identity information. And of course, it was a treasure trove, as I said with my earlier answer to the question about how people will wait on data because it doesn't go stale. This data today, and we're seven years down the road, is still being used in attacks. It's being bought and resold and used by other players. So a big breach like that will live on forever.

SPEAKER_01

Yeah. Keeps recycling. Yep. Going off of that, and honestly, that may be a big answer to this question, but you know, in your many years and dealing with data breaches over 70,000 uh plus at this point, um, what sticks out to you? What are some of those stories that really stick out to you? I know we just talked about one, but um would love to hear some others that um you've remembered over the years.

SPEAKER_00

Uh a couple fun ones. Uh we did a breach once where we provided a 1-800 number for people to respond. We sent out the notification letters on behalf of the client, and then we set up a 1-800 number and provided identity theft protection. But the client actually, when they were proofing their letter, gave us the okay to go ahead on the wrong phone number. And it turned out to be a 1-900 porn line that people were calling into, and so what we had to do was we went out to the operator, we said, How much do you want for this number for three months? We'll buy that line from you so we don't have to reroute calls or send out notification letters. So we bought a porn line for three months so that people could call in and get the legitimate FAQ line. That's one of my favorite stories.

SPEAKER_01

That's a wild one, no question. I'm sure you've seen some crazy things in your time dealing with these. There's never a dull moment, I suppose.

SPEAKER_00

No. The other one goes back to 2012 when the state of South Carolina and their Department of Revenue breached all of their citizens. Any of the records going back multiple years was over six or seven million people. And unfortunately, during the data breach, the one thing you don't want to do is have a lot of media attention, not only for the client, but so consumers don't overwhelm the call center once they receive the notification if they're going to ask questions. And at the time, the governor, who will remain nameless, decided to go to the media and put our toll-free number scrolling across the bottom of the screen. And it's the only time in history that I was ever accused of blowing up our call center because we were getting 28,000 calls a minute because the governor put out and she put out the number on uh social media as well.

SPEAKER_01

Wow, wow. Uh looking towards solutions now, what are some easy ways that people can mitigate their risk of identity theft? And you know, I know we talk about credit freezes and credit monitoring, all that. Would love to get your thoughts on some of those and other practical steps.

SPEAKER_00

So you mentioned credit freeze, and the credit freeze right now is the easiest and simplest way to have a blanket of protection. So by applying a credit freeze, you actually stop people from being able to open accounts on your file in your name. I also believe in layers of protection. So think of the defenders in medieval times around the castle. They had burning oil, they had spears, they had a moat, they had a drawbridge, there were layers of protection. So simple things like don't click on any links, don't answer any phone calls, make sure you're using two-factor authentication on sites where it's available. Use a password manager so you don't have to remember all your passwords, you just have to have one master password, and all of those passwords are encrypted. Never use public Wi-Fi. Never click on any QR codes. They're convenient and they came up particularly during COVID because it was easy to go into a restaurant, not touch the menu, and click on that QR code. But you and I, Dan, we can't tell the difference between a good QR code and a bad QR code. And then last but not least, I would say be a chicken little. If it seems suspicious or something doesn't seem right, don't back out of that situation. Don't pick up that phone call, don't read that text, just delete it and walk away.

SPEAKER_01

Yeah, it's um always good to practice vigilance in these situations. Um, and to that point as well, the urgency is what everybody preys on largely, right? So uh if it seems that uh action is needed instantly and immediately, that's probably the first initial uh red flag. Yes. Going back to credit freezes real quick, do you feel that there's uh people misunderstand it? I think uh it seems that a lot of people think it's way more complex of a thing. Uh it almost seems like there's a lot of friction. Um some people even think it you know sounds um you know uh dangerous or difficult. Um, but really, I mean to your point, it's one of the simplest ways and effective ways to curb this.

SPEAKER_00

Yes. Let me start with the difference between what is a fraud alert and a credit freeze or a credit lock, because it is sometimes confusing. So the credit freeze literally are those uh bollards that pop up in front of you at the stop sign and will not let you go. So a credit freeze stops anybody from getting a new line of credit in your name. A fraud alert, on the other hand, is like a yellow caution sign instead of a stop sign. It tells a potential creditor, hey, you better check the file before you authorize this transaction, but it doesn't stop the bad guy from actually opening an account in your name.

SPEAKER_01

Gotcha.

SPEAKER_00

A credit lock is simply just like a credit freeze. It's actually something that we have in our Experian app, credit lock, and it's in the app where you can toggle your credit frozen or unfrozen, and you can do it for a period of time. But a credit freeze, if you call in, you can go ahead and you can unlock it for a period of time. Let's say it's a day or two days so that you can apply for credit and then lock it again. It's free with every single credit bureau. You have to go to each bureau to freeze your credit or unfreeze your credit. But we've made it simple in our Experian data breach product called Identity Works. We actually have a widget in there so you can go directly and freeze your file, makes it more convenient for consumers that have been affected by a data breach.

SPEAKER_01

Gotcha, yeah. So really simple and easy to unfreeze and freeze all the same. So really good stuff. Before we close out, Michael, any closing thoughts on identity theft uh in general? Um, any other words of wisdom for the audience?

SPEAKER_00

Well, I would be remiss since we're sitting at the beginning of April. It's not April Fool's Day yet. That's right. But tax season is right around the corner, and there's still a lot of tax scammers that are out, especially because a lot of high net worth individuals will file right before April 15th or do an extension, and the tax people are targeting, either intercepting the person that's doing their taxes, looking for a site where they're storing their tax data in the cloud, or trying to get them to respond to, oh, by the way, hey, you're late on your taxes, or there's a sense of urgency about not paying your taxes, just disregard all those scams right now. Keep your head down and pay your taxes on time.

SPEAKER_01

Great stuff. Michael Bruemmer, really appreciate it. Thank you so much for being here.

SPEAKER_00

Enjoyed it.

SPEAKER_01

You can listen to all episodes of Uncloaked at blackcloak.io/podcasts or on your platform of choice. And if you're interested in becoming a member or want to learn more about how to protect your digital life, visit us at blackcloak.io. Thank you for tuning in, and we'll see you next time on Uncloaked.