
SANS ISC: Have you seen my personal information? It has been lost. Again. - SANS Internet Storm Center SANS ISC InfoSec Forums

Have you seen my personal information? It has been lost. Again.
Remember when milk cartons had pictures of lost children on them? I think of those cartons every time I get a notice that my personal information “may have been impacted” as a result of a data breach. As you might imagine, I recently received one of these letters from an organization that needs my personal information in order to provide me with a valuable service. 
These notification letters make me consider the risk of becoming numb to the impact of receiving so many of them. Will we eventually achieve perpetual “Identity Protection Services” elite status that continually monitors for misuse of our sensitive information for the rest of our lives? I wonder if the value of this service has the potential to become a little bit diluted with each and every notice we receive. Is it possible that we will soon treat these notices like a replacement credit card that arrives in our mailboxes?
What are you doing to reduce your risk after receiving a data breach notification letter in the mail?
Please respond using our comments section.
Russell Eubanks


100 Posts
ISC Handler
Mar 21st 2015
Corporations can no longer be trusted to safeguard the info they hold. Even credit related info holders of personal identifying info have been breached due to poor or non-existent measures to protect such data.

These days your credit reports are available to anyone who pays for them, and some who don't. Including the criminals. It makes very good sense to freeze one's credit access so only the creditors that an individual has can access the credit record. One good side of that measure is the targeting for scams, telemarketing, junkmail, etc. goes way down.

4 Posts
I make sure I delay enrolling in the semi-worthless credit monitoring until one from the previous breaches is about to expire. I'd never pay for it myself but I do make sure someone else is paying for it whenever possible.

Oh, and I refuse to have a debit card. I pay the bank $1 a month for that privilege but it's worth it.
Getting some comments about credit freezes. For those interested, make sure that you contact each of the three credit reporting agencies.

Experian -->…
TransUnion -->…
Equifax -->…

Also see the below guidance from the Federal Trade Commission at…


100 Posts
ISC Handler
I froze my credit a few years back. Below is a blog I wrote for work last year on the topic....

What? Most of us have seen the commercials about credit monitoring. They sound good on the surface but get pricey at about $18 a month. What many people don’t realize is that these services are only credit monitoring/detection systems. You will only be notified after there has been suspicious activity on your account after the damage has been done.

Instead of waiting to be told your identity has been stolen you can prevent it in the first place and there is no monthly charge. Putting on a credit lock/Security freeze is cheaper and can prevent the problem from happening. You can put a freeze on your credit directly with the credit bureaus. No one will be able to take out new credit in your name without your specific authorization.

Why? Major IT security breaches are in the news every month (Target being a recent example). The bad guys are not just after your credit card number (those can be canceled and can be changed easily). Your credit/identity is worth a lot more and much harder to deal with than a stolen credit card.

How much? It is free to apply the freeze. But, it is $30 ($10 per credit bureau) each time you want to “thaw” (temporarily lift) the security freeze on your credit.

Who? If you are credit stable (not currently in the market for new credit cards – new auto loans – new home loan, etc.) and others do not need access to your credit report/score on a regular basis for work, you should look into freezing your credit.

How? You will need to contact each of the credit agencies directly. Credit freezes may be done online, by phone or by certified mail - return receipt requested. I highly suggest being connected to a printer so you can easily print out your PIN numbers. It took me about 1/2 an hour to complete all three locks.


Need more info check out
1 Posts
I am not doing anything that I don't always do anyway. I enter my receipts every night before I go to bed, then I reconcile my accounts with the banks and credit cards that I hold, and then check my online trading account to make sure everything is the way I expect it to be. As long as I detect a problem within 24 hours of its occurrence, I should be ok. Besides, I sleep better knowing where my money is. :-)

133 Posts
Moriah - Great job setting a great example for us by reviewing your accounts on a daily basis.


100 Posts
ISC Handler
Thanks everyone for your comments throughout the day. I hope this post caused you to consider the reputational risk that may be experienced by us "victims" and not just the company who notified us of our data loss.

Have a great rest of the weekend!


100 Posts
ISC Handler
Reviewing my account daily is no different than reviewing my log files daily. :-)

133 Posts
Regarding monitoring one's finances on a daily basis, I use Quicken.

NOTE: I am NOT affiliated with Quicken other than being a user of it. I am here, I hope, informing readers of the existence of a tool.

I download transactions from banks, credit cards, IRA, etc. on a daily basis. I save my receipts, but they're usually in my short-term memory by the time the transaction downloads. NOTE to non-Quicken users: what you know is your bank, etc. have "downloads" from which you can download transactions. What you might not know is a lot of them (e.g., all my banks and credit cards) also have an automatic download capability. You open Quicken, and say to do the automatic download. It does them all together. Takes about a minute or so for all my accounts. In other words, you do not have to log in to each bank, credit card, etc. to download; Quicken will do it for you. Yes, it maintains a password vault on its servers, and certain of your financial information lives on their servers. But if you want all your finances (ledgers, etc.) in one place, with automatic, timely downloads of transactions, give Quicken a try. The last version I have (Quicken Deluxe 2014) is buggier than the previous version I had (2011). And this newer version knows it has a captive audience when you open the program, so it does dialog-box ads that you have to read and dismiss at times. (I've complained about this disgusting practice.) The bottom line, however, is I maintain two sets of financial records (me and someone else) using Quicken (two separate databases), and it's slick.

8 Posts
Be proactive:
- Monitor your name, domains, IP addresses, usernames on sites like Google alerts are easy to create!
- For online transactions, use pre-paid CC or one-time CC.

My $0.02

697 Posts
ISC Handler
I'm far lazier. I just set online alerts for every account to text or email me on all transactions greater than $0 (or $1 if it won't take a zero). If I know when transactions take place I know if I made them or if I have a compromise situation.
For you open source fanatics, I have been using gnucash for years. It is a true double entry accounting system. It will also download transactions directly from the Internet as well as import data from several formats.

I am not associated with gnucash other than being a user.

I think checking all your accounts daily is the best safeguard. It is exactly like checking your logs daily.


17 Posts
