Identity Theft Victims Face Months of Hassle

As soon as Mark Kim found out his personal information was compromised in a data breach at Target last year, the 36-year-old tech worker signed up for the retailer's free credit monitoring offer so he would be notified if someone used his identity to commit fraud.

Someone did. The first monitoring report showed crooks opened accounts in his name at Macy's and Kohl's department stores, where they racked up more than $7,000 in charges. "My heart basically sank," he said. Over the next seven months the New York City resident spent hours on the phone, most of a day in a police station filing a report, and countless time sending documents to banks and credit reporting agencies to clear his credit history.

He's hardly alone. The Target hack during last year's Black Friday shopping weekend was just one in a wave of data breaches that have exposed more than 100 million customer records at U.S. retailers, banks and Internet companies. The latest high-profile hack, at Sony Pictures Entertainment, resulted in Social Security numbers and other personal details of nearly 50,000 current and former Sony employees and film actors being stolen and posted online for anyone to see. While cases are difficult to trace, analysts at Javelin Strategy & Research estimate that one in three Americans affected by a data breach ultimately became the victim of fraud last year - up from one in nine in 2010.

Although banks often absorb bogus charges, it's up to victims to clean up their credit histories and recover stolen funds. On top of lost time, money and emotional energy, victims face the frustration of rarely seeing anyone pay for the crimes. Identity theft cases are rarely prosecuted, said Avivah Litan, an analyst who studies fraud and identity theft for the research firm Gartner. Local police have limited resources, and criminals are often overseas, "so unless it's part of a bigger pattern, they're not going to spend much time pursuing it." Kim said a police detective who took his complaint later told him the accounts were opened by someone in California, but Kim never heard any more about the investigation.

In the past year, Target and other major retailers have said they're increasing security. President Obama has urged banks and stores to speed up adoption of "chip-and-pin" payment cards, which are harder to hack. But reports of data breaches continue. And as Federal Trade Commission member Terrell McSweeney said recently, "Disturbingly, the news has seemed to desensitize many people to the real risks created each time an event occurs."

Kim can't be certain Target was the source of the fraud he experienced, he acknowledged. Experts say crooks often steal or buy consumer information from more than one source, and use it to compile a complete dossier on potential victims. That's likely the way hackers last year impersonated the rich and famous to get credit reports on Paris Hilton, Michelle Obama and even General Keith Alexander, then-head of the National Security Agency.

Alexander told a public forum this fall that when he tried to file his taxes, he learned someone else had already claimed a $9,000 refund in his name. Fraudsters also used his identity to apply for about 20 credit cards. The FBI eventually caught a suspect, he said; the FBI declined comment.

Meticulous by nature, Kim documented every conversation with an investigator or company representative. He was fortunate, he added, that his employer let him use the phone and fax machine where he works. "If I worked at a stricter company, it would have been a nightmare," he said. But Kim was never reimbursed for sending affidavits and other documents by certified mail to various banks and agencies.

While identity theft is certainly a global problem, experts say it's difficult to measure worldwide losses. However, a Department of Justice study estimates identity theft of all kinds was responsible for U.S. financial losses of $24.7 billion in 2012 - nearly double the $14 billion lost from all other property crimes such as burglary and theft. According to Javelin surveys in the U.S., when an existing credit card is exposed and then used for fraud, the average loss is $1,251. When a social security number is exposed and then used to open new accounts, the average loss is $2,330.

Banks take the biggest financial hit, but identity theft victims' out-of-pocket losses can range from an average of $63 for misuse of credit cards to $289 for fraud involving social security numbers. Of course that doesn't quantify lost time and stress.

Albert, who didn't want his last name published because he fears being victimized again, learned in 2012 that his personal information was exposed by a data breach at University of Miami Hospital, where he'd gone for minor surgery. After submitting his federal tax return the following year, the 60-year-old Miami resident found the government had already issued a refund to someone else using his social security number.

It took eight months for the airline reservations employee to get his $4,000 refund, which he needed to pay off debts. Albert said he doesn't know if the tax scammer used personal information from the hospital breach or some other source. But experts say health records are a treasure trove for scammers, since they may contain financial information, insurance numbers and personal data that can be used to obtain drugs, medical services or other benefits.

Albert now subscribes to a credit monitoring service and has asked reporting agencies for a "freeze" to block any applications for credit in his name. However, that "freeze" required a laborious process to lift when he later applied for a mortgage and then Internet service from AT&T. He still worries someone will claim the Social Security benefits he's counting on when he retires.

"There's a rage that comes up, when you realize what happened," he said. "You feel violated. You feel attacked."

Kim just got all of the fraudulent accounts removed from his credit history this month. He and other victims say the experience has made them even more careful about their financial data and credit records. Kim, for example, registered for a security alert from the major credit reporting agencies, which advises lenders to contact him if someone tries to get credit in his name.

The alert expires in seven years, but Kim said he "absolutely" plans to renew it.

"I have to be watchful," he added. "I know something else could happen."

Criminals stole personal information from tens of millions of Americans in data breaches this past year. Of those affected, one in three may become victims of identity theft, according to research firm Javelin. Whether shopping, banking or going to the hospital, Americans are mostly at the mercy of companies to keep their sensitive details safe. But there are steps you can take to protect yourself against the financial, legal and emotional impact of identity theft - and most of them are free:

AS A RULE:

- Closely guard your social security numbers - and those of your children - as well as credit and debit card information and account passwords.

- Shred unneeded financial records and credit offers.

DETECTIVE WORK:

- Examine credit card bills for irregularities each month.

- Get a free credit report once a year from at least one of the major reporting agencies (Equifax, Experian, TransUnion), and review it for unauthorized accounts. Ignore services that charge a fee for credit reports. You can order them without charge at www.annualcreditreport.com . If you order from each agency once a year, you could effectively check your history every four months.

DO PAID SERVICES WORK?

- Some experts say there's not much to be gained from a paid credit monitoring service. But if a business sends you a notice of a data breach, it can't hurt to sign up for any monitoring they offer for free. These services will tell you if a new account is opened in your name, but they won't prevent it, and many don't check for things like bogus cellphone accounts or fraudulent applications for government benefits. Some do offer limited insurance or help from a staffer trained to work with credit issuers and reporting agencies.

SOMEONE STOLE MY IDENTITY, WHAT DO I DO?

- The Federal Trade Commission recommends immediately notifying one of the credit agencies and requesting a 90-day credit alert. (Each reporting agency is supposed to notify the others, but you may want to contact all three yourself.) The alert tells businesses to contact you before opening any new accounts in your name. You can renew the alert every 90 days, or you're entitled to keep it in effect for seven years if you've filed an identity theft report with police.

- Contact the credit issuer to dispute fraudulent charges and have the bogus account closed.

- Request your credit report and ask the reporting agencies to remove bogus accounts or any incorrect information from your record. Consider asking the reporting agencies to place a full freeze on your credit. This blocks any business from checking your credit to open a new account, so it's a stronger measure than a credit alert. But you should weigh that against the hassle of notifying credit agencies to lift the freeze - which can take a few days - every time you apply for a loan, open a new account or even sign up for utility service.

- Submit a report through the FTC website: www.consumer.ftc.gov . Click the "privacy & identity" tab, which will walk you through creating an affidavit you can show to creditors.

- Keep copies of all reports and correspondence. Use certified mail to get delivery receipts, and keep notes on every phone call.

___

AP National Reporter Martha Mendoza contributed to this report from San Jose, California.