(405) 919-9901

by Dave Moore, CISSP

10/15/2023

Last week, I discussed how possible identity theft victims affected by the “MOVEit” online theft of private information from certain Oklahoma banks, including MidFirst and Bank of America, should put a “freeze” (not a “lock”) on their accounts at all four major credit bureaus in order to head off a full-on identity theft crisis. This week, we look at notifying various government agencies.

Because of the MOVEit hack, there now exists a full-on bona fide identity theft crisis that cannot be minimized or ignored, and it’s not limited to just banks. Hundreds of businesses, government institutions and schools across the USA have had the personally identifiable information (PII) of millions of their customers stolen. The bad guys have already used this information to steal tons of money, and are set to steal a whole lot more.

After completing Damage Control Step One (moving your funds to unaffected financial institutions) and Step Two (freezing credit bureau accounts), Step Three is notifying various government agencies of the situation. Step Three can go a long way in preventing or assuaging an identity theft catastrophe.

Remember, you do not need to see current evidence that you are in an identity theft crisis. Just because you have not experienced horrible consequences does not mean that you won’t at some time in the future. The fact that you’ve done business with an affected institution is all the evidence you need. Tell everyone you contact about the situation that you are concerned about being an identity theft victim, because you know your personally identifiable information has been compromised. Just because you haven’t had a bad car accident doesn’t mean you shouldn’t repair the brakes you already know are shot.

  1. Report identity theft to the Federal Trade Commission (FTC) at identitytheft.gov. Obtain an FTC Identity Theft Report. The FTC is the lead federal agency for reporting and prosecuting identity theft, and there is a wealth of great information and advice on their website.
  1. After you complete your FTC Identity Theft Report, make a thorough list of all personal data and accounts, such as SSN, bank/credit card numbers, email addresses, user names, passwords, etc.
  1. Notify the fraud departments of all your creditors and financial institutions in writing of the ID theft, and all details you know about. Request accounts be flagged. Request up-to-date statements. Guidelines and sample letters are on the FTC website. Enclose a copy of your FTC Fraud Report.
  1. Review all statements for suspicious activity: loans, investment accounts, property rentals, utilities, etc. Demand bogus charges and accounts be removed and closed. Ask for a letter stating those things have been done. Contact credit bureaus and correct credit reports. Include a copy of your FTC Identity Theft Report, and proof of ID, like SSN, copy of driver’s license, copy of a utility bill, etc. Request blocking of incorrect and fraudulent information. See identitytheft.gov for more.
  1. If the U.S. Mail Service was involved in the identity theft, or your mail was stolen, report the incident(s) to the United States Postal Inspection Service at www.uspis.gov/report/
  1. If you suspect your SSN has been used by someone else, review your work history at socialsecurity.gov/myaccount. Report errors to your local Social Security Administration office. Do the same thing for other government benefits you may receive (VA, etc.).
  1. Ask the Internal Revenue Service to mark your account to identify any questionable activity by completing Form 14039, Identity Theft Affidavit, found at irs.gov/pub/irs-pdf/f14039.pdf. Apply for an Identity Protection PIN from the IRS at www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. Go ahead and apply for the PIN even if you think you don’t qualify. You should be put on a list to get one in the future.

How seriously you take the situation determines your level of success. Those who ignore the warnings are the ones I hear from the most; I almost never hear from folks who heed the advice and warnings, except for an occasional “thank you,” which is always nice.

Next week: more on placing fraud and identity theft alerts with government agencies.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org