As featured in The Wall Street Journal, Money Magazine, and more!
     

An Unauthorized Charge From TransUnion: Was My Identity Stolen?

This article was written by in Credit. 9 comments.


Earlier this year, the university where I studied as an undergraduate, the University of Delaware, announced that the school had been the victim of a security breach. The announcement indicated that personal information of anyone who had been on the university’s payroll might be compromised, and those who were compromised would receive a letter from the university.

I worked for no more than twelve weeks in one of the university’s libraries no later than 1998. I couldn’t believe that the university would maintain a digital database of payroll records fifteen years old, so I didn’t pay too much attention to the breach. Months later, I found out that the university did send a letter to an old address, and my Social Security number may have been compromised. The university partnered with an identity protection service called ID TheftSmart, and the letter suggested I enroll in the program, and that the cost of enrollment would be nothing for three years.

ID TheftSmart is a product offered by Kroll. This service and similar services offered by other companies monitor credit reports from one or more of the credit reporting bureaus, and the company will alert owners who are enrolled in the program if there are any changes to the credit report. It’s a decent way to see, after the fact, if anyone has used your information to open new credit lines.

I don’t think these programs are worth the cost. A much better option, if you believe your credit is or will be compromised, is to put an initial fraud alert on your credit. It’s free, and once you enable the alert with one bureau, the other two bureaus will also enable alerts within twenty-four hours. Did I mention it’s free? The alert remains on file for 90 days.

Nevertheless, I took no action on the news that I was one of the thousands of former university employees whose information might have been compromised. The risk seemed pretty low to me, at least until I next tried to verify my personal identity using information from my credit report.

Last week, I began my application for health insurance coverage through the national exchange put into place by the Affordable Care Act. Thanks to Obamacare, I should be able to reduce my insurance bill from the more than $700 per month I’m paying for insurance for myself through COBRA to a more reasonable amount for the same type of service. In order to see options within the exchange, interested users must verify their identity, and I wasn’t able to do so.

The typical process for identity verification using information from credit reports involves four of five multiple-choice questions, where the questions and potential answers are drawn from past addresses, phone numbers, employers, and loans. Every so often, there is a “trick question;” one of the questions does not have any correct responses or the question would not be applicable.

For example, one trick question I might see might be stated as follows: “In 2008, you opened a mortgage. Which bank services the mortgage?” The choices would be four banks I may or may not have experience with, or “none of the above.” Because I never opened a mortgage, and because that fact would be clear from my credit report, the correct answer is “none of the above.”

Usually, I’ve seen no more than one of these trick questions in the identity verification challenge. But when I tried verifying my identity for the health insurance exchange, there were two. I answered all questions accurately, but the system could not confirm my identity. I tried again, with five new questions. Again, three were from real information in my credit history, and two were trick questions. Again, the identity verification failed.

The federal health insurance exchange offers an alternative method for confirming identity: uploading documents, like birth certificates, Social Security cards, driver licenses, and other items with personal information. Because the healthcare.gov site was overwhelmed by traffic and the website administrators might still be working out bugs, I was unable to upload my documents right away, and my application remained incomplete.

It worried me that I was not able to verify my identity. Maybe it was another bug on the healthcare.gov website, but maybe there’s a problem with one of my credit report. Perhaps my personal information really was compromised due to the data breach at the University of Delaware. I started investigating the issue myself.

I first tried to order free credit reports from AnnualCreditReport.com. I tried Experian first — and after answering identity verification questions, I received a message saying Experian would not be able to provide my credit report online, and that I should call a number. I called, but it was after hours, so there was no response. I started the process again, selected Equifax, but yet again something prevented me from ordering my credit report online.

At this point, I decided I needed to do something more, so I looked at the service the University of Delaware was offering, ID TheftSmart. The pamphlet provided with the letter from the university indicated the service would be free for three years, so I enrolled.

Yesterday, when checking my recent credit card activity, I saw a recent charge for $16.95 from TransUnion. The charge was on the same day as my ID TheftSmart enrollment, but I did not interact with TransUnion, nor did I give my credit card number in the enrollment process. The phone number associated with the credit card charge is 800-493-3292, and I called the number this morning. I expected them to say that this charge was related to my enrollment in ID TheftSmart, but they didn’t; apparently the charge was for a service initiated in mid-September for someone with a different name. Someone named Brenda used my credit card number to enroll in a credit service directly with TransUnion.

With this information, there were four actions I needed to take, which I was able to complete within a span of about thirty minutes:

  • I began the process of getting a refund from TransUnion. This is unfortunately not a very quick process. TransUnion must mail me some kind of form I need to complete and send back before they can issue a refund. The process must be in place to prevent people from requesting refunds illegitimately.
  • I added an initial fraud alert to my credit report. I called the TransUnion fraud department, as instructed by the first TransUnion customer service representative. I enabled the fraud alert with TransUnion, and Experian and Equifax should also reflect a fraud alert within twenty-four hours. That means that if my information is used to open any new credit lines within the next 90 days, the opening will not be permitted without a phone call to me for verification.

    Interestingly, the fraud department indicated the number I dialed initially was not a real TransUnion number, and that the correct number is 800-493-2392 (note the transposition of the 2 and 3). After the call with the fraud department, I called the correct number. Both numbers go to the same company; they both seem to be correct, despite the scare provided by the fraud department.

  • I change my credit card number. The credit card affected was the only personal card I use regularly — my Chase United MileagePlus Explorer card. I informed the Chase customer service representative that my credit card number appears to have been used by someone I don’t know without my authorization, and that there was one charge I’d like to dispute. The dispute process is now underway, and Chase is sending a new card with a new number via overnight UPS service. I immediately canceled my current credit card number.
  • I ordered my free credit report. Although I was unable to order my free credit report online from Equifax and Experian, I was able to order one from TransUnion (via AnnualCreditReport.com, naturally). There was nothing out of the ordinary on this report. There were no unknown addresses and no unknown accounts, new or old. This gave me more confidence that my identity had not been compromised — just my credit card number.

Another action I will take is to check the recent activity in my other credit cards. I have other open credit cards that I haven’t used in years, and it’s possible, if this person truly got a hold of one of my credit card numbers, that she might have others. At times like this, having a simplified personal finance system, with only a few bank accounts, comes in handy; I, on the other hand, have many open accounts thanks to my dedication to writing reviews for Consumerism Commentary.

Here’s what I should have done: At the moment I heard that my personal information was likely breached at the University of Delaware, I should have initiated fraud alerts with the credit reporting agencies. I should have ignored the free offer for third-party credit monitoring.

I’ll continue to monitor my financial accounts to ensure no other information has been compromised. I was ready to assume that this TransUnion charge was just a case of ID TheftSmart not disclosing that TransUnion would be charging me a fee, but with the knowledge that the charge was placed by somebody with a different name for a service that started several weeks ago, it’s clear this was purely a case of someone else using my credit card number. Perhaps the trouble I had confirming my identity for health insurance was just a coincidence.

Published or updated October 7, 2013. If you enjoyed this article, subscribe to the RSS feed or receive daily emails. Follow @ConsumerismComm on Twitter and visit our Facebook page for more updates.

Email Email Print Print
avatar
Points: ♦127,386
Rank: Platinum
About the author

Luke Landes, also known as Flexo, is the founder of Consumerism Commentary. He has been blogging and writing for the internet since 1995 and has been building online communities since 1991. Find out more about him and follow Luke Landes on Twitter. View all articles by .

{ 9 comments… read them below or add one }

avatar Lance @ Money Life and More

That stinks that you might have been hit by fraud. I had a similar experience months ago and wrote about it on my blog. Make sure to keep an eye out as that first charge might have been a test before they try a big balance transfer.

Reply to this comment

avatar Luke Landes ♦127,386 (Platinum)

The whole thing angers me so much. I couldn’t sleep last night, not because I was worried about having to deal with potential fraud, but because someone or some company thinks they can take advantage of me. I have a big problem with this; if someone tried to take me for a fool, I get riled up and it makes me very upset. I’m better the next day, but it takes a while to completely recover. I take it too personally, as if someone wanted to target me because they thought I was vulnerable.

Reply to this comment

avatar Revanche

Oh that would make me furious as well! I can’t believe the University of Delaware kept your records this long and left them vulnerable, and that all the things wrong keep piling on :( I really hope this can be sorted with a minimum of additional fuss and bother.

Reply to this comment

avatar jim

I wouldn’t necessarily conclude that the U. Delaware breech had anything to do with it. Could very likely be pure coincidence. Petty identity theft like individual fraudulent credit card charges are actually extremely common. Some big companies or organization seem to have security breeches or and lose peoples personal information every other week. So its actually pretty likely that you’d have both of those things happen.

Reply to this comment

avatar Luke Landes ♦127,386 (Platinum)

Quite right. The Delaware security breach could be a separate incident from the unauthorized use of my credit card number. And both could be unrelated to the fact that I’ve had difficulty confirming my identity and ordering free annual credit reports. It’s a mess. I’m thankful for zero-liability policies, and I’m relieved no other accounts — and my credit history — seem to be compromised.

Reply to this comment

avatar jim

It is still possible of course that the U Delaware breech got your #’s out there somewhere…

I think sometimes those security breeches are nothing and nothing ever happened. e.g. A breech could be if some employee lost a laptop full of peoples SSN #’s but whoever found the laptop didnt steal all the #’s or even realize they were there. On the other hand sometimes hackers steal the SSN’s. Its impossible for us to know which breeches are really serious and which are just a potential risk.

For the longest time now one of the 3 credit bureaus hasn’t let me verify my identity on line and order the online free annual credit report. I can’t figure out why. My credit scores were all great last time we got a mortgage. I’ve finally decided to send in a paper form to request the records from the bureau in question.

Reply to this comment

avatar Brianne

We’ve had the worst time with identity theft recently. Our old mortgage servicer had two breaches and only told us about one of them. All of a sudden, there was a barrage of activity; fake transfers from our checking account, attempts to open new accounts, and attempts to change our passwords and e-mail addresses on file with brokerage firms, the banks, and credit card companies. We changed every number and put a freeze on our credit report but it’s still a huge bother.

Reply to this comment

avatar Luke Landes ♦127,386 (Platinum)

That sounds like a terrible experience. I’ve been checking my accounts every day over these past few days. Thankfully, I haven’t seen anything else out of the ordinary.

Reply to this comment

avatar Ivan Widjaya

This is one of the reasons I don’t like credit cards. There is also a risk of fraud. If you only spend money that you have, then you will not have problems with this. You also don’t need to spend for security.

Reply to this comment

Leave a Comment

Connect with Facebook

Note: Use your name or a unique handle, not the name of a website or business. No deep links or business URLs are allowed. Spam, including promotional linking to a company website, will be deleted. By submitting your comment you are agreeing to these terms and conditions.

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Previous post:

Next post: