Earlier this year, the university where I studied as an undergraduate, the University of Delaware, announced that the school had been the victim of a security breach. The announcement indicated that personal information of anyone who had been on the university’s payroll might be compromised, and those who were compromised would receive a letter from the university.
I worked for no more than twelve weeks in one of the university’s libraries no later than 1998. I couldn’t believe that the university would maintain a digital database of payroll records fifteen years old, so I didn’t pay too much attention to the breach. Months later, I found out that the university did send a letter to an old address, and my Social Security number may have been compromised. The university partnered with an identity protection service called ID TheftSmart, and the letter suggested I enroll in the program, and that the cost of enrollment would be nothing for three years.
ID TheftSmart is a product offered by Kroll. This service and similar services offered by other companies monitor credit reports from one or more of the credit reporting bureaus, and the company will alert owners who are enrolled in the program if there are any changes to the credit report. It’s a decent way to see, after the fact, if anyone has used your information to open new credit lines.
I don’t think these programs are worth the cost. A much better option, if you believe your credit is or will be compromised, is to put an initial fraud alert on your credit. It’s free, and once you enable the alert with one bureau, the other two bureaus will also enable alerts within twenty-four hours. Did I mention it’s free? The alert remains on file for 90 days.
Nevertheless, I took no action on the news that I was one of the thousands of former university employees whose information might have been compromised. The risk seemed pretty low to me, at least until I next tried to verify my personal identity using information from my credit report.
Last week, I began my application for health insurance coverage through the national exchange put into place by the Affordable Care Act. Thanks to Obamacare, I should be able to reduce my insurance bill from the more than $700 per month I’m paying for insurance for myself through COBRA to a more reasonable amount for the same type of service. In order to see options within the exchange, interested users must verify their identity, and I wasn’t able to do so.
The typical process for identity verification using information from credit reports involves four of five multiple-choice questions, where the questions and potential answers are drawn from past addresses, phone numbers, employers, and loans. Every so often, there is a “trick question;” one of the questions does not have any correct responses or the question would not be applicable.
For example, one trick question I might see might be stated as follows: “In 2008, you opened a mortgage. Which bank services the mortgage?” The choices would be four banks I may or may not have experience with, or “none of the above.” Because I never opened a mortgage, and because that fact would be clear from my credit report, the correct answer is “none of the above.”
Usually, I’ve seen no more than one of these trick questions in the identity verification challenge. But when I tried verifying my identity for the health insurance exchange, there were two. I answered all questions accurately, but the system could not confirm my identity. I tried again, with five new questions. Again, three were from real information in my credit history, and two were trick questions. Again, the identity verification failed.
The federal health insurance exchange offers an alternative method for confirming identity: uploading documents, like birth certificates, Social Security cards, driver licenses, and other items with personal information. Because the healthcare.gov site was overwhelmed by traffic and the website administrators might still be working out bugs, I was unable to upload my documents right away, and my application remained incomplete.
It worried me that I was not able to verify my identity. Maybe it was another bug on the healthcare.gov website, but maybe there’s a problem with one of my credit report. Perhaps my personal information really was compromised due to the data breach at the University of Delaware. I started investigating the issue myself.
I first tried to order free credit reports from AnnualCreditReport.com. I tried Experian first — and after answering identity verification questions, I received a message saying Experian would not be able to provide my credit report online, and that I should call a number. I called, but it was after hours, so there was no response. I started the process again, selected Equifax, but yet again something prevented me from ordering my credit report online.
At this point, I decided I needed to do something more, so I looked at the service the University of Delaware was offering, ID TheftSmart. The pamphlet provided with the letter from the university indicated the service would be free for three years, so I enrolled.
Yesterday, when checking my recent credit card activity, I saw a recent charge for $16.95 from TransUnion. The charge was on the same day as my ID TheftSmart enrollment, but I did not interact with TransUnion, nor did I give my credit card number in the enrollment process. The phone number associated with the credit card charge is 800-493-3292, and I called the number this morning. I expected them to say that this charge was related to my enrollment in ID TheftSmart, but they didn’t; apparently the charge was for a service initiated in mid-September for someone with a different name. Someone named Brenda used my credit card number to enroll in a credit service directly with TransUnion.
With this information, there were four actions I needed to take, which I was able to complete within a span of about thirty minutes:
- I began the process of getting a refund from TransUnion. This is unfortunately not a very quick process. TransUnion must mail me some kind of form I need to complete and send back before they can issue a refund. The process must be in place to prevent people from requesting refunds illegitimately.
I added an initial fraud alert to my credit report. I called the TransUnion fraud department, as instructed by the first TransUnion customer service representative. I enabled the fraud alert with TransUnion, and Experian and Equifax should also reflect a fraud alert within twenty-four hours. That means that if my information is used to open any new credit lines within the next 90 days, the opening will not be permitted without a phone call to me for verification.
Interestingly, the fraud department indicated the number I dialed initially was not a real TransUnion number, and that the correct number is 800-493-2392 (note the transposition of the 2 and 3). After the call with the fraud department, I called the correct number. Both numbers go to the same company; they both seem to be correct, despite the scare provided by the fraud department.
- I change my credit card number. The credit card affected was the only personal card I use regularly — my Chase United MileagePlus Explorer card. I informed the Chase customer service representative that my credit card number appears to have been used by someone I don’t know without my authorization, and that there was one charge I’d like to dispute. The dispute process is now underway, and Chase is sending a new card with a new number via overnight UPS service. I immediately canceled my current credit card number.
- I ordered my free credit report. Although I was unable to order my free credit report online from Equifax and Experian, I was able to order one from TransUnion (via AnnualCreditReport.com, naturally). There was nothing out of the ordinary on this report. There were no unknown addresses and no unknown accounts, new or old. This gave me more confidence that my identity had not been compromised — just my credit card number.
Another action I will take is to check the recent activity in my other credit cards. I have other open credit cards that I haven’t used in years, and it’s possible, if this person truly got a hold of one of my credit card numbers, that she might have others. At times like this, having a simplified personal finance system, with only a few bank accounts, comes in handy; I, on the other hand, have many open accounts thanks to my dedication to writing reviews for Consumerism Commentary.
Here’s what I should have done: At the moment I heard that my personal information was likely breached at the University of Delaware, I should have initiated fraud alerts with the credit reporting agencies. I should have ignored the free offer for third-party credit monitoring.
I’ll continue to monitor my financial accounts to ensure no other information has been compromised. I was ready to assume that this TransUnion charge was just a case of ID TheftSmart not disclosing that TransUnion would be charging me a fee, but with the knowledge that the charge was placed by somebody with a different name for a service that started several weeks ago, it’s clear this was purely a case of someone else using my credit card number. Perhaps the trouble I had confirming my identity for health insurance was just a coincidence.