I received a letter (not an eMail) that is supposed to provide protection from the recent Ticketmaster breach.
A website is provided with a unique code - for me to register for protection free of charge due to the Ticketmaster ‘data security incident.’
The return address on the letter is:
Ticketmaster c/o Cyberscout
PO Box 1286
Dearborn, MI 48120-9998
The letter includes this line - identifying the website to use:
" … please log on to www.mytrueidentity.com and follow the instructions … "
How do I know that this is legit vs someone who got my info in the breach and is trying to trick me into signing in and perhaps giving more info to ‘prove’ who I am.
They’re not a scam company. CyberScout is apparently closely affiliated with TransUnion, one of the big credit bureaus.
That having been said, I wouldn’t want to do business with them (or with TransUnion). Doing a web search on “CyberScout”, I found the first hit was a question on Symantic’s Norton forum from January: Is Cyberscout a legit Company.
The only reply to that question links to an article that doesn’t have anything good to say about TransUnion, and a link to CyberScout’s Better Business Bureau record, which is also not good.
Offers of free identity theft insurance are a nice gesture after a company’s data has been stolen, but if you believe you need this insurance, get it from a reputable company.
FWIW, I have this kind of insurance via Allstate, paid for via a payroll deduction from my employer, in order to get a group-policy discount.
If I was facing a similar situation, I would think about whether I wanted the “protection” package before researching Cyberscout.
For example, I would consider how beneficial the “protection” package would be for me, taking into account the details of the security breach and if any existing monitoring/insurance coverage I have would make Cyberscout’s offering redundant. I also would consider which potential future (say, 3-12 months from now) scenario would make me feel worse and cost me the most time and effort: not signing up for Cyberscout and learning from a non-Cyberscout source that my information is involved in another breach or signing up for Cyberscout and finding out the signup letter was a scam.
My personal view on monitoring services is that most are of limited use because they are backwards-looking. When a service notifies you of a breach, the information has already been stolen.
I agree. My personal details have been stolen in probably a half-dozen breaches over the years, and I have never seen any value in the services the (ir)responsible parties have offered as recompense.
The proactive step is to freeze your credit files, which is the only way to actually prevent any future misuse. And they can be maintained indefinitely, unlike subscription services.
You bring up a key problem with how companies respond to data breaches. The most common offered remedy, by a wide margin, is free credit monitoring and/or identity theft alerts. It has become expectable that most people in the US have had information stolen in multiple breaches, which makes these gestures hollowly redundant, unless the breaches happen far enough apart that the free services don’t have much overlap.
I don’t know what would be a better remedy offer other than cash restitution. But I’m fairly certain that the current method is severely lacking.
Thank you for those resource links, Incompatible. I agree with the credit freeze method. It can be inconvenient in some cases, but you just need to provide a little more proof in certain financial situations, which should almost be the default anyway?
Sadly, this is the “modern” accepted response by businesses providing digital services: Get hacked, compromising customer information, and simply offer 1 or 2 years of credit or “identity monitoring” of dubious value.
To me, it is like offering a coupon for your next purchase when the sandwich you ate put you in the hospital with unknown long-term effects.
Not the best analogy, but it summarizes my feelings, and this “identity monitoring” has been the standard practice for many years. It is next to worthless in my opinion. If it is so “easy” to monitor your identity/personal info for threats, why not put the energy and resources into stronger monitoring and security of the personal information itself?
I have heard anecdotal stories about people who used these services being warned when a 3rd party was actually trying to do something with their ID or credit, but they generally do not stop anything. You must do the work, and there are very little support services for this. The onus is on each individual.
The real issue is not making large corporations who trade in our information actually liable for their misuse of it beyond class-action suits which mostly benefit legal firms.
Agreed. Which is why an insurance policy (or a monitoring service that includes insurance) is more important than just monitoring. If something nasty (e.g. someone opening up new accounts in your name) should occur, a company that can provide (or reimburse the cost of) a professional to repair the damage is going to be a lot more useful than just letting you know after the fact.
I’ve received both the Ticketmaster letter and the AT&T data breach letter this week.
At this point, I could just string free credit monitoring services together for the rest of my life.
But, I found it notable that AT&T Wireless did not even pretend to want to do anything for their customers, even though nearly all of us had call records with our names and telephone numbers stolen in the breach. Since the period when the thefts took place, I’ve received several scam/phishing texts that announce breathlessly:
Dear Matt:
Your AT&T rate is scheduled to increase on [today’s date]. Contact us immediately by clicking this link to learn how you can mitigate this increase before it’s too late.
The scammers have what they need to fool a number of AT&T’s customers.
