ROB CARRICK | The Globe and Mail
Identity thieves once stole a total $500,000 by pretending to be Jennifer Fiddian-Green.
Her story is worth hearing if you want to understand the risks that arise when your personal information is stolen. We’re told endlessly to keep our data private so identity thieves can’t get it. But a data breach at the credit monitoring company Equifax highlights the way people can be vulnerable through no fault of their own.
Ms. Fiddian-Green, a forensic accountant at Grant Thornton LLP, isn’t sure how her personal information was stolen back in 2006. But she does know the thieves were able to secure two mortgages in her name that netted them the $500,000.
In investigating her own case, she learned that the thieves tried to borrow money at 12 or more financial companies. “Ten times, these institutions said ‘no, this is not a good application, get rid of it,’” she said. “But two of them [a bank and a mortgage lender] let it go through.” She realized this only after one of the lenders came looking for repayment.
Equifax has been rightly slammed for its vagueness about how many Canadians were affected by a cyberattack against the Atlanta-based company and the extent to which their private information has been compromised. On Monday afternoon, the company’s website said that only a limited number of Canadians may have been affected, and “it seems” at this point that the information possibly breached includes names, addresses and social insurance numbers.
As a cybersecurity expert, she was able to convince the duped mortgage lenders that they were fraud victims. Now, she has some thoughts on helping others understand identity theft and how to fight it.
To start, people need to understand that the data kept by credit monitoring companies such as Equifax and competitor TransUnion is enough to enable thieves to borrow money or set up accounts in your name. These firms are clearinghouses for data on how people are keeping up with their borrowing – they take in information from financial companies and sell it back to these firms to help with decisions on whether to lend money, and at what rate. You should certainly check your credit file to monitor for fraudulent activity. But there’s also some onus on banks, credit card companies and other lenders to make sure they’re lending to actual customers and not thieves.
Expect to find out by letter, phone call or contact from a debt collection agency if you’re a victim of thieves who have used your identity to borrow money. Ms. Fiddian-Green’s suggested response: “You need to say no, I was not a party to this. I’ll help you figure out the fraud that was conducted on you and your institution using my data.”
Scott Terrio of insolvency trustees Cooper & Co. says people are legally responsible for debts in their name. “But if it’s true fraud, then you’re not legally obliged to pay it. The trick is to prove that it wasn’t you.”
One way to do that is to demonstrate the fraudulent expense or borrowing is not in keeping with your usual pattern of spending. Mr. Terrio notes that credit card companies use fraud detection software that looks for deviations from your usual spending. In the fraud cases he’s seen, banks and card issuers have typically been co-operative in identifying identity theft.
Equifax is pushing a $19.95-a-month service on its website that monitors your credit file and can help detect identity theft. But you can also order a free credit report from both Equifax and its competitor TransUnion. Just google Equifax Canada or TransUnion Canada and “free credit report.”
Some financial firms also provide credit reports to their clients. For example, Royal Bank of Canada clients who bank online can now access their credit score and a credit file showing all their existing accounts and inquiries made by lenders. Scan all of this information for unauthorized activity and contact the firm involved if you find anything.
Even after her experience several years back, Ms. Fiddian-Green says she wouldn’t take Equifax up on its credit-monitoring service. “I refuse to pay to have them tell me they’re taking care of my data.”