Many types of identity credentials are ‘persistent’, meaning that exposure retains power to create identity crimes over the life on an identity-holder. The most common example: it is nearly impossible to change a Social Security number, and few will ever attempt to do so for a driver’s license or passport record as well. While payment card numbers can be changed, they often expose cardholders’ contact information (just enter a few noteworthy card breaches into Breach Clarity’s search engine for proof). The average person changes their street address or other contact information infrequently–and once changed contact identity data retains power to fuel crimes by simply changing from current to prior identity-holder information, which also has utility for identity criminals. With four new breaches occurring in a typical day (source: ID Theft Resource Center), there is a risk of only focusing on the risk from recent breaches, and thereby making the false assumption that breaches have a relatively short shelf life. Unlike the exposure of one’s email, social security number, or even card data, the Ashley Madison breach exposed a particularly unique type of data that can generally be traced back to the source and date of exposure.
The July, 2015 data breach at Ashley Madison generated massive headlines not only because of it’s size, but also because it exposed the identity records and secretive activities of men (mostly) who sought to cheat on their partners. As it turns out, the highly unique nature of what this breach exposed also turns out to be the perfect real-world experiment for proving that breached personal data retains power for as much as five years or more. As this blog post from tech firm Vade Security describes, philanderers caught up in the breach are still getting extortion emails some 56 months after the breach! Naturally, the damage will continue until identity criminals fail to reap a reward from their dirty deeds (in this case, from those who were trying to do dirty deeds as well).
So in the case of this breach, what actions on the part of breach victims would mitigate their risk? The mind reels at the difficulty: they can change their contact information, try to obfuscate or even change your name so that blackmailers cannot locate them through other methods, simply do nothing and lose sleep worrying that their relationship(s) will be ruined, or just pay the bitcoin demanded by criminals and hope the criminals ‘honor’ their commitment to leave them alone in the future. It’s a chilling scenario for sure.
The majority of data breaches expose at least some private data with relatively persistent data. While consumer victims may realize some protection from reissuing payment cards or 1-2 year subscription to various identity protection services, no method of relief ever addresses all risks created. What’s more, risk of identity crimes can endure for the life of the breach victim, and in particular when records such as SSNs, family relationships, or any of the other highly-persistent credentials among the 50+ in the Breach Clarity algorithm are involved.