Free credit monitoring has become the financial services industry’s standard response to data breaches.
Immediately following Desjardins disclosure in mid-June of a massive data breach impacting the personal information of nearly 3 million of its members, the company offered free credit monitoring protection to affected clients, initially for one year but subsequently increased to five years, including access to daily credit reports, alerts of key changes and identity theft insurance.
While helpful, such monitoring captures only a slice of the information compromised in large scale data breaches. Indeed, in this breach, which impacted 2.7m Desjardins members and 173k businesses, the following information was allegedly stolen: customer names, dates of birth, social insurance numbers, addresses, telephone numbers, and email addresses.
How will free credit monitoring be helpful to Desjardins customers if a fraudster uses their stolen name and date of birth combination to create a fake ID? Put simply, it won’t. How will free credit monitoring be helpful when that fake ID is then used to purchase alcohol for a minor, or a firearm for a felon? It won’t.
Credit monitoring’s original intent was to inform consumers when their credit rating is “pinged” for credit purposes, or when their credit cards are used fraudulently (i..e: after a bank has determined the usage was fraudulent). It is not meant to inform customers in real time when their data is used without their knowledge or consent or for illegal purposes.
Moreover, credit monitoring doesn’t address all the other data points of the Desjardins breach: email addresses, addresses, phone numbers, etc.
Identity First, a holistic approach to ensuring Canadians’ safety online, monitors the deep/dark web for instances of email addresses, credit cards, passports, social insurance numbers, and mobile phone numbers appearing online and informs customers in real time when such information appears.