Acting Attorney General John J. Hoffman and the New Jersey Division of Consumer Affairs today urged all New Jersey residents who have been customers of eBay Inc. to change their passwords, as recommended by eBay, and to take other protective measures against identity theft, due to a cyber-attack that reportedly compromised the security of certain non-financial data such as customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth.
“Anyone who has been an eBay customer should take proactive steps to ensure that a cyber-attack or data breach does not lead to the far worse problem of identity theft,” Acting Attorney General John J. Hoffman said. “Changing your password is an important first step. Additional measures such as obtaining your credit reports and keeping a close eye on your financial accounts will at least provide peace of mind – and may save you from becoming the victim of fraud.” These further steps are outlined in detail below.
A representative of eBay Inc. today contacted Acting Attorney General Hoffman and Division of Consumer Affairs Acting Director Steve Lee about the cyber-attack, which according to the company took place between late February and early March, and was first detected earlier this month. The attack is believed to have compromised a database that contained eBay users’ encrypted passwords and other non-financial data.
“We strongly encourage all individuals who may have been affected by this event, not just to change their passwords but to take other basic steps for self-protection against identity theft,” Division of Consumer Affairs Acting Director Steve Lee said. “The best protection against identity theft is swift action by those whose personal information may have been compromised.”
EBay states that it has taken steps to shut down unauthorized access to its site and to put additional security enhancements in place, and is cooperating with law enforcement and security experts. The company is asking all users to change their passwords. Individuals who use the same password on other websites, are being asked to also change the passwords on those sites. The company has 145 million active buyers, and states that it will notify all of its users.
The company states that consumers who only visited eBay as guest users do not have passwords on file, but should remain vigilant. Various types of fraud, including phishing attacks, often follow cyber-attacks of this nature. Phishing attack and identity fraud schemes may occur via email, mail or phone call. Criminals may reach out to potential victims, pretending to be representatives of a company, in this case eBay, that has been the subject of a well-publicized cyber-attack, in order to ask for their personal information. Consumers should never provide personal information in response to an email or letter, or over the phone, without first taking steps to independently verify that the request is legitimate.
The Division of Consumer Affairs reminds eBay customers not just to change their passwords, but to take eight additional steps that all consumers should take when exposed to potential identity theft.
These eight steps are outlined in the Division’s Cyber Safe NJ website, www.NJConsumerAffairs.gov/cybersafe, and provided below.
If you are exposed to Identity Theft
File a complaint with the Federal Trade Commission at www.ftc.gov/complaint or 877-438-4338. Your completed complaint is called an “FTC Affidavit.” You will want to bring a copy of the FTC Affidavit to your local police department; see Step 2.
File a report with your local police department, and bring the police a copy of your FTC Affidavit. Once your police report has been filed, request a copy so it will be available to send to credit reporting agencies and creditors.
Obtain a copy of your credit report from all three credit reporting agencies.
Contact them at:
Equifax Credit Information Services
Consumer Fraud Division
Fraud Victim Assistance Department
Tell these credit reporting agencies that you suspect you were exposed to identity theft, and ask that all of your accounts be flagged with a fraud alert.
Keep a close watch on the activity on your credit or debit cards. Many card issuers offer online account access. If you can, check the accounts daily. If you are unable to access this information online, call the numbers on the back of the affected cards.
Contact all credit card companies, creditors, banks, and any financial institutions with which you do business. Close the affected credit card and bank accounts, and get replacement cards with new account numbers. Change any passwords on the accounts, including PINs. Follow up all telephone contact with a written confirmation.
Contact the United States Social Security Administration at:
Social Security Administration
Social Security Fraud Hotline
P.O. Box 17768
Baltimore, MD 21235
TTX: (866) 501-2101
Keep a complete set of records. Keep a log with notes on all telephone conversations with credit reporting bureaus, creditors, or debt collection agencies. Confirm all telephone conversations in writing. Keep copies of all paper or electronic correspondence you send and receive related to the suspected identity theft. Send correspondence by certified mail, return receipt requested. Keep a record of the time spent and any expenses you incurred, in case it one day becomes possible to claim restitution in a judgment against the identity thief.
You can also contact nongovernmental nonprofit groups established to provide assistance to victims of identity theft. For example:
Identity Theft Resource Center
The New Jersey Division of Consumer Affairs protects consumers against identity theft, unlawful invasions of privacy, and other computer-related violations by enforcing New Jersey’s Consumer Fraud Act , the Computer Related Offenses Act, the Identity Theft Protection Act, and other statutes such as COPPA , the federal Children’s Online Privacy Protection Act.
The Division’s Cyber Safe NJ website, at www.NJConsumerAffairs.gov, provides useful tips to help consumers take an active role in protecting themselves and their information in the online world.
Consumers who believe they have been cheated or scammed by a business, or suspect any other form of consumer abuse, can file a complaint with the State Division of Consumer Affairs by visiting its website or by calling 1-800-242-5846 (toll free within New Jersey) or 973-504- 6200. [TLS]