Even for the person in charge of protecting the data of an entire city, total privacy is a moving target.
Ginger Armbruster, Seattle’s chief data privacy officer, recently found herself on the other side of a breach when she discovered a fraudster had used her leaked information to open a sham bank account and float thousands of dollars in bad checks.
“I’m in the biz of worrying more about other people than my own information,” said Armbruster, who has been in the cyber arena since getting her master’s degree from the University of Washington in 2013. “So to have this happen to me … this is the thing we try very hard not to let happen to anybody, to have their data exfiltrated and used for purposes they never intended, because it is so invasive.”
In a post this month on the city’s Tech Talk blog, Armbruster shared how she discovered over the holidays that her personal information had been hacked. She opened a suspicious piece of mail from a well-known bank that she doesn’t use to find a statement showing someone had opened an account in her name and run up almost $5,000 in overdrafts.
Her post goes on to share important lessons that she learned through the ordeal and offer tips (below) to help others who have fallen victim to such theft. Armbruster’s aim is also to bring more awareness to the City of Seattle’s Data Privacy Week.
As a professional whose job is to be aware of risks and understand the consequences of identity theft, Armbruster still felt the sting of being victimized.
“You’ve stolen who I am, and used that in ways I never intended,” she told GeekWire. “Now I’ve got to go prove to somebody it wasn’t me.”
During the 30-to-90-day investigation, Armbruster found herself in the bizarre position of being treated as a suspect by the bank’s fraud department while they verified her story.
In her day job, Armbruster works with a team of 18 people on data compliance public records, managing and securing data for the city and the public. She works closely with Seattle’s chief information security officer to counsel city departments on minimizing what’s collected and taking good care of it.
Armbruster admits that on a personal level, the scale of modern data breaches is “overwhelming” for the human brain to process.
“The bad guys have all the time in the world,” she said. “That’s their full-time job.”
In 2021, about 23.9 million people (9% of U.S. residents age 16 or older) had been victims of identity theft during the prior 12 months, according to the Department of Justice. The rise of artificial intelligence tools is only making scams more sophisticated and harder to detect, the Identity Theft Resource Center reports.
Armbruster’s ability to respond to her own data breach took a great deal of effort, patience and know-how — qualities many vulnerable citizens might not possess.
“You have to be computer literate to be able to fix the problem,” she said, noting that banks often prefer online account creation over phone calls.
People often feel ashamed or embarrassed to fall victim to such a crime. Armbruster stresses that it shouldn’t be that way.
“It’s not shameful. You didn’t do anything wrong. You didn’t make a mistake,” she said. “You can do some things to help yourself, but someone did it to you.”
In her Tech Talk blog post, Armbruster says, among other things, that victims need to act fast and stay vigilant. Here are some key takeaways from her roadmap for recovery from identity theft:
- Assume you’re already leaked: Armbruster warns that given the scale of global breaches, you should assume your data is already on the dark web and it’s only a matter of time before it’s used.
- Freeze your credit: Her No. 1 recommendation is to place a credit freeze with all three major bureaus (Equifax, Experian, and TransUnion). She calls it the “ultimate ‘Do Not Disturb’ sign” for identity thieves.
- Open every piece of mail: Don’t ignore “solicitation” notices from banks you don’t use. These are often the first clue that a fraudulent account has been opened in your name.
- Report to the FBI: Use IC3.gov to file an official complaint. This creates a federal paper trail that is essential if you need to dispute charges or involve local police later.
- Change the “college password”: Use this as a catalyst to finally adopt a password manager and rotate old, weak passwords — especially for financial and email accounts.
- Kill ’em with kindness: When dealing with bank investigators, Armbruster notes that being nice to customer service reps makes them much more likely to help you navigate the complex fraud department bureaucracy.
