T-Mobile data breach highlights cybersecurity issues for clients
Advisers should be proactively discussing the attack with clients to protect those that have current or past association, experts say. There are simple tips for clients to follow.
Advisers should be proactive to protect their clients after T-Mobile said Wednesday millions of current, former and prospective customers’ personal data has been compromised by a cyberattack.
T-Mobile said it is “urgently investigating the highly sophisticated cyberattack against T-Mobile systems,” according to a company statement on its website. T-Mobile did confirm that the data breach, which includes names, social security numbers and driver’s license information, affects as many as 7.8 million postpaid subscribers, 850,000 prepaid customers and just over 40 million past or prospective customers who have applied for credit with T-Mobile.
Financial advisers should be proactively reaching out and discussing the T-Mobile data breach with clients to protect those that have any current or past association with the provider, says John O’Connell, president and founder of The Oasis Group. If a client’s personal information, like their SSN, is compromised there are immediate actions an adviser can take to help.
The first thing advisers should do immediately is notify the Federal Trade Commission via its identity theft reporting website, O’Connell said. “What will happen there is that if someone tries to re-register [a client’s] SSN, they can’t because you’ve already been notified that your SSN was compromised,” he said. Advisers should also have clients freeze their credit on all three of the major credit bureaus, O’Connell said.
Another option is to notify the IRS of a SSN hack because the IRS will give the client a PIN to use to file taxes and put an alert on the SSN, says Tara Unverzagt, a financial planner with South Bay Financial Partners.
“The IRS PIN is really important and not all financial advisers realize this,” she said in an email. “SSNs are used to file false tax returns that have a major refund that is put in a bank account that is connected with the ‘bad guy’ not the real person.
“When the real person files their tax return, they can’t and they may not be able to efile for a number of years after that. So best to make sure nobody files a tax return with your tax ID,” Unverzagt said.
Advisers can also recommend that clients get a My SSA account, which gives users access to personalize their Social Security protection, Unverzagt said. “If you don’t have an account and someone has your SSN, they can get an account before you do,” she said. “So beat them to punch and get your account up and running.”
Password diversification is also critical when data breaches come up, says Unverzagt, who had a client’s IRA account hacked because the client was using the same password as her Yahoo account. When Yahoo revealed that a 2013 security breach exposed information on all of its 3 billion user accounts, her financial accounts got hit also.
“The brokerage’s insurance refilled the account,” Unverzagt said. “But it was very scary and stressful, and she could have avoided it by having a better password system and changing passwords regularly.”
The last step an adviser can take with a client that is impacted by a data breach is to notify their employer, O’Connell said. A hacker may try to open up a fraudulent unemployment claim using the stolen SSN, and a fraudulent claim will go to an employer first.
“Now, this is not a big deal if you don’t work for a big company,” O’Connell said. “But if you work for a big company, you know that unemployment claims may take weeks for them to process and in the meantime, someone’s getting your unemployment money, and getting that money back into your unemployment account is unbelievably difficult to do.”
Financial advisory firms of all kinds have received fair warning that they must strengthen their data security and client identity protocols. The warning came in the form of the revelation of the huge Equifax cybersecurity breach, the Securities and Exchange Commission breach of 2016, and acknowledgement that the Internal Revenue Service was hacked twice in 2017 — with a February 2017 breach exposing the Social Security numbers of at least 464,000 taxpayers.
“Every adviser says they want to be the quarterback for their clients,” O’Connell said. “If you know that your client has a T-Mobile number, proactively reach out and send these action items in an email.”
For reprint and licensing requests for this article, click here