Use any tools offered to monitor credit following Ticketmaster data breach, says expert
Instructions, support provided by companies impacted may be the best place to start, says data breach expert
Consumers who have fallen victim to corporate data breaches should stay vigilant about monitoring their personal accounts and financial information, but may not need to completely cancel or close affected accounts, according to a lawyer and data breach expert practising in Canada.
The advice comes in the wake of major data breaches affecting customers of companies as large as American telecom giant AT&T or the world's largest ticket seller, Ticketmaster.
In particular, the instructions and support provided by those companies may be the best place to start, according to Brent Arnold.
"You should do what they tell you to do, because usually they give you some advice that's intended to empower you to look after yourself and protect yourself," said Arnold, lawyer and data breach counsel with law firm Gowling WLG in Toronto.
"It's almost always the same tips and those tips are a good idea," he said, referring specifically to instructions to monitor both the compromised and other accounts for unusual activity, and to sign up for any offered credit monitoring services.
In the email sent by Ticketmaster to many of its customers, the company offers identity monitoring free of charge for a year.
Arnold points out accessing these services goes beyond just checking a person's credit score.
"They're actually going into the places where people sell accounts to see if your data is there. It's way more than just giving you unlimited access to your credit rating stuff," said Arnold.
Cloud system contained names and payment info
Ticketmaster emailed customers on July 8 that it had discovered an "unauthorized third party" obtained information from a cloud database hosted by a third-party company between April 2 and May 18.
The information "may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates," the email read.
In a previous interview with CBC News, Evan Light, an associate professor of communications at York University, suggested strong action be taken by affected customers.
"If people get emails from Ticketmaster saying that they're among these accounts, I'd say cancel your credit card right away," said Light.
RBC would not cancel credit card: customer
Advice like this was taken to heart by Daryn Magdall, who opted to call his financial institution to ask for his credit card number to be changed.
According to Magdall, RBC refused to accommodate when he called.
"They [RBC] proceeded to explain to me that Ticketmaster's investigating and we don't know that your credit card's actually been breached yet or not ... we're not going to change your card. We won't replace your card," he told CBC News.
When asked their policy in these situations, generally, RBC told CBC News that clients can cancel and replace their RBC credit cards on demand by reporting them as lost or stolen online, or by visiting a branch.
"The 'Report Lost or Stolen Credit Card' option in our online banking and mobile app is a convenient way for clients to cancel their credit cards for any concern with the security of their physical card or their card credentials. Alternatively, clients can always request cancellation through our Advice Centre or by visiting a branch," wrote RBC in a statement.
The bank added that clients should always monitor their accounts for suspicious activity.
The Canadian Bankers Association echoed RBC's message, saying that while it couldn't comment on this situation specifically, customers should report unauthorized transactions immediately.
It's little comfort to Magdall, who felt he was being proactive and was rebuffed because he had not yet been the victim of an unauthorized transaction.
"There have been stories where banks have refused to make right when somebody has been defrauded because they have excuses that, oh, you didn't protect this or you didn't do that," he said.
Consumers are targets 'by proxy'
From Arnold's perspective, the data breach expert says he understands why a bank representative might have been reticent to issue a new credit card number.
"Imagine that I ran to the bank every time or Visa every time one of these things came in and said, 'Change my credit card number.' The administrative burden of dealing with that for the banks and the credit card companies would be enormous," he said.
Arnold pointed out that, unfortunately, data breaches such as this one are becoming routine and consumers must respond by protecting themselves as part of a routine.
"Don't reuse passwords," he said, adding that multi-factor authentication on home computers and mobile devices is key.
"Too many people don't do that, because they think, oh, I'm not a target. You may not be, but as we saw here, businesses that you do business with are targets. So you end up being a target by proxy."
With files from Kevin Maimann