On this article on his blog, Bruce Schneier talks on protecting yourself from identity theft.

TL;DR: You can’t. You can only prevent criminals from using your personal information, which they almost certainly already have.

Bruce Schneier is a cryptographer, privacy and cybersecurity specialist and writer.
He is the author of several books on general security topics, computer security and cryptography and contributor writer for The Guardian.

In the article in question, Bruce starts with a brief introduction focused on most massive dataleaks of the last years

I could give you advice like don't stay at a hotel (the Marriott breach), don't get a government clearance (the Office of Personnel Management hack), don't store your photos online (Apple breach and others), don't use email (many, many different breaches), and don't have anything other than an anonymous cash-only relationship with anyone, ever (the Equifax breach).
But that's all ridiculous advice for anyone trying to live a normal life in the 21st century.

Then, Schneier drops the bomb with a strong statements that sums up very nicely the whole article:

The reality is that your sensitive data has likely already been stolen, multiple times.

Cybercriminals have your credit card information. They have your social security number and your mother's maiden name. They have your address and phone number. They obtained the data by hacking any one of the hundreds of companies you entrust with the data­ -- and you have no visibility into those companies' security practices, and no recourse when they lose your data.

So, what do I do?


The best option is to turn your efforts toward trying to make sure that your data isn't used against you.

So, for example:

  • Enable two-factor authentication for all important accounts whenever possible.
  • Don't reuse passwords for anything important.
    Use a password manager with random passwords, and disable the "secret questions" (or treat them as additional passwords also randomly generated) and other backup authentication mechanisms.
  • Encrypt your backups with GPG key (or similar tools) before putting them on cloud.
    When possible, switch email server and cloud hosting to a self-hosted solution.
  • Monitor your credit reports and your bank accounts for suspicious activity: enable credit monitor emails and fraud alerts.
  • Be wary of email and phone calls you get from people purporting to be from companies you do business with.

References and additional readings