LexisNexis talks with the ITRC in the newest Fraudian Slip podcast about the impact of identity fraud in the government & business sectors and how you can prevent identity fraud 

  • This month’s Fraudian Slip podcast talks about the steady growth of cybercriminals using stolen information to commit identity fraud.  
  • In the final ten months of 2020, the Identity Theft Resource Center (ITRC) helped about 750 individuals who were the victims of unemployment identity fraud. On June 2, the ITRC surpassed the number of identity-related unemployment fraud victims for 2020 in only six months.  
  • The ITRC sat down with LexisNexis, a leading provider of information used to mitigate risks, to discuss identity crimes, how you can prevent identity fraud and much more. Listen to this week’s episode of The Fraudian Slip.
  • You can also learn more about identity fraud in government and business, other topics discussed in the podcast, and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.  

Below is a transcript of our podcast with special guest Haywood J. “Woody” Talcove, CEO of LexisNexis Special Services 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses.   

This month, June, we’re going to dig into a trend impacting consumers, businesses, government agencies and other institutions. That trend is the steady growth of cybercriminals using stolen information to commit identity crimes. How can you prevent identity fraud? 

Identity theft occurs when a person’s or business’s information is stolen. Identity fraud is when that information is misused, and there is a lot of misuse going on these days. At the ITRC, in the final ten months of 2020, we helped about 750 individuals who were the victims of unemployment identity fraud – which is to say a criminal used their personal information to apply for unemployment benefits in their home state or other states.  

On June 2, the ITRC surpassed the number of identity-related unemployment fraud victims for 2020 in only six months, with four months left until the enhanced benefits that are attracting criminals expire.  

At the root of the rise in identity fraud is the billions of bits of personal information available to cybercriminals that can be used to pretend to be just about any adult in the U.S. While that may sound intimidating, there are groups whose mission is to help prevent information misuse and to ensure people “are who they say they are” to make sure benefits and privileges go to the actual person who needs them. They ensure the benefits do not go to a professional imposter halfway around the world, an organized crime ring or just garden variety criminals down the street. 

Helping us make sense of how you can prevent identity fraud is the ITRC’s CEO Eva Velasquez and Haywood J. “Woody” Talcove, CEO of LexisNexis Special Services, a leading provider of information used to mitigate risks.   

We talked with Haywood J. “Woody” Talcove about the following: 

  • What LexisNexis does to help mitigate risk. 
  • The impact of identity fraud in the government and business sectors. 
  • What can be done to prevent and mitigate identity fraud by government and business (information as both a risk and the solution). 

We talked with Eva Velasquez about the following: 

For answers to all of these questions and more on how you can prevent identity fraud, listen to this week’s episode of The Fraudian Slip Podcast.   

Contact the ITRC 

You can learn more about identity fraud as well as get help if you have been the victim of an identity crime by visiting the ITRC’s website at www.idtheftcenter.org. While you are there, sign up for our emails that alert you to the latest scams, monthly data breach updates and tips to protect your identity. 

Be sure and join us next week for our sister podcast, the Weekly Breach Breakdown, and next month for another episode of The Fraudian Slip.  

  • Scripps Health cyberattack led to a pause in the healthcare provider’s medical services for weeks and the exposure of personal and financial information for more than 147,000 people.  
  • A Herff Jones data compromise was discovered after multiple students reported fraudulent transactions with their payment cards. 
  • A data exposure of an unsecured database divulged an elaborate Amazon review scam. The database had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 
  • For more information about May data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.  

Notable May Data Breaches 

Of all the data compromises the Identity Theft Resource Center (ITRC) tracked in May, three stand out: Scripps Health, Herff Jones, and an unsecured database with fake Amazon reviews. All three data events are notable for unique reasons. In one, a ransomware attack led to the exposure of sensitive information and a healthcare system having to shut down its systems, impacting thousands of patients. Another event was discovered after graduating students from several universities in the U.S. noticed fraudulent transactions on their payment cards. The third compromise revealed an Amazon review scam after messages were found between Amazon vendors and customers willing to provide fake Amazon reviews for free products. 

Scripps Health 

On May 1, Scripps Health, a San Diego-based healthcare system, suffered a ransomware attack that shut down many of its systems for nearly a month. According to HealthITSecurity, attackers gained access to the network, deployed malware, and exfiltrated copies of data on April 21. It was recently revealed that more than 147,000 patients, staff and physicians may have had their personal and financial information compromised as part of the Scripps Health cyberattack. However, electronic medical record applications were not accessed during the attack. Instead, the data was stolen from other documents stored on the network. 

The information exposed in the Scripps Health cyberattack includes names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and clinical information such as physician name, dates of service and treatment information. According to a notice from Scripps Health, for less than 2.5 percent of patients, Social Security numbers and driver’s license numbers were also affected.  

The Scripps Health ransomware attack is just the latest in a long list. Ransomware attacks are considered one of the top cybersecurity threats in 2021. Cybersecurity firm Proofpoint found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a survey from earlier in the year. 

Herff Jones 

Bleeping Computer reports that students from several universities in the U.S. recently made claims about fraudulent transactions after using payment cards at cap, gown and class ring maker Herff Jones. Most students reported losses between $80 and $1,200, while one student reported a friend was charged $4,000 for a PS5 gaming system.  

Herff Jones, unaware of the compromise until students complained on social media about the fraudulent charges, immediately began an investigation. While the investigation is still ongoing, the company says they identified the theft of certain customers’ payment information. The impact of the Herff Jones data compromise is still unknown, including the number of records exposed and what records may have been compromised aside from payment card information. In a statement, Herff Jones said that they have taken steps to mitigate the potential impact and notified law enforcement.

Unsecured Database with Fake Amazon Reviews 

A data exposure of an Elasticsearch database divulged an elaborate Amazon review scam. According to Safety Detectives, the database, which contained over 13 million records and anywhere from 200,000 to 250,000 affected users, had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 

The Safety Detectives research team says the server was left open without any password protection or encryption. The personal data of people providing fake Amazon reviews, as well as Amazon vendors, could be found in leaked messages on the database. The information exposed includes full names, emails, usernames, PayPal addresses, links to Amazon profiles and more. The data exposure reminds us that no one is immune from being impacted by a data compromise, whether it is a cybercriminal or a regular consumer. For more information on this data compromise, read the ITRC’s blog on the incident. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.   

In an interview with NBC 7 San Diego on the Scripps Health cyberattack, ITRC CEO Eva Velasquez advises anyone impacted to freeze their credit and report the incident to their creditors and bank.  

Regarding the Herff Jones data compromise, the company encourages people with questions to reach out to their customer service team at 855.535.1795 between 9 a.m. and 9 p.m. EST Monday through Friday until they identify and notify impacted customers.  

notified 

For more information about May data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.  

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.     

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • Multiple states, including California, Florida, Colorado and more, are offering lottery & sweepstakes incentive programs for COVID-19 vaccine recipients, but scammers are taking advantage of the eager consumers.
  • Scammers are posing as government officials and informing vaccine recipients they have won a lottery, then following through by asking for bank details and Social Security numbers.
  • To avoid these scams, be on alert for anyone asking for banking and personal information that can lead to financial identity theft. 
  • If anyone believes they are a victim of a COVID-19 lottery or sweepstakes scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.  

Millions of U.S. residents have already received their COVID-19 vaccine and are automatically entered into their state’s lottery or sweepstakes program, which scammers are cashing in on as well. For example, California residents are reporting COVID-19 vaccine scams where criminals pose as government officials with fake notifications claiming they have won the lottery. The scammer then asks for personal or banking data to claim their prize.

Who are the Targets? 

Residents of states with lotteries or other vaccination incentives; vaccine recipients 

What is the Scam? 

Criminals are posing as government officials, informing vaccine recipients they have won the lottery and asking for bank details and Social Security numbers.

What They Want 

Scammers can use your banking information from these COVID-19 vaccine lottery scams to commit financial identity theft or sell your information to other cybercriminals. They are also looking to collect “lottery fees” upfront. Remember, you should never pay money to receive money, especially in a contest, sweepstakes or lottery.

How to Avoid Being Scammed 

  • California and Colorado state residents 18 and older who receive the vaccine are automatically entered to win based on shot registration information and do not need to enter. However, Kentucky and Oregon residents must enter through the official website. Be sure to check with your state’s program on entering rules. 
  • If you are a lottery winner, you do not need to pay money or provide your banking information to claim your prize. 
  • Always go directly to the source to verify if the information is coming from a legitimate source. In this case, check with the Department of Public Health or lottery authority in your state. 
  • If you’ve received a phishing email, text or phone call, report it. You can report it to the Federal Trade Commission at www.ftc.gov/complaint.  

If anyone believes they are a victim of a COVID-19 lottery or sweepstakes scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • Amazon recently connected to its new network, “Sidewalk,” leaving some people wondering how to opt-out of Amazon Sidewalk. It takes a little piece of network bandwidth from people who have either an Amazon Echo or a Ring doorbell connected to their Wi-Fi and shares it with others who have Amazon devices to create a mesh network.
  • While Amazon says the information will not be shared with other devices on the network, it still connected to people’s devices without their permission.
  • To opt-out of Amazon Sidewalk on an Amazon speaker, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk and choose Disable. For a Ring doorbell, in the app go to the Control Center > Amazon Sidewalk > Disable > Confirm.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Sharing is Not Caring

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 11, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will talk about how your parents, grandparents and teachers were wrong when you were young – at least when it comes to cybersecurity. We will also discuss how to opt-out of Amazon Sidewalk, a new mesh network.

How many times did you hear someone tell you that you need to share your toys with your sister or brother? “Share what you have” with your friends probably was thrown in there, too – along with this chestnut: sharing is caring.

That might be true on the playground when you’re talking about a cup of goldfish crackers. However, in today’s episode, we are talking about privacy and cybersecurity. Sharing is definitely NOT caring, especially when you’re forced to give up a piece of your internet bandwidth to your neighbors.

Amazon’s New Mesh Network “Sidewalk”

We are talking about Amazon’s new mesh network known as “Sidewalk.” Sounds innocent enough, right? It makes you think of walking around your neighborhood waving at your friends sitting on their front porch while you take a stroll with your trusty dog Rex.

Except in this scenario, you have an Amazon Echo smart speaker and a Ring doorbell connected to your Wi-Fi. Rex is wearing a tile smart tag, so you can find him when he runs away to make a deposit on a neighbor’s lawn. All of those Amazon smart devices are now automatically connected to the new Sidewalk network that went live on June 8, without your permission.

What the New Sidewalk Network Does

Right about now, you may be wishing you could trade that glass of lemonade you have been nursing on your walk for something a little stronger because chances are you’ve never heard of Sidewalk. That’s what Amazon calls its new local network that takes a little piece of your network bandwidth, up to 500 MB per month, and shares it with your neighbors who also have Alexa hanging around their houses.

The idea is it boosts Wi-Fi signals in weak areas by pooling the bandwidth of every house that has an Amazon device on a network. This “take a little here and give a little there” approach is known as a mesh network.

What It Means

Amazon hasn’t been shy about touting the benefits of this kind of expanded network. It means when Rex runs away, that tile smart tag you put on his collar can be tracked as long as Rex is near the new neighborhood-wide network. It means a sketchy signal will not prevent your Ring doorbell from showing you that pimply-faced kid who just showed up to take your daughter to the movies. Also, it means you can ask Alexa to tell you a joke in parts of your house where you couldn’t connect until Sidewalk launched.

What it doesn’t mean, according to Amazon, is that Alexa will share your information with the other devices in your neighborhood that are now connected to the wider network. There are also strict limits on how much bandwidth Sidewalk can use per month, so your internet bill doesn’t go through the roof.

While that’s good to know, it doesn’t change the fact that Sidewalk is, like Alexa and Ring, always on and you were not asked if you wanted to join the network.

How to Opt-Out of Amazon Sidewalk

Fortunately, there is a way to jump off the Sidewalk by changing the settings on your Amazon devices. Here’s how to opt-out of Amazon Sidewalk:

  • For the Echo family of speakers, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk. Choose Disable, and you’re done.
  • In the Ring app, go to the Control Center > Amazon Sidewalk > Disable > Confirm.

While you’re busy putting your Wi-Fi back in the house where it belongs, make sure you have a strong password on your home network to keep cybercriminals and your cheapskate neighbor off your network. Sorry, we can’t do anything about the kids or dogs on your lawn.

Contact the ITRC

If anyone has questions about keeping their personal information secure or on how to opt-out of Amazon Sidewalk, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).

Thanks to Experian for supporting the ITRC and this podcast. Next week be sure to check out our sister podcast, The Fraudian Slip when we talk with the CEO of LexisNexis Special Services about the role of information in preventing identity crimes. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, are becoming more popular. Their use is up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
  • API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
  • To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Program Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm SALT:

  • Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
  • Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
  • Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
  • One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • E-signature scams are rising as remote workers rely more on services like DocuSign, HelloSign and other similar services. Recently, some employees at the Identity Theft Resource Center (ITRC) received phishing emails that claimed to have an invoice to sign that was attached to the email.  
  • Other e-signature email scams ask people to enter their personal and financial information, claiming that they either have a notification or their account was suspended.  
  • These e-signature scams and phishing attacks can lead to malware and stolen personal and financial data used to commit different forms of identity crimes.  
  • To avoid these scams, you should ignore any emails you are not expecting, never click on any unknown links and reach out directly to the person the email claims to come from to verify the validity of the message.  
  • If anyone believes they are a victim of an e-signature scam or wants to learn more, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.  

DocuSign and similar services that offer verified electronic signatures have grown in popularity since COVID-19. According to one e-signature company’s recent financial report, their total revenue has increased by more than 50 percent. It’s no surprise more people need the services of an e-signature company. It is also no surprise that e-signature scams are spiking as a result. Multiple Identity Theft Resource Center (ITRC) employees recently received emails claiming to be from DocuSign with “invoices” attached.

While convenient, e-signature services give threat actors another way to steal identities and financial and personal data. Consumers should keep an eye out for e-signature email scams so they don’t fall victim to a phishing attack.  

Who are the Targets? 

DocuSign users; Email users; Employees 

What is the Scam? 

In the latest e-signature scams, criminals send phishing emails claiming to come from “DocuSign Electronic Service.” The subject line typically tells users they received an invoice or notification from a service – DocuSign Electronic Service – for example. The emails contain malicious attachments that could lead to malware. Other e-signature scams tell people that they have a notification or their account is suspended and to click on a link and enter their personal and financial information. 

What They Want 

Criminals commit malware attacks and steal people’s personal and financial information to execute an array of identity crimes. They use the information to access people’s bank accounts, credit card accounts and work accounts, or they sell the personal information to other criminals. 

How to Avoid Being Scammed 

  • If you have not been requested to sign any documents, be wary of an email asking you to sign something. It is probably a phishing attack. 
  • Look for misspellings in the email. Sometimes scammers will alter a letter in the sender’s email address, hoping you do not notice. For example, if it is a DocuSign email scam, the sender address may be “@docsgn.com” instead of “@docusign.com.” 
  • Always check the sender’s email. If the email comes from an address or name you do not recognize, ignore it. If it claims to be from someone you work with, contact that person directly and ask them if they sent you the document. 
  • Never click on any links in an email you are not expecting. Instead, contact the source of the email directly to verify the validity of the email. 
  • If you’ve received a phishing email, report it. You can report it to the Federal Trade Commission at www.ftc.gov/complaint.

To learn more about e-signature scams, or if you believe you were the victim of an e-signature email scam, contact the ITRC toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.   

  • A new cybersecurity executive order will lead to the creation of a Cyber Safety Review Board, removing barriers to sharing threat information and much more.
  • The Cyber Safety Review Board will determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company, and will meet anytime there is a significant event. Also, federal agencies will eliminate legal barriers that prevent the sharing of information about data and security breaches.
  • Since the same companies that sell technology to the government also sell products to consumers and businesses, the level of quality and security will rise for every use and everyone.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming in June, you can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Come What May

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 28, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will focus on something unusual – a new cybersecurity executive order and solutions to the seemingly endless race against cybercriminals.

In Macbeth, Shakespeare wrote: “Come what come may, time and the hour runs through the roughest day.” Without question, the last six months have been rough on companies, governments and individuals as identity scams and cyberattacks have captured headlines and disrupted lives.

Changes to How the Federal Government Approaches Cybersecurity

From companies most people have never heard of like SolarWinds and Accellion to household names like Microsoft and Peloton, along with critical infrastructure organizations like Colonial Pipeline and the respected Scripps Health system, organizations and institutions alike have been on the wrong side of data and security breaches.

However, federal officials have announced a series of actions that privacy and cybersecurity experts are praising as both needed and welcome changes to how the federal government approaches cybersecurity. Because the U.S. government purchases billions of dollars in IT products and services each year, the private sector, including individual consumers, will also benefit.

Top Provisions in New Cybersecurity Executive Order

There are seven key actions in the new Executive Order on Improving the Nation’s Cybersecurity. We don’t have time to go into all seven, so let’s focus on two of the most important provisions:

  1. Establishing a Cyber Safety Review Board; and,
  2. Removing barriers to sharing threat information.

The best news is, we already have a model in other areas that we know works. Here’s what we mean. Southwest Airlines flight 1380 was climbing through 32,000 feet on the morning of April 17, 2018. At approximately 11:03 a.m., fan blade No. 13 in the left engine shattered due to a previously undetected stress fracture. A 12-inch section weighing 6.825 pounds and a two-inch section of a fan blade weighing .650 pounds separated from the rest of the fan blade assembly. The result was an uncontained failure of the jet engine.

We know all of this because the National Transportation Safety Board (NTSB) publishes its findings so the public and industry can benefit from the knowledge gained in accident investigations. This decades-old information-sharing model has resulted in the safest form of transportation on the planet. According to the National Safety Council, the odds in 2019 of you dying while walking were one in 543. Dying in a plane crash? So low as to not be measurable.

What are the odds of a company suffering a cyberattack? It’s not a matter of “if,” but how many times, how frequently and if the attack succeeds. A 2017 study by the University of Maryland claims an attack occurs every 39 seconds. Yet, despite the near-constant level of cyber threats, there is no NTSB-style body to find and share the root causes of cyber incursions and the ways to prevent future attacks.

What the New Cybersecurity Executive Order Means

Due to the new cybersecurity executive order, federal agencies have been instructed to find the legal barriers that prevent the sharing of information about data and security breaches and get rid of them. The Homeland Security Secretary is to form a panel of public and private sector experts to determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company. The group is to convene anytime there is a significant cyber event, just like the NTSB.

Later in the year, federal agencies and the companies that sell them hardware and software will have to adopt strict new quality control standards. Because the same companies that sell technology to Uncle Sam also sell products to consumers and businesses, the overall level of quality and security will rise for every use and everyone.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). And coming in June, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

Synchrony shares with the ITRC in the newest Fraudian Slip podcast the latest in data minimization, privacy laws and their impact on consumers 

  • On this month’s Fraudian Slip podcast, we are talking about the evolution of privacy. In 2018, the European Union adopted a data privacy law (General Data Protection Regulation, known as the GDPR). Since then, multiple states in the U.S. have either adopted laws with many of the same principles, or are actively considering one.  
  • The ITRC sat down with Synchrony, one of the leading financial services companies based in the U.S., to discuss these privacy issues and much more.  
  • To learn more, listen to this week’s episode of The Fraudian Slip
  • You can also learn more about the privacy, security and identity management topics discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started. 

Below is a transcript of our podcast with special guest Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses.  

This month, May, we are going to talk about the evolution of privacy. Historically, we have always treated privacy, cybersecurity and identity management – that’s how your identity information is created and used – as three separate and distinct issues. We have a handful of federal laws that deal with identity and cybersecurity – primarily around health and financial information.

Every state, the District of Columbia and U.S. territory has a data breach notice law that requires consumers to get an alert if their personal information is exposed in a cyberattack or just good old-fashioned dumpster diving. We also have a patchwork quilt of industry self-regulations and government regulations that address the security required to protect data that companies keep on their customers and prospects. 

However, there is a change, and an evolution of privacy, in the wind. What started in the European Union in 2018 with the adoption of a single, comprehensive data privacy and cybersecurity law has now spread to the U.S. California has adopted many of the principles found in the EU’s General Data Protection Regulation (GDPR). Now, the Commonwealth of Virginia has joined the club.  

A dozen other states are also actively considering new privacy laws that add rights for consumers, obligations for businesses and fundamentally change the way we think about how we create, use, store, share and protect personal information. 

We talked with Ricky Davis, Sr. Vice President & Chief Privacy Officer for Synchrony, one of the leading financial services companies based in the U.S., about the following: 

  • The role of a Chief Privacy Officer 
  • The benefits to an organization to have a privacy focus 
  • What we have learned about the GDPR after three years that will help U.S. consumers and businesses 
  • The concept of data minimization (don’t collect or store more than you need for longer than you need it) and why it is important 
  • State laws versus a comprehensive federal law 

We also talked with ITRC CEO Eva Velasquez about the following:  

  • The practical effect on consumers of having three separate infrastructures – privacy, security and identity management 
  • The benefits to consumers from having more rights to access data 
  • State laws versus a comprehensive federal law 

For answers to all of these questions, and more on the evolution of privacy, listen to this week’s episode of The Fraudian Slip Podcast.  

Contact the ITRC 

You can learn more about data privacy, cybersecurity and other identity-related issues by visiting the ITRC’s website at www.idtheftcenter.org and by listening to our sister podcast, the Weekly Breach Breakdown.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone, by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip. 

  • With data breaches on the rise over the last 30 to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach that impacted 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software, allowing other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMobile, a third-party software issue exposed users’ personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual number, based on early downloads of the iOS update, is that 96 percent of users are saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, data breaches on the rise or the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.