In our 2018 End-of-the-Year Data Breach Report, the Identity Theft Resource Center reported 907 data breaches that impacted the business sector; these breaches outnumbered those reported for the banking, education, government and medical sectors combined. Of the five industry categories ITRC tracks for data breaches (banking/credit/financial; business; education; government/military; and medical/healthcare), business-related data breaches are the most common.


That is just one reason why the ITRC has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999. Our mission is to help people proactively reduce their risk of becoming a victim of identity theft and to empower them if they become a victim. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. We’re continuing our 10,000 breaches blog series with a look at the top five business data breaches that impacted U.S. consumers and the personal information compromised.

Starwood Hotels & Resorts Worldwide, LLC. (Marriott International)

In November 2018, Marriott announced that its Starwood guest reservation database had been accessed by an unauthorized user. Nearly 383 million records were accessed in this business data breach, which included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates and encrypted payment card numbers. Hotels are typically hot targets for data thieves due to the sheer volume of people’s data available.

Heartland Payment Systems

Payment processor Heartland Payment Systems announced in January 2009 that its processing systems had been breached one year prior, affecting thousands of businesses and banking institutions. Around 130 million consumers’ credit and debit card information had been stolen, including cardholder names, card numbers and card expiration dates, putting all consumers at risk for fraud. An investigation into the business data breach began once Heartland received notifications from Visa and MasterCard about suspicious activity surrounding card transactions its payment systems had processed.

Equifax

Once again, Equifax makes the list. As many people know, in 2017 Equifax experienced a hack that exposed 148 million U.S. consumers’ personal information, including names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, email addresses, payment card information and Tax ID numbers. In July 2019, Equifax reached a $700 million settlement due to their business data breach and agreed to spend up to $425 million to help the victims of the breach. If you were affected, you can file a claim for cash or free credit monitoring services. You can also file a claim for a minor who has been impacted. If you have questions about the settlement and what it means, read more here.

Experian/T-Mobile

In September 2015, Experian North America disclosed a breach of their computer systems that affected 15 million applicants for device financing from wireless provider T-Mobile. Names, birthdays, addresses, Social Security numbers and alternate forms of identification (such as driver’s license numbers, passport numbers or military ID numbers) were some of the information exposed. While the business data breach impacted Experian’s services, it did not affect their consumer credit database. According to T-Mobile, Experian took full responsibility for the theft of data from its server and offered free credit monitoring services to all the consumers who were potentially at risk.

MyFitnessPal (Under Armour)

It was discovered that an unauthorized party acquired data associated with Under Armour’s MyFitnessPal user accounts in March of 2018. Approximately 150 million user accounts were compromised in the business data breach, exposing usernames, email addresses and hashed passwords. MyFitnessPal released a notice of data breach stating they quickly took steps to determine the nature and scope of the issue and were working with data security firms and law enforcement authorities in an investigation. In the same statement, MyFitnessPal recommended that users change their passwords for all their MyFitnessPal accounts, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for personal data, and avoid clicking on links or downloading attachments from suspicious emails. (These are practices the ITRC encourages consumers to take with all of their accounts to reduce their risk of identity theft.)

Coming Up In 10,000 Breaches…

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top medical and healthcare breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

 

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



Facebook says using real names helps them keep the most popular social networking site in the world safer. By confirming identities, Facebook states it can help stop or minimize the risk of scams, phishing, abuse and foreign political influence.

In an effort to protect your identity from threats, Facebook is asking some users to send personal identifying information (PII) to prove users are who they say they are. This can happen for general users as well as advertisers. With obvious concerns for the safety of one’s identity, this blog details what, why and how Facebook uses this information.

What This Means for Users

For the average Facebook user, the company might ask you to provide a form of personal identification if you have lost access to your account, they detect suspicious activity or you need to confirm your Facebook name. Facebook will prompt you for verification when a concern arises on your account.

What Must I send to Facebook?

Facebook asks for PII that either includes your name and birth date or name and photograph. This could be a driver’s license, birth certificate, passport, green card or a tax identification card (view the full list here). If you do not want to send Facebook one of the items listed above for personal identification, you do have the option to send additional documentation like bank statements, credit cards, medical records, military IDs, religious documents or a social welfare card. You must provide two documents from this list, and Facebook still might require photo and birth date documentation.

Why Must I send Personal Information to Facebook?

Facebook claims they ask for personal identification to protect your identity and the overall safety of the network ecosystem. If you submit a complaint that you have been locked out of an account, for example, they want to make sure they grant access back to the right person and not an impostor. Of course, there are less serious incidents when it comes to account safety, like requesting to reset a password through email verification.

Another instance Facebook might ask you for personal identification is when you request to change your Facebook name. Whether you just got married, decided to stop or start going by a nickname or are removing your husband or wife from your joint account, Facebook could ask you to verify your identity first.

Technically Facebook users are supposed to go by their real name, even if this rule was not enforced in the past. For this process, Facebook requires the name on your account and the name on your personal identification to match.

How do I Provide my ID to Facebook?

Facebook asks users to scan or take a photo of their personal documents and then upload them when prompted while trying to access their account.

Facebook will never ask you for your password or to provide identification in an email, or send you a password as an attachment. Emails sent from scammers posing as Facebook often include notifications about platform engagement, community standards and security warnings. Do not engage with Facebook emails if you are unsure of the content. Log directly into Facebook from a secure browser to check for any notifications regarding your account.

How does Facebook Protect the Information I Send?

Facebook claims to treat user personal information with the proper security standards. Their website says, “After you send us a copy of your ID, it’ll be encrypted and stored securely. Your ID will not be visible to anyone on Facebook.”

Facebook does ask users to allow them to “increase their efforts” by giving permission to store your encrypted personal identification for up to one year, with the hope of preventing fake accounts and imposters. To prevent Facebook from using your photo in this instance, visit your security settings.

A published Facebook statement emphasizes their concern for user privacy stating,

“We’ll use your ID or official document to confirm your identity. We’ll also use it to help detect and prevent risks such as impersonation or ID theft, which helps to keep you and our Facebook community safe. It will not be shared on your profile, in ads or with other admins of your Pages or ad accounts. After we’ve confirmed your identity, we’ll delete your ID or document within 30 days.”

Community Reaction

One Facebook user posted on the company’s forum on behalf of her father, who could not get into his account after resetting his password saying,

“Now when he goes to log in, he is being asked for a scanned document to verify his identity. Honestly, I think this is ridiculous! He is being asked to submit a picture of his birth certificate, driving license or marriage certificate. I have never been asked for anything like this in all my time on Facebook and I think it is ridiculous to ask people to do this. No wonder there is so much identity fraud!!”

This post, from 2013, is not an isolated incident and addresses the exact concerns of the Identity Theft Resource Center. When you share your PII with companies or individuals, you increase your risk of identity fraud and theft.

Some users reported that, after providing the required personal identification documents, they were still not granted access to their accounts. Other users are at a loss for how to help their child access his or her account without exposing them to dangers. Out of concern for privacy when creating an account, some users did not use their real birthday or name and now do not have proper personal identification documentation. Those users will be forced to change the provided information to what matches their legal records.

In response to a forum complaint, a member of Facebook’s Help Team provided the following statement:

“This usually happens when we detect suspicious activity or security threats to your account. We take your security very seriously, so before we can provide you with any information about this account or give you access to it, we need to make sure it belongs to you.”

ITRC’s Response

Before providing your PII to Facebook, or any other company, you need to assess the risk involved. By sharing your confidential legal documentation for storage on a third-party website, no matter for how long, your risk for identity theft and fraud increases. As we know too well, secured servers are still susceptible to data breaches and cyber attacks. We urge users to evaluate how important using Facebook is to them, the value it provides and the risk they are willing to take to continue using the social platform.


If you are a victim of identity theft in need of assistance, you can receive free remediation services from ITRC. Call one of our expert advisors toll-free at 888.400.5530 or LiveChat with us. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



The first case of AI fraud has been reported after a perpetrator created an audio clip of a company’s CEO and used it to instruct someone else within the company to release funds to the scammers.

In the world of artificial intelligence, a “deepfake” is a completely fabricated audio or video clip in which someone’s real voice or image is used in a situation the person was never in. With relative ease, skilled computer designers and editors can often create videos of a famous person saying or doing things they have never done.

Now being called a “vishing” attack, also known as voice phishing, this AI fraud case involves the head of a German company who supposedly contacted the CEO of one of its UK branches and requested a transfer of funds, stating that they would be reimbursed. The UK employee complied, sending around $243,000 to an account in Hungary. The callers made a total of three calls to the UK company but were eventually refused. Fortunately, the company carries insurance against this kind of AI fraud crime and it was covered.

While the entire point of a deepfake is that it is very difficult to discern from the real thing, there are things consumers and businesses alike can do in order to protect themselves from AI fraud.

Never comply with any kind of sensitive request without prior authorization.

It does not matter if the request comes as an email, a text message or now an audio-based call. Simply take down the caller’s name and the instructions and then verify it with the individual using a known contact phone number or in person.

Establish a company coding system for sensitive requests.

Institute a policy that all money transfers, file sharing or other sensitive activity must include the company “code word” in the instructions. The code should be changed frequently to avoid any threat from hackers.

Make sure that this information is shared throughout the company.

One of the best ways to pull off a successful phishing attack is to target a lower-level employee. It is important to make sure that everyone in the company knows and follows the security protocols.


On July 19, 2019, Pearson PLC reported a data breach affecting approximately 13,000 school and university AIMS Web 1.0 accounts. The data breach was attributed to unauthorized access by an unknown individual. Students had their names and, in some cases, dates of birth and email addresses exposed. Additionally, some staff member names, email addresses and work information – such as job title and work addresses – were exposed.

Editor’s note: School districts affected by the Pearson breach have continued to come forward since the initial July 2019 report. ITRC is tracking each school district separately, as well as part of the larger breach by Pearson. Due to the scope of this breach, an unprecedented number of individual student accounts could have been exposed (hundreds of thousands) leaving an unknown number of victims. ITRC will continue to monitor this breach as it unfolds.

In August 2019 there were a total of 130 data breaches exposing 1,748,078 sensitive records.


By 2021, over 2.14 billion people worldwide are expected to buy goods and services online, up from 1.66 billion global digital buyers in 2016. That means retail data breaches will also be on the rise as point-of-sale (POS) systems, e-commerce sites and other store servers are major targets for hackers looking for large volumes of personally identifiable information (PII) and behavioral data.


That is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches, with monthly and cumulative end-of-year reports published.


ITRC currently tracks five industry categories: banking/credit/financial; business; education; government/military and medical/healthcare. ITRC is a leader in reporting new data breach trends. We’re continuing our 10,000 breaches blog series with a look at the five most impactful retail data breaches for consumers.

Target

Retail giant Target makes the list for their 2013 data breach that exposed the payment card information of 40 million people and the personal information of 70 million. Hackers were able to infect Target’s POS systems with malware, disrupting holiday shopping for millions of consumers. Between Black Friday and Christmas shopping, anyone who shopped at Target from November 27 to December 15, 2013 was at risk for fraud. In a public statement to customers, Target said they moved swiftly to address the issue and that they regret any inconvenience it might have caused.

TJX Companies

In January 2007, TJX Companies Inc., operator of stores like T.J. Maxx, Marshalls and HomeGoods, experienced a retail data breach that affected 94 million customers. Payment card information and customer return records, which included driver’s license numbers, military I.D. numbers or Social Security numbers, were stolen by hackers who were able to gain access to TJX’s computer systems that process and store transaction information. TJX reached settlements with a majority of entities in 2007 and 2008.

Home Depot

Target is not the only retailer that experienced a breach of their POS systems. In 2014, Home Depot announced that they had experienced a retail data breach affecting their payment card processing systems. The hackers were able to steal the payment card information of 40 million customers and emails of 54 million. Since the incident, there have been 57 lawsuits filed against the large retailer. While the company did not admit any wrongdoing, they say they settled so they could move forward and put the incident behind them without incurring further costs.

Hudson Bay

Hudson Bay, parent company of Saks Fifth Avenue and Lord & Taylor, experienced a retail data breach that affected the payment card information of five million customers in 2018. Most of the stores affected were located in New York and New Jersey. It is reported that the retail data breach only affected in-store purchases and did not affect its e-commerce sites. In a statement, Hudson Bay said they deeply regretted any inconvenience or concern the breach may have caused. They also said there was no indication that Social Security or driver’s license numbers were stolen.

Hannaford Brothers

In 2008, supermarket company Hannaford Brothers was breached. It affected just over four million customers. Malware was placed on 300 Hannaford servers as part of the retail data breach which allowed hackers to steal customers’ payment card details as they were used at the check-out. Of the just over four million customers who were affected, more than 1,800 reported their credit cards had been used.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to us to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the biggest business breaches since 2005 and what they meant for consumers. For a look at all of the ITRC’s 10,000 breaches blogs, visit idtheftcenter.org.


Online clothing reseller StockX has admitted that hackers have compromised their customer accounts. StockX, an online platform for reselling high-end shoes and apparel, appears to have suffered a data breach that affected 6.8 million of its customers’ accounts.

Forced Password Reset

However, that is not the newsworthy part of the story. After discovering suspicious activity on its servers that could have indicated unauthorized access, StockX sent out a forced password reset to its customers following the StockX data breach but did not state why. The information in the message requiring users to change their passwords was so vague that some questioned whether or not the email was a phishing attempt.

When a tech industry news outlet reached out to StockX for a comment on the forced reset, they were told that it was part of necessary system updates. However, that seems not to have been true. The same news outlet was later contacted by a hacker who claims to have stolen the customers’ information and posted it for sale on the Dark Web. The hacker went on to provide 1,000 records from the database to prove the StockX data breach was real.

The outlet, TechCrunch, contacted those individuals and verified that the stolen information, which contained their emails, usernames and shoe sizes from previous purchases at StockX, was accurate. At the time of the discovery, the hacker claimed the database of records had already been purchased at least once.

TechCrunch has not received any updates from StockX and their questions have gone unanswered. It is important for the public to be aware of some of the ramifications in the StockX data breach since it could happen with other companies and future data breaches.

Never Reuse Passwords

Companies actually do force password resets just to be on the safe side. If a security team discovers password combinations from previous data breaches of other companies, for example, they can compare those stolen passwords to ones on their site. If their customers have used the same email and password on this company’s website that they had on a site that has already been breached, that might trigger a forced password reset.

Never reuse a password. The hacker who made off with 6.8 million usernames and passwords in the StockX data breach is hoping that a lot of those people reused their email and password combination on their Amazon account, PayPal account, online banking account or email.
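The credential comparison described above, as an added example that is not from the original article or from any company it names. It assumes the site stores salted PBKDF2 hashes, so each leaked password must be re-hashed with the matching account's own salt; the account layout, KDF parameters and all sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed KDF setting for this example; a real site reads the parameters
# its password store already records for each account.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    email: str        # stored lower-cased
    salt: bytes       # per-account random salt
    iterations: int   # PBKDF2 work factor used for this account
    pw_hash: bytes    # PBKDF2-HMAC-SHA256 output


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def normalize_email(email: str) -> str:
    # Breach dumps vary in case and padding; match on a canonical form.
    return email.strip().lower()


def make_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(normalize_email(email), salt, PBKDF2_ITERATIONS,
                   hash_password(password, salt, PBKDF2_ITERATIONS))


def accounts_needing_reset(accounts, leaked_pairs):
    """Return the emails whose current password appears, paired with the
    same email, in credentials leaked from another site's breach."""
    by_email = {a.email: a for a in accounts}
    flagged = set()
    for leaked_email, leaked_password in leaked_pairs:
        account = by_email.get(normalize_email(leaked_email))
        if account is None or account.email in flagged:
            continue  # not our customer, or already flagged
        # Salted hashes cannot be compared across sites: recompute the
        # leaked password under this account's salt and work factor.
        candidate = hash_password(leaked_password, account.salt, account.iterations)
        if hmac.compare_digest(candidate, account.pw_hash):
            flagged.add(account.email)  # record the email only, never the password
    return sorted(flagged)


def demo():
    # Constructed accounts on "our" site.
    accounts = [
        make_account("alice@example.com", "Sneaker$2019"),
        make_account("bob@example.com", "correct horse battery"),
        make_account("carol@example.com", "Tr1ckyPass"),
    ]
    # Constructed pairs standing in for another company's breach dump.
    leaked_pairs = [
        ("Alice@Example.com ", "Sneaker$2019"),  # same pair reused here
        ("bob@example.com", "hunter2"),          # same email, different password
        ("carol@example.com", "tr1ckypass"),     # differs by case: not a match
        ("dave@example.com", "Sneaker$2019"),    # no account with this email
    ]
    return accounts_needing_reset(accounts, leaked_pairs)


if __name__ == "__main__":
    for email in demo():
        print("force password reset:", email)
```

Only the leaked pairs whose email matches an existing account cost a KDF computation, which keeps the check affordable even against a large dump.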

Watch for Phishing Emails

Scammers know that password reset emails are easy to fake. All a scammer has to do is steal the logo from a company’s website, make a fake email address and send it out to millions of people, telling them to click here to change their passwords. Instead, the scammers are gathering up the “old passwords” that the victims typed by following the link.

The customers who were suspicious were very smart. Given these phishing tactics, it was incredibly savvy of them to reach out to the company and tech experts for advice. Never click a link you were not expecting or verify your account information for someone who contacts you.

Have Good Identity Hygiene

Change your passwords frequently, especially if you receive a notification like this one in the StockX data breach. It is simple and smart to change your passwords; just do not rely on an email with a link to do it. Go directly to the company’s website yourself and change your password in your profile settings. Ignore and delete the email, whether it was legitimate or not, and handle the password reset yourself.


The recent Choice Hotels data breach contains so many cybersecurity variables that it is difficult to process the entire breach. Three separate problems all came together to expose an estimated 5.6 million records, although the situation is not as dire as it might seem.

Problem #1 – An accidental data breach

The first issue in the Choice Hotels data breach was an exposed server. Accidental overexposure data breaches are becoming more common, and they are the result of a mishap on the part of the entity in charge of securing company information. These online storage options are basically remote servers housed somewhere else. A company logs into their account, stores all their sensitive information and pays a fee for this service. It is supposed to be more secure and allow businesses to access their data from anywhere. Too often, though, the server is left unprotected and without a password to secure it. That means literally anyone who stumbles upon it online can access all of the information.

Problem #2 – Someone found it

In many accidental overexposures, the company is alerted to the problem by an outside security researcher or helpful tech expert who discovered it. These events are still treated as serious matters since someone could have found and stolen the information quietly. In the case of the Choice Hotels data breach, someone did find it and stole the records, then left a note demanding Bitcoin payment as ransom in order to delete their copy and not tell anyone about the breach.

While this was not actually ransomware, software that infects your system until you pay the hacker’s fee, the tactic was the same. Pay up, or we sell your information and announce that you were breached.

Fortunately, Choice Hotels did not try to cover it up. They carried out a cybersecurity investigation and learned that the stolen information was far smaller than they had originally thought. It was around 700,000 records and may have only included names, email addresses and phone numbers, which is still serious, as scammers can use this information to target these customers with phishing attacks.

Problem #3 – It wasn’t Choice Hotels’ server

The third variable in the Choice Hotels data breach was an outside vendor who left their own server unprotected. While the information belonged to Choice Hotels and was, therefore, their responsibility, a third-party vendor was using the database to demonstrate a new tool that would help Choice Hotels with some aspect of service. Instead, the vendor left their server exposed and allowed the information to be accessed by a hacker.

This kind of third-party relationship has long been the weak link in cybersecurity. The now infamous Target data breach in 2013, for example, involved an HVAC company that serviced some Target stores. Hackers worked their way into the company’s computers due to lax security practices and used that connection to steal millions of payment card account credentials on Black Friday that year.

It is odd to see so many things go wrong in the same data breach, but it happens. The Choice Hotels data breach, while limited in size and potential damage, should serve as a wakeup call to businesses who are working diligently to protect their customers’ data. It is critical that businesses understand who can access information, what they can do with it, how vulnerable it might be and what harm can come about as a result.


The latest Poshmark data breach has led to personal identifying information (PII) being exposed for some users of the marketplace concept that lets people buy and sell clothing and beauty items.

Thanks to the abundance of websites and apps that let us buy, sell, and trade, it has never been easier to find what we love. That is the theory behind Poshmark. On the buyer side, you can look for just the right outfit from users’ virtual closets. On the seller side, you can make some money for items you have already got hanging at home.

Unfortunately, a platform like that will draw quite a few users, which can put it in a hacker’s crosshairs. The company announced it had discovered a data breach of its servers, and it has now helped to specify what types of information were compromised.

The information exposed in the Poshmark data breach appears to be limited to variables like email and username, as well as some shopping preferences like common sizes and encrypted passwords that are not supposed to be visible even if a hacker accesses them. However, to be on the safe side, Poshmark recommends changing your password if you discover that your information was affected by the Poshmark data breach.

Check Where Your Info May Have Been Compromised

There are a couple of handy tools that can help keep internet users safe. The first is a fairly comprehensive website known as HaveIBeenPwned.com. You simply type in your email address and it will show you exactly which known data breaches have contained information related to your email. It is a good idea to try it with any email account you have, even ones that are outdated or you no longer use.

The other tool appeared as part of Mozilla Firefox’s latest browser update. When users even visited Poshmark.com or its blog, Firefox popped up a quick tab that explained user data had recently been stolen from that website. The option to enter your email address to check on your data was included in the popup. Other platforms offer similar tools, and they can help you keep tabs on where your information may have been compromised.

Change Your Password

Poshmark’s advice is sound. In the Poshmark data breach or any other data breach, changing your password should always be one of your first steps.

Never Reuse Passwords

Also, this serves as the most recent reminder of a crucial data security rule: Never reuse your email and password on multiple accounts. If any hackers gained this information from Poshmark, they can easily use it to cross-reference against other, more sensitive websites and apps. If any Poshmark account holders reused their passwords for their email, web retailers, social media, workplace computers, financial accounts or more, the hackers now control them. Change your passwords immediately if you are one of the many consumers who reuse your passwords, and do not forget to update them regularly just to be safe in case there is a data breach like the Poshmark data breach.

If you are a victim of identity theft in need of assistance, you can receive free remediation services from ITRC. Call one of our expert advisors toll-free at 888.400.5530 or LiveChat with us. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



The internet is a great tool in many ways, but it is also filled with privacy pitfalls. Overexposed information from data breaches is now the third certainty, but background check websites are a legal, affordable and easy way for someone to collect a lot of your personal information. With the right pieces of the puzzle, a criminal could even use background check information to steal your identity. One Michigan man used the large amount of information found publicly on these sites to open bank accounts in as many as 51 people’s names, through which he collected nearly $200,000 in fraudulent loans.

Background check websites are perfectly legal ways for someone to find out information about you. Usually, there is a reason for an individual to pay for the data. Perhaps they are hiring a summer babysitter and want your criminal history. They might own a small business where you have applied for employment. Maybe the person is trying to serve court documents on you and needs to know key information in order to file them with the court. Again, background check websites serve a valuable purpose, even if they can be used for harm.

It is important to know that one of the safety nets that is supposed to protect the public from people who use background check websites for identity theft is nothing more than a statement on the website that the information is not to be used for identity theft.

The FBI has already uncovered multiple victims in cases where their information was purchased from a background check website and then used for identity theft. As noted by Quartz, “Online identity thieves use services that provide personal information for sales leads, real estate transactions, and credit reports to steal millions, gathering details about their victims’ lives from federal, state, and local records sold by brokers like BeenVerified, Instant Checkmate, and TruthFinder.”

Until legislation is enacted that will offer stronger protection for consumers, it is up to you to protect yourself.

Watch what you share and what you sign up for

Remember, your identity is like a puzzle. The more pieces you put out there about yourself, the higher the chance a thief can connect the pieces.

Be on the lookout for phishing attempts

A background check website will not tell a buyer everything, but it can be enough to connect the dots. The rest of the filling in can occur by sifting through your social media accounts or sending you phishing emails. Practice good online safety to prevent this kind of thing.

Put a freeze on your credit report

This free option can stop identity thieves from achieving their goal, namely to open new bank accounts and take out loans in your name. By placing a freeze on your credit report with all three of the major credit reporting agencies, lenders are not supposed to be able to issue new lines of credit under your Social Security number. Remember that it takes time to thaw your credit report if you do need to take out a loan or make a large purchase.

Monitor your accounts carefully

Some of the victims of background check identity theft had reported small amounts of money being withdrawn from their bank accounts or charged as fees associated with their accounts. By not ignoring those small transactions, they were able to put a stop to a much bigger crime. Look over all bank statements, credit card bills and your credit report routinely for anything unusual.


The unsecured Facebook server contained nearly 500 million users’ contact info, including a treasure trove of usernames and phone numbers. More than 220 million of them were found for sale online, leading to a Facebook server leak.

How much does it cost to buy access to hundreds of millions of people? Just $1,000.

According to CNET, Elliott Murray, CEO of UK-based cybersecurity company WebProtect, found the information for sale on a web forum in May. He believes it is the same list that TechCrunch reported Wednesday was found on an unsecured web server by cybersecurity researcher Sanyam Jain.

Where did this sensitive information come from in the Facebook server leak? Facebook thinks it might be related to an old feature the company has since shut down. For a while, users could locate each other by phone number rather than Facebook username. Executives realized that feature could be used to steal phone numbers and sell them for spam marketing purposes.

That is apparently what happened in the Facebook server leak. Databases of stolen information are for sale all over the Dark Web. When the database contains complete identities, thieves buy them for identity theft, fraud and even those robocalls you get on a daily basis. However, when it is just lists of email addresses or phone numbers, they still want these in order to send out spam, attempt to scam people or turn around and sell the list to someone else.

Facebook has used an important turn of phrase regarding the Facebook server leak: publicly available. That can mean that this is not “sensitive” information under data breach laws. It does mean, though, that someone did the hard work of compiling the info into an easy-to-use, easy-to-sell database.

There is no cause for concern regarding the security of your actual Facebook account from the Facebook server leak, but it is a good idea to pop into your profile settings and delete your phone number. It will not help if your number has already been posted online for sale, but it can prevent future data scrapes from nabbing your contact info.

There is another lesson to be learned from the Facebook server leak: do not overshare. If you are signing up for a new account and you see that some registration items are optional (like email address or phone number), skip them. If the company does not need it in order to establish your account and let you utilize their site, then it is just one more piece of data that can be compromised. Protect your data and only give it to those who really need it.
