• With data breaches on the rise last 30 days to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach impacting 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software, allowing other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt-out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMoble, a third-party software issue exposed user’s personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual numbers based on early downloads of the iOS update is 96 percent of users are saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, data breaches on the rise or on the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign-up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A recent GEICO data breach led to fraudsters gaining access to nearly 132,000 GEICO customer’s driver’s license numbers. GEICO says they believe threat actors could use the information to apply for unemployment benefits fraudulently.
  • The Pennsylvania Department of Health’s third-party contact tracing vendor, Insight Global, failed to secure phone numbers, email addresses and personal information like gender, age, sexual orientation, COVID-19 diagnosis and exposure status of more than 72,000 Pennsylvania residents. Third-party breaches continue to be a growing trend.
  • Like the Pennsylvania Department of Health, ParkMobile Parking App also suffered a supply chain attack. The ParkMobile data incident exposed the non-sensitive information of 21 million users, putting them at risk of falling victim to social engineering.
  • For more information about April data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable April Data Breaches

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in April, three stand out: GEICO, Pennsylvania Department of Health and the ParkMobile Group. All three data events are notable for unique reasons. In one, the company is very detailed in how criminals are misusing the information and what people should look out for; another event includes a contact tracing service failing to secure the private information of some residents in Pennsylvania – re-affirming a trend identified by the ITRC; the third compromise led to the exposure of data for 21 million people – stemming from a supply chain attack.

GEICO

A security bug led to threat actors stealing personally identifiable information (PII) from approximately 132,000 GEICO customers between January 21 and March 1. According to the GEICO data breach notice, fraudsters used the information they acquired about customers elsewhere to obtain unauthorized access to people’s driver’s license numbers through the online sales system of their website. GEICO says that they believe the information from the breach could be used to apply for unemployment benefits fraudulently. Unemployment benefits fraud continues to impact consumers all over the U.S. There could be over $200 billion lost to the fraud. The ITRC has received over 1,400 cases of unemployment benefits fraud in 2020 and 2021, compared to only 12 cases in 2019.

The GEICO data breach is notable because the insurance company is very detailed in how the information could be used and what people need to keep an eye on. It is not often the ITRC sees this level of detail in a data breach notice.

Pennsylvania Department of Health

Insight Global, a company that has provided COVID-19 contact tracing services for the Pennsylvania Department of Health since 2020, failed to secure the private information of more than 72,000 people.  According to WSKG, a health department spokesman said they recently learned workers at Insight Global disregarded security protocols established in the contract and created unauthorized documents outside the state’s secure data system.

The information exposed in the Pennsylvania Department of Health data compromise includes phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status. The Pennsylvania Department of Health does not know how many people may have viewed or downloaded the documents. Officials say notifications will be mailed to all affected Pennsylvania residents.

The Pennsylvania Department of Health data compromise is the latest third-party exposure to occur. According to the ITRC’s Q1 2021 Data Breach Report, there’s been a 42 percent increase in supply chain attacks, including 27 at third-party vendors impacting 137 U.S. organizations, and 19 supply chain attacks in Q4 2020.

ParkMobile Group

The parking app, ParkMobile, also suffered a data compromise due to a vulnerability in third-party software, affecting 21 million people. According to the ParkMobile notification letter, they became aware of the vulnerability and launched an investigation, which is still ongoing. Information exposed includes license plate numbers, email addresses, phone numbers, mailing addresses and vehicle nicknames. According to KrebsOnSecurity, the data appeared for sale on a Russian-language crime forum.

Anyone who uses the ParkMobile parking app, used by cities and universities across the U.S., could be at risk of falling victim to social engineering. While no sensitive information was exposed, if hackers get enough information about people, they can put all of the information they have gathered together to commit identity fraud.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.  

GEICO encourages its customers to check their account statements and credit reports regularly for any suspicious activity.

The Pennsylvania Department of Health has set up a hotline (855.535.1787) for those concerned about the security of their information.

notified

For more information about April data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. 

  • The U.S. Attorney’s Office for the District of Maryland, working with the Homeland Security Investigations (HSI) in Baltimore, recently seized the fake COVID-19 vaccine website “Freevaccinecovax.org.”
  • The website collected personal information from people who visited it by asking them to download a PDF file to their device to apply for more information.
  • Interacting on a malicious website offering COVID-19 vaccines could lead to an array of identity crimes, including a phishing attack, malware attack and different forms of social engineering.
  • COVID-19 vaccines are not being sold online. Any link that claims to take someone to a website to purchase one is fake. To find a vaccine appointment online, people should go through their local department of health, pharmacy or health care provider.
  • For more information on fake COVID-19 vaccine websites, or if you believe you are a victim of a COVID-19 vaccine scam, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the website www.idtheftcenter.org.

Federal officials shut down a fake COVID-19 vaccine website after discovering the website was stealing people’s personal information for cybercriminal activity. According to Threatpost, the U.S. Attorney’s Office for the District of Maryland, working with Homeland Security Investigations (HSI) in Baltimore, seized “Freevaccinecovax.org,” “which purported to be the website of a biotechnology company developing a vaccine for the COVID-19 virus,” according to a news release on the office’s website.

Since the U.S. began administering the COVID-19 vaccines, cybercriminals have tried to take advantage of consumer’s desire for vaccinations. According to NBC 4 Washington, BrandShield, a global cybersecurity firm protecting some of the world’s largest pharmaceutical companies from cyberthreats, found a 4,200 percent increase in potentially fraudulent COVID-19 vaccine websites from January 2020 through the end of February 2021. The news of the latest malicious website highlights the importance of being cautious with COVID-19 vaccine websites and how to use them.

Who are the Targets?

People looking to receive the COVID-19 vaccine

What is the Scam?

Threat actors created “Freevaccinecovax.org” to collect personal information from people who visited the website to commit identity crimes like fraud, phishing attacks or to deploy malware. Threatpost says the fake COVID-19 vaccine website used trademarked logos for Pfizer, the World Health Organization (WHO) and the United Nations High Commissioner for Refugees (UNHCR) on its homepage to trick people into believing it was a legitimate site. The malicious website had a drop-down menu that asked users to apply for information by downloading a PDF file to their device.

What They Want

Identity criminals are after people’s personal information to commit phishing attacks, malware attacks, social engineering and other forms of identity-related fraud.

How to Avoid Being Scammed

To avoid a fake COVID-19 website:

  • Ignore websites trying to sell a vaccine. COVID-19 vaccines are not being sold online. Any link that claims to take you to a website to purchase one is fake.
  • Do not click on any posts or ads claiming to sell cures. Remember, if it seems too good to be true, it probably is.
  • If you are checking for a vaccine appointment online, make sure you do it through your local department of health, pharmacy or health care provider. Never follow a link randomly sent to you.

To learn more about COVID-19 vaccine scams, malicious websites, or if you believe you were on a fake COVID-19 vaccine website, contact the Identity Theft Resource Center toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

  • The Federal Emergency Management Agency (FEMA) reports that criminals are creating COVID-19 funeral scams. The announcement comes just days after the federal agency launched a new program to provide relief to the families of loved ones who died from COVID-19.
  • As part of the funeral scam, criminals contact people offering to register them for funeral assistance. Identity thieves are looking to steal money, as well as personal and financial information, to commit identity theft.
  • If you receive an unsolicited message offering to assist in registering for the program, you should contact FEMA directly. Also, you should never pay a fee or share personal information with anyone who sends an unsolicited message to obtain a government benefit on your behalf.
  • To report a funeral scam, call FEMA’s Helpline at 800.621.3362. To learn more, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at the company website www.idtheftcenter.org.

The Federal Emergency Management Agency (FEMA) is doing what it can to help the families of loved ones who died from COVID-19. However, due to criminals, everyone needs to be on the lookout for COVID-19 funeral scams.

FEMA started a program in mid-April that offers up to $9,000 in relief to help families cover the funeral expenses for those who passed after June 20, 2020, from COVID-19. However, criminals have found a way to take advantage of the newest program.

FEMA has sounded the alarm with a fraud alert. They have received reports of scammers reaching out to people by phone, email, and online, offering to register them for funeral assistance. However, FEMA says that is not how the program works.

The Identity Theft Resource Center (ITRC) has received more than 1,500 reports of identity fraud related to government benefits since the beginning of the pandemic.

Who are the Targets?

The families and friends of loved ones who died from COVID-19 who are applying for FEMA’s COVID-19 Funeral Assistance Program.

What is the Scam?

FEMA says criminals are contacting people and offering to register them for funeral assistance. However, the criminals are asking for “fees” and other options to “expedite the process” to register for funeral expenses.

According to FEMA, any efforts that charge fees to assist in the application process are scams. The application process begins when you call the agency’s Funeral Assistance Line at 844.684.6333. FEMA will not contact you about the program unless you have already contacted them.

What They Want

Scammers hope to make away with either money or you or your deceased loved one’s personal information to commit an identity crime in you or your loved one’s name.

How to Avoid Being Scammed

  • If someone contacts you about the assistance program and you did not either apply or call FEMA directly, ignore it because it is a COVID-19 funeral scam. FEMA will not reach out until you either call them or apply for assistance.
  • Do not pay a fee for quicker service because that is another sign of a funeral scam. The government will not ask you to pay anything to get the FEMA benefits.
  • Do not provide your own or your deceased loved one’s personal or financial information to anyone based on an unsolicited call, text message, or email claiming to come from FEMA or another federal agency.
  • If you received a COVID-19 funeral scam call or email, report it to the FEMA Helpline at 800.621.3362.

Contact the ITRC

If you believe you are a victim of the COVID-19 funeral scam, received a suspicious message and want to know if it is a funeral scam, or want to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • A new Apple privacy update, iOS 14.5, lets consumers stop Apple apps from tracking them.
  • Unless someone gives permission to an app, it cannot use their data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.
  • If you do not want to be tracked by your Apple device, download Apple’s latest update (14.5), and select Settings > Privacy > Tracking, and toggle off Allow Apps to Request to Track. You can also decide on an app-by-app basis by selecting “Ask App Not to Track” or “Allow” once you download a new app.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

He Loves Me Not

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 30, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re going to focus on the seismic event in the data privacy world.

In Henry IV, Shakespeare’s play about taking action while others fail to act, Lady Percy says, “Some heavy business hath my lord in hand, And I must know it, else he loves me not.”

In this case, she’s referring to plans for a rebellion. However, in the context of this week’s episode, we’re talking about the new Apple privacy update, which gives consumers more control over their data as a substitute for privacy legislation. Later in the article, we will tell people how to take advantage of a new feature from the makers of the iPhone and iPad.

New Apple Privacy Update Feature

In an earlier episode, we talked about Apple’s controversial decision to add a built-in privacy feature that would block the ability of applications to track users. That data is used to serve ads to people either by the app owner, or if it’s sold to a third party that uses the information to target people with ads as they travel around the digital world.

Consumers Can Opt-Out of Being Tracked By their Apple Apps

Apple announced the new App Tracking Transparency feature in June 2020 to give app developers plenty of time to prepare for the change. And a big change it is. Unless someone gives permission to an app – including those made by Apple – it can’t use one’s data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.

Many Privacy Experts & Consumer Advocates Favor the Change

Privacy experts and consumer advocates think the new Apple privacy update is a great step forward in giving people more direct control over their data, who has access to it, and how it is used. Advocates have long sought a shift in the U.S. to a more European privacy model where consumers must give their permission before personal information is collected and used.

From the beginning of the digital economy, the U.S. has built business models on a no-option basis. That means people have no choice but to surrender their personal information, which then becomes the property of the business, not them.

Thanks to a strong European privacy law that went into effect in 2018 – and several state laws and regulations in California, New York and Virginia – we are beginning to see the ability of consumers to “opt-out” of certain types of data collection and sales. That is to say consumers can tell a company to stop collecting, selling or sharing their information.

However, that approach is not universal since the U.S. has no national privacy law, and 48 of the 50 states have not passed specific data privacy laws. Enter the Apple privacy update that allows customers to block data collection.

What You Should Do If You Don’t Want to Be Tracked by Your Apple Device

If you don’t want to be tracked by your Apple devices, here’s what do you need to do:

  • Download and install the new iOS version 14.5 on your iPhone or iPad.
  • Once you do that, you can block access on an a la cart basis. When you download a new app, you will be asked if you want to let the app track your activity. You can select “Ask App Not to Track” or “Allow” if you are okay with that application collecting and using your data.
  • You can also opt-out of app tracking across every app you download by going to Settings > Privacy > Tracking, and toggling off Allow Apps to Request to Track. That way, any new app will be automatically informed you have requested not to be tracked. Also, all apps (unless you’ve already permitted them to track you) will be blocked from accessing your device’s information used for advertising. 
  • For apps that you have already downloaded and agreed to allow tracking, you can still turn those permissions on or off on a per-app basis in your device settings. 

The Lasting Effects Are Still Unknown

Predictions on how the Apple privacy update will affect consumer behavior, data sales, and ad revenues range from “meh” to Chicken Little-level “the sky is falling.” We will revisit this topic once we know if we can go about our business or need a hard hat.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, or on the new Apple privacy update, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Facebook and LinkedIn recently suffered data incidents that led to personal information like full names, emails and phone numbers being posted in identity marketplaces where cybercriminals buy and sell data.
  • While some have called the recent data leaks “data breaches,” technically and legally, they are not in the U.S. Rather, it is a legitimate and legal technique called “scraping.”
  • Even though these events are not data breaches, the Identity Theft Resource Center (ITRC) is creating an additional category of identity data compromises called “data leaks” to keep track of and report these kinds of events.
  • The Facebook and LinkedIn data leaks serve as good reminders to never post information online that you wouldn’t want people you don’t know or trust to see.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Data Breaches, Exposures, and Leaks! Oh, My!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 23, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. In the movie version of The Wizard of Oz, Dorothy Gale of Kansas, along with the Scarecrow and Tin Man, are following the Yellow Brick Road through a dark and scary forest on their way to the Emerald City. They fear that wild animals are present as they chant “Lions…and Tigers…and Bears! Oh, my!” just before they meet the Cowardly Lion. Apply that principle to data security, and you get the title of today’s episode – “Data Breaches, Exposures, and Leaks! Oh, My!

Facebook and LinkedIn’s Recent Data Leaks

People may have seen media coverage about the recent data leaks at Facebook and LinkedIn. Personal information like full names, emails and phone numbers posted to user profiles were found in the identity marketplaces where cybercriminals buy and sell data.

In the case of Facebook, which would be the third-largest country in the world behind China and India if it were a Nation/State, the information on some half-a-billion people was exposed. Approximately 30 million live in the U.S. An even larger number of LinkedIn users were impacted by a similar event. To date, 837 million profiles have been exposed.

Facebook and LinkedIn Events Not Considered Data Breaches

These two recent data leaks have created quite the controversy in data privacy and security circles. People may have noticed that the ITRC has not referred to these events as data breaches. It’s because they technically and legally are not, at least under U.S. law. European Data Protection authorities have launched an investigation into both companies for potential violations of privacy laws. However, in the U.S., it’s a lot more complicated.

If you are a Facebook or LinkedIn user, you voluntarily provide the information posted to those and other social media websites. The companies try to limit the ability to copy user’s data. However, depending on how you configure your privacy settings, that information is, in fact, available for viewing by anyone. And if it can be seen, it can be misused.

Facebook and LinkedIn Suffered “Scraping”

There is a legitimate technique known as “scraping,” where companies copy large amounts of information that otherwise would require manual entry into a database. It is perfectly legal and typically involves getting permission and being transparent about how the data is used.

There are still some grey areas when it comes to private information being posted publicly on websites. In fact, there is a case pending before the U.S. Supreme Court directly on this question of copying information from LinkedIn. Lower courts have said publicly posted information is fair game for scraping even if LinkedIn’s terms and conditions say it is not.

Facebook and LinkedIn Events Fall Between the Cracks of Current Laws

What makes the recent data leaks at Facebook and LinkedIn so troubling is that they fall between the cracks of existing laws. If a criminal gained access to a company’s customer records that included names, addresses, phone numbers and email addresses, that would be a crime and considered a data breach.

Copying the same information posted voluntarily and publicly is not considered illegal today. Also, the current laws did not envision the ability to copy millions of unrelated records and combine them into a single database that could be used to commit identity fraud.

The ITRC to Create “Data Leak” Category of Identity Data Compromises

Even though these recent data leaks are not data breaches, the ITRC is creating an additional category of identity data compromises to keep track of and report these kinds of events. We’re going to call this new category “data leaks.”

It is also a good time to issue a reminder. Be careful what you post online. If you don’t want people you don’t know or trust to see your private information, don’t post it online.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach – like the recent data leaks – and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

 Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • The proper disposal of e-waste – old electronic devices that are no longer used – is a priority, particularly for protecting personal data. The Identity Theft Resource Center (ITRC) reported 78 data compromises in 2020 around “physical attacks”; 52 percent of them from device theft and improper disposal.
  • E-waste puts personal information at risk and can have environmental impacts, too. It is why individuals need to adopt good e-waste solutions by educating themselves on the issue, re-evaluating their needs for more electronics and safeguarding their information.
  • Most people do not know how to recycle e-waste. Individuals should reuse electronics, if possible, and donate their old devices to be recycled if not. When people get rid of old electronics, they should put all of the data on a backup system and then wipe the device clean of personal information.
  • For more information, or if you believe you are a victim of identity theft, contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

According to the Identity Theft Resource Center’s (ITRC) 2020 Data Breach Report, there were 78 “physical attacks” in 2020. Device theft and improper disposal (which includes electronic devices) made up 52 percent of the attacks. The Verizon 2020 Data Breach Investigations Report finds more than one thousand cases of loss involving mobile devices in 2019.

As technology continues to evolve, users and manufacturers are finding more ways to keep safety, environmental impact and security measures in mind – which revolve around how to recycle e-waste. Issues range from the risk of fire from batteries, devices being sent to landfills, and disposal of information that could lead back to a user’s account and put them at risk of identity theft.

What Are E-Waste Solutions?

There are a handful of e-waste solutions consumers should keep in mind.

  1. Education: People should learn about the dangers of e-waste and what they can do about it.
  2. Re-evaluating the need: One e-waste solution is to minimize e-waste itself. Do you need that extra device? What are you doing with your devices once you are done with them? Are you reusing electronics? Re-evaluating your need for electronics can help cut down on how many devices end up in a landfill.
  3. Safeguarding information: Before you dispose of any electronics, you should make sure you save your data on a backup system or hard drive and then wipe the device clean. That way, no one can access your files if the device is improperly recycled or ends up in the wrong hands. If you are getting rid of a phone, do a factory reset to restore the phone to “empty status.” By taking these steps, you are protecting your personal information.

How to Recycle E-Waste

Instead of discarding electronics, the best e-waste solution is to reuse or recycle devices. Local governments are increasingly hosting e-cycling initiatives. These programs keep electronics out of landfills and ensure devices are wiped clean of all user data. You can search online for e-cycling centers near you before disposing of electronics, including IoT devices and medical devices.

Many device manufacturers also accept old devices to be refurbished or recycled and provide credit toward a new device. Some will take a device from any manufacturer for recycling. Check with your device maker to see if they offer a recycling program.

Contact the ITRC

It is vital everyone does their part to help address e-waste to protect the environment and people’s personal information. If you have questions about how to recycle e-waste, other e-waste solutions, or you believe you are the victim of identity theft, contact us. You can speak with one of our expert advisors toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started. 

  • When doing your spring cleaning, consider making a digital spring-cleaning checklist. It is more important than ever in today’s digital-first society.
  • Digital spring-cleaning tips include backing up your information, deleting unused apps, reviewing all of your passwords (and making changes if needed), and checking your social media privacy settings.
  • It is also a good idea to delete or archive old emails, especially with sensitive information.
  • If you would like to learn more or believe you are a victim of identity theft, contact the Identity Theft Resource Center. You can check out our latest resources or speak to an expert advisor toll-free by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

Everyone looks forward to the spring! The weather changes, the flowers and landscape start to bloom, and people clean out clutter they don’t need before the summer arrives. While spring cleaning may make you feel good and productive, it is also a great way to minimize the risk of identity theft. With the move to a digital-first society, digital spring cleaning and having a digital spring-cleaning checklist is more important than ever. A few basic digital spring-cleaning steps could help keep one’s identity information out of a criminal’s hands.

Before You Begin

There are digital spring-cleaning steps to take before you have to deal with clutter. One possible vulnerability is your email inbox. Adopt the habit of not just deleting unwanted emails, but actively unsubscribing from them. To do that, open the email, scroll down and click “unsubscribe.” Do not follow these steps for emails that appear to be scam attempts. If you click on a malicious link, it can redirect you to harmful websites or install malicious software on your computer. Instead, you should avoid links or attachments in unsolicited messages and block the sender.

One other thing you can do is update your contact information. Review all of your contact information to ensure it is up-to-date and you are not missing any essential information. Once you take these steps, you can begin on your digital spring-cleaning checklist.

Digital Spring-Cleaning Checklist

Your digital identity becomes more important every day as the world moves to a digital-first model. However, the same principles behind decluttering your physical world can help you in the virtual space. Here are some digital spring-cleaning checklist tips to digitally declutter:

  1. Backup your information– No matter how safe and secure you are, you might need to recover old data in the future. Creating automatic backups is a good idea. Consider investing in an external hard drive or cloud-based storage subscription to store and protect the things you want to keep.
  2. Delete unused programs and apps– Take a look at all of the apps on your devices and figure out which ones you are not using. Delete unused apps or programs on the devices. This step is a good idea because some apps require large amounts of storage, can slow the device down, and most importantly, can introduce new vulnerabilities. The fewer apps and programs you have, the more secure your device and personal information will be.
  3. Review your passwords– Check the passwords for all of your accounts to ensure there are no duplicates (especially between work accounts and personal accounts). Also, make sure you use a strong and unique 12+ character passphrase for each account. They are easier to remember and harder to crack. If you cannot remember all of your passwords, consider investing in a password manager to store all of your passwords. Finally, if possible, enable multifactor authentication (MFA) on all of your accounts. The app version is better than the SMS version because scammers can create fake MFA SMS text messages.
  4. Update all of your apps and settings– When going through your digital spring-cleaning checklist, it is important to keep apps, programs and devices up-to-date on all software. The device will run faster, and it will lead to increased privacy, which will make it more difficult for someone to hack into them. It is also a good idea to enable automatic updates when possible.
  5. Look at the permissions you allow– Pay attention to the permissions you allow the mobile apps on your device because third-parties could be tracking information about you that you might not realize. If they aren’t actively using the collected data, they may still be storing it, leaving your personal information vulnerable to cyberattacks should the third-party fall victim to a data compromise.
  6. Review plugins and add-ons in your browser- Review the permission settings of the plugins and add-ons to make sure you are not sharing too much information. If you are not using a particular plugin or add-on anymore, delete it.
  7. Review your social media privacy settings– Check your privacy settings on all of your social media accounts to ensure you are not oversharing information with people you do not know. If criminals get a hold of enough information about you, your family and your friends, they can connect enough dots to commit scams based around social engineering.
  8. Clean out your email– Get rid of any unnecessary emails in your inbox, especially emails that contain personal information.

Other Digital Spring-Cleaning Tips

There are a few more spring-cleaning tips for people to follow:

  • While doing your spring cleaning, if there are important documents you might need later, you can photograph or scan them, and then store the originals in a secure space like a safe or bank safety deposit box.  
  • While you’re cleaning your email inbox, take a moment to destroy any paper documents you no longer need, especially those records with personal information.
  • It is also a good idea to organize your digital files. While it is time-consuming, it will make more space available for the most important things that need to be stored on your devices.

Contact the ITRC

If you have more questions about digital spring cleaning, a digital spring-cleaning checklist, or if you believe you are a victim of identity theft, contact us. You can chat with an expert advisor toll-free by phone (888.400.5530) or live-chat. You can also check out our latest resources. Just go to www.idtheftcenter.org to get started.

The IDSA shares with the ITRC in the newest Fraudian Slip podcast exploring identity management & the future of identity

  • This week, the Identity Theft Resource Center (ITRC) celebrated Identity Management Day, hosted by the Identity Defined Security Alliance (IDSA). The day raised awareness on the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers.
  • The ITRC sat down with the IDSA to discuss how identity management has changed, the future of identity, how identity crimes are changing and much more.
  • To learn more, listen to this week’s episode of The Fraudian Slip
  • You can also learn more about the identity-related crimes discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.

Below is a transcript of our podcast with special guest Julie Smith, Executive Director of the Identity Defined Security Alliance

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. 

This month, April, we’re going to talk about one of the hottest topics in the world of cybersecurity, privacy and identity. Namely, the shift from what we think of as traditional identity theft to what is increasingly more common today – identity-based fraud.

As more organizations analyze their 2020 data and information from the first three months of 2021, there is a common theme. Cybercriminals are less interested in mass attacks seeking to scoop up as much information as possible about consumers. Instead, data thieves are focusing on attacking organizations where they can hold data for ransom, or where an attack against a single company can yield information from all the customers who rely on the breached business.

At the core of many of these attacks are identity credentials, little pieces of information that once upon a time was pretty much limited to your driver’s license, Social Security number and occasionally your mother’s maiden name. Today, identity credentials are everything from your login and password, which is more valuable than your credit card information to a cybercriminal, to the location where you use your smartphone.

The complexity of identity today makes it simultaneously more difficult to protect your identity while also making it easier to prove you are who you say you are.

This week we celebrated Identity Management Day to raise awareness of the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers. Be Identity Smart. 

Identity Defined Security Alliance (IDSA) hosted the day.

We talked with Executive Director of IDSA Julie Smith about the following:

  • The IDSA, its members, and issues
  • How identity management has changed
  • A businesses role in managing and protecting consumer identities; the most important actions to take
  • The future of identity

We also talked with ITRC CEO Eva Velasquez about the following: 

  • How identity crimes are changing
  • Consumer self-management and protection; the most important actions to take
  • The future of identity

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast

Contact the ITRC or IDSA

You can learn more about data privacy, cybersecurity, the future of identity and other identity-related issues by visiting the ITRC’s website www.idtheftcenter.org. If you want to learn more about the IDSA and its work, you can visit www.idsalliance.org.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone (888.400.5530), by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

  • The data of 533 million Facebook users has been published on a low-level hacker forum.
  • The information is believed to have been copied in 2019 or earlier from Facebook user pages and includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.
  • The leaked data could help cybercriminals commit different forms of phishing attacks and other social engineering-based identity scams.
  • LinkedIn also recently suffered a similar attack, affecting over 500 million users and exposing user IDs, names, email addresses, phone numbers, professional titles and other work-related data.
  • The LinkedIn and Facebook data leaks are a great reminder to be careful what you share online. Users willingly posted all of the information copied from LinkedIn and Facebook into cybercriminal markets. If you don’t want to see the data in a hacker forum, don’t post it online.
  • To learn more, or if you believe you a victim of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

A recent Facebook data leak resulted in the personal data of more than 500 million users being copied (an often-legal process known as scraping) and later posted on a hacker forum. A similar attack happened with LinkedIn, leaving users to wonder what they could have done to prevent their personal information from being copied by data thieves. While the data was scraped from Facebook in 2019 because of a software flaw that the company says was patched the same year, the incident serves as a good reminder to be careful what you share online.

What Happened

According to Business Insider, a user in a low-level hacking forum scraped the phone numbers and personal data of 533 million Facebook users in 109 different countries – enough people to qualify as the third largest nation on Earth. The data file, published in a forum where identity information is bought and sold, includes more than 32 million records on users in the U.S. Information exposed in the Facebook data leak includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.

What Does This Mean for You?

The scraped data from the LinkedIn and Facebook data leaks could help cybercriminals commit different forms of identity fraud, including phishing attacks and scams that require social engineering to convince you to give up even more personal information. Users should be on the lookout for phishing schemes or fraud using their own data.

Be Careful What You Share Online

While there is not a lot that Facebook and LinkedIn users can do to protect themselves from the latest incidents now, it is a great reminder to be careful what you share online to help prevent future identity fraud. The data thief did not gain access to the systems and steal private data. Instead, they copied (or scraped) information that people willingly posted on their own profiles and combined the information in a database that can be bought, sold or shared in criminal marketplaces.

If you post enough information about yourself online, hackers can connect the dots about your life, relatives and friends to commit identity fraud by pretending to be you. Be careful what you share online, including what you write in your posts and include in your profile. Also, check your privacy settings to ensure you are not sharing personal information with people you do not know or trust. A good rule of thumb is, “If you don’t want to see the data in a hacker forum, don’t post it online.”

Contact the ITRC

If you believe you were the victim of the latest Facebook data leak and want steps on how to protect yourself, or if you want to learn more about how to be careful what you share online, contact us. You can reach a contact advisor toll-free by phone (888.400.5530) or live-chat. You can find the latest resources on an array of identity-related topics. Just visit www.idtheftcenter.org to get started.