Whenever consumers learn about another data breach, they might envision a team of highly skilled tech operatives working away at fancy computers in a darkened, windowless shop. That kind of scenario might happen, but the reality is that many data breaches are pulled off by an individual working off a laptop in a coffee shop. It is also possible that the breach occurred completely by mistake, like when someone forgets to password-protect a server that stores millions of records.

These kinds of accidental data breaches have made headlines in recent months. Truthfully, some are discovered by the good guys who then report them to the companies at fault. The security flaws are fixed and the notification letters get sent out if necessary, all of which happens hopefully before anyone has had a chance to discover the exposed data and use it maliciously.

Even if so-called good guys discover the problem, your information was out there for the taking. It is not always just a matter of your username and password; sometimes much more personal information is available, as in the Meditab Software Inc. breach that happened in the first quarter of 2019, where entire medical histories and prescriptions were exposed.

In this chilling situation, California-based medical software developer Meditab left a feature unprotected in one of its tools. Meditab claims to be one of the world’s leading providers of medical record-keeping software, and it also provides fax capabilities through its partner company, MedPharm. The company was storing patient records on an unprotected server, which meant that any time MedPharm handled the faxing of a patient’s medical records, anyone with internet access could have seen them if they knew where to look.

Fortunately, those good guys discovered this one. A Dubai-based cybersecurity firm named SpiderSilk found that Meditab’s unsecured database included names, addresses, some Social Security numbers, medical histories, doctors’ notes, prescriptions, health insurance data and more. Patients affected ranged in age from early childhood to mature adults.

This kind of violation is a very serious matter under the laws surrounding HIPAA privacy, and the US government has a solid record of going after entities that store information and do not protect it adequately. Even if the breach was accidental and there is no proof that anyone used the information for harm, there are still very heavy fines and penalties for failing to store it securely.

Unfortunately, there are not a lot of actionable steps that individual patients can take in cases like this one. You can, however, ask the hard questions before an incident occurs: how will my information be stored, who can access it, what company hosts your electronic database, and what are you prepared to do if there is a data breach? Also, remember that there is often no need to share your most sensitive information when filling out basic medical forms; feel free to ask the person requesting it why it is needed.

Medical identity theft is a serious matter, and of all the types of identity-related crimes, this one can potentially have physical consequences for the patient if a thief uses their medical history. It is important to safeguard your medical records as much as possible, and to make your healthcare provider aware if there are any past medical identity theft issues with your personally identifiable information that could impact your care.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

If you have not filed your tax return yet, the deadline is looming. If you have filed already, you are probably still very aware of the date as you anxiously await your refund. Whether you have filed or not, there is a good chance you have encountered one or two tax scams this year or in previous years. Many scammers take advantage of the lack of knowledge and the fear that come with the April 15th tax day. While there may be fewer calls from shady people demanding your tax information after the 15th passes, that only means that tax scams will take on a new look as scammers adapt.

First, remember that not everyone will file by the April 15th deadline. Whether due to late activity or previously approved extensions, a significant number of consumers will mail or electronically file those returns after the date. Scammers know this, and therefore have no intention of cutting off their activity. It is important to be on the lookout even after the deadline has passed and after you have filed your return.

Of course, extensions or late filing only apply to some people. If you have already filed but a caller tells you that your return was never received, you can probably have a good laugh and hang up the phone. Why? Because the IRS does NOT call you; it sends letters through the postal service instead (if you have not received any confirmation that your mailed return was received, you might check in with the IRS to be safe, but they still will not call you).

What if the caller has a different story? What if someone posing as an IRS agent tells you that your return had an error, or that they suspect you have been the victim of identity theft since someone else sent in a return in your name? Those scenarios can be very frightening, and that means these tax scams are a lot harder to ignore.

First of all, the same rule from above still applies: the IRS will not call you, even for something as serious as those situations. You will receive a mailed letter if there is an issue, and this letter will provide you with the information you need to take your next steps. Even if your caller ID says “IRS,” you should be very careful since it is most likely a scam.

Next, it is important to develop a good habit of safeguarding your information, no matter who calls or why they claim to need it. If you are ever asked to verify your identity by providing anything more sensitive than your name or home address, do not comply. Instead, take down the caller’s information and contact their company or agency yourself using a verified contact method.

Also, if you are ever told you failed to pay your taxes correctly or owe a penalty, you will never be required to make an immediate payment over the phone (see the previous points about phone calls). You will have time to look into the matter and take appropriate action. This is very important: you cannot pay the IRS with iTunes or other gift cards, no matter what the scammer tells you. You will also never be required to use an untraceable method like a prepaid debit card or wire transfer. Your own check, a money order, or a cashier’s check are all valid forms of payment.

Finally, tax scams rely on the fear factor of messing up where the IRS is concerned, but do not fall for this scare tactic. The burden of proof has been on the IRS’ shoulders for quite some time, not on the individual taxpayer. Do not be frightened into handing over your money or your identity to a thief.



As if a devastating natural disaster was not disruptive enough to people’s safety, homes, and finances, a new threat has emerged, one caused by the very people tasked with supporting the victims of natural disasters and other emergencies. The Federal Emergency Management Agency (FEMA) shared documents with a third-party contractor that contained highly sensitive information, some of which FEMA was prohibited from sharing under current regulations.

The current industry term for this kind of data breach event is an accidental overexposure, meaning no harmful intent was behind it and there is no indication of damage from the information falling into the wrong hands. Still, the FEMA data breach created the potential for someone who was not authorized to access the information and use it for identity theft and fraud.

In this case, an internal audit found that FEMA’s documents included things like the victims’ names, addresses, and the names of their financial institutions. Some information also included victims’ electronic transfer numbers for moving funds and their bank transit numbers. Sharing this information seems to have been an oversight on FEMA’s part, and a statement about the incident said that FEMA is taking aggressive action to correct the error.

The name of the contractor in this incident has been redacted, but it is a company with direct ties to victim services. The company helps disaster victims find hotel accommodations that are covered under FEMA funding and therefore did need certain pieces of personally identifiable information on the victims it is helping. Impacted victims from the FEMA data breach include those from Hurricanes Irma, Harvey and Maria, as well as the California wildfires in 2017.

Any time consumers’ personally identifiable information is exposed, compromised or attacked, the likelihood of identity theft-related crimes can go up. The Identity Theft Resource Center has partnered with Futurion to create Breach Clarity, an interactive tool that assigns a risk score to different data breach events. It also outlines in easy-to-understand terms the actionable steps that experts recommend for every breach, from something as simple as changing your password to more involved security measures like a credit freeze.



A recently announced restaurant data breach relied on a fairly old form of attack—retail point of sale systems—but thanks to the interconnected nature of several different companies within the single brand, there could potentially be a lot of victims. Earl Enterprises, which owns numerous restaurants around the US and in locations like Disney Springs, discovered their system had been compromised after malware was detected on their restaurants’ point of sale systems, or payment card “swipers.”

Anyone who dined at any of Earl Enterprises’ six specific brand locations between May 28, 2018 and March 19, 2019 may have had their payment card information stolen. The restaurants include Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. The investigation of the incident does not show that other restaurants owned by the company were affected.

The investigation is still ongoing, and Earl Enterprises has brought in two different cybersecurity firms to uncover what went wrong and how far the restaurant data breach may have spread. They are also working with state and federal governments on the matter. Just to be safe, though, they recommend that their customers request a free credit report to look for any suspicious activity. You can also request a free credit freeze from each of the three major credit reporting agencies: Experian, TransUnion and Equifax.

There is another very useful tool for consumers that can prove vitally helpful following the announcement of any data breach. Breach Clarity, which recently won the Identity Startup Pitch Competition at the KNOW 2019 Conference, is an interactive database of breach activity. By searching for the name of a company, you can see a threat-score of how serious the event may be, as well as a list of actionable steps you should take if your information may have been compromised as a result.



What is on your agenda for today? Go ahead and pencil in changing your Facebook passwords. This item does not need to be near the very top of the list, but it is certainly a good idea to put it on there and follow through.

According to a report by KrebsOnSecurity and a follow-up announcement from the company, hundreds of millions of Facebook passwords were accidentally left unencrypted. If you are not already aware of what that means for individual users, do not worry: there is no evidence that anyone got your password. It just means that those passwords were “visible” in plain text to anyone who was able to access the servers, which could include hackers—although there is no evidence of that—but certainly included numerous employees of the company.

In fact, Facebook seems to have traced the security issue back to a project that centered on employee-created tools, apps, and features. Once the employees accessed the usernames and passwords for their work, those passwords were often stored in plain text. Some of these employee-created copies of the login credentials—especially the passwords—go back as far as 2012.

Facebook has not released information on how many user accounts were visible or how many employees had access to the information, but KrebsOnSecurity has details that put the number of employees at around 2,000—and those employees made approximately 9,000 separate data inquiries into millions of users’ login credentials.

This issue does not fall under data breach notification laws or protections, and Facebook is not recommending or forcing a password reset at this time. However, the social media site has said it will inform users whose information was potentially exposed; even so, it is important for users themselves to be proactive about changing their Facebook passwords. There is no way of knowing whether anyone other than the authorized employees accessed their information, and there is also no reason to assume that a company employee could not be the one to maliciously use or sell a large database of credentials.

“Password hygiene” has gotten a lot of attention in recent years, largely due to incidents like this one. If you secure all of your accounts with a strong password that you do not use anywhere else and that you change routinely, announcements like this one probably will not even be a cause for concern. However, if you use an easily guessed password, reuse your passwords on multiple accounts, and keep the same password for years, your risk of harm from a data breach is much greater.

Remember, to keep your online accounts protected:

  • Use a strong password that contains a long string of characters—eight to twelve letters, numbers, and symbols
  • Only use your password on one account
  • Update your passwords routinely, especially on sensitive accounts like email, social media, and financial sites


In fact, of the 1,255 total data breaches recorded by the Identity Theft Resource Center in 2018, 150 were caused by the mismanagement of information by employees tasked with protecting it. That means 12% of the data breaches were the direct result of mistakes in handling sensitive information, leading to 1,131,288 records exposed and potentially costly consequences for the companies involved.

April is Records and Information Management Month, and while it might not conjure up holiday-themed festive images the same way Christmas does, it is a great reminder that your information and your identity are only as safe as the people who have their hands on it.

What does it mean to mishandle information? There are numerous ways that information can accidentally fall into the wrong hands. It may be losing a flash drive or laptop with customer records on it, the theft of company hardware like laptops or even servers, reusing a weak password that lets hackers easily break into a system, or failing to password-protect a database of records in the first place. In other cases, the exposure results from improper disposal of sensitive information, such as throwing paper records in an unsecured dumpster instead of shredding them. In many cases, employees fall for phishing attempts or respond to requests that appear to come from someone within the company but are actually sent by malicious imposters.

In order to protect all of the sensitive information that businesses gather and store, it is important to understand how to secure it and what can happen if it is compromised. It often starts with a solid company-wide computer use policy that outlines exactly how things like password security, email responses and data access are supposed to be handled and enforced. Helping every employee understand the ramifications of mishandling information is important, too. Finally, a good “delete” housekeeping pass from time to time to permanently destroy any outdated stored records can thwart a lot of security problems before they arise.



The Federal Trade Commission (FTC) is the U.S. government agency tasked with protecting consumers. Whether it is issuing warnings and recalls about dangerous products, policing companies for misleading advertising or helping write regulations regarding harmful products, the FTC is certainly the unsung hero that protects all of us on a daily basis.

The FTC has another crucial job: it is the go-to agency for reporting scams, fraud, and other related crimes. As such, the FTC keeps tabs on the types of consumer reports that are filed each year and releases this comprehensive information in its annual report from the Consumer Sentinel Network.

The 2018 report has been released with a shocking new finding: for the first time since the FTC began tabulating and reporting the complaints, imposter scams topped the list of most commonly reported consumer fraud.

An imposter scam occurs when a criminal uses a false identity or persona to trap you. It might be someone pretending to be a Microsoft employee, a Google ad salesman, someone from your bank or credit company, an IRS agent, or a customer service representative from your utility company, just to name a few examples. Using this false persona, the criminal alerts you to some plausible reason why you must pay money or face a consequence of some kind.

For obvious reasons involving threats of jail time and significant penalties, government imposter scams are commonplace. Scams involving phony IRS or Social Security agents made up about half of the 535,417 imposter scam attempts that were reported to the FTC last year. The thought of a fraudulent charge on your credit can make some scam victims comply with a banking imposter scam, but thinking that they have broken the law with regards to their taxes is far scarier.

What is interesting about the increase in government imposter scams is that it is branching out from the norm. IRS scams were commonplace for a long time, as a caller would contact you and claim you have failed to pay your taxes. Now, Social Security imposters contact potential victims and frighten them into thinking their SSN has been suspended or their benefits will not be issued that month unless they verify their identities.

In either case, the goal is money or information. If a scammer can convince you to pay or provide your personally identifiable information, then they can cash in. Sometimes the scammer even manages to acquire both a payment and your data, which will then be used for identity theft.

Unfortunately, as the number of complaint reports to the FTC increased, so did the number of losses that victims reported. With nearly three million different consumer reports made to the FTC last year, the total amount of loss was $1.48 billion, a 38 percent increase compared to the previous year.



A recent data breach of Verifications.io, a company that approves or verifies email addresses for third parties, exposed 763 million consumer records. Verifications.io ensures that third parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. The unsecured database discovered online by two security researchers did not contain things like passwords or Social Security numbers; however, it did contain an assortment of data points like mortgage amounts, interest rates on loans and social media email logins, along with identifiers like gender and birthdate.

There have been almost 7.7 billion compromised accounts since data breach tracking began in 2013. The total number of compromised data sets listed on Have I Been Pwned?, a security website that lets users see if their identifying information has been exposed, now exceeds the total number of people on Earth.

The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want answered is how Verifications.io got its hands on all of this information in the first place. The Estonia-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. In fact, Hunt has publicly asked for the data breach victims’ help via Twitter. What are you supposed to do when the company that comes under attack had your information without your direct permission? If you can identify an email address of yours that was compromised in the data breach and that you used uniquely (i.e. for only one service), the researchers are asking that you contact them so they can try to track the path of data sharing.



Of all the user-centric, social media websites on the internet, it is possible that none has faced as much intense public and government scrutiny as Facebook. Apart from various bugs, glitches, and possible hacking attempts the company has endured since its launch, governments around the world have taken the website and its founder to task for nearly abusing its users’ privacy.

The site has a long history of gathering, storing, and selling users’ information and internet habits to third parties, some of whom users do not want to be associated with. There have even been allegations that one specific third party, Cambridge Analytica, was using the information to influence political action.

Now, after a lot of public and legislative demand, Facebook will launch a new feature this year that lets its users clear their Facebook “connection” history. No, this will not delete your posts or photographs; instead, Facebook clear history will show users which apps and websites they have visited that maintained a connection to their Facebook accounts, and give users the ability to break that connection by deleting their history.

Why should you do this? First, it puts a dent in the number of websites that can see your posts or content and gather information about where you go, who you visit, what you like, and more. From there, it can stop that information from being sold to advertisers.

The purpose of Facebook clear history really comes down to removing any trace of a connection rather than just blocking a website from accessing your data. Think of this example: if you were simply to remove a baby product website from your Facebook access, that one website could no longer target you with ads. However, any other website that sells similar products may still be able to see that you were once connected and that you interacted with those ads.

Until this new feature launches, there are some things consumers can do if they want to help safeguard some of their privacy on social media. Remember, though, that the entire reason you can use these platforms for free is that they benefit financially from third parties who pay for access to your account activity.

First, stop logging in with Facebook. It’s very convenient to simply tap “log in with Facebook” on an app or other website, but it connects that app or website to your Facebook account. Next, stop sharing the news of your latest high score in a game; no one actually cares how well you are playing, but more importantly that game is connected to your profile information. The entire reason that game lets you play for free is that they want that access.

Finally, do your own privacy checkups from time to time, not just on social media but on all of your online accounts. Delete cookies and your browser history if you do not want that information stored, and make sure your passwords are strong and up-to-date in order to keep hackers at bay.

