Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information were taken from individual stores, not the companies at large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise involves the student-athlete recruiting tool Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet for four years due to a misconfigured cloud database. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, driver’s licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials such as logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices rank five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

Notified™

Keep an eye out for the ITRC’s new data breach tracker Notified™. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Phishing attacks are nothing new. However, with scammers increasingly using sophisticated and new methods of harming recipients that experts are not as familiar with, being able to identify a phishing attack has never been more important. They can arrive as emails, texts, social media messages, phone calls or links to websites which appear to come from someone the victim knows or a legitimate business. It might look like a boss or co-worker, someone in an email contact list, a bank or a consumer’s favorite retailer.

Trusted brands are used to provide an air of credibility for scammers, who capitalize on the good reputation and relationships these brands have built. Some brands that have been used in phishing attacks to target consumers include Wells Fargo, Zoom, American Express, Apple and Microsoft. The companies being used are not involved in these scams; in many ways, they are victims of the scammer as much as the targeted consumer.

Every phishing attack has a different goal, depending on what kind of ruse they are using. Some use links or attachments to insert malicious code on the user’s device so they can collect more information. Others attempt to steal people’s personal and business usernames or passwords, and others still try to get someone to click on a well-disguised link so they can divert them to a place where the user enters even more information that the fraudster will use to his or her benefit. While phishing attacks have different objectives, the attackers’ primary goal is to steal the information needed to scam individuals and businesses.

Fortunately, the age-old advice about avoiding a phishing attack still holds true. These are some things people should keep in mind when trying to identify a phishing attack.

Check the email address and URL to make sure it is not fake

Check unexpected inbound messages very carefully, paying special attention to the sender’s email address or any website address included in the message; something may look strange. If it says “Amaz0n.com,” for example, it is fake. If the website link is Citibank.card.shop.com (as an example), instead of the company’s actual web address, again, it is probably fake. Always go back to the source of the email (or in this case, the company that is being represented) and check for alerts about potential scams of which they are already aware. Many times, the company is aware and has posted information about the scam.
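The two warning signs in this tip can be checked mechanically. The following is an added example, not ITRC code: it reduces a sender address or link to its registrable domain and flags a digit-for-letter lookalike (Amaz0n.com) or a brand name used only as a subdomain (Citibank.card.shop.com). The `TRUSTED` list, the suffix shortcut and every sample value other than those two names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand domains the reader actually does business with.
TRUSTED = {"amazon.com", "citibank.com", "netflix.com"}

# Simplification: production code should consult the Public Suffix List.
# This tiny set is only enough for the samples below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Digit-for-letter swaps commonly seen in lookalike names ("amaz0n").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(value):
    """Return the lowercase host from a URL, a bare host or an e-mail address."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        value = value.rsplit("@", 1)[1]      # e-mail address: keep the domain part
    if "://" not in value:
        value = "//" + value                 # let urlsplit treat it as a network location
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels, or three when the host ends in a known two-label suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(value):
    """Classify a sender or link as trusted, lookalike, brand-in-subdomain or unknown."""
    host = host_of(value)
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return ("trusted", domain)

    # Lookalike: the domain matches a trusted one once digit swaps are undone,
    # or differs from it by a single character.
    normalized = domain.translate(CONFUSABLES)
    for good in sorted(TRUSTED):
        if normalized == good or edit_distance(domain, good) == 1:
            return ("lookalike", good)

    # Brand in subdomain: the brand appears left of the registrable domain,
    # which belongs to someone else (shop.com, not citibank.com).
    sub_labels = host[: len(host) - len(domain)].rstrip(".").split(".")
    for good in sorted(TRUSTED):
        if good.split(".")[0] in sub_labels:
            return ("brand-in-subdomain", good)

    return ("unknown", domain)


# The first two samples come from the tip above; the rest are constructed.
SAMPLES = [
    "Amaz0n.com",
    "http://Citibank.card.shop.com/login",
    "https://www.amazon.com/gp/help",
    "billing@netflx.com",
    "example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reference = check(sample)
        print(f"{sample:40} {verdict:20} {reference}")
```

An "unknown" verdict only means the name resembles nothing on the list, so the advice to confirm with the company directly still applies.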

Never click on an unknown link or open an unexpected attachment

Received an unexpected email, text, social media message or phone call with a link or an attachment? Consumers should reach out directly to the purported “source” of the communication to verify the validity of the message before clicking on a link or opening an attachment (as mentioned above). Clicking on a malicious link or opening a bogus attachment could lead to someone’s personal information being stolen or infect the device with malware.

Check the message for grammatical errors and awkward phrasing

Read unexpected messages carefully and with a critical eye. Grammatical errors and awkward language are two quick indicators that the email isn’t sent by the company indicated. In trying to identify a phishing attack, customers should remember that companies do not send out emails or other messages with glaring errors – in most cases, large, reputable companies have teams checking their communications for just those types of issues. Smaller businesses may have a looser communication style, but loyal customers will know if something is “off.” If someone sees any strange mistakes, that is probably a sign it is a fake. In fact, sometimes spelling mistakes are intentional so that only more gullible recipients will interact.

Never trust the caller ID

Do not go by what the caller ID may say. It is easy for a scammer to change the phone number or screen name to say anything, like “IRS” or “County Sheriff’s Department.” If someone calls with an attempt to verify identity information or demands for some kind of payment, consumers should hang up immediately and initiate contact with the company directly using a verified phone number from a trusted source. Here’s a tip: people should put numbers in their contact list for companies that are used regularly – but name them something only they would identify. For example, list the bank as “Bank on 4th & Main St.” instead of by the bank’s name. That way, if there’s an inbound call from the number, the person receiving the call will know they can trust it.

Remember that in many cases, fraudsters are using websites that look like the companies they are pretending to be. A web search could also bring someone to a potential fraudulent site. People should always treat the search results with the same critical eye as they would these other steps.

Phishing attacks can be confusing because of how close to real they can look or sound. Scam websites, emails, phone calls and text messages that mimic trusted brands will continue. However, implementing these tips to identify a phishing attack will help reduce the risk of falling for one.

Anyone who has additional questions about phishing attacks, or who believes they have been a victim of one, can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with an expert advisor. They can also use the live-chat feature on the website to get the help they need.



A new Netflix phishing email scam has been targeting customers under the guise of a billing issue or account suspension. The attack, claiming to be from Netflix support, looks legitimate enough to get some users to expose their credit card information.

The Netflix phishing email scam is titled “Notice of Verification Failure,” and it claims there is an issue with billing. It asks users to verify their personal information within 24 hours to prevent their account from being canceled.

The link provided takes the user to a CAPTCHA page with Netflix branding. Once it is filled out, they are led to a site aiming to steal credit card details and billing information. While there have been other Netflix phishing scams, this new version uses pages hosted on legitimate domains, making it seem more realistic.

Steps You Should Take

  • Be suspicious of any email or text message asking you to verify personal information or credit card details
  • Check for spelling errors in URL links and email addresses
  • Instead of clicking any links in the email, go directly to your Netflix account through your web browser to see if you have a notification about your billing. Also, reach out to Netflix directly about the email.

Remember, scammers cast a wide net by posing as big companies to scam consumers. Due to the increase in streaming services and online platforms during COVID-19, there may be a continued rise in phishing attacks and other related cyberattacks.

If people have questions regarding Netflix phishing email scams, they are encouraged to contact the Identity Theft Resource Center through the website to live-chat with an expert advisor or call toll-free at 888.400.5530.



Another week has gone by, a week full of interesting publicly-reported U.S. data compromises. This week on the Identity Theft Resource Center’s Weekly Breach Breakdown podcast, we are focusing on cyberattacks and data breaches that help us put a price tag on people’s personal information – including EDP Renewables’ ransomware attack, a Twitter data breach that exposed Slack user information and much more.

In the 1980s, hacking started to become a thing. For the most part, hackers were young, smart and motivated by the challenge of breaking into the phone company or the Pentagon. As the ITRC’s COO and podcast host James Lee says, “the payout was street credibility.” Today, hackers are known as threat actors, and they are looking to steal people’s personal information simply because they are motivated by greed. Stealing someone’s personal information is not so much about breaking into someone’s bank account as it is stealing users’ logins and passwords from a company to dupe them into paying a fake invoice (from said company) or infecting a company’s systems with ransomware.

Earlier this year, security research firm SentinelOne estimated that ransomware cost U.S. companies $7.5 billion in 2019. That number is expected to increase because the average ransom paid is going up. According to Security Boulevard, in six months between October 2019 and March 2020, the average ransom payment went from $44,000 to more than $110,000 an attack.

Originally, data thieves were content with just locking up a company’s files and walking away if they did not get paid or releasing the files back to the company if they did. Now, however, cybercriminals specializing in ransomware are using more sophisticated attack software and bolder tactics. Attackers are downloading sensitive personal information before they notify their victims instead of just sending a ransom note after locking files, turning a basic cyber hold-up into a classic data breach.

This past week, EDP Renewables, a European energy company that serves 11 million customers in the U.S., confirmed they were the target of a ransomware attack with a $14 million price-tag. Customer information was breached as part of the attack. In ransomware attacks, like the one on EDP Renewables, the stolen information is used as leverage to force companies to pay the attackers. EDP Renewables did not pay. Demands like the one in the EDP Renewables ransomware attack make it easy to calculate the value cybercriminals put on identity information.

Another way to tell the value of personal information is to look at the price data commands in one of the Dark Web’s illicit marketplaces – where stolen information and identities are commerce. Earlier in July, data thieves posted a database of customer information from Live Auctioneers, an auction website that allows people worldwide to bid on auctioned items in real-time. The complete set of 3.4 million records is for sale starting at $2,500.

However, not all data is as valuable as other pieces of information. For example, a credit or debit card could be worth as much as $11 or as little as $1. Workspace tool Slack is learning their user information is not as valuable to data thieves, at least right now. A recent Twitter data breach exposed Slack user information. According to security researchers at KELA Group, 17,000 Slack credentials from 12,000 company workspaces are for sale on the dark web for as little as $0.50 and as much as $300. Despite the low price, no one is taking advantage of the Slack data from the Twitter data breach – posts offering the Slack credentials are nearly a year old. The reasons why cybercriminals are interested in some data and not interested in other data can vary. However, right now, data thieves are not interested in the Slack user information because, as popular as Slack is with users and Wall Street, Slack channels are rarely filled with the kinds of information cybercriminals want.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Keep an eye out for the ITRC’s new data breach tool, Notified™. It’s updated daily and free for consumers. Businesses that need access to comprehensive breach information for business planning or due diligence can subscribe to unlock as many as 90 data points through one of three paid tiers. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches in August.

If someone believes they are a victim of identity theft or have been impacted by a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Scammers love using instances of crisis to take advantage of consumers and steal their money and personal information. That is exactly what they are doing after a Navy ship caught fire. As reported by Identity Theft Resource Center (ITRC) partner, the Federal Trade Commission, fake crowdfunding pages have been created as part of a charitable giving scam, after a fire destroyed the USS Bonhomme Richard and sailors lost all their possessions.

Who is it Targeting: Consumers wanting to help sailors in need after the USS Bonhomme Richard fire

What is it: A giving scam using crowdsource funding pages to take advantage of the crisis

What Are They After: The charitable giving scam employs fake crowdsource funding pages to steal people’s money instead of putting it towards the sailors impacted by the USS Bonhomme Richard fire. However, there is no way of knowing whether the money makes it to the sailors in need. Also, scammers can steal people’s personal information, like their credit card number or bank account information, to target them with future scams or, depending on what information the scammers get, commit identity theft and fraud.

How You Can Avoid It: Don’t rely on crowdsource funding pages to make legitimate donations. Crowdsource funding pages make it impossible to know whether the donations make it to the recipient. Always do research and only donate to known and trustworthy charities. Learn more about how to check out a charity before giving at https://www.ftc.gov/charity.

If people have questions regarding charitable giving scams, they are encouraged to contact the ITRC through the website to live-chat with an expert advisor or call toll-free at 888.400.5530.



Bitcoin scams come in many different forms. Scammers use different platforms to try and get people to pay them in bitcoin (also known as cryptocurrency or digital money). Bitcoin scams are a popular way for fraudsters to trick people into sending money. Recently, they used Twitter and some of its most notable accounts to target Twitter users.

On July 15, hackers compromised verified Twitter accounts and sent cryptocurrency scam tweets requesting bitcoin donations with the promise of doubling the investments to “give back to the community.” Scammers responsible for bitcoin scams not only aim to steal people’s money, but also collect their personally identifiable information (PII) and sell it to other cybercriminals.

According to Twitter, attackers are believed to have targeted certain Twitter employees through a social engineering scheme. Twitter says the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through their two-factor protections. While Twitter continues their forensic review, they believe the bad actors may have attempted to sell some of the usernames. The hackers are not believed to have viewed previous account passwords. However, they were able to view personal information, including email addresses and phone numbers.

Twitter says nearly 130 accounts were targeted, and 45 successfully hacked. The Twitter accounts hacked include high profile individuals with verified accounts such as Barack Obama, Kanye West, Elon Musk and Bill Gates. Twitter responded by preventing any blue-check marked accounts from tweeting while security teams responded to the attack. Twitter apologized for the attack; the UK’s National Cyber Security Center, whom Twitter officers reached out to for support, released a statement urging people to treat requests for money or PII on social media with extreme caution.

The recent social-engineering hijack of Twitter accounts highlights a larger issue that has been on the increase since COVID-19 began: the prevalence of cryptocurrency scams. According to the Federal Trade Commission, most bitcoin scams appear as emails trying to blackmail someone, online chain-referral schemes or bogus investment/business opportunities. However, no matter how the scam is executed, a scammer wants the victim to either send money, give up their PII or a combination of these. Once someone engages, there is usually nothing they can do to get their money back.

The Twitter hack creates a teachable moment – what should consumers do to reduce their risk of falling for a bitcoin scam? It also highlights the need for businesses to ensure their employees are educated on social engineering. This incident proves that even the most technologically-advanced companies are not immune from an employee granting access to bad actors. To avoid a bitcoin scam or other forms of social engineering, people should remember the following:

  • Never share PII through social media channels and always verify the person or business asking. While these scams are designed to steal people’s money, they are also designed to collect PII to sell to other cybercriminals.
  • If someone sees a tweet, email, text message or other social media post that asks for payment in bitcoin, it is – most likely – a scam.
  • High profile individuals will not contact anyone to give away large sums of money – especially in bitcoin – by social media message. There are other methods for informing someone if they are a recipient; if an offer seems too good to be true, it probably is.
  • If a consumer receives a message telling him or her it’s a guarantee to make money, it is probably a scam.
  • No one should ever click a link, download a file or open an attachment if they are unsure of who sent it or what it is; they should be cautious of links that are shared on social media.
  • Keep up with the latest around scams and how they work. The Twitter bitcoin scam employed a lot of common cognitive biases. Understanding how bitcoin or cryptocurrency works reduces the number of people who fall for scams about it.

If someone believes they are a victim of a bitcoin scam or has questions about other scams, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.



People are spending more time on their phones, tablets and computers now than ever, making cyber-hygiene tips as important as they have ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

Staying logged in is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

For anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.



A Florida-based healthcare provider has issued a warning to its patients that their highly-sensitive personally identifiable information (PII) and personal health information (PHI) may have been stolen in a data breach. In what appears to have been a ransomware attack, Florida Orthopaedic Institute’s servers were infiltrated by malicious actors who then encrypted patients’ files, blocking access to them by the facility’s staff members. The facility is a conglomerate of orthopaedic physicians’ offices, meaning it could be possible that patients affected by the Florida Orthopaedic Institute data breach are not familiar with the company’s name.

The Florida Orthopaedic Institute’s investigation also uncovered reasons to suspect that some of the patients’ complete identities had been stolen before the encryption. That would include such data points as names, birthdates, Social Security numbers and more. Right now, the Florida Orthopaedic Institute has not found evidence that those identities have been used. Other compromised information from the Florida Orthopaedic Institute data breach includes medical data or PHI like appointment times, insurance plan numbers and payments for services, just to name a few.

While the facility was able to regain access to the encrypted files, affected patients should take immediate action. Some important steps include:

  • Changing the passwords on any accounts that share a username and password with their Florida Orthopaedic Institute account
  • Requesting a free copy of their credit report from AnnualCreditReport.com to look for signs of unusual activity
  • Signing up for the free credit monitoring and fraud protection tools that Florida Orthopaedic Institute is providing to the victims of this breach. It’s also important for victims of the Florida Orthopaedic Institute data breach to place a freeze on their credit report if their financial or payment card information was affected.
  • Contacting their insurance provider and asking if they can change their insurance account and card number. Victims should see what additional protections they can put in place such as an additional password when calling for service
  • Checking medical insurance billing statements closely to ensure the company is not covering services received by a thief that the victim has not received

As with any data breach event, including the Florida Orthopaedic Institute data breach, consumers can also reach out to the Identity Theft Resource Center (ITRC) for help and information by live-chat or calling toll-free at 888.400.5530. The ITRC’s free ID Theft Help app for iOS and Android is a place for victims to manage their case-specific action plans and find other helpful resources.



In 2019, the Identity Theft Resource Center (ITRC) saw a 17 percent increase in data breaches compared to 2018. Credential stuffing attacks exploded in 2019, as did breaches of third-party contractors. 2020 has been a different story.

While scams are up due to COVID-19, publicly-reported data breaches are down in the U.S. Despite millions of Americans shifting to working from home – where cybersecurity and data protections may not be as strong as their regular workspace – the number of data breaches has dropped by one-third (nearly 33 percent) in the first six months of 2020 compared to 2019. The data compromise decrease statistics do not stop there. More significantly, the number of individuals impacted by breaches dropped by 66 percent compared to the same time period one year ago.

Figure: Year-over-year January – June 2020 data breach trends, provided by ITRC

The 2020 data breach statistics are good news for consumers and businesses overall. However, the emotional and financial impacts on individuals and organizations are still significant. In fact, the impact on individuals might be even more catastrophic as criminals use stolen personally identifiable information (PII) to misappropriate government benefits intended to ease the impact of the COVID-19 pandemic.

External threat actors continue to account for most successful data compromises (404), compared to internal threats from employees (83) and third-party contractors (53). Internal threat data compromises are the lowest they have been since 2018.

In comparison, January 1, 2019 to June 30, 2019 saw 588 breaches caused by an external threat actor, 126 breaches caused by an internal threat actor and 89 breaches involving a third party. The data compromise decrease can be attributed, in part, to more people working from home.

Due to the increase in remote work, employees have less access to the data and systems necessary to easily steal PII. However, businesses and employees are also hyper-focused on preventing identity theft.

Unless there is a significant uptick in data compromises reported, 2020 is on pace to see the lowest number of data breaches and data exposures since 2015.

Figure: Year-over-year data breach trends 2020, provided by ITRC

With that said, there is reason to believe the lower number of breaches is only temporary. Cybercriminals have been using the billions of data points stolen in data breaches during the last five years to execute different types of scams and attacks, which include phishing, credential stuffing and other exploits that require PII. With so much data being consumed and so much focus on improved cyber-hygiene, both at work and at home, the available pool of useful data is being reduced.

At some point, cybercriminals will have to update their data, which should lead to a return of the normal threat pattern. While there are signs of increased cyberattacks that – if successful – could lead to PII being compromised, it is too early to tell when the uptick may occur. Even then, it is more likely to be a “dimmer switch” approach rather than just flipping on a light switch, meaning it will not happen all at once.

The ITRC will continue to monitor all of the publicly-reported data breaches daily and analyze them to keep businesses and consumers educated on what the cybercriminals are doing.

If someone believes they have had their information exposed as part of a data compromise, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them.

Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

For more information on the ITRC’s data breach tracking and trend analysis, or if your organization would like to subscribe to our monthly data breach product, please email notifiedbyITRC@idtheftcenter.org.