• When the Identity Theft Resource Center (ITRC) was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Now, it is far and away cyberattacks.
  • Phishing is the number one attack vector that leads to data breaches, ransomware second and malware third.
  • However, there are ways to protect yourself from cyberattacks. Back up your information, update your software, use strong and unique passphrases, and collect and maintain less information.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

The Crimes, They Are Changing

Welcome to the Identity Theft Resource Center’s (ITRC’s)Weekly Breach Breakdown for October 15, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. We also use a lot of literary references – especially Shakespeare. Today, though, we turn to a different classic for inspiration – Bob Dylan – in honor of Cybersecurity Awareness Month. October is the time each year when you focus on ways to protect yourself from cyberattacks and other identity crimes. That’s why we’re calling today’s episode: The crimes, they are changing.

The Rise in Digital Data Theft

When the ITRC was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Digital data theft didn’t arrive until the mid-2000s. Even then, it was usually because someone’s laptop or external hard drive was stolen.

Not so today. Physical attacks and human errors were once the leading cause of data compromises. Today it is far and away cyberattacks. In fact, cyberattacks are so common that the number of data breaches and exposures associated with them so far this year exceeds all forms of data compromises in 2020.

Phishing is the leading attack vector that leads to data breaches. The login and password credentials stolen in these email, text and website-related attacks are often used by cybercriminals to access company networks and databases held hostage in a ransomware assault – the second most common cause of data compromises.

Malware is the third leading cause of identity-related data breaches. It is often used to exploit software flaws or penetrate networks as part of a ransomware attack or just good old-fashioned data theft. Caught in the cross-hairs of all these cyberattacks are consumers – people whose data is held in trust by organizations that are the targets of cybercriminals.

The ITRC to Release Inaugural Business Aftermath Report

We often think of data breaches and ransomware only impacting big businesses whose names we recognize. However, later this month, the ITRC will issue a new report on the impact of identity crimes on small businesses and solopreneurs – the tens of millions of companies with zero or just a handful of employees. Without giving away too much right now, the research shows more than half of all small businesses have experienced one or more data breaches, security breaches or both.

Use Good Cyber-Hygiene Habits to Protect Yourself

What are some ways to protect yourself from cyberattacks both at work and at home?  The actions must be the same. Regular listeners already know the basics of a good cyber defense. Make good back-ups of your information, update or patch your software as fast as possible, and practice good password hygiene. Do not use the same password at work and at home. Each account gets a unique, 12+ character password.

There are two additional ways to protect yourself from cyberattacks you should consider:

  1. Collect and maintain less information. If you are a business, get rid of the personal data you no longer need once you complete a transaction. The same is true for consumers. Don’t keep sensitive information you no longer need. Cyberthieves can’t steal what you don’t have.
  2.  If you are a business leader, train your teams like you’re voting in Chicago – early and often. If you’re a consumer, you can use some routine training, too. Why is this important? Cybercriminals are constantly improving their attack methods and inventing new ones. We need to make sure we know what to do to stay safe from identity scams and cyber risks, and that takes training and education.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for our sister podcast, The Fraudian Slip, when we talk more about cyber education with Zarmeena Waseem of the National Cybersecurity Alliance and our very own ITRC CEO, Eva Velasquez. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A new report from Intel 471 reveals that cybercriminals are going after one-time passwords, known as OTPs.
  • The attackers deceive people into giving them a one-time password or other verification codes via a mobile device, which the criminals use to steal money from the now compromised account.
  • Also, do not share personal information with anyone you do not know until you verify they are who they claim to be.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.  

Nice Things

Welcome to the Identity Theft Resource Center’s (ITRC’s)Weekly Breach Breakdown for October 1, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we dig into a troubling development that we all kind of knew was coming but maybe didn’t want to admit it. Cybercriminals are finding ways to steal those one-time passwords you send to your phone by text. 

This is why we can’t have nice things in our adult world. Every time someone comes up with a new way of protecting our personal information from the grubby little fingers of threat actors, the criminals find a new way to steal our data. That seems to be the case when it comes to two-factor authentic education, also known as multifactor authentication, or MFA.

New Report Shows Cybercriminals are Targeting One-Time Passwords

This week, a cybersecurity research team at Intel 471 issued a report that noted, “Two-factor authentication is one of the easiest ways for people to protect any online account.” Now, criminals are trying to circumvent that protection. Cyber thieves are using various tactics to gain account information, including impersonating banks and legitimate services on phone calls.

Using social engineering methods, the attackers deceive people into giving them a one-time password or other verification code via a mobile device, which the crooks then use to steal money from the now compromised account.

The criminals buy easy-to-use applications that send a potential victim a text message requesting their phone number. Once a target’s phone number has been entered into a chat message, the malicious application takes over from there. The researchers at Intel 471 found that about 80 percent of people targeted by cybercriminals will end up providing their information to threat actors, allowing them to drain the money from their accounts.

Variations on these OTP attack schemes include:

  • Specialty software that targets accounts on social media.
  • Media networks such as Facebook, Instagram and Snapchat.
  • Financial services like PayPal and Venmo.

Even an automated tool allows an attacker to make any phone call that appears to be from a specific bank.

Once a call is answered, the criminals use a script to trick potential victims into sharing information such as ATM, PINs, credit card verification codes or one-time passwords. Quoting the Intel 471 researchers again, while SMS and phone-based one-time password services are better than nothing, criminals have found ways to socially engineer their way around the safeguards. It was always a matter of time before the bad guys found a way around this layer of defense in these particular instances. The weak security link is the user who willingly gives information to someone they believe to be a legitimate representative at a company where they do business.

To Avoid an OTP Text Scam, the ITRC Advises You To

  • Always verify the legitimacy of any contact you do not initiate, whether it is a phone call, email, text message or a social media instant message.
  • Don’t share any personal information with anyone you do not personally know and trust until you verify the person contacting you is who they claim to be. Also, make sure they have a good reason for asking you for information they should already know.

Today is the first day of Cyber Security Awareness Month. The ITRC has a full list of activities planned, including participating in industry events and special guests on our sister podcast, The Fraudian Slip. We will also issue two very important reports this month. Next week, on October 6, we’ll publish our Q3 Data Breach Analysis that shows how many new data compromises were reported in the past three months and what the trends tell us.

On October 27, we’ll issue our very first Business Aftermath Report. As a companion to our longtime report on the impact of identity crimes on consumers, the Business Aftermath Report will look at what happens to small businesses and solopreneurs after a security breach, a data breach or both.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Thanks again to Experian for supporting the ITRC and this podcast. We will be back next week with another episode of the Weekly Breach Breakdown.

  • T-Mobile recently suffered its third data breach since December of 2020. The T-Mobile data compromise has affected over 40 million people and led to information like Social Security numbers (SSNs) and driver’s license information being hacked.  
  • Cybersecurity researchers claim the T-Mobile data compromise may impact as many as 100 million current, past and prospective customers. 
  • To protect yourself from the T-Mobile data compromise, consider freezing your credit, changing your passwords and PIN numbers to long and unique passphrases, using multi-factor authentication and not ignoring breach notices.  
  • To learn about recent data breaches, like the T-Mobile data compromise, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified
  • For more information on the T-Mobile data compromise, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Facts Are Stubborn, But Statistics Are Pliable 

Welcome to the Identity Theft Resource Center’s (ITRC)Weekly Breach Breakdownfor August 20, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we talk about the T-Mobile data compromise, which is one of the most significant data breaches so far this year. We also talk about what you should do in response, even if you are not impacted by it. 

Mark Twain once wrote that “Facts are stubborn things, but statistics are pliable.” Apply that same principle to data breaches and you get the natural pattern that emerges when personal information is suddenly stolen or exposed by a cybercriminal. The typical response goes something like this:  

  • “We don’t have any evidence there has been a breach, but we will investigate.” 
  • Followed by “We have investigated and found that a small number of customers information has been compromised, but we do not believe any sensitive or personal data is at risk.” 
  • That statement is often followed by an update that sounds like this: “We have now determined that more than X million of our valued customers are directly impacted by unauthorized access by cybercriminals of our systems, and the data involved does include Social Security numbers (SSNs) and other personal information.”  

T-Mobile Suffers its Second Data Breach Since February 2021 

We don’t “name and shame” companies at the ITRC. Cyberattacks and data breaches are an unfortunate consequence of our digital society. It’s only logical that the more you investigate, the more you know, meaning numbers change. We have laws, regulations and courts to handle the blame game. We do, though, use anecdotes to help educate consumers and businesses on how to protect themselves.  

What Happened? 

This week, T-Mobile finds itself in the unenviable position of providing a teaching moment thanks to its third data breach since December 2020 and its second data breach since February 2021. The nation’s third-largest mobile telecom provider did not know it had been breached until a cybercriminal posted customer information stolen from T-Mobile in an identity marketplace used by identity thieves. 

Cybersecurity researchers claim as many as 100 million current, past and prospective customers may be impacted by the T-Mobile data compromise. T-Mobile has confirmed the personal information of 47 million people has been compromised, including customers’ first and last names, dates of birth, SSNs and driver’s license/identity information in some instances. 

T-Mobile customers can visit the carrier’s website t-mobile.com to learn more about the company’s actions to help victims of the breach. 

What Should You Do to Protect Yourself After the T-Mobile Data Compromise? 

What should you do if you are a T-Mobile customer? Actually, it doesn’t matter if you are a T-Mobile customer or not. Here are some actions that everyone should take to help protect their personal information today and after a data breach:  

  1. Do not ignore data breach notices. There are a lot of them. However, there are usually important action steps in the notices, like how to activate free identity protection services. 
  1. Freeze your creditCredit monitoring is helpful, but it offers no protection. It tells you what happened, but it doesn’t stop anything from happening. To protect yourself, freeze your credit. It’s free, easy and doesn’t impact your credit. 
  1. Change your passwords and PIN numbers to make sure you do not use the same passwords or PINs on more than one account. Make sure the password is long, at least 12 characters, and is something you can remember. You can also use a password manager to generate and keep track of your credentials. Cybercriminals love it when we reuse passwords on more than one account. 
  1. Use multi-factor authentication (MFA or 2FA) on all your accounts that offer it. If possible, use an authentication app rather than have a code sent by text to your phone. Authentication apps are available for free from Microsoft, Google and other software providers. 
  1. If you are a business, make sure you don’t collect more personal information than you need. Don’t keep it longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Make sure you offer MFA for your customers’ and prospects’ protection, too. 

Contact the ITRC 

You can always call us at the ITRC if you have questions about what you should do if you receive a data breach notice or hear about a breach in the media, like the T-Mobile data compromise. Just visit www.idtheftcenter.org, where you’ll find helpful tips. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).  

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown

  • According to a new report from NTT Application Security, the percent of application software being patched has dropped below 50 percent. It is partly because more applications are being tested in the wake of recent high-profile cyberattacks. 
  • The average time to fix the most severe software vulnerabilities in a large enterprise is 203 days. That number is more than twice that figure in some industries. 
  • The report also reveals that most applications in 10 of the 11 leading industries tracked by NTT Application Security have at least one software flaw open to attack every day of the year. 
  • Cybersecurity teams are failing to fix software vulnerabilities on a timely basis, which is one reason why cybercriminals have success attacking businesses
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

A King of Shreds & Patches 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 30, 2021Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week, we discuss one of the primary causes of cyberattacks that leads to data compromises – known but unpatched software vulnerabilities and flaws.  

In Shakespeare’s Hamlet, the troubled prince refers to his uncle, a usurper of the Danish throne, as a rag-tag monarch: “A king of shreds & patches.” That description also applies to how much modern software is riddled with known flaws that give cybercriminals an easy path into organizations. There’s a report out this week that gives us a clue into just how difficult it is to patch software, even when the bugs are well known. 

Cybersecurity Teams Struggle to Quickly Fix Software Vulnerabilities 

Global cybersecurity provider NTT Application Security claims that cybersecurity teams are struggling to fix issues quickly. So far this year, the percent of application software being patched has dropped below 50 percent, partly because more applications are being tested in the wake of recent high-profile cyberattacks. 

Still, the time to patch has not improved over time. The average time to fix the most severe software vulnerabilities and flaws in a large enterprise is 203 days. In some industries, the number is more than twice that figure. The time needed to fix software used in the agriculture and forestry sector is the highest at 513 days, on average. The education sector, a common target for ransomware attacks, is the second slowest industry and requires an average of 478 days to fix a known flaw. 

How long does it take for a cybercriminal to exploit software vulnerabilities? A 2020 report puts the time to breach a system at as few as two hours once a flaw is publicly announced, usually at the same time a fix is issued. 

The Consequences of Slow Response Times to Patch Flaws 

The universally slow patch cycle where companies prioritize which software vulnerabilities they fix in what order has an unintended consequence, too. The lower the risk, the longer the time to patch. That allows cybercriminals to develop new attacks that link several lower-risk flaws into a single attack that is hard to detect and defend.  

NTT Application Security’s research shows that the same kind of software vulnerabilities continue to appear in new and updated applications. Most of the flaws identified in the first six months of 2021 fall into the same five categories month after month. 

What does that tell us? According to the report’s authors, it means that the people who are developing software and the teams that are protecting systems are not talking to one another, at least not enough to learn what bugs are common and how to fix them. 

Most Applications Have At least One Software Flaw Open to Attack 

There’s one last statistic from the NTT Application Security report that should be discussed. A majority of applications in 10 of the 11 leading industries tracked by NTT have at least one software flaw open to attack every day of the year. That explains why cybercriminals are successful at attacking businesses

Next week, we’ll take a look at the ever-growing costs to businesses that suffer a data compromise as calculated in a new report from IBM

Contact the ITRC 

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown


  • Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, is becoming more popular. Its use is up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
  • API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
  • To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdownfor June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Program Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm SALT:

  • Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
  • Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
  • Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
  • One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • A new cybersecurity executive order will lead to the creation of a Cyber Safety Review Board, removing barriers to sharing threat information and much more.
  • The Cyber Safety Review Board will determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company, and will meet anytime there is a significant event. Also, federal agencies will eliminate legal barriers that prevent the sharing of information about data and security breaches.
  • Since the same companies that sell technology to the government also sell products to consumers and businesses, the level of quality and security will rise for every use and everyone.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. coming in June, you can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Come What May

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdownfor May 28, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will focus on something unusual – a new cybersecurity executive order and solutions to the seemingly endless race against cybercriminals.

In Macbeth, Shakespeare wrote: “Come what come may, time and the hour runs through the roughest day.” Without question, the last six months have been rough on companies, governments and individuals as identity scams and cyberattacks have captured headlines and disrupted lives.

Changes to How the Federal Government Approaches Cybersecurity

From companies most people have never heard of like SolarWinds and Accellion to household names like Microsoft and Peloton, along with critical infrastructure organizations like Colonial Pipeline and the respected Scripps Health system, organizations and institutions alike have been on the wrong side of data and security breaches.

However, federal officials have announced a series of actions that privacy and cybersecurity experts are praising as both needed and welcome changes to how the federal government approaches cybersecurity. Because the U.S. government purchases billions of dollars in IT products and services each year, the private sector, including individual consumers, will also benefit.

Top Provisions in New Cybersecurity Executive Order

There are seven key actions in the new Executive Order on Improving the Nation’s Cybersecurity. We don’t have time to go into all seven, so let’s focus on two of the most important provisions:

  1. Establishing a Cyber Safety Review Board; and,
  2. Removing barriers to sharing threat information.

The best news is, we already have a model in other areas that we know works. Here’s what we mean. Southwest Airlines flight 1380 was climbing through 32,000 feet on the morning of April 17, 2018. At approximately 11:03 a.m., fan blade No. 13 in the left engine shattered due to a previously undetected stress fracture. A 12-inch section weighing 6.825 pounds and a two-inch section of a fan blade weighing .650 pounds separated from the rest of the fan blade assembly. The result was an uncontained failure of the jet engine.

We know all of this because the National Transportation Safety Board (NTSB) publishes its findings so the public and industry can benefit from the knowledge gained in accident investigations. This decades-old information-sharing model has resulted in the safest form of transportation on the planet. According to the National Safety Council, the odds in 2019 of you dying while walking were one in 543. Dying in a plane crash? So low as to not be measurable.

What are the odds of a company suffering a cyberattack? It’s not a matter of “if,” but how many times, how frequently and if the attack succeeds. A 2017 study by the University of Maryland claims an attack occurs every 39 seconds. Yet, despite the near-constant level of cyber threats, there is no NTSB-style body to find and share the root causes of cyber incursions and the ways to prevent future attacks.

What the New Cybersecurity Executive Order Means

Due to the new cybersecurity executive order, federal agencies have been instructed to find the legal barriers that prevent the sharing of information about data and security breaches and get rid of them. The Homeland Security Secretary is to form a panel of public and private sector experts to determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company. The group is to convene anytime there is a significant cyber event, just like the NTSB.

Later in the year, federal agencies and the companies that sell them hardware and software will have to adopt strict new quality control standards. Because the same companies that sell technology to Uncle Sam also sell products to consumers and businesses, the overall level of quality and security will rise for every use and everyone.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). And coming in June, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The data of 533 million Facebook users has been published on a low-level hacker forum.
  • The information is believed to have been copied in 2019 or earlier from Facebook user pages and includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.
  • The leaked data could help cybercriminals commit different forms of phishing attacks and other social engineering-based identity scams.
  • LinkedIn also recently suffered a similar attack, affecting over 500 million users and exposing user IDs, names, email addresses, phone numbers, professional titles and other work-related data.
  • The LinkedIn and Facebook data leaks are a great reminder to be careful what you share online. Users willingly posted all of the information copied from LinkedIn and Facebook into cybercriminal markets. If you don’t want to see the data in a hacker forum, don’t post it online.
  • To learn more, or if you believe you a victim of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

A recent Facebook data leak resulted in the personal data of more than 500 million users being copied (an often-legal process known as scraping) and later posted on a hacker forum. A similar attack happened with LinkedIn, leaving users to wonder what they could have done to prevent their personal information from being copied by data thieves. While the data was scraped from Facebook in 2019 because of a software flaw that the company says was patched the same year, the incident serves as a good reminder to be careful what you share online.

What Happened

According to Business Insider, a user in a low-level hacking forum scraped the phone numbers and personal data of 533 million Facebook users in 109 different countries – enough people to qualify as the third largest nation on Earth. The data file, published in a forum where identity information is bought and sold, includes more than 32 million records on users in the U.S. Information exposed in the Facebook data leak includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.

What Does This Mean for You?

The scraped data from the LinkedIn and Facebook data leaks could help cybercriminals commit different forms of identity fraud, including phishing attacks and scams that require social engineering to convince you to give up even more personal information. Users should be on the lookout for phishing schemes or fraud using their own data.

Be Careful What You Share Online

While there is not a lot that Facebook and LinkedIn users can do to protect themselves from the latest incidents now, it is a great reminder to be careful what you share online to help prevent future identity fraud. The data thief did not gain access to the systems and steal private data. Instead, they copied (or scraped) information that people willingly posted on their own profiles and combined the information in a database that can be bought, sold or shared in criminal marketplaces.

If you post enough information about yourself online, hackers can connect the dots about your life, relatives and friends to commit identity fraud by pretending to be you. Be careful what you share online, including what you write in your posts and include in your profile. Also, check your privacy settings to ensure you are not sharing personal information with people you do not know or trust. A good rule of thumb is, “If you don’t want to see the data in a hacker forum, don’t post it online.”

Contact the ITRC

If you believe you were the victim of the latest Facebook data leak and want steps on how to protect yourself, or if you want to learn more about how to be careful what you share online, contact us. You can reach a contact advisor toll-free by phone (888.400.5530) or live-chat. You can find the latest resources on an array of identity-related topics. Just visit www.idtheftcenter.org to get started.

  • Identity Management Day 2021 is about informing people of the dangers of improperly managing and securing digital identities. It is also designated to share best practices. 
  • The biggest threat to individual identities is the significant shift away from traditional identity theft fueled by personal information acquired in mass attacks and towards credential theft used to commit identity fraud, according to the Identity Theft Resource Center.  
  • Targeted attacks against businesses are easier for threat actors to execute and result in a larger payout. The average ransomware payment from companies has grown from less than $10,000 in Q3 2018 to more than $312,000 per event today.  
  • To protect themselves, businesses and consumers should follow cyber-hygiene best practices, especially good password management. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/

Save the date for the first-ever Identity Management Day! Identity Management Day 2021, hosted by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), is a day to inform people about the dangers of improperly managing and securing digital identities. It raises awareness, shares best practices and leverages the support of vendors in the identity security space.  

Identity Management Day 2021 is important for both businesses and individuals. According to IDSA, 79 percent of organizations have experienced an identity-related breach in the last two years, and 99 percent believe their identity-related breaches were preventable. A report from the Federal Trade Commission (FTC) shows that identity theft reports have tripled since 2018.  

Technology grows in importance every day as the world moves towards a digital-first model. With the emphasis on technology, it is more vital that people’s digital identities and the systems that protect them work properly. 

The Biggest Identity Management Challenge Facing Businesses & Consumers  

The biggest threat the Identity Theft Resource Center (ITRC) sees to identities is the dramatic shift to credential theft and away from traditional attacks fueled by personally identifiable information (PII) acquired in mass attacks. Today, threat actors are more interested in collecting personal and business logins and passwords that can be used in credential stuffing, phishing (including business email compromises or BECs) and supply chain attacks.  

  • Statistics show that cybercriminals are spending more time and effort on attacks that rely on personal credentials to commit cybercrimes like identity-related fraud. According to the ITRC’s Q1 2021 Data Breach Report, the number of individuals impacted by a data compromise was up 564 percent in Q1 2021 compared to Q4 2020. The rise is in large part to an increase in supply chain attacks. There have been supply chain attacks at 27 third-party vendors and 19 supply chain attack-related data compromises in Q4 2020.  
  • According to the FBI, BEC scams cost businesses more than $1.8 billion in 2020. The ITRC’s 2020 Data Breach Report shows 382 phishing/smishing/BEC attacks, making up 44 percent of all publicly-reported U.S. data breaches in 2020.  
  • The trend toward supply chain attacks shows that cybercriminals are concentrating their efforts by attacking single organizations that give them access to the data of multiple businesses. Instead of attacking 1,000 consumers to gain $300,000, threat actors attack one company and walk away with the same amount or more money with less effort and risk. 

What You Can Do 

The ITRC’s advice is simple and revolves around good password and cyber-hygiene practices.  

  • A long and memorable password (12+ characters) is a great way to keep people out of your account. They are easier to remember and harder for a criminal to use an automated tool to crack. 
  • It is essential to have a unique password for each account. If your credentials for one account are stolen, threat actors will not be able to access any of your other accounts.  
  • Do not use a password from one of your personal accounts on a work account. It puts consumers and businesses at an increased risk. 
  • Multifactor authentication (MFA) is always a good idea because it creates an added layer of security for the account. It is better to use MFA with an app than SMS because hackers can create scams with fake SMS MFA messages.  
  • Never click on a link in an unsolicited email, text or social media direct message. You should directly contact the sender to see if the message is legitimate if there is any doubt.  

The ITRC is honored to participate in Identity Management Day 2021 and hopes to educate business leaders, IT decision-makers and the general public about the importance of managing and securing digital identities. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/.  

  • According to the FBI’s annual report on cybercrime, in 2016, nearly 300,000 cybercrime reports were filed with the FBI. The total impact of the cybercrimes was $1.5 billion. 
  • In late 2020, the number of crimes reported more than doubled to almost 800,000. The rate of loss skyrocketed to $4.2 billion, a 180 percent increase. 
  • However, despite the cybercrime increase, the IC3 Recovery Asset Team scored an 82 percent success rate in helping victims recover money transferred to criminals. Nearly $380 million was restored to victims of cybercrime. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Since Noah Was a Sailor 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look at the FBI’s annual report on cybercrime, highlighting a significant cybercrime increase. It’s been 21 years since the Bureau’s Internet Crime Complaint Center (IC3) was formed to track cybercrime.  

That’s almost as long as the commercial internet has been in existence, or as Shakespeare would put it in Twelfth Night, “since Noah was a sailor.” That is the title of this episode as we look at the long-term trends in cybercrime. 

Changes in Cybercrime 

It’s not particularly instructive to compare cybercrime in 2000 to 2021. It is safe to say that there is a cybercrime increase. Far more cybercriminals commit exponentially more fraud today than when people still had to dial-up their internet connection with a modem. Anyone who remembers doing so is hearing that sound right now in their head. 

What is more helpful is to look at the last five years of data from the FBI. We apologize for listing many numbers and asking everyone to visualize the magnitude of the changes in half a decade. However, the numbers speak for themselves.  

Cybercrime in 2016 

In 2016, Captain America: Civil War was the top box office grossing movie, and Game of Thrones was the undisputed ratings champ on television. The Denver Broncos won the Super Bowl, the Chicago Cubs won a World Series for the first time in 108 years, and nearly 300,000 cybercrime reports were filed with the FBI.  

The total impact of the cybercrimes was $1.5 billion. The number one complaint (81,000 of them) was when someone ordered a product on the internet and did not receive it, or a merchant did not receive payment for a product sold over the web. 

Data breaches were the second-highest complaint at 27,000 reports, followed by phishing, extortion and identity theft with just under 17,000 complaints. 

Cybercrime in 2020 

Fast forward to the end of 2020, with much of the world still on pandemic lock-down. Many people are doing the bulk of their work and business transactions online. 

The number of complaints more than doubled – from nearly 300,000 to almost 800,000. The same can be said of the rate of loss. $1.5 billion in 2016 turned into $4.2 billion in 2020 – a 180 percent increase in losses attributed to cybercrime. 

Where non-payment or non-delivery of goods was the number one complaint five years ago, in 2020, it was phishing in all its various forms. 19,000 reports in 2016 grew to more than 241,000 phishing attacks against businesses and individuals due to the cybercrime increase. Losses attributed to 19,000 business email compromises (a subset of phishing) totaled more than $1.8 billion last year alone. 

IC3 Team Help Victims 

There is some good news in the FBI’s annual cybercrime report around the cybercrime increase. The IC3 includes a team assigned to help victims under certain circumstances recover money transferred to criminals. In 2020, the Recovery Asset Team scored an 82 percent success rate, restoring nearly $380 million to cybercrime victims. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, including when to report a crime to IC3, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.