• According to a new report from NTT Application Security, the percent of application software being patched has dropped below 50 percent. It is partly because more applications are being tested in the wake of recent high-profile cyberattacks. 
  • The average time to fix the most severe software vulnerabilities in a large enterprise is 203 days. In some industries, the number is more than twice that figure.
  • The report also reveals that most applications in 10 of the 11 leading industries tracked by NTT Application Security have at least one software flaw open to attack every day of the year. 
  • Cybersecurity teams are failing to fix software vulnerabilities on a timely basis, which is one reason why cybercriminals have success attacking businesses.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

A King of Shreds & Patches 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 30, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week, we discuss one of the primary causes of cyberattacks that leads to data compromises – known but unpatched software vulnerabilities and flaws.

In Shakespeare’s Hamlet, the troubled prince refers to his uncle, a usurper of the Danish throne, as a rag-tag monarch: “A king of shreds & patches.” That description also applies to how much modern software is riddled with known flaws that give cybercriminals an easy path into organizations. There’s a report out this week that gives us a clue into just how difficult it is to patch software, even when the bugs are well known. 

Cybersecurity Teams Struggle to Quickly Fix Software Vulnerabilities 

Global cybersecurity provider NTT Application Security claims that cybersecurity teams are struggling to fix issues quickly. So far this year, the percent of application software being patched has dropped below 50 percent, partly because more applications are being tested in the wake of recent high-profile cyberattacks. 

Still, the time to patch has not improved over time. The average time to fix the most severe software vulnerabilities and flaws in a large enterprise is 203 days. In some industries, the number is more than twice that figure. The time needed to fix software used in the agriculture and forestry sector is the highest at 513 days, on average. The education sector, a common target for ransomware attacks, is the second slowest industry and requires an average of 478 days to fix a known flaw. 

How long does it take for a cybercriminal to exploit software vulnerabilities? A 2020 report puts the time to breach a system at as few as two hours once a flaw is publicly announced, usually at the same time a fix is issued. 

The Consequences of Slow Response Times to Patch Flaws 

The universally slow patch cycle, in which companies prioritize which software vulnerabilities they fix and in what order, has an unintended consequence, too. The lower the risk, the longer the time to patch. That allows cybercriminals to develop new attacks that link several lower-risk flaws into a single attack that is hard to detect and defend against.

NTT Application Security’s research shows that the same kind of software vulnerabilities continue to appear in new and updated applications. Most of the flaws identified in the first six months of 2021 fall into the same five categories month after month. 

What does that tell us? According to the report’s authors, it means that the people who are developing software and the teams that are protecting systems are not talking to one another, at least not enough to learn what bugs are common and how to fix them. 

Most Applications Have At least One Software Flaw Open to Attack 

There’s one last statistic from the NTT Application Security report that should be discussed. A majority of applications in 10 of the 11 leading industries tracked by NTT have at least one software flaw open to attack every day of the year. That explains why cybercriminals are successful at attacking businesses.

Next week, we’ll take a look at the ever-growing costs to businesses that suffer a data compromise as calculated in a new report from IBM.

Contact the ITRC 

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.


  • Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, are becoming more popular. Their use is up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
  • API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
  • To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Programming Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm SALT:

  • Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
  • Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
  • Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
  • One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • A new cybersecurity executive order will lead to the creation of a Cyber Safety Review Board, removing barriers to sharing threat information and much more.
  • The Cyber Safety Review Board will determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company, and will meet anytime there is a significant event. Also, federal agencies will eliminate legal barriers that prevent the sharing of information about data and security breaches.
  • Since the same companies that sell technology to the government also sell products to consumers and businesses, the level of quality and security will rise for every use and everyone.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming in June, you can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Come What May

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 28, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will focus on something unusual – a new cybersecurity executive order and solutions to the seemingly endless race against cybercriminals.

In Macbeth, Shakespeare wrote: “Come what come may, time and the hour runs through the roughest day.” Without question, the last six months have been rough on companies, governments and individuals as identity scams and cyberattacks have captured headlines and disrupted lives.

Changes to How the Federal Government Approaches Cybersecurity

From companies most people have never heard of like SolarWinds and Accellion to household names like Microsoft and Peloton, along with critical infrastructure organizations like Colonial Pipeline and the respected Scripps Health system, organizations and institutions alike have been on the wrong side of data and security breaches.

However, federal officials have announced a series of actions that privacy and cybersecurity experts are praising as both needed and welcome changes to how the federal government approaches cybersecurity. Because the U.S. government purchases billions of dollars in IT products and services each year, the private sector, including individual consumers, will also benefit.

Top Provisions in New Cybersecurity Executive Order

There are seven key actions in the new Executive Order on Improving the Nation’s Cybersecurity. We don’t have time to go into all seven, so let’s focus on two of the most important provisions:

  1. Establishing a Cyber Safety Review Board; and,
  2. Removing barriers to sharing threat information.

The best news is, we already have a model in other areas that we know works. Here’s what we mean. Southwest Airlines flight 1380 was climbing through 32,000 feet on the morning of April 17, 2018. At approximately 11:03 a.m., fan blade No. 13 in the left engine shattered due to a previously undetected stress fracture. A 12-inch section weighing 6.825 pounds and a two-inch section of a fan blade weighing .650 pounds separated from the rest of the fan blade assembly. The result was an uncontained failure of the jet engine.

We know all of this because the National Transportation Safety Board (NTSB) publishes its findings so the public and industry can benefit from the knowledge gained in accident investigations. This decades-old information-sharing model has resulted in the safest form of transportation on the planet. According to the National Safety Council, the odds in 2019 of you dying while walking were one in 543. Dying in a plane crash? So low as to not be measurable.

What are the odds of a company suffering a cyberattack? It’s not a matter of “if,” but how many times, how frequently and if the attack succeeds. A 2017 study by the University of Maryland claims an attack occurs every 39 seconds. Yet, despite the near-constant level of cyber threats, there is no NTSB-style body to find and share the root causes of cyber incursions and the ways to prevent future attacks.

What the New Cybersecurity Executive Order Means

Due to the new cybersecurity executive order, federal agencies have been instructed to find the legal barriers that prevent the sharing of information about data and security breaches and get rid of them. The Homeland Security Secretary is to form a panel of public and private sector experts to determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company. The group is to convene anytime there is a significant cyber event, just like the NTSB.

Later in the year, federal agencies and the companies that sell them hardware and software will have to adopt strict new quality control standards. Because the same companies that sell technology to Uncle Sam also sell products to consumers and businesses, the overall level of quality and security will rise for every use and everyone.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). And coming in June, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The data of 533 million Facebook users has been published on a low-level hacker forum.
  • The information is believed to have been copied in 2019 or earlier from Facebook user pages and includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.
  • The leaked data could help cybercriminals commit different forms of phishing attacks and other social engineering-based identity scams.
  • LinkedIn also recently suffered a similar attack, affecting over 500 million users and exposing user IDs, names, email addresses, phone numbers, professional titles and other work-related data.
  • The LinkedIn and Facebook data leaks are a great reminder to be careful what you share online. Users willingly posted all of the information copied from LinkedIn and Facebook into cybercriminal markets. If you don’t want to see the data in a hacker forum, don’t post it online.
  • To learn more, or if you believe you are a victim of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

A recent Facebook data leak resulted in the personal data of more than 500 million users being copied (an often-legal process known as scraping) and later posted on a hacker forum. A similar attack happened with LinkedIn, leaving users to wonder what they could have done to prevent their personal information from being copied by data thieves. While the data was scraped from Facebook in 2019 because of a software flaw that the company says was patched the same year, the incident serves as a good reminder to be careful what you share online.

What Happened

According to Business Insider, a user in a low-level hacking forum scraped the phone numbers and personal data of 533 million Facebook users in 109 different countries – enough people to qualify as the third largest nation on Earth. The data file, published in a forum where identity information is bought and sold, includes more than 32 million records on users in the U.S. Information exposed in the Facebook data leak includes phone numbers, Facebook IDs, full names, birthdates, bios and email addresses.

What Does This Mean for You?

The scraped data from the LinkedIn and Facebook data leaks could help cybercriminals commit different forms of identity fraud, including phishing attacks and scams that require social engineering to convince you to give up even more personal information. Users should be on the lookout for phishing schemes or fraud using their own data.

Be Careful What You Share Online

While there is not a lot that Facebook and LinkedIn users can do to protect themselves from the latest incidents now, it is a great reminder to be careful what you share online to help prevent future identity fraud. The data thief did not gain access to the systems and steal private data. Instead, they copied (or scraped) information that people willingly posted on their own profiles and combined the information in a database that can be bought, sold or shared in criminal marketplaces.

If you post enough information about yourself online, hackers can connect the dots about your life, relatives and friends to commit identity fraud by pretending to be you. Be careful what you share online, including what you write in your posts and include in your profile. Also, check your privacy settings to ensure you are not sharing personal information with people you do not know or trust. A good rule of thumb is, “If you don’t want to see the data in a hacker forum, don’t post it online.”

Contact the ITRC

If you believe you were the victim of the latest Facebook data leak and want steps on how to protect yourself, or if you want to learn more about how to be careful what you share online, contact us. You can reach a contact advisor toll-free by phone (888.400.5530) or live-chat. You can find the latest resources on an array of identity-related topics. Just visit www.idtheftcenter.org to get started.

  • Identity Management Day 2021 is about informing people of the dangers of improperly managing and securing digital identities. It is also designated to share best practices. 
  • The biggest threat to individual identities is the significant shift away from traditional identity theft fueled by personal information acquired in mass attacks and towards credential theft used to commit identity fraud, according to the Identity Theft Resource Center.  
  • Targeted attacks against businesses are easier for threat actors to execute and result in a larger payout. The average ransomware payment from companies has grown from less than $10,000 in Q3 2018 to more than $312,000 per event today.  
  • To protect themselves, businesses and consumers should follow cyber-hygiene best practices, especially good password management. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/

Save the date for the first-ever Identity Management Day! Identity Management Day 2021, hosted by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), is a day to inform people about the dangers of improperly managing and securing digital identities. It raises awareness, shares best practices and leverages the support of vendors in the identity security space.  

Identity Management Day 2021 is important for both businesses and individuals. According to IDSA, 79 percent of organizations have experienced an identity-related breach in the last two years, and 99 percent believe their identity-related breaches were preventable. A report from the Federal Trade Commission (FTC) shows that identity theft reports have tripled since 2018.  

Technology grows in importance every day as the world moves towards a digital-first model. With the emphasis on technology, it is more vital that people’s digital identities and the systems that protect them work properly. 

The Biggest Identity Management Challenge Facing Businesses & Consumers  

The biggest threat the Identity Theft Resource Center (ITRC) sees to identities is the dramatic shift to credential theft and away from traditional attacks fueled by personally identifiable information (PII) acquired in mass attacks. Today, threat actors are more interested in collecting personal and business logins and passwords that can be used in credential stuffing, phishing (including business email compromises or BECs) and supply chain attacks.  

  • Statistics show that cybercriminals are spending more time and effort on attacks that rely on personal credentials to commit cybercrimes like identity-related fraud. According to the ITRC’s Q1 2021 Data Breach Report, the number of individuals impacted by a data compromise was up 564 percent in Q1 2021 compared to Q4 2020. The rise is due in large part to an increase in supply chain attacks. There have been supply chain attacks at 27 third-party vendors and 19 supply chain attack-related data compromises in Q4 2020.
  • According to the FBI, BEC scams cost businesses more than $1.8 billion in 2020. The ITRC’s 2020 Data Breach Report shows 382 phishing/smishing/BEC attacks, making up 44 percent of all publicly-reported U.S. data breaches in 2020.  
  • The trend toward supply chain attacks shows that cybercriminals are concentrating their efforts by attacking single organizations that give them access to the data of multiple businesses. Instead of attacking 1,000 consumers to gain $300,000, threat actors attack one company and walk away with the same amount or more money with less effort and risk. 

What You Can Do 

The ITRC’s advice is simple and revolves around good password and cyber-hygiene practices.  

  • A long and memorable password (12+ characters) is a great way to keep people out of your account. Such passwords are easier to remember and harder for a criminal to crack with an automated tool.
  • It is essential to have a unique password for each account. If your credentials for one account are stolen, threat actors will not be able to access any of your other accounts.  
  • Do not use a password from one of your personal accounts on a work account. It puts consumers and businesses at an increased risk. 
  • Multifactor authentication (MFA) is always a good idea because it creates an added layer of security for the account. It is better to use MFA with an app than SMS because hackers can create scams with fake SMS MFA messages.  
  • Never click on a link in an unsolicited email, text or social media direct message. You should directly contact the sender to see if the message is legitimate if there is any doubt.  

The ITRC is honored to participate in Identity Management Day 2021 and hopes to educate business leaders, IT decision-makers and the general public about the importance of managing and securing digital identities. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/.  

  • According to the FBI’s annual report on cybercrime, in 2016, nearly 300,000 cybercrime reports were filed with the FBI. The total impact of the cybercrimes was $1.5 billion. 
  • In late 2020, the number of crimes reported more than doubled to almost 800,000. The rate of loss skyrocketed to $4.2 billion, a 180 percent increase. 
  • However, despite the cybercrime increase, the IC3 Recovery Asset Team scored an 82 percent success rate in helping victims recover money transferred to criminals. Nearly $380 million was restored to victims of cybercrime. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Since Noah Was a Sailor 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look at the FBI’s annual report on cybercrime, highlighting a significant cybercrime increase. It’s been 21 years since the Bureau’s Internet Crime Complaint Center (IC3) was formed to track cybercrime.  

That’s almost as long as the commercial internet has been in existence, or as Shakespeare would put it in Twelfth Night, “since Noah was a sailor.” That is the title of this episode as we look at the long-term trends in cybercrime. 

Changes in Cybercrime 

It’s not particularly instructive to compare cybercrime in 2000 to 2021. It is safe to say that there is a cybercrime increase. Far more cybercriminals commit exponentially more fraud today than when people still had to dial-up their internet connection with a modem. Anyone who remembers doing so is hearing that sound right now in their head. 

What is more helpful is to look at the last five years of data from the FBI. We apologize for listing many numbers and asking everyone to visualize the magnitude of the changes in half a decade. However, the numbers speak for themselves.  

Cybercrime in 2016 

In 2016, Captain America: Civil War was the top box office grossing movie, and Game of Thrones was the undisputed ratings champ on television. The Denver Broncos won the Super Bowl, the Chicago Cubs won a World Series for the first time in 108 years, and nearly 300,000 cybercrime reports were filed with the FBI.  

The total impact of the cybercrimes was $1.5 billion. The number one complaint (81,000 of them) was when someone ordered a product on the internet and did not receive it, or a merchant did not receive payment for a product sold over the web. 

Data breaches were the second-highest complaint at 27,000 reports, followed by phishing, extortion and identity theft with just under 17,000 complaints. 

Cybercrime in 2020 

Fast forward to the end of 2020, with much of the world still on pandemic lock-down. Many people are doing the bulk of their work and business transactions online. 

The number of complaints more than doubled – from nearly 300,000 to almost 800,000. The same can be said of the rate of loss. $1.5 billion in 2016 turned into $4.2 billion in 2020 – a 180 percent increase in losses attributed to cybercrime. 

Where non-payment or non-delivery of goods was the number one complaint five years ago, in 2020, it was phishing in all its various forms. 19,000 reports in 2016 grew to more than 241,000 phishing attacks against businesses and individuals due to the cybercrime increase. Losses attributed to 19,000 business email compromises (a subset of phishing) totaled more than $1.8 billion last year alone. 

IC3 Team Helps Victims

There is some good news in the FBI’s annual cybercrime report around the cybercrime increase. The IC3 includes a team assigned to help victims under certain circumstances recover money transferred to criminals. In 2020, the Recovery Asset Team scored an 82 percent success rate, restoring nearly $380 million to cybercrime victims. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, including when to report a crime to IC3, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

  • Digital wallets, an electronic version of payment cards and accounts, and mobile payment apps have become more popular during the global pandemic. U.S. users jumped from 38 percent to 55 percent of smartphone owners in 2020 because they are more convenient and secure for many consumers. They also help serve an important population: the unbanked and underbanked.
  • It can be difficult for some households (approximately 7.1 million) to get a bank account for an array of reasons. Digital wallets and mobile payment apps allow those households to make payments, store funds, transfer money to other financial accounts and even write checks depending on the app.  
  • Digital wallets and mobile payment apps can be less risky than traditional payment methods because there are security measures that are not available when someone pays with a physical card or cash. Because digital wallets are contactless, they also represent less of a health risk during the COVID-19 pandemic. 
  • To learn more about digital wallets, contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on our website www.idtheftcenter.org.  

Digital wallets and mobile payment apps continue to grow in popularity. In fact, U.S. users jumped from 38 percent to 55 percent of smartphone owners. A digital wallet allows people to carry much of what they would have in their physical wallet on a mobile device. Payment apps are also surging in popularity. According to an article in Newsday, a recent survey sponsored by SimpleTexting, a Miami Beach provider of text messaging software, shows that 81 percent of those polled use cash apps more often since the COVID-19 pandemic. Digital wallets provide people with more payment options and allow them to convert physical cash to an online account to then link to these services, especially those who are unbanked and underbanked.

Digital Wallet vs. Mobile Payment App 

A digital wallet is a virtual version of payment cards and financial accounts that can be accessed on a computer or smart device. Some popular digital wallets include ApplePay, Google Pay, Samsung Pay and PayPal. Mobile payment apps are tied to purchases made at a single business such as Starbucks or Walmart, or an app like Venmo that transfers cash to other people as payment. 

The Benefits and Risks of a Digital Wallet and Mobile Payment App 

Digital wallets and mobile payment apps allow people to simplify how they make payments and what they have to carry with them to purchase items. Both kinds of apps enable consumers to complete transactions without using cash while protecting financial account information and passwords. Digital wallets use security protocols, like two-factor authentication and one-time-use PIN numbers. They also use advanced encryption and virtualization techniques that ensure people’s financial information never leaves their actual device.   

However, that does not mean criminals will not target users. Keeping a device secure by using screen locks and device passwords/biometrics is vitally important, along with the ability to remotely disable a smart device if it’s lost or stolen. If a thief gains access to someone’s digital wallet, they may have the ability to make purchases or steal someone’s funds, like one person from Grosse Pointe Farms. There is also still the risk of being tricked into old-fashioned product or service fraud. Users of digital wallets and payment apps need to be cautious and only engage in a transaction if it’s part of a purchase or fund transfer they initiate.

Digital Wallets and Mobile Payment Apps Help the Unbanked and Underbanked 

The FDIC Survey of Household Use of Banking and Financial Services found that in 2019 approximately 7.1 million U.S. households were unbanked, meaning no one in the home had a bank account. The number of unbanked and underbanked people (U.S. residents with limited access to banking services) is on the decline, and the increased use of digital wallets and payment apps is part of the trend.  

Digital wallets and mobile payment apps are a great answer and a more secure way of making financial transactions for those who cannot or do not want to access a bank’s services. They are safer, carry fewer fees and offer easier access. Unbanked and underbanked households can make payments, store funds, transfer money to other financial accounts, and even have bill pay (check writing) features depending on the app.

Digital wallets and mobile payment apps can also improve financial inclusion by reducing people’s dependency on cash and decreasing risks associated with handling money, such as health concerns, fraud, theft, and loss. 

What People Should Do to Stay Safe

  • Enable all the security features like screen lock/biometric lock and Find My iPhone to keep hackers from accessing the digital wallet and payment apps, as well as from stealing login credentials or money.
  • Use a strong password and good cyber hygiene/security practices on all accounts to reduce the risk of hacking. The Identity Theft Resource Center (ITRC) encourages consumers to use a passphrase that is at least 12 characters long.  
  • Beware of phishing attacks because they could lead to a hacked account. Consumers should avoid unsolicited emails or text messages that ask the user to send money directly through a digital wallet or payment app. Criminals may send people an unsolicited payment request through a mobile app, so users should only use a digital wallet or mobile payment app if they initiate the transaction.  
  • Look for red flags like payments you did not make using your payment apps. If someone is victimized, they should report it to the app, change their account password and consider scanning their device with antivirus software. 

Contact the ITRC 

If anyone has questions about digital wallets, how to use them or how safe they are, they can contact the ITRC. Consumers can reach a live advisor for free by phone (888.400.5530) or live-chat and can get access to the ITRC’s latest information. All people have to do is visit www.idtheftcenter.org to get started. 

  • The Identity Theft Resource Center’s (ITRC) 2020 Data Breach Report shows 62 percent of cyberattacks that led to data breaches in 2020 involved phishing and ransomware.  
  • A Google and Stanford University study reveals that people with more than one device are more likely to be struck by a phishing attempt. It also says that Australia is the most targeted country for phishing attacks.
  • A Proofpoint Security study says people who had personal data exposed in a third-party breach were five times more likely to be targeted by phishing or malware.
  • All three reports make the same point about the rise in phishing attacks – a data breach does not mean someone’s identity has been misused. It means people impacted are at increased risk of becoming an identity crime victim. 
  • For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 12, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we talk about what seems to be the average cybercriminal’s favorite pastime – phishing and the rise in phishing attacks. Phishing with a ph. In Troilus & Cressida, Shakespeare’s incredibly complex play about the Trojan War, the main character compares the great lengths some people go to in order to deceive to the other kind of fishing, the one that gives rise to our episode title:

Whiles others fish with craft for great opinion, 

I with great truth catch mere simplicity 

ITRC 2020 Data Breach Report & the Rise in Phishing Attacks 

Two weeks ago, the ITRC released our annual data breach analysis, which pointed out that 62 percent of cyberattacks that led to data breaches in 2020 involved phishing and ransomware. Phishing was in the number one position because it is a simple attack to execute. 

Google and Stanford University Study Reveals New Phishing Attack Findings 

This week, Google and Stanford University released a new study that looked at the 1.2 billion phishing emails aimed at Gmail users during a five-month period in 2020. Among the findings: 

  • People are more at risk of a phishing attempt if they have more than one device. If someone only has a desktop or laptop, or only has a smartphone, they are less likely to be a target. The conclusion is if someone has multiple devices, they have more of an online presence. It is the same if someone sends a lot of emails – they are five times more likely to be phished if they do. 
  • Older users are targeted more frequently than younger people. Someone who is 55 to 64 years old is 1.6 times more likely to be the target of a phishing scheme than someone who is 18 to 24 years old. One potential reason is that the older someone gets, the bigger their footprint, which makes them easier to find.

People in Australia are More Likely to be Targeted by a Phishing Attack 

Who in the world do you think is the most targeted country? This will surprise you. While U.S. residents send more emails by volume than any other country, people in Australia are more likely to be targeted for a phishing attack than anyone else. In fact, the odds are nearly double that they will be phish bait down under.  

The U.S. is number 16 when it comes to the likelihood of being targeted on a country-adjusted basis. This is the point where we need to ask once again – why is there a rise in phishing attacks?

Third-Party Breaches and Their Impact on the Rise in Phishing Attacks 

Proofpoint Security reported this week a 14 percent increase in malicious phishing emails in 2020 over the previous year. Here is the truly staggering statistic: People who had personal data exposed in a third-party breach were five times more likely to be targeted by phishing or malware, according to the report, which highlights just how damaging these types of data breaches can be, even in the long run. 

What the Reports Mean for Consumers  

The report comes on the heels of the announcement of the release in an identity marketplace of the largest set of logins and passwords ever compiled. Around 3.2 billion credentials were stolen in previous data breaches and bundled in a single file. All of these reports – from the ITRC, Google and Stanford University, and Proofpoint – make the same point: a data breach does not mean someone’s identity has been misused. It means those impacted are at increased risk of becoming an identity crime victim.

To quote Proofpoint: 

“Our results suggest that data breaches expose users to lasting harms due to the lack of viable remediation options.” 

Contact the ITRC 

If anyone has questions about protecting their information from data breaches and data exposures before they happen, visit www.idtheftcenter.org, where there are helpful tips on phishing attacks and many other topics – including the 2020 Data Breach Report.

If someone believes they have already been the victim of an identity crime or a data breach and needs help figuring out what to do next, contact us to speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast – The Fraudian Slip – with a special guest from the Federal Trade Commission (FTC). We will be back next week for another Weekly Breach Breakdown. 

  • The Identity Theft Resource Center (ITRC) unveiled its 15th annual data breach report, which revealed a 19 percent decrease in breaches and a 66 percent decrease in individuals impacted. 
  • The ITRC 2020 Data Breach Report identifies a trend that cybercriminals are less interested in stealing large amounts of consumers’ personal information. 
  • Threat actors are now more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords.  
  • The report also notes an increase in ransomware attacks, supply chain attacks and unsecured databases.
  • For more information on the latest data breach information, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.   
  • Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

Each January, the Identity Theft Resource Center (ITRC) releases its annual data breach report, breaking down the numbers, trends, attack methods and much more. For the last 15 years, the ITRC has tracked publicly-reported data breaches in an effort to make businesses and consumers aware of the latest information. While parts of the ITRC’s 2020 Data Breach Report reveal encouraging statistics, some worrisome trends also exist. 

The Number of Data Breaches and People Impacted Decrease 

After a 17 percent increase in data breaches in 2019 (1,473), the number decreased by 19 percent in 2020 (1,108). Even better, the number of individuals impacted dropped by 66 percent. In years past, the ITRC saw data breaches on the rise. However, there is a reason for the decline in breaches and consumers impacted.  

A Shift in Cybercriminals’ Tactics

The ITRC 2020 Data Breach Report shows the continuation of one trend from 2019. Cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. That is why ransomware and phishing attacks directed at organizations are now the preferred data theft method of cyberthieves.

The shift comes as no surprise to the ITRC. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. Coveware reports that the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per occurrence in Q4 2020.    

Other Notable Findings 

There were other notable findings in the report: 

  • Supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the attacked organization is smaller, with fewer security measures than the companies they serve.   
  • Unemployment benefits fraud hit consumers hard in 2020 and could continue well into 2021. Organized cybercriminals used stolen credentials and other identifying information to apply for unemployment benefits through state websites. In fact, Washington and Maryland each reported more than $500 million in fraudulent benefit claims and California more than $11 billion in 2020. The U.S. Department of Labor estimated the total identity-related fraud at more than $26 billion in all 50 states and the District of Columbia during that same timeframe. The unemployment benefits fraud attacks are another example of it being easier and more profitable to commit a cybercrime using stolen, legitimate credentials than hacking into a company’s computer network.  
  • Case studies on Blackbaud and Vertafore break down what happened in each data compromise and how it happened. For more information on these case studies, download the ITRC 2020 Data Breach Report.

Staying One Step Ahead of the Cybercriminals 

While it is encouraging to see the number of data breaches and the number of people impacted by them decline, businesses and consumers should understand that this problem is not going away. Cybercriminals are just shifting their tactics to find a new way to attack businesses and consumers. People need to adapt their practices to stay one step ahead of the threat actors.

What You Can Do 

Ransomware attacks, stolen credentials and unsecured databases affect consumers and businesses in many different ways. Here is what businesses and consumers can do to protect themselves from each threat:

  • Ransomware attacks – While ransomware attacks do not typically affect consumers, businesses should 1) frequently back up their systems, 2) patch any software flaws as soon as they are noticed, and 3) refuse to pay any ransomware demands.
  • Stolen credentials – To protect themselves, consumers should 1) not reuse any passwords, 2) switch to a 12-character unique passphrase, 3) use a password manager if needed, 4) use multi-factor authentication when possible, and 5) consider creating online accounts so cybercriminals cannot open one in your name. 
  • Unsecured databases – It is a misconception that cloud service providers are responsible for cybersecurity. To prevent leaving a database unsecured, businesses should 1) properly configure cybersecurity tools for cloud environments and 2) apply the same level of effort to protecting cloud environments as an on-premise system and data assets.

To download the ITRC 2020 Data Breach Report, click here.

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.   

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case.  

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat.