A recently announced Evite data breach has some alarming potential outcomes. The internet-driven invitation platform allowed people to sign up for events and virtual meetups, so the very nature of the website gave outsiders a way to contact users via email. Access to the users’ Evite accounts means a hacker could send phishing attempts, malicious links or other scam communications to unsuspecting individuals.

The Evite data breach, which occurred from February to May this year, compromised account information dating back as far as 2013. That information included names, email addresses, usernames and passwords for an as-of-yet unknown number of users. Other optional information that some users provided, such as birthdates and phone numbers, was accessed as well.

Risk Level of Information Exposed

It is tempting to think that this information is not all that sensitive, so therefore, this breach is not too troublesome. Unfortunately, that is not the case. First, any data breach of stored information is a big deal since it means someone has managed to work their way into a cache of collected data. Moreover, usernames, email addresses, and passwords are a massive problem if the users haven’t been practicing solid security hygiene.

There is an interesting twist with the Evite data breach that experts have identified: the notification letter itself. Now that data breach notification letters can legally be emailed—which not only reduces the amount of time for victims to find out, but also greatly reduces the cost to the company who suffered the breach—there is actually a plausible concern that spammers themselves will email the victims. Once news of this or any data breach comes to light, spammers could send out fake emails that appear to come from the affected company. Instead of helping the victims, though, they may contain harmful links, viruses or further phishing attempts. It is important to follow good protocols for your security when receiving a data breach notification email.

What You Can Do About It

For now, Evite users are encouraged to change their passwords and ensure that no other accounts they use shared those same login credentials. This is true even if you do not receive a notification email from Evite. Also, if you do receive any communication from Evite, do not click a link or download an attachment. The company has already said its notification letter while not contain those things, but it is never a good idea to click or download in an email unless you were expecting additional content. Always verify the safety of the link or attachment before opening it, regardless of who you think sent it.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Experian proudly provides financial support to the Identity Theft Resource Center.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

In what has become an alarming security trend, yet another company has exposed millions of consumers’ profiles online due to a non-password protected web-based server. Ladders, a recruitment site that lets users create a profile that can be shared with potential employers, was using an Amazon-hosted web server to store the profiles; according to a security researcher who discovered the information exposed online—and according to confirmation from the company—13.7 million of those users’ complete profiles were available to anyone who knew to look for them.

While the information didn’t appear to contain Social Security numbers, everything else that you might list in a job application was there. Names, email addresses, physical addresses, work histories, educational level, even whether or not the applicant had a security clearance and in what field were all available.

Fortunately, the information was discovered by Sanyam Jain, who works for a non-profit that specifically looks for overexposed information and reports it. There’s no way of knowing if anyone with malicious intentions got to it beforehand, though. After receiving the report, Ladders took down the database within a short time.

Incidents like this one continue to happen, largely due to poor password security. In far too many of the cases of accidental overexposure or data leak, the company who posted their information didn’t realize the default setting was “open” to the public.

For users of any platform, there’s really no way to prevent this kind of oversharing of their information. Other than contacting the company’s IT department, asking if they host their databases on web-based servers, and then asking if that server is password protected—all of which the IT department is probably not going to share with a member of the general public—there’s not much that individuals can do. But here are some actionable steps:

  1. Establish a secondary email – In cases like this, a spammer could download the database and target the users with spam and potentially harmful emails. If you’re establishing online accounts, you might consider setting up an email address that you only use for those purposes. However, in this case, it must be one that you can still check routinely since the purpose of the account was to be notified about job opportunities.
  2. Password security – Even if the other company doesn’t quite have their passwords nailed down, that doesn’t mean you can’t be safer with good password security. Never reuse a password or make one that’s too easy—remember, humans don’t sit and “guess” your password, but rather, software that can make billions of guesses per second does the job for them. Also, it’s a good idea to change your password from time to time, especially on sensitive accounts.
  3. Don’t throw in the towel – Even if it feels like your information is exposed every single day, that’s not the case. Data breach fatigue is a documented problem, but don’t let the constant news of poor security practices keep you from locking down your information as much as possible.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

Why Has UCSD Failed to Notify HIV Patients of Data Breach?

Data breaches are already upsetting enough, especially when your highly-sensitive personally identifiable information is put at risk. But when it comes to data breaches and fraud, perhaps there’s no greater intrusion than to suffer a data breach of your medical information; somehow though, even that kind of intrusion pales in comparison to being victimized in a breach then victimized again by the company who failed to inform you about it.

Now imagine that the medical information that was breached is of the most private nature, one that could have serious consequences for the victims should it get out.

University of California-San Diego partnered with a health services industry organization known as Christie’s Place to recruit participants for a vital, worthwhile study. The study’s subjects were all HIV-positive women who were examined on their commitment to treatment based on experiences with domestic violence, trauma, mental illness, and substance abuse. Unfortunately, the entire case file for all of the study’s participants was left visible in the computer—accessible to literally anyone who worked or volunteered with Christie’s Place.

Somehow, this data breach has taken yet another upsetting turn: UCSD decided not to inform the patients that their information has been exposed. The details on who was behind that decision have not been very clear, but as of recent reports, the patients are still unaware.

There are some very unclear details emerging from this, including allegations of misconduct and even possible attempts to inflate the numbers of patients receiving support. However, none of those accusations has been proven. More information on those matters can be found here.

In the meantime, the very least that can be argued about this breach and the failure to notify is that patients have not been given an opportunity to take action to secure their information. Some of the participants also may have not shared news of their diagnoses with others, and a violation of this kind could have serious consequences for them. The university has stated that it will notify patients very soon, but there is no specific timeline for that to take place.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

United States Customs and Border Protection (CBP) announced that it was victim of a data breach at the hands of a third-party partner. The information exposed included photos of license plates and travelers. CBP released a statement about the breach saying,

“In violation of CBP policies and without CBP’s authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” CBP added. “The subcontractor’s network was subsequently compromised by a malicious cyberattack.”

The hack happened by accessing a database on the third-party’s server that was unauthorized by CBP to exist. Although the third-party who caused the breach was not directly named, The Washington Post reported that the subject line of the emailed statement included “Perceptics.” Perceptics is a company based in Tennessee whose website boast they have been “securing our nation’s boarders for more than 30 years.” They design technology for identifying vehicles and license plates for federal and commercial use.

CBP claims they have conducted a thorough search and have not found any of the stolen information on the dark web. This does not however mean the data is impossible to use for malicious acts. President and CEO of ITRC, Eva Velazquez, sums it up in her NBC7 interview saying, “These things, they stay in perpetuity. It is not going to disintegrate. So even in this moment, if there is not a way to monetize, that does not mean 10 years from now that (stolen information) might not be more valuable.”

While CBP noted their own databases were not affected by this attack, this is not the first data breach under the Department of Homeland Security. Early last year it was reported more than 240 thousand employee records were exposed by a former employee.

ITRC continues to monitor the trend of cybercriminals targeting large third-party versus smaller first party databases. Four million records were exposed in 2018 because of focused cybercrime efforts on vendor security. By targeting popular third-party vendors that work with multiple companies, criminals can collect even more personal identifying information in one attack.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

This is an emerging data breach incident – this information will be updated as ITRC receives more information. Last update: 06/07/19 10:30 am

Quest Diagnostics is one of the United States’ premier providers of medical testing. They are notifying customers who may be at risk because a third party vendor, American Medical Collection Agency (AMCA), was breached. AMCA reported to Quest that unauthorized users gained access to internal systems. Around 11.9 million Quest patients have potentially been affected, although the company is working to verify that number and patient risk. 200,000 payment cards been previouly found for sale on a well-known dark web market (by Gemini Advisory) and GA linked the cards to AMCA. 15% of the records included additional PII such as: DOB, SSN, and physical addresses. 

The information exposed includes Social Security numbers, financial information and medical information. Quest reported that the information breached did not include laboratory test results. 

We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Quest also noted that since being notified of the breach, the company has stopped new requests to AMCA and are working to notify patients affected in accordance with the law. AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card data or bank account information may have been accessed. These individuals have been offered 2 years of credit monitoring and identity theft protection services. 

AMCA provides billing collections services to a company called Optum360, whom is a contractor with Quest Diagnostics. Quest Diagnostics is the only company to make a public notification of being affected by the breach, but there is a chance other companies who work with AMCA could also be associated. The trend of third-party breaches is on the rise as hackers target large databases of vendors who work with sensitive information.

Breach Clarity – the new tool developed to help consumers make sense of their risk when it comes to data breach – can help victims of this breach understand their risk of additional exposure. The tool updates its risk score as new, more detailed information is made publicly available. Breach Clarity will guide consumers on their best course of action given the current information – please check it regularly to understand the updated risk assessment and minimization plans.

While patients are waiting to be notified they were affected, those who think they might be victims can start taking steps to minimize their risk. Financial identity theft and medical identity theft could both be a cause of the breach. You can find resources for financial and medical identity theft in our knowledge center. If you have additional questions regarding data breach, our expert advisors are available to help. Call us toll-free at 888.400.5530 or LiveChat with us. 

For Media Inquiries

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Contact: Charity Lacey, VP of Communications

Email: media@idtheftcenter.org

More media resources here


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: First American Financial Breach Exposes Millions of Complete Identities

 

In yet another example of technology outpacing its users, an unsecured database of First American Financial has exposed hundreds of millions of records, including complete identities—names, account numbers, Social Security numbers, and much more—of American consumers. The information was compiled in a database that was left unsecured on a web-based server, meaning anyone with internet access could have potentially stumbled across it.

The ITRC currently tracks seven categories of data loss methods and is categorizing the First American Financial breach under “accidental web exposure.” This kind of data exposure is becoming all-too-common. Web servers like this one are intended to let authorized individuals access documents online. All they need is the URL, or web address, for a single document; that URL is usually shared with the intended recipient by the owner, in this case, First American Financial. But if the web server isn’t password protected or doesn’t require authentication, all you’d have to do to see any other document in the database is change a digit in the URL. That single digit would provide you access to an entirely different customer’s personal information, history, bank account numbers, SSN, tax and mortgage records, and more.

Even worse, in these kinds of breaches, there’s no way of knowing if anyone accessed them or not. In the case of First American Financial, a real estate professional discovered this flaw by mistake. When he reported it to the company but they had no response, he reported the security incident to Krebs on Security, who then confirmed it.

First American Financial is one of the country’s largest title insurance providers—meaning they’ve handled hundreds of millions of consumer records.  Fortunately, a new tool can help consumers make sense of a data breach; Breach Clarity helps people who are affected by the breach understand their options and take corrective action.  If any of the estimated 885 million records were actually accessed by a malicious individual and you think you may be a victim, securing your credit report with a freeze and monitoring your accounts are some of the few useful steps you can take. For its part, the company has taken steps to close off further access to these records, but isn’t offering any further information until their own internal review is completed.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and actionable steps for consumers. 


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: ITRC Advisor Saves Woman from Lottery Scam and Losing $2,500

When news of yet another data breach comes out, the reaction can range from panic to “blah.” At the one of end of the spectrum, consumers can be left with documented feelings of stress, fear and even paranoia about further attacks to their identity. At the same time, a very real phenomenon known as “data breach fatigue” occurs when there are so many attacks that consumers stop taking them seriously.

Fortunately, a new tool can help consumers make sense of a data breach; while neither overreaction nor inaction is an appropriate response, this tool can help people who are affected by the breach understand their options and take corrective action.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and that actionable steps for consumers.

Watch Our New Free Webinar: Deciphering the Code of Data Breach Notifications

Unfortunately, far too many consumers do not check up on these kinds of attacks until it is too late. Even then, many victims of data breaches do not follow up on the support that notification letters offer, including things like identity theft protection or credit monitoring.

Breach Clarity lets users type in a general search term for a known breach and see a graphic representation of the threat level based on a number of factors. These include things like understanding whether or not financial information was exposed or if Social Security numbers (or other sensitive PII) were accessed. From there, a one-to-ten risk score is provided so consumers understand just how seriously this could affect them. The Home Depot breach in 2014 only receives a 3 out of 10 because of the nature of the information that was stolen; the 2015 attack on the US government’s Office of Personnel Management was far more serious and received a 10 out of 10 risk score as a result.

Breach Clarity was unveiled at the 2019 KNOW Conference in Las Vegas where it won first place in the third annual Identity Startup Pitch Competition. The criteria for selecting a grand prize winner included factors like the degree to which the entrant meets the customer’s needs and expectations, innovation, originality, and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

A security researcher discovered an unsecured online storage server—an all-too-common occurrence known as an accidental overexposure—that linked to 4.9 million lines of patient records from an addiction treatment center called Steps to Recovery. Those millions of lines of information were not all for separate patients, but rather were separate entries on almost 150,000 of the same patients, outlining their medical treatment.

When it comes to data breaches and hacking, personally identifiable information like Social Security numbers are considered the “holy grail” of theft. Credit card information or emails are still very valuable and useful—since the card numbers make purchases until the bank shuts them down, or the email address can be sold to spammers—but Social Security numbers are permanent. With the intact data set of identifying information (PII), a thief can sell the complete records or use them to open new lines of credit in someone’s name, potentially forever.

Unfortunately, a Social Security number is not the very worst PII that can be exposed to hackers. As one report has now demonstrated, leaked patient medical treatment records can have a far more harmful effect, making the victim wish that it was “just” their Social Security number that had been stolen.

There is an unfortunate stigma that still surrounds addiction and mental health, and the possibilities are nightmarish for what a hacker could have done with this information. Whether through blackmail by threatening to expose the patients’ treatment or using the information to target them with malicious content, there are no words to describe how this could have brought harm to vulnerable people who sought help for their conditions.

Fortunately, the discovery was made by a security researcher who then contacted both Steps to Recovery and the company that hosts the treatment center’s online server. While the hosting company responded to confirm that the treatment center took down the information, Steps to Recovery never responded to the researcher’s request for information concerning patient notification. It is still not known whether the center ever informed the patients about the leak.

In order to demonstrate just how serious this is, the researcher went a little further. By cross-matching patient records that were left wide open online with basic, free Google searches, he was able to find a reasonable match for a sampling of patients listed in the leak. Those results provided names, addresses, family members’ names, ages, phone numbers and email addresses, and even political affiliations. This demonstrates just how dangerous this leak truly was, and hopefully the patients have now been informed of the situation.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches 

Microsoft announced a data breach that gave hackers limited access to some of its customers’ email accounts. The hackers were able to see email addresses, subject lines of emails, and folders, but not open any emails or their attachments. They also were not able to obtain the customers’ passwords. Essentially, the hackers were able to do the same exact thing as looking over your shoulder in a coffee shop while your email inbox screen was open.

So what’s the big deal?

First, any time an outside agent is able to access a company’s stored data—especially information on its customers—that’s a big deal. In this case, a hacker compromised the login credentials of a customer service agent. The history of data breaches is filled with examples of cybercriminals reaching their intended target by going through this kind of side door, so to speak.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

Also, compromising someone’s login credentials should be a difficult-to-impossible task if the right security measures are in place. Microsoft has not provided details on how the credentials were compromised, or even whether or not it was a Microsoft employee or a third-party customer service provider. If someone was able to “guess” the username and login using readily-available hacking software, then the password wasn’t strong enough. If the hackers obtained the credentials from a previous data breach, then those credentials are being reused and not being updated routinely. If they got the credentials through a phishing scam, then the employee may not have been adequately trained on security practices and protocols.

Finally, this event is a big deal because it serves as yet-another warning about password security, email strength, and data breach fatigue. If your first response to the announcement from Microsoft was, “Here were go again…yawn,” then you may be experiencing data breach fatigue. If you read the announcement and thought, “Well, thank goodness it was just the email addresses!” you may be feeling numb to certain kinds of cybercrimes.

It’s important that customers take all data breaches and hacking attempts seriously. Microsoft has locked down the credentials on accounts that it believes were affected—in order to block any potential access the hackers may gain—but urges all Microsoft account users to change their passwords. Password strength, including frequently changing your passwords, is one of the most important things consumers can do to protect themselves from cybercrimes.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Payment App Protection: Keep Scammers Out of Your Accounts

Hackers are targeting vendors of companies for third-party data breach efforts. This trend rose in 2018, with over 4 million records exposed do to criminal efforts focused on vendor security.

Data breaches often occur at the hand, or keyboards, of hackers. Criminals can infiltrate insecure systems and steal personal data owned or stored by a company. The size of company and amount of personal identifying information (PII) they store factor in to the level of risk for consumers presented by the breach. One of the more newsworthy data breaches of 2018 was Marriot International, which exposed hundreds of millions of guest information including passport numbers. Hackers targeted Marriot because of the potential payoff of lots of lucrative PII, versus targeting many companies that might result in more – but smaller – payoffs. Now hackers are reevaluating their strategy and getting smarter about where they exert their efforts.

This new strategy comes in the form of targeting vendors for third-party data breach. Instead of going after one large company’s data, they go after a vendor who works with multiple large companies and collects even more PII. Third-party vendors – like email servers, payment platforms and web plugins – often work with a multitude of companies ranging in purpose or product offered. Therefore by compromising a third-party’s security measures, a hacker gains access to even more PII from a wide variety of consumers.

This attack on third-parties and subcontractors became a trend in 2018. Of the third-party data breaches that were reported in 2018, 4,823,234 records were exposed four times more compared to 2017 third-party breaches. In 2019, eSentire (a cybersecurity firm) commissioned a study to determine how concerned companies are regarding vendor risk given the trend in data breach.

According to the study, 81 percent of respondents said they had an effective third-party risk policy and 74 percent are confident in their vendors’ protections. However, only 35 percent said managing vendor risk was a priority and 20 percent said they trust vendors to uphold privacy standards blindly. The reality is of the respondents surveyed, 44 percent of them (or their employer) had experienced a data breach involving a vendor in the last 12 months. To make matters worse, only 15 percent were notified of the breach by the responsible vendor.

There is a clear disconnect between the effort put forth into managing vendor security and the amount of trust companies put in their vendors. Companies need to start evaluating vendor relationships and security practices more thoroughly to ensure the safety of consumers. On the opposite end, consumers need to remember that the safety of their data ultimately resides with them and take the utmost precautions with their personal information.

If you are a victim of data breach, or have concerns over a recent data breach and your identity, Breach Clarity can help you identify your potential risk and suggest preventative steps. You can also contact ITRC for free assistance regarding your case. Speak with an expert advisor over the phone (888.400.5530) or through LiveChat.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.