• According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly reported. We report 1) data compromises, which include data breaches and data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think information scraped from social media sites and sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compare to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • According to a new study, 74 percent of the participants were not aware of the breaches where there was documented evidence their information was compromised. 
  • While the study also found that most victims blamed themselves, researchers say the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach. 
  • However, the reuse of passwords is also to blame. Participants admitted to using the same or similar passwords on multiple accounts. 
  • While researchers say notice of data breach letters are a great idea in theory, they believe the letters are generally not helpful in practice because poor communication by companies can make them hard to understand. 
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

No Darkness but Ignorance 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 25, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we will talk about some new research that tackles an issue we’ve been pondering at the ITRC for a while now: What do people do when they receive a notice of data breach letter? 

In Twelfth Night, Shakespeare wrote what was almost certainly a throw-away line: “There is no darkness but ignorance.” The line, referring to a character who was tricked into believing he only thought his jail cell was dark, was actually a reflection of Shakespeare’s belief that education and knowledge solve most ills.

So it is today when it comes to the impacts of data breaches and the actions people take when they learn their identities have been compromised. That is to say, most people don’t know how many times they have been breached, and when they learn their information is in the wild, they don’t do much about it.

Many Consumers Are Unaware When Their Information is Involved in a Breach 

Researchers from the University of Michigan School of Information, along with colleagues at Georgetown University and Germany’s Karlsruhe Institute of Technology, published a study this week that found participants were not aware of 74 percent of the breaches where there was documented evidence their information was compromised.

The researchers also found that most of the 413 study participants blamed themselves for becoming a victim of a data breach. Only 14 percent said the responsibility for the compromise was with other actors. Victims cited their own use of the same password for multiple accounts, keeping the same email for a long time and signing up for “sketchy” accounts as some of the personal behaviors they believe contributed to their information being breached. 

Researchers Say Victims Are Not Usually at Fault  

However, the researchers point out that the fault for data breaches almost always lies with poor cybersecurity practices by the company that lost control of the information, not with the victims of the breach.  

This study supports the conclusions of a smaller report from Carnegie Mellon University’s CyLab from May 2020. That study of data breach victims focused on what happened when consumers received a notice of data breach letter. The short answer is “not much.”

Reuse of Passwords is Also to Blame  

In the Carnegie Mellon study, two-thirds of the participants who received data breach notices of compromised email accounts did not change their passwords. Only 13 percent of the breach victims who did change their passwords did so within the first three months following the breach announcement. What is most concerning is that the updated passwords were often weaker than the previous passwords that were compromised.

As in the University of Michigan study, participants admitted to using the same or similar passwords on multiple accounts. The Carnegie Mellon cohort had an average of 30 other passwords that were like the breached password. On average, those who changed a breached password changed fewer than three of the 30 similar passwords.

Notice of Data Breach Letters May Not Be Very Helpful  

One other common element of the two studies: both sets of researchers believe that notice of data breach letters are a great idea in theory, but are generally not helpful in practice. They believe poor communication practices by companies render the notices difficult to understand and don’t offer any practical advice. 

Contact the ITRC 

That’s not a problem at the ITRC. If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org where you’ll find helpful tips. You can also sign up to receive our regular email updates on identity scams and compromises. Look out for our analysis of data breaches in the first half of 2021 that will be released on July 7.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 
  • The Scripps Health cyberattack led to a pause in the healthcare provider’s medical services for weeks and the exposure of personal and financial information for more than 147,000 people.
  • A Herff Jones data compromise was discovered after multiple students reported fraudulent transactions with their payment cards. 
  • A data exposure of an unsecured database divulged an elaborate Amazon review scam. The database had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 
  • For more information about May data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.  

Notable May Data Breaches 

Of all the data compromises the Identity Theft Resource Center (ITRC) tracked in May, three stand out: Scripps Health, Herff Jones, and an unsecured database with fake Amazon reviews. All three data events are notable for unique reasons. In one, a ransomware attack led to the exposure of sensitive information and a healthcare system having to shut down its systems, impacting thousands of patients. Another event was discovered after graduating students from several universities in the U.S. noticed fraudulent transactions on their payment cards. The third compromise revealed an Amazon review scam after messages were found between Amazon vendors and customers willing to provide fake Amazon reviews for free products. 

Scripps Health 

On May 1, Scripps Health, a San Diego-based healthcare system, suffered a ransomware attack that shut down many of its systems for nearly a month. According to HealthITSecurity, attackers gained access to the network, deployed malware, and exfiltrated copies of data on April 21. It was recently revealed that more than 147,000 patients, staff and physicians may have had their personal and financial information compromised as part of the Scripps Health cyberattack. However, electronic medical record applications were not accessed during the attack. Instead, the data was stolen from other documents stored on the network. 

The information exposed in the Scripps Health cyberattack includes names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and clinical information such as physician name, dates of service and treatment information. According to a notice from Scripps Health, for less than 2.5 percent of patients, Social Security numbers and driver’s license numbers were also affected.  

The Scripps Health ransomware attack is just the latest in a long list. Ransomware attacks are considered one of the top cybersecurity threats in 2021. Cybersecurity firm Proofpoint found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a survey from earlier in the year. 

Herff Jones 

Bleeping Computer reports that students from several universities in the U.S. recently made claims about fraudulent transactions after using payment cards at cap, gown and class ring maker Herff Jones. Most students reported losses between $80 and $1,200, while one student reported a friend was charged $4,000 for a PS5 gaming system.  

Herff Jones, unaware of the compromise until students complained on social media about the fraudulent charges, immediately began an investigation. While the investigation is still ongoing, the company says it has identified the theft of certain customers’ payment information. The full impact of the Herff Jones data compromise is still unknown, including the number of records exposed and what records may have been compromised aside from payment card information. In a statement, Herff Jones said that they have taken steps to mitigate the potential impact and notified law enforcement.

Unsecured Database with Fake Amazon Reviews 

A data exposure of an Elasticsearch database divulged an elaborate Amazon review scam. According to Safety Detectives, the database, which contained over 13 million records and anywhere from 200,000 to 250,000 affected users, had direct messages between Amazon vendors and customers willing to provide fake Amazon reviews in exchange for free products. 

The Safety Detectives research team says the server was left open without any password protection or encryption. The personal data of people providing fake Amazon reviews, as well as Amazon vendors, could be found in leaked messages on the database. The information exposed includes full names, emails, usernames, PayPal addresses, links to Amazon profiles and more. The data exposure reminds us that no one is immune from being impacted by a data compromise, whether it is a cybercriminal or a regular consumer. For more information on this data compromise, read the ITRC’s blog on the incident. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.   

In an interview with NBC 7 San Diego on the Scripps Health cyberattack, ITRC CEO Eva Velasquez advises anyone impacted to freeze their credit and report the incident to their creditors and bank.  

Regarding the Herff Jones data compromise, the company encourages people with questions to reach out to their customer service team at 855.535.1795 between 9 a.m. and 9 p.m. EST Monday through Friday until they identify and notify impacted customers.  

notified 

For more information about May data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.  

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.     

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • With data breaches on the rise over the last 30 to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach impacting 132,000 people that could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software that allowed other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMobile, a third-party software issue exposed users’ personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his report. Ultimately, Peloton fixed the issue early this month, but not before exposing three million subscribers to having their information viewed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual number, based on early downloads of the iOS update, is 96 percent of users saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and to the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, about data breaches on the rise or about the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A recent GEICO data breach led to fraudsters gaining access to nearly 132,000 GEICO customers’ driver’s license numbers. GEICO says they believe threat actors could use the information to apply for unemployment benefits fraudulently.
  • The Pennsylvania Department of Health’s third-party contact tracing vendor, Insight Global, failed to secure phone numbers, email addresses and personal information like gender, age, sexual orientation, COVID-19 diagnosis and exposure status of more than 72,000 Pennsylvania residents. Third-party breaches continue to be a growing trend.
  • Like the Pennsylvania Department of Health, ParkMobile Parking App also suffered a supply chain attack. The ParkMobile data incident exposed the non-sensitive information of 21 million users, putting them at risk of falling victim to social engineering.
  • For more information about April data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable April Data Breaches

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in April, three stand out: GEICO, Pennsylvania Department of Health and the ParkMobile Group. All three data events are notable for unique reasons. In one, the company is very detailed in how criminals are misusing the information and what people should look out for; another event includes a contact tracing service failing to secure the private information of some residents in Pennsylvania – re-affirming a trend identified by the ITRC; the third compromise led to the exposure of data for 21 million people – stemming from a supply chain attack.

GEICO

A security bug led to threat actors stealing personally identifiable information (PII) from approximately 132,000 GEICO customers between January 21 and March 1. According to the GEICO data breach notice, fraudsters used the information they acquired about customers elsewhere to obtain unauthorized access to people’s driver’s license numbers through the online sales system of their website. GEICO says that they believe the information from the breach could be used to apply for unemployment benefits fraudulently. Unemployment benefits fraud continues to impact consumers all over the U.S. There could be over $200 billion lost to the fraud. The ITRC has received over 1,400 cases of unemployment benefits fraud in 2020 and 2021, compared to only 12 cases in 2019.

The GEICO data breach is notable because the insurance company is very detailed in how the information could be used and what people need to keep an eye on. It is not often the ITRC sees this level of detail in a data breach notice.

Pennsylvania Department of Health

Insight Global, a company that has provided COVID-19 contact tracing services for the Pennsylvania Department of Health since 2020, failed to secure the private information of more than 72,000 people. According to WSKG, a health department spokesman said they recently learned workers at Insight Global disregarded security protocols established in the contract and created unauthorized documents outside the state’s secure data system.

The information exposed in the Pennsylvania Department of Health data compromise includes phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status. The Pennsylvania Department of Health does not know how many people may have viewed or downloaded the documents. Officials say notifications will be mailed to all affected Pennsylvania residents.

The Pennsylvania Department of Health data compromise is the latest third-party exposure to occur. According to the ITRC’s Q1 2021 Data Breach Report, there has been a 42 percent increase in supply chain attacks: 27 attacks at third-party vendors impacting 137 U.S. organizations in Q1 2021, compared to 19 supply chain attacks in Q4 2020.

ParkMobile Group

The parking app, ParkMobile, also suffered a data compromise due to a vulnerability in third-party software, affecting 21 million people. According to the ParkMobile notification letter, they became aware of the vulnerability and launched an investigation, which is still ongoing. Information exposed includes license plate numbers, email addresses, phone numbers, mailing addresses and vehicle nicknames. According to KrebsOnSecurity, the data appeared for sale on a Russian-language crime forum.

Anyone who uses the ParkMobile parking app, used by cities and universities across the U.S., could be at risk of falling victim to social engineering. While no sensitive information was exposed, if hackers get enough information about people, they can put all of the information they have gathered together to commit identity fraud.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.  

GEICO encourages its customers to check their account statements and credit reports regularly for any suspicious activity.

The Pennsylvania Department of Health has set up a hotline (855.535.1787) for those concerned about the security of their information.

notified

For more information about April data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • Facebook and LinkedIn recently suffered data incidents that led to personal information like full names, emails and phone numbers being posted in identity marketplaces where cybercriminals buy and sell data.
  • While some have called the recent data leaks “data breaches,” technically and legally they are not, at least in the U.S. Rather, the data was collected through a legitimate and legal technique called “scraping.”
  • Even though these events are not data breaches, the Identity Theft Resource Center (ITRC) is creating an additional category of identity data compromises called “data leaks” to keep track of and report these kinds of events.
  • The Facebook and LinkedIn data leaks serve as good reminders to never post information online that you wouldn’t want people you don’t know or trust to see.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Data Breaches, Exposures, and Leaks! Oh, My!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 23, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. In the movie version of The Wizard of Oz, Dorothy Gale of Kansas, along with the Scarecrow and Tin Man, are following the Yellow Brick Road through a dark and scary forest on their way to the Emerald City. They fear that wild animals are present as they chant “Lions…and Tigers…and Bears! Oh, my!” just before they meet the Cowardly Lion. Apply that principle to data security, and you get the title of today’s episode – “Data Breaches, Exposures, and Leaks! Oh, My!”

Facebook and LinkedIn’s Recent Data Leaks

People may have seen media coverage about the recent data leaks at Facebook and LinkedIn. Personal information like full names, emails and phone numbers posted to user profiles were found in the identity marketplaces where cybercriminals buy and sell data.

In the case of Facebook, which would be the third-largest country in the world behind China and India if it were a nation-state, the information on some half-a-billion people was exposed. Approximately 30 million live in the U.S. An even larger number of LinkedIn users were impacted by a similar event. To date, 837 million profiles have been exposed.

Facebook and LinkedIn Events Not Considered Data Breaches

These two recent data leaks have created quite the controversy in data privacy and security circles. People may have noticed that the ITRC has not referred to these events as data breaches. It’s because they technically and legally are not, at least under U.S. law. European Data Protection authorities have launched an investigation into both companies for potential violations of privacy laws. However, in the U.S., it’s a lot more complicated.

If you are a Facebook or LinkedIn user, you voluntarily provide the information posted to those and other social media websites. The companies try to limit the ability to copy users’ data. However, depending on how you configure your privacy settings, that information is, in fact, available for viewing by anyone. And if it can be seen, it can be misused.

Facebook and LinkedIn Suffered “Scraping”

There is a legitimate technique known as “scraping,” where companies copy large amounts of information that otherwise would require manual entry into a database. It is perfectly legal and typically involves getting permission and being transparent about how the data is used.

There are still some grey areas when it comes to private information being posted publicly on websites. In fact, there is a case pending before the U.S. Supreme Court directly on this question of copying information from LinkedIn. Lower courts have said publicly posted information is fair game for scraping even if LinkedIn’s terms and conditions say it is not.

Facebook and LinkedIn Events Fall Between the Cracks of Current Laws

What makes the recent data leaks at Facebook and LinkedIn so troubling is that they fall between the cracks of existing laws. If a criminal gained access to a company’s customer records that included names, addresses, phone numbers and email addresses, that would be a crime and considered a data breach.

Copying the same information posted voluntarily and publicly is not considered illegal today. Also, the current laws did not envision the ability to copy millions of unrelated records and combine them into a single database that could be used to commit identity fraud.

The ITRC to Create “Data Leak” Category of Identity Data Compromises

Even though these recent data leaks are not data breaches, the ITRC is creating an additional category of identity data compromises to keep track of and report these kinds of events. We’re going to call this new category “data leaks.”

It is also a good time to issue a reminder. Be careful what you post online. If you don’t want people you don’t know or trust to see your private information, don’t post it online.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach – like the recent data leaks – and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

 Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • According to the Identity Theft Resource Center’s (ITRC) Q1 2021 Data Breach Report, data compromises are up 12 percent, and the number of individuals impacted is up 564 percent compared to Q4 2020.
  • The rise is in large part due to 59 late-reported compromises in Q4 2020 and a 42 percent increase in the number of supply chain attacks in Q1 2021 versus Q4 2020.
  • The Q1 trends continue to point to a rise in cybercrimes focused on stealing company resources using personal information.  
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Pointing in All Directions  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 9, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. President Harry Truman once said that if you put all the government experts in a straight line, they’d point in all directions. That might be a good title for this week’s episode where we look at the data compromise and cybersecurity trends for the first quarter of the year in the ITRC’s Q1 2021 Data Breach Report. There’s a little something for everyone in these numbers. 

Data Compromises Rise 12 Percent 

According to the ITRC’s Q1 2021 Data Breach Report, the number of publicly-reported U.S. data breaches and exposures is up 12 percent from Q4 2020 to 363 total compromises. That’s a slight reversal of the trend in 2020. However, part of the reason for the increase was 59 compromises that occurred late in Q4 2020 but were recorded in Q1 2021. Without those late reports, the number of breaches would have been down nearly a quarter in the first three months of this year compared to the final three months of last year.

Number of Individuals Impacted Rises 564 Percent

The number of individuals impacted, though, is up significantly. Fifty-one (51) million people had their data compromised in Q1 2021 versus eight million in Q4 2020. That’s a 564 percent increase. If people set aside the late notices from 2020, the primary reason for the gap between compromises versus people impacted is a 42 percent rise in the number of supply chain attacks compared to Q4 2020.  

Supply Chain Attacks to Blame for Increasing Numbers 

We’ve talked about this kind of attack before. Supply chain attacks happen when cybercriminals attack a vendor to access the systems or data of the company’s customers. Think Blackbaud in 2020 or Accellion this year. Supply chain attacks at 27 third-party vendors impacted 137 U.S. organizations and seven million individuals this quarter. There were 19 supply chain attacks in Q4 2020. 

Top Root Causes for Q1 2021 Data Compromises  

By the way, phishing and ransomware attacks remained the number one and two root causes of data compromises in Q1, according to the Q1 2021 Data Breach Report. Malware was a distant third, but supply chain attacks were only slightly behind. At the current growth rate, supply chain attacks could pass malware in Q2 2021. 

Blackbaud Continues to Result in New Data Breach Notices 

The double-digit jump in supply chain attacks in Q1 2021 does not include the continual impact of third-party exploits first reported in 2020. The mid-year 2020 attack against IT provider Blackbaud continues to result in new data breach notices: 62 in Q1 2021 that impacted an estimated 146,000 individuals. To date, nearly 13 million people and 555 organizations have been affected by this single event. 

SolarWinds Supply Chain Attack 

Q4 2020 ended with a blockbuster revelation of a supply chain attack against key cybersecurity and software companies – namely SolarWinds – that was the tip of a much bigger iceberg. In Q1 2021, major supply chain attacks against Microsoft, Accellion and other service organizations were announced. The attacks put the personal information of millions of individuals and corporate intellectual property at risk.

Cybercriminals Continue to Focus on Credential Theft  

Here’s the bottom line from the Q1 2021 Data Breach Report: The Q1 trends continue to point to a rise in cybercrimes focused on stealing company resources using personal information. The broader trend of cybercriminals preferring to exploit multiple organizations through a single point-of-attack may also be accelerating.  

That may sound like good news for individuals. However, what it means is that businesses and individuals alike need to adapt to the new ways cybercriminals are behaving.  

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. That’s also where people will find the detailed version of our Q1 2021 Data Breach Report.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.   

Be sure to listen next week to our sister podcast, The Fraudian Slip, where we will talk about identity management and how companies are coming together to protect identity information. We’ll be back soon with another episode of the Weekly Breach Breakdown. 

  • IT security provider Accellion suffered an attack on its file-sharing product. It resulted in multiple entities being impacted by the Accellion data breach, including the Office of the Washington State Auditor.
  • A data breach at Astoria Company, LLC. led to a database with 300 million users’ data being offered for sale by cybercriminals. According to Night Lion Security, the database is believed to have 20 million users’ Social Security numbers (SSNs) and bank account information, and 30 million users’ sensitive medical data.
  • The California Department of Motor Vehicles suffered a security incident after a third party, Automatic Funds Transfer Services, Inc., was the victim of a ransomware attack in early February. The attack may have compromised 38 million records of millions of Californians over the last 20 months.
  • For more information about February data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.

Notable February Data Breaches in 2021 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in February, three stood out: Accellion, Astoria Company, LLC. and the California Department of Motor Vehicles. All three data events are notable for unique reasons. One event happened when a file-sharing product was targeted in a highly sophisticated cyberattack that affected many well-known entities; another event, which occurred after an attack by ShinyHunters, led to a 300 million user database being offered for sale – a database that includes an array of sensitive personally identifiable information (PII); the third event may have compromised as many as 38 million driving records. 

Accellion 

IT security provider Accellion was the target of an attack, first disclosed in late December, that targeted Accellion’s 20-year-old file-sharing product, File Transfer Appliance (FTA). According to TechTarget, the attackers utilized a zero-day vulnerability in FTA in what Accellion called a “highly sophisticated cyberattack.” Threat actor motivations were not immediately clear. However, FireEye recently published research that showed the Accellion data breach was the work of threat actors the vendor identified as UNC2546, which have connections to Clop ransomware.

The Accellion data breach has impacted multiple entities in the U.S. They include Flagstar Bank, Jones Day, Qualys, Kroger, University of Colorado and, most notably, the Office of the Washington State Auditor. The breach may have also impacted Goodwin Law, Southern Illinois University School of Medicine, Trillium Community Health Plan and Harvard Business School.  

[Image: the Accellion data breach impacting multiple entities, as tracked in the ITRC’s notified data breach dashboard]

The information exposed varies by entity. However, a notice from the Office of the Washington State Auditor says the data includes personal information from about 1.6 million unemployment claims made in 2020 to the office, as well as other information from some state agencies and local governments. 

Astoria Company, LLC. 

Marketing company Astoria Company, LLC. fell victim to an attack by the ShinyHunters cybercrime group. According to Night Lion Security, the threat intelligence team became aware of several new large data breaches being sold by ShinyHunters, including a 300 million user database from Astoria.  

The Astoria database is believed to have 40 million users’ Social Security numbers (SSNs), 20 million users’ SSNs and bank account information, and 30 million identities linked to sensitive medical data. Night Lion Security says every lead within the database contained, at a minimum, names, email addresses, dates of birth, mobile phone numbers, physical address and IP addresses. 

California Department of Motor Vehicles 

The California Department of Motor Vehicles (DMV) is investigating a security breach that may have compromised as many as 38 million records of millions of Californians over the last 20 months. According to Patch, a company the California DMV contracts with to verify vehicle registration addresses – Automatic Funds Transfer Services, Inc. – was the victim of a ransomware attack in early February. Automatic Funds Transfer Services, Inc. has access to the names, addresses, license plate numbers and vehicle identification numbers of registrants. However, the DMV says it does not have access to SSNs, birthdates, voter registration information, immigration status or driver’s license information. 

In a recent press release, the DMV said its systems have not been compromised, and it is unknown if DMV data shared with Automatic Funds Transfer Services, Inc. has been compromised. The DMV immediately stopped all data transfers to the company and notified law enforcement, including the Federal Bureau of Investigation (FBI).  

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+ character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager, and keeping an eye out for phishing attempts claiming to be from the breached company.

The California DMV asks anyone who spots suspicious activity on their account to report it to law enforcement.  

The Office of the Washington State Auditor has set up a website for the latest information on the Accellion data breach and its impacts on the State Auditor’s Office. 

notified 

For more information about February data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • While there were only a handful of supply chain attacks in 2020, there have already been three high-profile attacks in 2021 with the Accellion data breach, the SITA data breach and the Microsoft Exchange server attack.  
  • The Identity Theft Resource Center (ITRC) began to see a rise in supply chain cyberattacks in the second half of 2020 with the Blackbaud data breach and the SolarWinds cyberattack.  
  • For more information on these incidents and the recent rise in supply chain attacks, listen to the ITRC’s Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Don’t Shoot the Messenger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 12, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We’ve focused for the past two episodes on data privacy and how state laws are giving consumers more rights and businesses more obligations to keep personal information safe and secure. This week, we talk about the challenges of doing just that – protecting data – while supply chain attacks are on the rise.

In Shakespeare’s Antony and Cleopatra, a messenger is sent to inform the Egyptian Queen that her lover has married another, prompting a threat to treat his eyes as the Ptolemaic version of tennis balls. In response, the messenger reminds Cleopatra that “I that do bring the news made not the match.” Today, we would say the title to this week’s episode is – “Don’t shoot the messenger.” 

Yet, this is where many businesses find themselves now as they send out data breach notices to customers – even though they did not cause the problem. A vendor did. 

A Look Back at the Blackbaud Data Breach 

People might recall that one of the highest-profile cyberattacks in 2020 involved a company known as Blackbaud. The company, an IT provider to nonprofits, healthcare and education institutions, was breached, and the data of more than 500 companies and 12 million individuals was held for ransom. People might also recall that these kinds of attacks, where a cybercriminal can get the information of many companies from a single vendor, are known as supply chain attacks.

The ITRC’s 2020 Data Breach Report Studies the Blackbaud Data Breach

Supply Chain Attacks on the Rise  

There were only a handful of supply chain attacks in all of 2020. However, so far in 2021, there have been three high-profile attacks – two in the last two weeks. One of the events involves one of the biggest names in technology: Microsoft. 

This cluster of attacks reinforces a trend the ITRC saw take hold toward the second half of 2020 with the Blackbaud breach. It was followed by the blockbuster cyberattack against the IT services company SolarWinds, which impacted cabinet-level agencies in the U.S. government and an undetermined number of private sector companies (believed to be in the thousands).

Accellion Data Breach 

While the SolarWinds attack appears to be the work of cybercriminals seeking intelligence information for the Russian government (not consumer data to sell), the ransomware group that attacked software provider Accellion wanted information that it could hold hostage or sell outright. It did not want information from Accellion, but from the customers whose information could be stolen from Accellion’s tech platform. 

The criminals went to the time and expense of reverse-engineering the 20-year-old Accellion platform and found new flaws, as well as old, unpatched ones, that allowed them to extract information from high-profile clients – including law firms, telecommunications companies, universities, grocery store chains and government agencies in the U.S. and other countries.

SITA Data Breach 

We don’t know how a supply chain cyberattack against tech provider SITA was executed. However, we know that the company processes the frequent flier information of 90 percent of the world’s airlines. The company describes the cyberattack as “highly sophisticated,” and member airlines have started informing their frequent fliers of the breach.  

Microsoft Exchange Server Attack 

The third supply chain cyberattack in this most recent string is also the most dangerous. A cybercriminal group based in China was able to exploit flaws in Microsoft Exchange servers, the kind that run the ubiquitous Outlook email software inside organizations. The threat actors inserted backdoors into company email systems that could be used to take control of the email system from outside the network where the server resides.

More than 100,000 organizations worldwide could be impacted by the cyberattack, including at least 30,000 in the U.S. Government officials and Microsoft leaders have all encouraged organizations operating Exchange servers to patch their servers immediately. They have also made a series of tools available to help users determine if the attack has impacted them. 

Fortunately, these issues do not involve the cloud-based Microsoft 365 services used by individuals and small businesses that include Outlook email. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. That includes small businesses, too. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.