Whenever consumers learn about another data breach, they might envision a team of highly-skilled tech operatives working away at fancy computers in a darkened, windowless shop. That kind of scenario might happen, but the reality is that many data breaches are pulled off by an individual working off a laptop in a coffee shop. It is also a possibility that the breach occurred completely by mistake  – like when someone forgets to password-protect a server that stores millions of records.

These kinds of accidental data breaches have made headlines in recent months. Truthfully, some are discovered by the good guys who then report them to the companies at fault. The security flaws are fixed and the notification letters get sent out if necessary, all of which happens hopefully before anyone has had a chance to discover the exposed data and use it maliciously.

Even if so-called good guys discover the problem your information was out there for the taking. It is not always a matter of your username and password, sometimes much more personal information is available. Like in the Meditab Software Inc. breach that happened in the first quarter of 2019, where entire medical histories and prescriptions were exposed.

In this chilling situation California-based medical software developer, Meditab, left a feature unprotected in one of its tools. Meditab claims to be one of the world’s leading providers of medical record-keeping software, and it also provides fax capabilities through its partner company, MedPharm. The company was storing patient records on an unprotected server, which meant that any time MedPharm handled the faxing of a patient’s medical records, anyone with internet access could have seen it if they knew where to look.

Fortunately, those good guys discovered this one. A Dubai-based cybersecurity firm named SpiderSilk found that Meditab’s unsecured database included names, addresses, some Social Security numbers, medical histories, doctors’ notes, prescriptions, health insurance data and more. Patients affected ranged in age from early childhood to mature adults.

This kind of violation is a very serious matter under the laws surrounding HIPAA privacy, and the US government has a solid record of going after entities that store information and do not protect it adequately. If the breach was accidental and even if there is no proof that anyone used the information for harm, there are still very heavy fines and penalties for failing to store it securely.

Unfortunately, there are not a lot of actionable steps that individual patients can take in cases like this one. You can, however, ask the hard questions before the event occurs: how will my information be stored, who can access it, what company hosts your electronic database, what are you prepared to do if there is a data breach? Also, remember that there is often no need to share your most sensitive information when filling out basic medical forms; feel free to ask the person requesting it why it is needed.

Medical identity theft is a serious matter, and of all the types of identity-related crimes, this one can potentially have physical consequences for the patient if a thief uses their medical history. It is important to safeguard your medical records as much as possible, and to make your healthcare provider aware if there are any past medical identity theft issues with your personally identifiable information that could impact your care.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

As if a devastating natural disaster was not disruptive enough to people’s safety, homes, and finances, a new threat has emerged – one that was caused by the very people tasked with supporting the victims of natural disasters and other emergencies. The Federal Emergency Management Agency (FEMA) shared documents with a third-party contractor that contained highly sensitive information, some of which was a direct violation of current regulations for FEMA to share.

The current industry term for this kind of data breach event is an accidental overexposure, meaning no harmful intent was behind it and there is no indication of damage from the information falling into the wrong hands. Still, the FEMA data breach gave the potential for someone who was not unauthorized to access the information and use it for identity theft and fraud.

In this case, an internal audit found that FEMA’s documents included things like the victims’ names, addresses, and the names of their financial institutions. Some information also included victims’ electronic transfer numbers for moving funds and their bank transit numbers. Sharing this information seems to have been an oversight on FEMA’s part, and a statement about the incident said that FEMA is taking aggressive action to correct the error.

The name of the contractor in this incident has been redacted, but it is a company with direct ties to victim services. The company helps disaster victims find hotel accommodations that are covered under FEMA funding and therefore did need certain pieces of personally identifiable information on the victims it is helping. Impacted victims from the FEMA data breach include those from Hurricanes Irma, Harvey and Maria, as well as the California wildfires in 2017.

Any time consumers’ personally identifiable information is exposed, compromised or attacked, the likelihood of identity theft-related crimes can go up. The Identity Theft Resource Center has partnered with Futurion to create Breach Clarity, an interactive tool that assigns a risk score to different data breach events. It also outlines in easy-to-understand terms the actionable steps that experts recommend for every breach, from something as simple as changing your password to more involved security measures like a credit freeze.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

A recently announced restaurant data breach relied on a fairly old form of attack—retail point of sale systems—but thanks to the interconnected nature of several different companies within the single brand, there could potentially be a lot of victims. Earl Enterprises, which owns numerous restaurants around the US and in locations like Disney Springs, discovered their system had been compromised after malware was detected on their restaurants’ point of sale systems, or payment card “swipers.”

Anyone who dined at any of Earl Enterprises’ six specific brand locations between May 28, 2018 and March 19, 2019 may have had their payment card information stolen. The restaurants include Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. The investigation of the incident does not show that other restaurants owned by the company were affected.

The investigation is still ongoing, and Earl Enterprises has brought in two different cybersecurity firms to uncover what went wrong and how far the restaurant data breach may have spread. They are also working with the state and federal governments on the matter. Just to be safe, though, they recommend that their customers request a free credit check to look for any suspicious activity. You can also request a free credit freeze from each of the three major credit reporting agencies:  Experian, Transunion and Equifax.

There is another very useful tool for consumers that can prove vitally helpful following the announcement of any data breach. Breach Clarity, which recently won the Identity Startup Pitch Competition at the KNOW 2019 Conference, is an interactive database of breach activity. By searching for the name of a company, you can see a threat-score of how serious the event may be, as well as a list of actionable steps you should take if your information may have been compromised as a result.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

A recent data breach of Verifications.io, a company that approves or verifies email addresses for third-parties, exposed 763 million consumer records. Verifications.io ensures third-parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. The unsecured database discovered online by two security researchers did not contain things like passwords or Social Security numbers; however, it did contain an assortment of data points like mortgage amounts, interest rates on loans and social media email logins, along with identifiers like gender and birthdate.

There have been almost 7.7 billion compromised accounts since data breach tracking began in 2013. The total number of compromised data sets listed on Have I Been Pwned?, a security website that lets users see if their identifying information has been exposed, now exceeds the total number of people on Earth.

The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want to know is how Verifications.io got its hands on all of this information in the first place. The Estonian-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. In fact, Hunt has publicly asked for the data breach victims’ help via Twitter. What are you supposed to do when the company that comes under attack had your information without your direct permission? If you can identify your email address compromised in the data breach and used it uniquely (i.e. for one service), researchers are asking that you contact them so they can try to track the path of data sharing.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The How and Why of Tax Identity Theft

It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those loses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims

A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The 2018 Impact of Data Breaches and Cybercrime

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Honeyboys Keeping Internet Users Safe”

Question and answer site Quora announced a data breach that affected about 100 million users’ accounts. The hacked information included names, email addresses, and encrypted passwords. While most people who participate in online discussion via the platform may establish an account, anyone who has posted through Quora anonymously does not need to worry about their name getting “out there” since they never provided it.

Names, email addresses, and Quora passwords might not seem like a big deal to some users. After all, the company discovered the breach on November 30th and has already begun issuing notification letters. They’ve also forced a reset of all account passwords, so everything should be fine.

Unless… unless you’re one of the incredibly high numbers of people—52%, in fact—who reuses their passwords on multiple websites.

For years, security experts have tracked the use of “popular” passwords, and have found bizarrely simple passwords to be the most popular. These include things like “password,” “123456,” and “QWERTY,” just to name a few. But password strength—or lack thereof—isn’t really the problem in this case.

With the Quora breach, it doesn’t matter how amazing your password is, like “h2E9Nb17LW.” If you reuse that same password on any other website on the web, the hackers who have your Quora email and password have those same credentials to try on other sites. Hopefully, your online banking, credit card, PayPal, Amazon, and other vital accounts aren’t connected to those credentials this way.

This incident and so many others that only affect login credentials can be mistaken for being “not a big deal,” but the reality is just the opposite. When web users reuse their credentials like this, they leave themselves vulnerable to other account breaches and identity theft. It’s essential to create a strong password for every account you have, but it’s equally important to keep each strong password limited to one account.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

The term “data breach” serves as a catch-all word for any kind of event in which someone entrusted with information—usually for large groups of people, like one’s customers or patients—allows that information to be exposed. While some data breaches are the work of highly-skilled hackers who can access a billion email accounts at once, others could be something as simple as an electrician leaving his work phone behind on a job site, possibly exposing customers’ info.

However, no matter how it happened, who was at fault, or what information was exposed, all data breaches are serious. They carry the potential for someone to misuse information or harm others.

A recently reported data breach of the United States Postal System’s website appears to be accidental, but since about 60 million users’ information were exposed for at least a year, there’s no telling what damage could have occurred…or has already occurred.

This breach involves the website’s API, or “application program interface.” API is computer lingo for the set of parameters that help legitimate users interact with a website. The API was connected to the USPS “Informed Visibility Mail Tracking & Reporting” service, a mail tracking preview program, where the weakness was found. Unfortunately, by exploiting any security holes found in the tracking service, hackers can interact with the API, too.

Here’s what security researchers found: the USPS website was accidentally left “unlocked,” meaning anyone with an account could change the search parameters and find other users’ accounts and information. They could even make changes to those accounts in some cases.

Think of it like this example: pretend you went to a major retailer’s website to look up a pair of socks you ordered two years ago. You go to your order history, type in your name and zip code, and then your order history appears. Now pretend that you could simply change the zip code or the last name, or your city or street address. What would you do if all of the information for every person in your zip code, last name, city, or street address appeared? What if it showed you every single item those people had ever ordered?

That’s similar to what happened here, and there are a few unfortunate issues with this breach. First, the information was never secured in the first place. It was only a matter of time before someone decided to test out different data points. Also, the USPS was supposedly informed of this website problem a year ago. Recently, the person who informed them then contacted Krebs on Security to report that the matter had still not been resolved, and Brian Krebs reached out to the postal service. After he contacted them, the USPS patched the problem and made it stop.

This certainly isn’t the first time a government agency has suffered a data breach. The Office of Personnel Management, reported in June 2015, and the US State Department, reported in September 2018, for example, have both endured exposures of users’ sensitive information. However, that doesn’t make the issue any easier for the consumers who now need to monitor their USPS accounts and make sure that nothing out of the ordinary has taken place.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert