A Landry’s data breach has exposed thousands of people’s information after the company’s software was compromised. The more things change, the more they stay the same. At least, that is how it appears in the world of cybercrime, data breaches and identity theft. As hackers come up with new tools and tactics to steal information electronically, old methods of gaining financial or identifying information are still just as much of a problem as ever.

A recently announced data breach of Houston-based restaurant and hotel company Landry’s, Inc., proves this point. More than 600 locations in the company’s sixty brands were impacted by unauthorized access to the software that controls their card readers. Patrons who visited these locations between March 13 and October 17 of 2019 are advised to look through their card statements for signs of any unusual activity due to malware that was installed on the company’s servers.

However, Landry’s data breach has a slightly different twist. According to a statement from the company, the issue arose when restaurant servers (waitstaff) inadvertently swiped payment cards in the wrong type of card reader at a few locations. Some card readers in the locations are used to send food and drink orders directly to the bar or kitchen, and the affected cards appear to have been used in those card readers. The list of brands under the Landry’s, Inc. umbrella can be found here.

All consumers who rely on payment cards for any kind of transaction have to be proactive about their accounts, specifically in watching out for signs that their cards may have been compromised. Enabling security tools from your financial institutions is also helpful, as these tools can alert you to unauthorized transactions the moment they occur.

Landry’s has not mentioned the offer of credit monitoring for affected customers yet, but the company recommends reporting any fraudulent charges from Landry’s data breach to the Federal Trade Commission and to your financial institution.


Popular convenience store chain Wawa has announced a breach in which payment card information may have been stolen from customers throughout much of this year. In the case of the Wawa data breach, malware was discovered on the company’s payment processing servers on December 10, and that malware was designed to steal cardholders’ names and card numbers at the time of payment. However, there is no reason to believe that PIN numbers, security codes or driver’s license numbers—used to purchase things like alcohol or tobacco—were compromised in the Wawa data breach.

Unfortunately, the company’s investigation has led it to believe that the malware was installed sometime after March 4 of this year. Customers are urged to look back through their transactions and see if there are any fraudulent charges, which the company has said customers will not be responsible for. The company is also offering one year of free credit monitoring to affected customers of the Wawa data breach.

The response to the Wawa data breach—discover the malware, contain it, investigate it and report it with corrective action—is all in line with how businesses are urged to handle these kinds of crimes. It is a massive improvement over data breaches from only a few years ago in which the incident might not have been discovered and the victims not notified for a year or longer.

Incidents like the Wawa data breach should serve as an important reminder to take as much preventive action as you can. First, enabling “card not present” alerts with your financial institution or card issuer will inform you immediately if someone uses your card number without the physical card in their possession. You can also ask your bank what other security measures they specifically offer to prevent these kinds of crimes. Finally, it is important that you check your account transactions routinely in order to spot anything unusual. Do not wait for a notification letter or email to tell you that someone has stolen from you.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.




More than 3,000 Ring customers’ credentials were compromised in a recently announced Ring doorbell data leak. However, according to sources from the company, there has been no data breach or attack on the company’s systems. What’s at stake, and how did it happen?

First, the compromised information from the Ring doorbell data leak includes some payment card information, email logins and passwords, locations and very specific names that the customers assigned to their Wi-Fi-enabled doorbell/camera combos. Ring, which is famous for its doorbell that lets users see, record and interact with someone who comes to their door, also makes interior cameras that are smartphone-controlled over Wi-Fi. These cameras were accessible to the criminals, even in real-time, once the credentials were stolen.

However, a company spokesperson said that Ring’s network and servers were not compromised, which leads to the possibility of credential stuffing being at the core of the Ring doorbell data leak. This happens when a username and password are stolen in an unrelated data breach, and then those credentials are cross-matched to other accounts. If the customer reused the old stolen email and password on their Ring account, that would give the thief access to it. It would also explain why an oddly specific number of accounts, 3,672 according to Buzzfeed, was accessed.
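From the service operator’s side, the credential stuffing pattern described above shows up in login logs as one source trying many different accounts with few successes. The following Python sketch is an added example, not code from Ring or from the original article; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's):
#   <UTC time> ip=<source> user=<login> result=<OK|FAIL>
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one stuffing source, one user who mistypes a password,
# and one shared office address where several people log in successfully.
SAMPLE_LOG = """\
2019-12-18T10:00:01Z ip=203.0.113.7 user=ann@example.com result=FAIL
2019-12-18T10:00:03Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-12-18T10:00:05Z ip=203.0.113.7 user=cat@example.com result=FAIL
2019-12-18T10:00:07Z ip=203.0.113.7 user=dan@example.com result=FAIL
2019-12-18T10:00:09Z ip=203.0.113.7 user=eve@example.com result=FAIL
2019-12-18T10:00:11Z ip=203.0.113.7 user=frank@example.com result=OK
2019-12-18T10:01:00Z ip=198.51.100.20 user=gil@example.com result=FAIL
2019-12-18T10:01:20Z ip=198.51.100.20 user=gil@example.com result=FAIL
2019-12-18T10:01:45Z ip=198.51.100.20 user=gil@example.com result=OK
2019-12-18T10:02:00Z ip=192.0.2.55 user=hal@example.com result=OK
2019-12-18T10:02:30Z ip=192.0.2.55 user=ivy@example.com result=OK
2019-12-18T10:03:00Z ip=192.0.2.55 user=jo@example.com result=OK
2019-12-18T10:03:30Z ip=192.0.2.55 user=kim@example.com result=OK
2019-12-18T10:04:00Z ip=192.0.2.55 user=lee@example.com result=OK
"""


def parse(lines):
    """Return time-sorted (timestamp, ip, user, success) tuples; skip bad lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts in a window and mostly fail.

    A single user retrying their own password (one account) and a shared
    address with mostly successful logins are both left alone.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {user for _, _, user, _ in chunk}
            successes = sum(1 for ev in chunk if ev[3])
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                findings[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({ev[2] for ev in evs}),
                    # Accounts the source got into: these reused a leaked
                    # password and need a forced reset and session revocation.
                    "compromised": sorted({ev[2] for ev in evs if ev[3]}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

The accounts listed under `compromised` are the ones where a reused password worked, which is why a leak of this kind can involve a specific set of accounts without any intrusion into the service itself.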

General password hygiene has been a hot topic for a long time, but the message is still not reaching all tech users. The need for strong, unique passwords has been shared, but unless tech users follow through by creating lengthy, seemingly random passwords that they only use on one account, they are simply not protected. Moreover, changing your passwords frequently is a great idea since a treasure trove of old login credentials could end up online or be discovered long after the fact. If you frequently change your password, it does not matter what kind of information a cybercriminal finds since it will no longer provide access to your account.

There is another concerning facet to the news of the Ring doorbell data leak, and that is the relaxed approach so many tech users have taken to internet-enabled invasions of privacy. While things like cameras and voice-activated home assistants are highly beneficial to a lot of people, there is simply no excuse for installing something like a camera that records your child’s bedroom and then not keeping it as secure as possible. A hacker with the right skillset can break into some of the world’s best defenses, but you do not have to make their job easier by failing to protect yourself. Password security is important at all times, but never more so than when your personal safety is on the line.



As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) went into effect in Europe last year, for example, and it inflicts strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be one of the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches were a common 2019 identity crime for major-name companies; these happen when, for example, a business stores a huge database of private information on an online server and then fails to password protect it. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in Facebook’s approach at every level of the company in terms of their privacy.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resource Center also recorded 10,000 publicly-notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches of the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.





A recent Macy’s data breach is creating headaches for lots of its shoppers. There are a lot of different ways a cybercriminal can gain access to sensitive data. Not all of those ways involve highly sophisticated technological know-how. Sometimes it is as simple as finding unsecured information online, stealing someone’s work laptop or sending out a fake email that looks like the real thing in order to get the victim to hand over their data.

However, other forms of attack are something straight out of a cyberthriller. Knowledgeable black-hat hackers with a very specific skill set can inject malicious computer code into the script of a website, channeling activity from that website to any location they choose. Even worse, this is often done without the web owner’s knowledge and can continue on undetected for quite some time.

That is the case with the October 2019 Macy’s data breach. A MageCart attack, in which harmful code was embedded into Macy’s retail website, resulted in the loss of customers’ names, addresses, account numbers, credit card information and other related data points. The code was redirecting all of the information that customers entered to another location without Macy’s permission. Imagine the old home phone lines in which two handsets worked on the same phone number. This attack is just like someone picking up the other extension and listening in on a conversation without the other parties knowing.

The Macy’s data breach was discovered about a week after the code was injected into the company’s site. Macy’s has now issued a notification letter to all affected customers of the Macy’s data breach and has established a free 12-month credit monitoring option for those customers. They have also removed the malicious code and enabled safeguards to prevent further attacks of this kind.
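One way a site owner can shorten the time such injected code goes unnoticed is to compare the scripts a page serves against a recorded baseline of hashes. The following Python sketch is an added example, not Macy’s safeguard or code from the original article; the script paths, host names and script bodies are constructed placeholders, and the tampered sample is an inert comment rather than working skimmer code.

```python
import base64
import hashlib
import re

# Hosts the site's own scripts are expected to talk to (constructed placeholder).
ALLOWED_HOSTS = {"shop.example"}

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sri_hash(body: bytes) -> str:
    """Hash a script body in the Subresource Integrity format (sha384-<base64>)."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit_scripts(baseline, snapshot, allowed_hosts):
    """Compare served scripts with a trusted baseline.

    baseline: {script path: SRI hash recorded at release time}
    snapshot: {script path: bytes currently served}
    Returns one finding per new, modified or missing script. For new and
    modified scripts it also lists hosts referenced in the body that are not
    on the allowlist, since a skimmer has to send the data somewhere.
    """
    findings = []
    for path, body in sorted(snapshot.items()):
        expected = baseline.get(path)
        if expected is None:
            status = "new"
        elif sri_hash(body) != expected:
            status = "modified"
        else:
            continue  # unchanged script, nothing to report
        referenced = {h.decode("ascii").lower() for h in HOST_RE.findall(body)}
        findings.append({
            "script": path,
            "status": status,
            "unexpected_hosts": sorted(referenced - set(allowed_hosts)),
        })
    for path in sorted(set(baseline) - set(snapshot)):
        findings.append({"script": path, "status": "missing", "unexpected_hosts": []})
    return findings


# Constructed sample data: two first-party scripts as released ...
CLEAN_MENU = b"function openMenu(){document.body.classList.add('menu-open');}"
CLEAN_CHECKOUT = (
    b"function submitOrder(form){"
    b"return fetch('https://shop.example/api/pay',"
    b"{method:'POST',body:new FormData(form)});}"
)
BASELINE = {
    "/js/menu.js": sri_hash(CLEAN_MENU),
    "/js/checkout.js": sri_hash(CLEAN_CHECKOUT),
}

# ... and the same paths as served later, with extra content appended to the
# checkout script (an inert stand-in that only names a destination host).
SNAPSHOT = {
    "/js/menu.js": CLEAN_MENU,
    "/js/checkout.js": CLEAN_CHECKOUT
    + b"/* constructed: appended code sending form data to https://collector.invalid/c */",
}

if __name__ == "__main__":
    for finding in audit_scripts(BASELINE, SNAPSHOT, ALLOWED_HOSTS):
        print(finding)
```

Run on a schedule against the live checkout and account pages, a check like this reports a changed script on the next run instead of about a week later.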

As for the customers, there are some key takeaways from Macy’s data breach. First, the only information the thieves managed to steal was data that would be entered when creating your Macy’s account. No Social Security numbers, for example, or the information that was entered upon checkout. Second, this means that the thieves could have used your stored credit card but could not have established new lines of credit or opened new credit cards in your name. If you have card not present alerts enabled from your financial institution, you would have been alerted the moment a thief tried to use the card you have stored on the Macy’s website.

For now, customers affected by the Macy’s data breach are encouraged to monitor their account statements carefully for any signs of fraud, sign up for the free credit monitoring if offered and remember to activate the kinds of security measures that will protect you in the event something like this happens again. Card not present alerts and two-factor authentication are just two of the tools that many banks and credit card companies offer in order to keep you safe.




T-Mobile has become the most recent telecom giant to announce a data breach affecting a large number of U.S. customers. As part of the T-Mobile data breach, more than one million prepaid service accounts were affected, which included names, addresses, phone numbers and information about customers’ rate plans, calling features and international calling.

This information may not appear to be very damaging. After all, there is no financial information or identifying data from the T-Mobile data breach that could allow thieves to open a new line of credit or a new account. However, the information that was compromised could still be used for malicious purposes. By having detailed information on what plan a customer has and what calling features they subscribe to, it would not be very difficult to convince a T-Mobile associate that the hacker is actually the account holder, and then solicit the employee’s help in taking over the account entirely.

T-Mobile has not answered some key questions about the T-Mobile data breach, such as the specific number of customers who were affected and whether it was a breach of its customer website or another online source. While the company should be applauded for a rapid response to discovering the T-Mobile data breach, there is other pertinent information that the public and security experts alike could benefit from knowing.

Many of the customers have already received a text message notification about the T-Mobile data breach, which is another possible cause for concern. Users have to be able to discern between genuine communications from the company and phishing attempts by hackers who are posing as T-Mobile representatives. Any message that asks you to confirm your information, especially sensitive things like your password or PIN, is suspicious and the company has said it will never contact its customers for that kind of data.

This is true of most companies, whether there has been a data breach or not. Phishing attacks work because the victim thinks they are talking to someone from the business. Instead, it is a cleverly disguised copy of a company communication. In any event, there is never a reason to verify your identifying information for someone who contacts you, no matter what form the communication takes. Ignore the message and go directly to your account online in order to verify that everything is okay.


According to the National Center for Education Statistics (NCES), about 56.6 million students are attending school this fall. The NCES also reports that there are 3.7 million teachers currently in the United States. That is over 60 million students and teachers spending their time inside of schools, on their Wi-Fi, online programs and much more.

Data breaches that affect students and teachers are not uncommon, although education ranked lowest of the five industry sectors that the Identity Theft Resource Center (ITRC) records in 2018 with 76 education data breaches exposing 1,408,670 records. However, 2017 was a different story. According to the ITRC’s 2018 End-of-Year Data Breach Report, in 2017 there were 128 education data breaches exposing 1,418,455 records. So far in 2019, there have been 104 breaches exposing 2,248,578 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the education sector is not seeing as many breaches as some of the other industry categories, the ITRC believes that one breach is one too many. That is why we continue to empower identity theft victims – particularly those that are victims of education data breaches – with the resources to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we looked at the top banking, credit and financial data breaches. This week we conclude our blog series with a look at the top five education data breaches that impacted U.S. teachers, students and families and their personal information that was compromised.

Maricopa County Community College District

Following a data breach incident in January 2011, Maricopa County Community College District experienced another education data breach in 2013 that led to personal information like names, addresses, Social Security numbers, dates of birth and financial aid information being exposed. The breach affected 2.5 million current and former students, employees and vendors. In January 2011, the district was first notified by the FBI of a small data breach affecting 400 people. Information from its database was found online for sale, and the FBI warned the district that it needed to properly secure its systems. Ten months later the district was warned once again, this time after the Arizona Auditor General found that terminated employees still had active user accounts on the district’s network. One year later an audit found that the district had still not tightened up its security procedures. This led to the breach in 2013, in which sensitive information was once again found for sale online. The impact on those teachers and students was potentially catastrophic given the amount of sensitive information and data compromised. This education data breach also highlights the importance of businesses and schools taking their security measures seriously.

Georgia Tech

In April 2019, Georgia Tech announced that nearly 1.3 million current and former faculty members, students, staff and student applicants had been affected by an education data breach that was caused by unauthorized access to a web application. Information compromised included names, addresses, dates of birth and Social Security numbers. The university has taken steps since to help people who were affected by offering credit monitoring and identity theft protection services to individuals who had their Social Security number exposed. Faculty members and students should be aware of the sensitive nature of their data and the potential unique identity theft aspects that could come from its exposure.

Washington State University – Social & Economic Science Research Center

Two years prior to the Georgia Tech education data breach, Washington State University learned that a locked safe containing a hard drive used by the Social & Economic Science Research Center to store backed-up files had been stolen. The hard drive contained a wide range of sensitive information on 1.1 million individuals including demographic information, Social Security numbers and personal health information. In April of 2019, the university reached a $4.7 million settlement where victims were entitled to receive up to $5,000 in cash reimbursements for any out-of-pocket expenses incurred, credit monitoring services or credit reports. This breach stresses the importance of making sure schools and universities have guidelines and measures in place to make sure that all student and faculty information is securely protected and that there is no risk of it being stolen, whether online or from a safe.

University of California Los Angeles (UCLA)

In October 2006, UCLA was hit by a cyber-attack allowing a hacker to gain access to a restricted database containing sensitive information of 800,000 current and former students, faculty and staff. The database included names, addresses, dates of birth and Social Security numbers. While this breach affected less than five percent of the records in the database, it was still one of the largest education data breaches at that time. While the university said there was no evidence of any personal information being misused, they suggested those possibly affected contact credit reporting agencies and take steps to minimize the risk of potential identity theft.

Pearson

Initially reported in July 2019, educational software maker, Pearson, experienced a data breach affecting its AIMSWeb 1.0 platform. Roughly 13,000 school and university accounts were affected by this breach. However, this number does not include the individual students and staff members whose information was contained in each account. Although the information exposed varies per account, information like student names, student dates of birth, student email addresses, student ID numbers, staff names, staff email addresses, job titles and more was exposed. In an interview with the Las Vegas Review-Journal, ITRC president and CEO, Eva Velasquez said, fortunately, the information exposed was limited: “Just a name is not going to necessarily lead to an increase in the risk of identity theft. A name and date of birth could potentially lead to a slight increase. But as far as very serious personal identifying information, it does not appear that this breach contains that level of data.” School districts are continuing to come forward to report being affected by the Pearson breach.

As we recap education data breaches, the ITRC hopes to help those impacted – whether faculty members, students, schools or universities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just set it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor about what you should do. If you are a school or university that has been impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

For a complete look at all the blogs from the 10,000 Breaches Later blog series, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.


It seems hard to imagine that companies still suffer accidental data breaches, but it happens with alarming frequency and it led to a ‘Magic: The Gathering’ data breach. It may be an employee who downloads some malicious software or falls for a spear phishing campaign, or someone who leaves an unsecured laptop or flash drive out. Regardless of how it happens, what is important is that it happens often enough that more companies should be safeguarding themselves from this kind of threat.

One frighteningly common event is the accidental overexposure, which occurs when a company unintentionally puts its sensitive information online for anyone to find. Sadly, even though they are doing it by mistake, that does not stop malicious people from finding the information and using it.

The most recent example of a company leaving a database of customer information exposed on the internet is Wizards of the Coast, the developer of the popular game, ‘Magic: The Gathering.’ It led to a ‘Magic: The Gathering’ data breach. This card-based game has been widely popular for many years and has a devoted following. Unfortunately, the owners used an unsecured Amazon Web Services bucket. This online server contained customer data for more than 452,000 users, including usernames and hashed and salted passwords. However, the information was not encrypted.

Accidental data breaches like the ‘Magic: The Gathering’ data breach have happened to numerous well-known, large-scale companies recently. The issue is always the same: the requirement to password protect the server is turned off by default. Unless the company opts to password protect the server and takes the steps to do so, their information can go online without any kind of wall around it.

Unfortunately, TechCrunch reported this incident with a somewhat bothersome finding. A security company called Fidus Information Security discovered the database of information and contacted the game developers. However, there is no way of knowing if anyone else had already compromised the information. In this case, as TechCrunch states, “Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.”

One of the most critical things any company can do during a data breach like the ‘Magic: The Gathering’ data breach is to respond in a timely way. Leaving the information online while looking into the matter or failing to notify the customers of the breach quickly is not the best way to protect anyone. The developer has informed affected customers to change their passwords and has reported the breach to officials who oversee the EU’s privacy compliance regulations.


Three web services recently suffered a web service data breach in August. The news broke from Krebs On Security that users of Network Solutions, Register.com and Web.com may have received notice that an unauthorized user was able to gain access to certain important pieces of information from users’ accounts.

Domain Registration Websites

The three companies in question have a very important place in the online business world. They register website domain names, which means that if you create a website, they may hold the key data around that website. This web service data breach is particularly alarming if your website had sensitive information about the owners—including names, email addresses, phone numbers and physical addresses—which may have been compromised. Sensitive websites might be political in nature, may involve children’s photographs or identifying features or might pertain to marginalized communities of people.

Change Your Password Immediately

So far, Web.com, which owns both of the other two registration companies, has only issued a blanket warning to customers to change their passwords. The web service data breach notification is available on a separate section of their website, but none of the companies list this important announcement on their home pages.

If you have registered a website via any of these companies, it is important to change your password right away. However, even if you have not used one of them, you are encouraged to take this time to go to your domain registration company and change your password for good measure.

Watch For More Sophisticated Phishing Emails

Phishing attacks are another serious concern from breaches like the web service data breach. Hackers use or sell your email information in order to flood you with spam emails, mass marketing and fraud attempts. It would be easy for someone to create a fake email that appears to come from one of these companies and then send you an email demanding your login credentials or financial information. Be on the lookout for these kinds of approaches, and know how to respond to a potentially harmful email or text message.
