According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.


This is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft – especially of their highly sensitive personal health information (PHI). Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem

In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach and the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the United States. Nearly 80 million consumers were impacted, with information like names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parents’ healthcare plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. Anthem agreed to take corrective actions in 2018 by paying the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of HIPAA Privacy and Security rules. This created awareness among consumers that while their health information was regulated under HIPAA, that didn’t mean that it wasn’t at risk for exposure – and not just their health information but a host of other components to their identity.

American Medical Collection Agency

Third-party billing and collections agency American Medical Collection Agency (AMCA) experienced a medical and healthcare data breach with an intrusion in its payment system in March of 2019. That intrusion exposed personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics, which reported that approximately 11.9 million of its patients were impacted. Some of the data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information like patient account numbers and health insurance numbers. The information exposed varied from entity to entity, since the entities did not all provide the same information about their patients to AMCA. As of this blog’s publish date, we’re still receiving notifications of medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers pretending to be Premera IT, sending employees phishing emails with links containing malware. This data breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information that could have been included in clinical information were some of the information exposed. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 if class members can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time including health insurer Excellus Blue Cross Blue Shield. This medical and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP discovered the breach one month prior after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. In fact, the message included a ransom note demanding $10 million in seven days or the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As we can see by these examples, static information like Social Security numbers and dates of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



Popular game developer Zynga is the company behind such widely popular apps as Words with Friends, Farmville and Draw Something, but these games are not only popular with smartphone users. A well-known hacker named Gnosticplayers has claimed responsibility for stealing the login credentials for around 200 million Android and iOS users who had downloaded those and other games.

These games allow users to find friends online and play long-distance games, as well as to engage in fun challenges with strangers within the safety of the app. Unfortunately, a hacker was able to inject themselves into the system that controls things like usernames, passwords, email addresses and any Facebook accounts that were connected to the app in order to speed up login as part of the Zynga data breach.

While the hacker did not necessarily grab any highly-sensitive information, the information that was stolen in the Zynga data breach can easily be used for malicious purposes. These include spam emailing, scams and phishing attempts. Of course, any users who reused a password on their apps, meaning one that they use on other unrelated accounts, may have put those other accounts at risk as well.

Zynga is urging all of its users who downloaded these apps prior to September 2019 to change their passwords immediately. If you connected the app to your Facebook profile, it is a good idea to go into your settings and remove that connection, then change your Facebook password just to be safe.

In the future, there are two really important things you can do to minimize the risk from an attack like the Zynga data breach.

First, never reuse a password or use one that is easily guessed.

Anyone who nabs your password in any data breach has automatic access to every account where you have reused it.

Second, avoid connecting your apps, especially frivolous ones like games, to your social media accounts.

It might make it easier to log in and you can post updates on how many levels you have beaten at some random three-in-a-row game, but you are also opening yourself up to possible harm.


On September 26, 2019, the popular food delivery app DoorDash announced a data breach in which hackers accessed the company’s data system. Approximately 4.9 million customers, restaurants and delivery workers had their personal information exposed, including their driver’s license numbers, names and addresses and bank and credit card information. Users who joined after April 5, 2018 were not affected by this breach.

In a security notice regarding the data breach, DoorDash said that earlier this month they became aware of unusual activity involving a third-party service provider. They then immediately launched an investigation that led to the determination they were hacked on May 4, 2019. DoorDash went on to say that customers who signed up before April 5, 2018 potentially had their names, email addresses, phone numbers, order histories and the last four digits of their credit and debit cards exposed. However, full credit and debit card information was not accessed.

Delivery workers and restaurants could have had the last four digits of their bank account numbers taken. However, once again, the full bank information was not accessed. Approximately 100,000 delivery workers also had their driver’s license numbers hacked.

The food delivery app says they are reaching out directly to those affected by the DoorDash data breach with specific information about what was accessed. If consumers have any questions, comments or concerns, DoorDash has set up a call center that is available for 24/7 support at 855.646.4683. In the meantime, here are some things you can do if you think you may have been affected by the DoorDash data breach.

Change Your Passwords Now

Anytime there is a data breach and you think you might have been affected, the Identity Theft Resource Center urges people to change their passwords immediately. Despite the fact that DoorDash says it will be reaching out to everyone affected, it is still a good idea to update your password and make sure it is a strong, unique password.

Track Your Steps

According to the Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report, there were 1,244 data breaches reported last year. While that is less than in 2017, the amount of sensitive information exposed increased significantly.

In the event you are a victim of a data breach and have incurred financial costs or expended time and other resources, the ITRC encourages you to be prepared so you can prove your case in the future. You can do that by downloading our ID Theft Help App, which has a case log manager tool to help track any actions you take in response to a breach.

Consider A Credit Freeze

If you were a DoorDash driver before April 5, 2018, you could have had your driver’s license number stolen, as well as potentially your name and contact information. Delivery drivers might want to consider putting a credit freeze on their reports to prevent a criminal from opening an unauthorized account in their name.

It is important to note that a credit freeze will stop someone from taking out a credit card or loan in your name, but it does not prevent identity theft not related to opening up a credit account.

Watch for Suspicious Activity

Be sure to track all your accounts daily for suspicious activity whether you were impacted by the DoorDash data breach or not. This also includes being very careful if you get any emails or phone calls from DoorDash. It is common for scams to happen following a data breach. If you see any suspicious activity do not respond and report it.

For more information on the data breach, you can go to Breach Clarity to see what information was exposed and see the risk score of the DoorDash data breach. You can also call the Identity Theft Resource Center toll-free at 888.400.5530 for assistance or LiveChat online.


In our 2018 End-of-the-Year Data Breach Report, the Identity Theft Resource Center reported 907 data breaches that impacted the business sector; these breaches equaled more than the amount reported for the banking, education, government and medical sectors combined. Of the five industry categories ITRC tracks for data breaches (banking/credit/financial; business; education; government/military; and medical/healthcare), business-related data breaches are the most common.


That is just one reason why the ITRC has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999. Our mission is to help people proactively reduce their risk of becoming a victim of identity theft and to empower them if they become a victim. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. We’re continuing our 10,000 breaches blog series with a look at the top five business data breaches that impacted U.S. consumers and personal information compromised.

Starwood Hotels & Resorts Worldwide, LLC. (Marriott International)

In November 2018, Marriott announced that its Starwood guest reservation database had been accessed by an unauthorized user. Nearly 383 million records were accessed in this business data breach, which included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates and encrypted payment card numbers. Hotels are typically hot targets for data thieves due to the sheer volume of people’s data available.

Heartland Payment Systems

Payment processor Heartland Payment Systems announced in January 2009 that its processing systems had been breached one year prior, affecting thousands of businesses and banking institutions. Around 130 million consumers’ credit and debit card information had been stolen including cardholder names, card numbers and card expiration dates, putting all consumers at risk for fraud. An investigation into the business data breach began once Heartland received notifications from Visa and MasterCard about suspicious activity surrounding the payment systems processed card transactions.

Equifax

Once again, Equifax makes the list. As many people know, in 2017 Equifax experienced a hack that exposed 148 million U.S. consumers’ personal information including names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, email addresses, payment card information and Tax ID numbers. In July 2019, Equifax reached a $700 million settlement due to their business data breach and agreed to spend up to $425 million to help the victims of the breach. If you were affected, you can file a claim for cash or free credit monitoring services. You can also file a claim for a minor who has been impacted. If you have questions about the settlement and what it means, read more here.

Experian/T-Mobile

In September 2015, Experian North America disclosed a breach of their computer systems that affected 15 million applicants for device financing from wireless provider T-Mobile. Names, birthdays, addresses, Social Security numbers and alternate forms of identification (such as driver’s license numbers, passport numbers or military ID numbers) were some of the information exposed. While the business data breach impacted Experian’s services, it did not affect their consumer credit database. According to T-Mobile, Experian took full responsibility for the theft of data from its server and offered free credit monitoring services to all the consumers who were potentially at risk.

MyFitnessPal (Under Armour)

It was discovered that an unauthorized party acquired data associated with Under Armour’s MyFitnessPal user accounts in March of 2018. Approximately 150 million user accounts were compromised in the business data breach exposing usernames, email addresses and hashed passwords. MyFitnessPal released a notice of data breach stating they quickly took steps to determine the nature and scope of the issue and were working with data security firms and law enforcement authorities in an investigation. In the same statement, MyFitnessPal recommended users change their passwords for all their MyFitnessPal accounts, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for your personal data and to avoid clicking on links or downloading attachments from suspicious emails. (These are practices the ITRC encourages consumers to take with all of their accounts to reduce their risk of identity theft.)

Coming Up In 10,000 Breaches…

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top medical and healthcare breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

 



On July 19, 2019, Pearson PLC reported a data breach affecting approximately 13,000 school and university AIMS Web 1.0 accounts. The data breach was attributed to unauthorized access by an unknown individual. Students had their names and, in some cases, dates of birth and email addresses exposed. Additionally, some staff member names, email addresses and work information – such as job title and work addresses – were exposed.

Editor’s note: School districts affected by the Pearson breach have continued to come forward since the initial July 2019 report. ITRC is tracking each school district separately, as well as part of the larger breach by Pearson. Due to the scope of this breach, an unprecedented number of individual student accounts could have been exposed (hundreds of thousands) leaving an unknown number of victims. ITRC will continue to monitor this breach as it unfolds.

In August 2019 there were a total of 130 data breaches exposing 1,748,078 sensitive records.


By 2021, over 2.14 billion people worldwide are expected to buy goods and services online, up from 1.66 billion global digital buyers in 2016. That means retail data breaches will also be on the rise as point-of-sale (POS) systems, e-commerce sites and other store servers are major targets for hackers looking for large volumes of personally identifiable information (PII) and behavioral data.


That is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches, with monthly and cumulative end-of-year reports published.


ITRC currently tracks five industry categories: banking/credit/financial; business; education; government/military and medical/healthcare. ITRC is a leader in reporting new data breach trends. We’re continuing our 10,000 breaches blog series with a look at the five most impactful retail data breaches for consumers.

Target

Retail giant Target makes the list for their 2013 data breach that exposed the payment card information of 40 million people and the personal information of 70 million. Hackers were able to infect Target’s POS systems with malware, disrupting holiday shopping for millions of consumers. Between Black Friday and Christmas shopping, anyone who shopped at Target from November 27 to December 15, 2013 was at risk for fraud. In a public statement to customers, Target said they moved swiftly to address the issue and that they regret any inconvenience it might have caused.

TJX Companies

In January 2007, TJX Companies Inc., operator of stores like T.J. Maxx, Marshalls and HomeGoods, experienced a retail data breach that affected 94 million customers. Payment card information and customer return records, which included driver’s license numbers, military I.D. numbers or Social Security numbers, were stolen by hackers who were able to gain access to TJX’s computer systems that process and store transaction information. TJX reached settlements with a majority of entities in 2007 and 2008.

Home Depot

Target is not the only retailer that experienced a breach of their POS systems. In 2014, Home Depot announced that they had experienced a retail data breach affecting their payment card processing systems. The hackers were able to steal the payment card information of 40 million customers and emails of 54 million. Since the incident, there have been 57 lawsuits filed against the large retailer. While the company did not admit any wrongdoing, they say they settled so they could move forward and put the incident behind them without incurring further costs.

Hudson Bay

Hudson Bay, parent company of Saks Fifth Avenue and Lord & Taylor, experienced a retail data breach that affected the payment card information of five million customers in 2018. Most of the stores affected were located in New York and New Jersey. It is reported that the retail data breach only affected in-store purchases and did not affect its e-commerce sites. In a statement, Hudson Bay said they deeply regretted any inconvenience or concern the breach may have caused. They also said there was no indication that Social Security or driver’s license numbers were stolen.

Hannaford Brothers

In 2008, supermarket company Hannaford Brothers was breached. It affected just over four million customers. Malware was placed on 300 Hannaford servers as part of the retail data breach which allowed hackers to steal customers’ payment card details as they were used at the check-out. Of the just over four million customers who were affected, more than 1,800 reported their credit cards had been used.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to us to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the biggest business breaches since 2005 and what they meant for consumers. For a look at all of the ITRC’s 10,000 breaches blogs, visit idtheftcenter.org.


Online clothing reseller, StockX, has admitted that hackers have compromised their customer accounts. StockX, an online platform for reselling high-end shoes and apparel, appears to have suffered a data breach that affected 6.8 million of its customers’ accounts.

Forced Password Reset

However, that is not the newsworthy part of the story. After discovering suspicious activity on its servers that could have indicated unauthorized access, StockX sent out a forced password reset to its customers following the StockX data breach but did not state why. The information in the message requiring users to change their passwords was so vague that some questioned whether or not the email was a phishing attempt.

When a tech industry news outlet reached out to StockX for a comment on the forced reset, they were told that it was part of necessary system updates. However, that seems not to have been true. The same news outlet was later contacted by a hacker who claims to have stolen the customers’ information and posted it for sale on the Dark Web. The hacker went on to provide 1,000 records from the database to prove the StockX data breach was real.

The outlet, TechCrunch, contacted those individuals and verified that the stolen information, which contained their emails, usernames and shoe sizes from previous purchases at StockX, was accurate. At the time of the discovery, the hacker claimed the database of records had already been purchased at least once.

TechCrunch has not received any updates from StockX and their questions have gone unanswered. It is important for the public to be aware of some of the ramifications in the StockX data breach since it could happen with other companies and future data breaches.

Never Reuse Passwords

Companies actually do force password resets just to be on the safe side. If a security team discovers password combinations from previous data breaches of other companies, for example, they can compare those stolen passwords to ones on their site. If their customers have used the same email and password on this company’s website that they had on a site that has already been breached, that might trigger a forced password reset.

Never reuse a password. The hacker who made off with 6.8 million usernames and passwords in the StockX data breach is hoping that a lot of those people reused their email and password combination on their Amazon account, PayPal account, online banking account or email.

Watch for Phishing Emails

Scammers know that password reset emails are easy to fake. All a scammer has to do is steal the logo from a company’s website, make a fake email address and send it out to millions of people, telling them to click here to change their passwords. Instead, the scammers are gathering up the “old passwords” that the victims typed by following the link.

Customers who were suspicious were very smart. Given how common phishing tactics are, it was incredibly savvy of customers to reach out to the company and tech experts for advice. Never click a link you were not expecting or verify your account information for someone who contacts you.

Have Good Identity Hygiene

Change your passwords frequently, especially if you receive a notification like this one in the StockX data breach. It is simple and smart to change your passwords; just do not rely on an email with a link to do it. Go directly to the company’s website yourself and change your password in your profile settings. Ignore and delete the email, whether it was legitimate or not, and handle the password reset yourself.

If you are a victim of identity theft in need of assistance, you can receive free remediation services from ITRC. Call one of our expert advisors toll-free at 888.400.5530 or LiveChat with us. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



The recent Choice Hotels data breach contains so many cybersecurity variables that it is difficult to process the entire breach. Three separate problems all came together to expose an estimated 5.6 million records, although the situation is not as dire as it might seem.

Problem #1 – An accidental data breach

The first issue in the Choice Hotels data breach was an exposed server. Accidental overexposure data breaches are becoming more common, and they are the result of a mishap on the part of the entity in charge of securing company information. The online storage services involved are basically remote servers housed somewhere else. A company logs into its account, stores all its sensitive information and pays a fee for this service. It is supposed to be more secure and allow businesses to access their data from anywhere. Too often, though, the server is left unprotected and without a password to secure it. That means literally anyone who stumbles upon it online can access all of the information.

Problem #2 – Someone found it

In many accidental overexposures, the company is alerted to the problem by an outside security researcher or helpful tech expert who discovered it. These events are still treated as serious matters since someone could have found and stolen the information quietly. In the case of the Choice Hotels data breach, someone did find it and stole the records, then left a note demanding Bitcoin payment as ransom in order to delete their copy and not tell anyone about the breach.

While this was not actually ransomware, software that infects your system until you pay the hacker’s fee, the tactic was the same. Pay up, or we sell your information and announce that you were breached.

Fortunately, Choice Hotels did not try to cover it up. They carried out a cybersecurity investigation and learned that the stolen information was far smaller than they had originally thought. It was around 700,000 records and may have only included names, email addresses and phone numbers, which is still serious, as scammers can use this information to target these customers with phishing attacks.

Problem #3 – It wasn’t Choice Hotels’ server

The third variable in the Choice Hotels data breach was an outside vendor who left their own server unprotected. While the information belonged to Choice Hotels and was, therefore, their responsibility, a third-party vendor was using the database to demonstrate a new tool that would help Choice Hotels with some aspect of service. Instead, the vendor left their server exposed and allowed the information to be accessed by a hacker.

This kind of third-party relationship has long been the weak link in cybersecurity. The now infamous Target data breach in 2013, for example, involved an HVAC company that serviced some Target stores. Hackers worked their way into the company’s computers due to lax security practices and used that connection to steal millions of payment card account credentials on Black Friday that year.

It is odd to see so many things go wrong in the same data breach, but it happens. The Choice Hotels data breach, while limited in size and potential damage, should serve as a wakeup call to businesses who are working diligently to protect their customers’ data. It is critical that businesses understand who can access information, what they can do with it, how vulnerable it might be and what harm can come about as a result.


The latest Poshmark data breach has led to personal identifying information (PII) being exposed for some users of the online marketplace that lets people buy and sell clothing and beauty items.

Thanks to the abundance of websites and apps that let us buy, sell, and trade, it has never been easier to find what we love. That is the theory behind Poshmark. On the buyer side, you can look for just the right outfit from users’ virtual closets. On the seller side, you can make some money for items you already have hanging at home.

Unfortunately, a platform like that will draw quite a few users, which can put it in a hacker’s crosshairs. The company announced it had discovered a data breach of its servers, and it has now helped to specify what types of information were compromised.

The information exposed in the Poshmark data breach appears to be limited to variables like email and username, some shopping preferences like common sizes, and encrypted passwords that are not supposed to be visible even if a hacker accesses them. However, to be on the safe side, Poshmark recommends changing your password if you discover that your information was affected by the Poshmark data breach.

Check Where Your Info May Have Been Compromised

There are a couple of handy tools that can help keep internet users safe. The first is a fairly comprehensive website known as HaveIBeenPwned.com. You simply type in your email address and it will show you exactly which known data breaches have contained information related to your email. It is a good idea to try it with any email account you have, even ones that are outdated or you no longer use.

The other tool appeared as part of Mozilla Firefox’s latest browser update. On a visit to Poshmark.com or its blog, the browser popped up a quick tab explaining that user data had recently been stolen from that website. The option to enter your email address to check on your data was included in the popup. Other platforms offer similar tools, and they can help you keep tabs on where your information may have been compromised.

Change Your Password

Poshmark’s advice is sound. In the Poshmark data breach or any other data breach, changing your password should always be one of your first steps.

Never Reuse Passwords

Also, this serves as the most recent reminder of a crucial data security rule: Never reuse your email and password on multiple accounts. If any hackers gained this information from Poshmark, they can easily use it to cross-reference against other, more sensitive websites and apps. If any Poshmark account holders reused their passwords for their email, web retailers, social media, workplace computers, financial accounts or more, the hackers now control them. Change your passwords immediately if you are one of the many consumers who reuse your passwords, and do not forget to update them regularly just to be safe in case there is a data breach like the Poshmark data breach.
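An added example, not part of the original article: one way to work out which of your other accounts share a password with a breached site, so you know what to change first. The CSV layout, site names and passwords below are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample: a password-manager export with site, username, password columns.
SAMPLE_EXPORT = """site,username,password
poshmark.com,jane@example.com,Closet!2019
mail.example.com,jane@example.com,Closet!2019
bank.example.com,jane,Xk9#vTq2-lmP
shop.example.com,jane@example.com,t7RR_wa1!uZe
social.example.com,janed,Closet!2019
"""


def _fingerprint(password):
    # Compare hashes in memory so plaintext passwords never appear in the results.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_accounts(export_text):
    """Parse the export into (site, username, fingerprint) tuples."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [(row["site"].strip().lower(), row["username"].strip(),
             _fingerprint(row["password"])) for row in reader]


def accounts_to_change(accounts, breached_site):
    """Sites needing a new password after a breach: the breached site itself
    plus every account that shares a password with it."""
    exposed = {fp for site, _, fp in accounts if site == breached_site}
    return sorted({site for site, _, fp in accounts if fp in exposed})


def reuse_groups(accounts):
    """Group sites by shared password; return only groups of two or more."""
    groups = defaultdict(set)
    for site, _, fp in accounts:
        groups[fp].add(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    accts = load_accounts(SAMPLE_EXPORT)
    print("Change now:", accounts_to_change(accts, "poshmark.com"))
    print("Reused passwords:", reuse_groups(accts))
```

The check only matches identical passwords, so give each flagged account a new, unrelated password rather than a small variation of the old one.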


The unsecured Facebook server contained nearly 500 million users’ contact info, including a treasure trove of usernames and phone numbers. More than 220 million of them were found for sale online in the Facebook server leak.

How much does it cost to buy access to hundreds of millions of people? Just $1,000.

According to CNET, Elliott Murray, CEO of UK-based cybersecurity company WebProtect, found the information for sale on a web forum in May. He believes it is the same list that TechCrunch reported Wednesday was found on an unsecured web server by cybersecurity researcher Sanyam Jain.

Where did this sensitive information come from in the Facebook server leak? Facebook thinks it might be related to an old feature the company has since shut down. For a while, users could locate each other by phone number rather than Facebook username. Executives realized that feature could be used to steal phone numbers and sell them for spam marketing purposes.

That is apparently what happened in the Facebook server leak. Databases of stolen information are for sale all over the Dark Web. When the database contains complete identities, thieves buy them for identity theft, fraud and even those robocalls you get on a daily basis. However, when it is just lists of email addresses or phone numbers, they still want these in order to send out spam, attempt to scam people or turn around and sell the list to someone else.

Facebook has used an important turn of phrase regarding the Facebook server leak: publicly available. That can mean that this is not “sensitive” information under data breach laws. It does mean, though, that someone did the hard work of compiling the info into an easy-to-use, easy-to-sell database.

There is no cause for concern regarding the security of your actual Facebook account from the Facebook server leak, but it is a good idea to pop into your profile settings and delete your phone number. It will not help if your number has already been posted online for sale, but it can prevent future data scrapes from nabbing your contact info.

There is another lesson to be learned from the Facebook server leak: do not overshare. If you are signing up for a new account and you see that some registration items are optional (like email address or phone number), skip them. If the company does not need it in order to establish your account and let you utilize their site, then it is just one more piece of data that can be compromised. Protect your data and only give it to those who really need it.
