• A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data and account passwords or PINs. An investigation is on-going.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice, State and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.

  • Last week, FireEye, a cybersecurity provider, revealed their tools to detect and block sophisticated cyberattacks were stolen in a security breach. 
  • This week we learned attackers, believed to be affiliated with Russia’s state security service, infiltrated government agencies and potentially thousands of companies through a software update from IT management company SolarWinds that was issued months ago. 
  • So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be more interested in information they can use for intelligence or espionage. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast on SoundCloud. This week, on the last breach breakdown podcast of 2020, we look at the FireEye and SolarWinds hacks, which have shaken the cybersecurity community. 

Also available on Apple Podcasts and Spotify.

Data Breaches Down/Security Breaches Up 

2020 has been a difficult year for many. However, there have been some encouraging trends that the ITRC has talked about in previous breach breakdown podcast episodes. One of the most promising trends includes cybercriminal’s lack of interest in consumer information, resulting in a significant drop in data breaches and the number of people impacted by them.  

Unfortunately, you can’t say the same of a companion crime, security breaches. One cannot have a mass data breach without also experiencing a cybersecurity failure. With that said, it is possible to have a security breach without impacting consumer data. That is what dominates the news as we wrap up 2020 – a massive security breach involving two leading technology companies: FireEye and SolarWinds. 

What You Need to Know About FireEye 

FireEye, a cybersecurity provider, supports large organizations worldwide with tools that detect and defend against cyberattacks. When there are attacks on companies and governments, FireEye often gets the call to figure out what happened and how it happened. 

What You Need to Know About SolarWinds 

SolarWinds, a software company, claims to help more than 33,000 companies, including virtually all Fortune 500 companies and every major agency in the U.S. government. SolarWinds’ software helps organizations with large, complex computer systems manage their networks and devices.  

FireEye and SolarWinds Hacked 

Last week, FireEye revealed their tools to detect and block sophisticated cyberattacks, the kind launched by governments, had been stolen due to a security breach. A few days later, the U.S. Treasury and Commerce Departments announced they were hacked. It was followed by announcements of hacks at the National Institutes of Health as well as the Departments of Homeland Security and State. 

This week, we learned that the security breaches were the result of threat actors believed to be affiliated with Russia’s state security service. The attackers infiltrated these government agencies and FireEye through a software update from SolarWinds that was issued months ago. SolarWinds believes as many as 18,000 customers may be affected by the malware inserted by the attackers into the SolarWinds update.  

What the FireEye and SolarWinds Hacks Mean for Consumers 

It is too early to tell what the FireEye and SolarWinds Hacks mean for consumers. So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be interested in information that can be used for intelligence or espionage, not making money by stealing and selling consumer data.  

There is another reason to believe consumer information may be safe from the FireEye and SolarWinds hacks. SolarWinds software does not access or manage consumer data. As ITRC Chief Operating Officer James Lee says in the podcast, think of SolarWinds as a traffic cop. They can tell people what businesses are on the street and how to get there, but they cannot take people there and open the door for them. 

With enough time and motivation, the attackers could have wandered around a SolarWinds customer’s networks to access some consumer information. However, experts don’t believe that happened on a mass scale. The ITRC will post more details if we find consumer information is involved.  

How We Know About the Attacks 

We know about this and other breaches because of laws and regulations that require organizations, even government agencies, to issue breach notices. Many of those rules do not set a specific timeline for when a notice must be given. That is about to change for banks governed by the Federal Deposit Insurance Corporation (FDIC).  

For the past 15 years, the FDIC rules only required that regulators be notified of a data or security breach within a reasonable period of time. This week, the FDIC approved a new regulation that sets the notification period at 36 hours whenever a security issue or system’s failure significantly impacts operations. That is stricter than the 72 hours required by the State of New York, the toughest notification law in the U.S. The FDIC rule only requires regulators to receive a notice. State laws still govern public notices.  

notifiedTM    

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC   

If you believe you are the victim of an identity crime or data breach and need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started.  

Twenty-three episodes from 2020 are in the books. We will be back in January to share more insights into data breaches and identity trends. Join us in 2021 on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.   

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • Vertafore, a Denver based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise that exposed personal information to the risk of being stolen by a cybercriminal by not installing security on a cloud storage service.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records exposed has millions of people worried about how it could affect them.

Vertafore, a Denver based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, it was moved to a third-party cloud database with no security. The files included data before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records exposed has prompted consumers to ask questions about how their driver’s license and related data ends up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 

  • The software provider behind some of the largest travel websites, Prestige Software, maintained a cloud database without a password. The unsecured database led to approximately 10 million accounts being available to view online to anyone who knew where to look.  
  • Prestige Software provides technology services to Booking.com, Expedia, Hotels.com, Sabre and other hotel reservation websites around the world. Information included credit card details, payment details and reservation details dating back to 2013.  
  • While there is no evidence the exposed information is being misused, travel website users should change their passwords on their accounts (our experts suggest enacting a passphrase), add two-factor authentication, freeze their credit, monitor their bank statements for any unusual activity and keep an eye out for phishing attempts.  
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website. 
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at the all too frequent event in the world of data – unsecured databases. 

A Lack of Secure Online Databases 

In the context of data protection, repeating the same mistake can have significant consequences. It is why cybersecurity professionals tend to focus on preventing data breaches. That requires them to continually adapt their strategies and tactics to match those of the treat actors who are frequently attacking company systems.  

 Securing online databases continues to slip away from cybersecurity teams. The software provider behind some of the world’s largest travel websites maintained a cloud database without a password, leading to 10 million accounts being available online for access by anyone who knew where to look.  

Forensic researchers believe the available information dates back to 2013 and only relates to hotel reservations. While the information contained in the unsecured database could be used to commit several identity crimes and fraud, right now, there is no evidence the information has been copied and removed from the database. Also, right now, there are no reports of the data being used. 

Software Provider Behind Large Travel Websites Leaves Database Unsecured 

Prestige Software provides technology services to websites that many consumers may have used, including: 

  • Booking.com 
  • Expedia 
  • Hotels.com 
  • Sabre (The reservation system used by American Airlines) 
  • Other hotel reservation websites & mobile apps 

The cloud database was hosted in an Amazon Web Services (AWS) environment that included basic security protections. However, they were not configured. Prestige Software confirmed the database was open to the internet and is now secured.  

Information Exposed Due to Unsecure Prestige Software Database 

The information stored in the unsecured database included large amounts of personal information like full names, email addresses, national I.D. numbers and phone numbers of hotel guests. Additional information stored includes: 

Credit card details: card number, cardholder’s name, CVV and expiration date 

Payment details: total cost of hotel reservations 

Reservation details: reservation number, dates of a stay, the price paid per night, additional requests made by guests, number of people, guest names and much more 

What Impacted Consumers Need To Do 

Consumers who have used these travel websites should assume that any information they shared since 2013 is in the wild and available to be misused in identity crimes, fraud and phishing schemes. Consumers should act as if they have already received a breach notice due to the unsecured database and take the necessary steps to protect their personal information

  • Change your passwords on the travel accounts to a longer, memorable passphrase. Make sure it is unique to the account. Do not use the same passphrase on more than only one account because it helps the bad guys. 
  • Add two-factor authentication. 
  • Freeze your creditif you haven’t already, and monitor your credit card statements for unusual activity over the next few months. 
  • Keep an eye out for phishing attemptsespecially related to any websites affected by this breach or other travel-related websites. Remember, the best protection is to never click on unsolicited links. If you are unsure, contact the company directly.  

How It Impacts Prestige Software 

For the company, the impacts of the lapse in cybersecurity could be significant. Prestige Software is based in Spain and subject to the European Union’s strict privacy and cybersecurity law, known as the General Data Protection Regulation (GDPR). Companies found to have failed to protect consumer information are subject to significant fines up to four percent of their annual revenue.  

Also, companies that process credit cards are subject to self-regulations. The penalty for failing to comply with the Payment Card Industry (PCI) standards include, in some cases, a company losing the right to process debit and credit cards. It is surprising that we have to continue to remind companies of a simple fact: Companies are responsible for securing their cloud environments, not cloud platform providers like Amazon, IBM, Microsoft or any other cloud services companies. Cloud hosts will make basic tools available, but companies have to use them. Also, companies are still responsible for patching their applications and maintaining their advanced cybersecurity tools.  

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you have been affected by the Prestige Software database exposure and want to learn more or think you’re the victim of an identity crime, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Timberline, BankSight and MAXEX Headline the Most Notable Data Breaches in October

California Voters Pass Strongest Privacy Law in the U.S. – The California Privacy Rights Act (CPRA)

Reports Show Consumer Privacy and Cybersecurity Views Have Evolved

  • Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.  
  • A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.  
  • MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests. 
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM
  • For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more. 

There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list. 

Timberline Billing Service 

Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.

However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.  

Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools: 

  • Fort Dodge Community School District 
  • Iowa City Community School District 
  • Cherokee Community School District 
  • Kingsley-Pierson Community School District 
  • Central Decatur Community School District 
  • Clinton Community School District 
  • Muscatine Community School District 
  • Saydel Community School District 
  • Sheldon Community School District 
  • Mid-Prairie Community School District 
  • Hudson Community School District 
  • Dallas Center-Grimes Community School District 
  • Knoxville Community School District 
  • Oskaloosa Community School District 

Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.  

BankSight Software Systems, Inc. 

vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or postpone on loan payments, exposing private family and business information.  

vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their client’s data.  

MAXEX, LLC.  

Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.

The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.  

MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.  

While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. Rather, the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.  

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. 


Read more of our latest information & educational resources below

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers

  • A new CheckPoint report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter. 
  • Barnes & Noble acknowledged what they initially thought was a systems error earlier in October turned out to be a cyberattack on some of its systems. 
  • Cyberthieves posted three million credit cards for sale on the dark web earlier in the month stolen from Dickey’s BBQ restaurant chain throughout 2019 and 2020. 
  • Darkside announced they donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations. 
  • If you are the victim of a phishing attack or data compromise, contact the Identity Theft Resource Center for no-cost assistance at 888.400.5530 or by live-chat on the company website. 

A new report reveals how frequently identity criminals use well-known brands to trick people into sharing their personal information. CheckPoint Security researchers say one company has jumped to the top of the heap when it comes to fake emails and fake websites involved in brand phishing attacks – Microsoft.  

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we take a look at CheckPoint’s latest survey and what it means, as well as two data compromises that recently prompted consumer notices, and a ransomware group donating to charities.  

Brand Phishing Attacks 

There are different types of phishing attacks. What is a brand phishing attack? In this attack style, a cybercriminal imitates a well-known brand’s official website by using a web address and webpage design similar to the real thing. A link to the fake website is then sent to people by email, text message, or social media.

The fake webpage often contains a form intended to steal the credentials, payment details, or other personal information of the people caught in the phisher’s net.  

While many of the spoofed websites are fake with poor spelling or grammar, these emails, websites, texts and social media accounts are increasingly sophisticated and highly accurate imitations that even trained professionals don’t spot at first glance. 

Report Reveals Microsoft as the Top Spoofed Brand 

CheckPoint’s current report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Forty-three percent of all types of phishing attacks involve fake websites, and Microsoft is again the number one brand used to lure unsuspecting users.

As tolled, Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter.  

However, Microsoft is not the only brand in the crosshairs of cybercriminals. The rest of the top ten brands currently being used in phishing campaigns include: 

  • Google (nine percent) 
  • PayPal (six percent) 
  • Netflix (six percent) 
  • Facebook (five percent) 
  • Apple (five percent) 
  • WhatsApp (five percent) 
  • Amazon (four percent) 
  • Instagram (four percent) 

How to Avoid a Phishing Attack 

The best way to avoid falling victim to all types of phishing attacks is to ignore unsolicited emails and texts that include links. If anyone receives a notice from a company where they do business, they should log in directly to their account to verify the message they received was real.

Anyone who gets a notice can also go to the company website directly and contact them. Under no circumstances should anyone click on a link or call a telephone number in an unexpected email.  

Barnes & Noble Data Compromise 

We also want to tell you about two recent data compromises that led to consumer notices. Barnes & Noble – the online brick and mortar bookseller – acknowledged what they initially thought was a systems error earlier in October was, in fact, a cyberattack on some of the company’s systems.

Customer email addresses, billing and shipping addresses, telephone numbers and transaction histories may have been involved in the security breach. Barnes & Noble says there is no evidence of a data exposure. However, they are not ruling out the possibility. 

Dickey’s BBQ Data Compromise 

The Barnes & Noble breach is different from the circumstances at the Dickey’s BBQ restaurant chain. Cyberthieves posted three million credit cards for sale on the dark web earlier in the month stolen from the popular eatery throughout 2019 and 2020. Security researchers believe 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing software.  

“Darkside” Ransomware Group Tries to Claim its Legitimacy 

Finally, the ransomware group known as “Darkside” is trying its hand at brand building just like a legitimate company. This week Darkside announced they had donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations.  

Security researcher Chris Clements notes, “The most troubling realization here is that the cybercriminals have made so much money through extortion that donating $20,000 is chump change to them.”  

Neither of the two charities has acknowledged receiving the donation and say they will not keep it if it turns out to be true. 

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you accidentally click on a link of a brand phishing attack or provide information to what you discover later was a fake website form, contact the ITRC toll-free at 888.400.5530 or live-chat with an expert advisor on the company website. An advisor will walk you through the steps to take to protect yourself from any possible identity misuse. 

If you receive a breach notice due to the Barnes & Noble or Dickey’s BBQ events or any other data compromise and you’d like to know how to protect yourself, contact the ITRC to speak with an expert advisor. Also, download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our  weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  


Read more of our latest articles below

Identity Theft Resource Center® Reports 30 Percent Decrease in Data Breaches so Far in 2020

Election Scams Begin to Surface with the General Election Less than One Month Away

Recent Insider Attacks Stress the Importance of Smart Business Practices

While data breaches are down, a single ransomware attack at Blackbaud exposed information from at least 247 organizations that have issued their own breach notices 

SAN DIEGO, October 14, 2020 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its U.S. data breach findings for the third quarter of 2020. 

According to the data breach analysis, publicly-reported U.S. data breaches have dropped 30 percent year-to-date compared to 2019. More than 292 million individuals have had their identities compromised so far in 2020, a 60 percent drop from 2019. Mass data breaches of personal information continue to decline while cyberattacks are up as threat actors focus on ransomware, phishing, and brute force attacks that use already available identity information to steal company funds and COVID-19 related government benefits. 

Despite the encouraging data breach numbers, a single ransomware attack at Blackbaud exposed information from at least 247 organizations that have issued their own breach notices as of September 30, 2020

Cyberattacks were the primary cause of data compromises reported in Q3 2020, with phishing and ransomware attacks the most common attack vectors. However, viewing Blackbaud as a series of attacks and not a single event, supply chain attacks were the most common exploit.

Download the Identity Theft Resource Center’s 2020 Third-Quarter Data Breach Analysis and Key Takeaways 

“It is encouraging to see the number of data breaches continue to decline in 2020,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “If data breaches continue at this pace for the remainder of 2020, we could see our lowest number of breaches since 2015.” 

While data breaches are dropping, the Blackbaud data breach has skewed the numbers significantly. Of the 247 organizations to issue breach notices to their customers, only 58 have disclosed the number of individuals impacted by the breach – 6,981,091. If the Blackbaud data breach is treated as a series of events, data breaches have only decreased by 10 percent compared to 2019.  

“If anyone gets a breach notice connected to the Blackbaud data breach, they should act immediately because their information could still be available,” Velasquez said. “Whenever someone receives a breach notice, they need to act quickly and decisively because of the risks that come with personal information being exposed.” 

For more information about recent data breaches, or any of the data breaches discussed in Q3, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

For consumers who have been victims of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Anyone can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting www.idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center® 

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity crime in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live-chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Media Contact 

Identity Theft Resource Center 
Alex Achten  
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

  • Shopify and Instacart recently suffered data breaches from insider attacks, stressing the importance of not allowing too much access to employees. 
  • Consumers who receive a breach notice regarding either data breach should follow the advice. They should also change their username and password to any breached accounts, add two-factor authentication if possible, and watch for attempts like phishing emails looking to collect personal information. 
  • Businesses should reduce access and privileges based on an employee’s position, adopt a zero-trust framework, and put tools in place to track data movements.  
  • To learn more about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM
  • If you believe you are a victim of a data compromise, contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website. 

Not all data breaches are the result of professional cybercriminals hacking their way into a company. Sometimes, data compromises happen because of malicious insiders who want to make a quick buck. That’s what happened to Shopify, a popular online e-commerce platform used by small retailers and global brands alike.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week, and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we look back at the Shopify data breach in an episode titled “Shopify ’til You Drop.” 

About Shopify 

Shopify is a Canadian e-commerce company founded in 2006 that’s considered a go-to vendor for online retailers of all sizes worldwide. Shopify provides an e-commerce platform that supports over one million merchants in 175 countries. Some of the merchants include big names like Tesla, Sephora and Kylie Cosmetics. Shopify also has smaller mom and pop-type retailers. 

Shopify Data Breach 

As the ITRC reported at the beginning of the month, the Shopify data breach happened when two Shopify’s employees collected information from merchants on the Shopify platform. Information siphoned-off includes personal information about customers and their transactions, email addresses, names, physical addresses, products, and services purchased, as well as partial payment card information. 

In late September, Shopify notified the impacted merchants and posted a notice online informing website visitors of the data breach caused by the now-former malicious employees. Once Shopify security teams figured out what was happening, the number of compromised companies was nearly 200. 

How Does This Happen? 

Attacks from malicious insiders are not rare. However, they are not common, either. IBM’s 2019 data breach report shows that seven percent of all data events studied are from insiders intent on stealing information. 

When an insider attack happens, it’s almost always because companies allow rogue employees, contractors or partners too much access. Another problem is so many employees working remotely, making it difficult for cybersecurity teams to keep up with who is moving data and where. 

Other Recent Insider Attacks 

The Shopify data breach is not the only malicious insider attack in the past two months. Instacart and Tesla both disclosed similar incidents in the last 45 days.  

Instacart says two tech support vendor employees possibly reviewed more shopper profiles than necessary in their roles as support agents. Since the incident, Instacart notified around 2,200 shoppers of the data breach. 

One week after the Instacart compromise, Tesla announced the company was targeted by a Russian cybercrime organization that tried to recruit U.S. employees to install malware on a Tesla factory’s internal network. Rather than take the deal, the Tesla employee being recruited reported the attempt to Tesla and the FBI. 

What Consumers Should Do 

If anyone receives a breach notice from a Shopify or Instacart merchant, don’t ignore it. Consumers should take the advice in the letter and complete the following actions: 

  • Change your username and passwords for any breached accounts. Make sure you have a unique password for every account you have. 
  • Add two-factor authentication to your accounts, if possible. 
  • Watch out for phishing emails, texts, links to websites and other attempts to collect financial or other personal information.  

What Businesses Should Do 

Business leaders should consider some steps to take to protect their company and customers from insider threats. Those steps include: 

  • Reduce privilege access based on the employee and their position. Ensure they have access to the least amount of information needed to do their jobs and provide a good customer experience. 
  • Watch data movements across the entire company environment, whether employees are on or off the network.  
  • Adopt a zero-trust framework so your security team can better track who is coming in and out of your network.  
  • Put tools in place to give visibility into file movements, enabling your security team to verify that corporate intellectual property and sensitive data is not leaving the organization.  

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you received a breach notice due to the Shopify of Instacart insider attacks, or any other data compromise, and you’d like to know what steps to take to protect yourself, contact the ITRC to speak with an expert advisor toll-free at 888.400.5530. You can also live-chat with an advisor on the company website. Victims of a data breach can download the free ID Theft Help App to access advisors, resources, a case log and much more.  

Join us on our  weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Read more of our latest blogs below

Blackbaud Ransomware Attack Significantly Impacts Q3 Data Breach Trends

Shopify Data Exposure Affects Hundreds of Online Businesses

50,000+ Fake Login Pages for Top Brands from Credential Theft

  • Data breaches are down 30 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a single event. 
  • Data breaches are down 10 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a series of data breaches.  
  • Regardless of how the Blackbaud ransomware attack is viewed, the number of individuals impacted by a data breach is down nearly two-thirds.  
  • Anyone who believes they are a victim of a data breach is encouraged to contact the Identity Theft Resource Center to learn more about the next step to take. Victims can call toll-free at 888.400.5530 or live-chat with an expert-advisor on the company website. 

2020 has seen many different data breach trends. In the first half of 2020, the Identity Theft Resource Center (ITRC) reported a 33 percent decrease in data breaches and a 66 percent decrease in individuals impacted. The ITRC has compiled the Q3 2020 data breach statistics, and the number of compromises has dropped. However, there is one data breach that skews all the data. 

Two Ways to Look at the Numbers 

With the ongoing global pandemic and one particularly nasty ransomware attack against IT service provider, Blackbaud, reported in the third quarter, the Q3 numbers can be interpreted in two ways. 

Data Breaches Down 30 Percent Treating Blackbaud as a Single Event 

If we treat the Blackbaud attack as a single event, the number of data compromises reported so far in 2020 remains well below the 2019 trend line, with nearly a 30 percent decrease year-over-year. Looking at the rest of 2020, absent a significant data breach, 2020 could end with just over 1,000 data breaches. That would be the lowest number of breaches in five years, dating back to 2015. 

Data Breaches Down 10 Percent Treating Blackbaud as a Series of Breaches 

If the Blackbaud ransomware attack is treated as a series of data breaches, the year-over-year trend line changes significantly. However, the number of data breaches is still down in comparison to 2019. There have been 247 data breaches reported as a result of the Blackbaud ransomware attack. Once you add those to the overall number of data compromises, we go into Q4 with a 10 percent decrease in data breaches compared to this time last year.  

Individuals Impacted by Data Breaches Down Two-Thirds 

No matter how Blackbaud is categorized, one data point remains the same: the number of individuals who have been impacted in 2020 by an information breach. So far in 2020, roughly 292 million people have had their personal information compromised, nearly two-thirds fewer people than in 2019. The ITRC will have more information to share on our Q3 Data Breach Trends Report, which will be released later in October. We will also discuss the details on our sister podcast, The Fraudian Slip, in two weeks. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the ITRC looks at some of the top data compromises from the previous week, and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we are looking at the Q3 data breach trends and the latest numbers.  

notifiedTM 

For more information about recent data breaches, or any of the data breaches discussed in Q3, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you receive a breach notice due to the Blackbaud ransomware attack or any other data compromise and want to know what steps to take to protect yourself, contact one of the ITRC expert advisors by phone toll-free 888.400.5530, or by live-chat on the company website. Victims of a data breach can also download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Read more of our latest news below

Shopify Data Exposure Affects Hundreds of Online Businesses

Dunkin Donuts Data Breach Settlement Highlights Busy Week of Data Compromise Updates

50,000+ Fake Login Pages for Top Brands from Credential Theft