No matter where it occurs, “suspicious activity” is almost never a good thing and it’s important to take it seriously. Whether it’s your own bank statement or a major company’s credit card payment system, acting quickly can minimize the damage and put you back in control.

When Colorado-based restaurant chain Noodles & Co. was alerted to “suspicious activity” by its credit card processing company last May, the result was a third-party investigation that uncovered malware on its network. According to their findings, customers who paid by credit card or debit card at any of its 400 affected locations in the first half of this year may have had their account information stolen.

There are some important things to understand about any kind of data breach like this one:

  1. Notification – Affected consumers will be notified of the possibility of a breach. Depending on whether or not there’s reason to believe the incident could impact their finances, companies may or may not be required to offer credit monitoring services to the customers. If you are sent a letter and told you’re eligible for credit monitoring, do not discard the letter! Follow through with the instructions in order to protect yourself.
  2. A change in how customers are notified – Until recently, victims of a data breach have been notified by mailed letters, but one state has already passed a bill that will let companies email the victims. While email has usually been considered less trustworthy than a mailed letter, it not only reduces the amount of time that passes between discovering the breach and alerting consumers, it’s a tremendous savings to a company who may have to inform millions of people about the breach.
  3. How did the malware get there? – Customers obviously can’t be expected to detect malware in a retailer’s POS system before paying, but this news still pertains to every citizen. In many instances, malware infects a retailer’s network after someone opens the door for a hacker. Several major retail data breaches have been traced back to an employee who accidentally downloaded the malicious software through a phishing attempt, by clicking a link in an email, or some other seemingly harmless behavior. This should serve as a reminder to be very careful of your own online behaviors.
  4. Monitoring yourself – Recent awareness of data breaches and changes to how we investigate suspicious activity has meant major improvements in reporting breaches and informing the victims. What used to take months or even years to uncover and report now takes days in some cases. But that doesn’t mean you should skip the legwork of protecting yourself. Monitoring your credit card statements, bank statements, online and mobile banking sites, and even your credit report will alert you to suspicious activity without having to wait for someone else to inform you. Stay on top of your accounts and watch over them yourself in order to stop any damage as soon as it starts.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

When news breaks of any major event, scammers go to work in an attempt to steal money or personal identifiable information from their victims. Literally within hours of the attacks on the World Trade Center on September 11th, scammers were out soliciting donations to help the relief effort. The same is true of the earthquake that hit Haiti in 2010, the tsunami that hit Japan in 2011, and so on.

But when the headlines are about yet another data breach—an all-too-common occurrence in this climate of record-setting numbers of breaches—there’s still the threat of a scammer stepping in and stealing our money or our information.

How? In an event like a widely publicized data breach, scammers know there may be millions or even tens of millions of victims. It doesn’t even matter if your information wasn’t specifically stolen in the breach. If you’ve ever shopped or dined at the store or restaurant that was breached, all the scammer has to do is tell you that your name is on their list of victims.

The scam within a scam works like this: a store (let’s call it Joe’s) suffers a major data breach. It makes headline news, and consumers begin receiving notification letters. From there, scammers simply start auto-dialing their potential victims, claiming to work for Joe’s or claiming to work for the credit monitoring service that’s been contracted to help the victims. He’ll offer the victim credit monitoring, money as compensation, or any other enticing offer to make you stay on the phone.

The only person who can truly claim to be safe from this scam is someone who has honestly never stepped foot into a Joe’s location in his life. Even if you know you don’t live in a location that was affected by the breach, the scammer just has to tell you that the data breach is bigger than they’d first thought, or that they don’t know how it happened but your card information was found online. He’ll tell you anything to make you believe you’re somehow in danger of having your identity stolen.

There are a few things to look for if you receive a phone call or message that may be part of this kind of scam within a scam. First, if you’re asked to verify all of your sensitive information, don’t do it. The person calling you claims your information was stolen…shouldn’t he already have your information? Your address or phone number should be safe, but why would he need to ask for your complete personal details?

Next, if he asks for your Social Security number, don’t hand it over. Even your birthdate is pretty sensitive, so be mindful of giving that to people who call you. Obviously, a genuine credit monitoring service can’t protect you without knowing your Social Security number and your birthdate, among other pieces of information, but that data is typically gathered via mailed forms that you’ll have to fill out and send back. It’s not collected over the phone from someone who calls you out of the blue.

Finally, watch for the hard sell. Are you being pressured to act now, or told that you only have 24 hours to sign up before the offer is void? Are you being told that your identity has already been stolen and if you don’t do something immediately you could be in danger? Has the caller even hinted that you could be held legally or criminally responsible for something that happens as a result of not signing up? All of those are pressure tactics that scammers use in order to keep you from thinking it through. They want your information and your money, and if they give you time to process what you heard, there’s a good chance you’ll realize it’s a scam.

If you’re ever contacted by letter, phone, or email about a data breach, there will be instructions for you to follow in order to take action. Verify those instructions with the company if you feel like something is amiss, and remember to guard your information against people who are just taking advantage of the latest headline news.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

Hospitals, retail stores, schools, and now parking garages: no business or organization seems to be immune to the effects of hacking. Annapolis, Maryland, residents are now learning about the extent of a recent data breach that seems to have affected three of the city’s parking garages, stealing customer credit card information.

SP+ Municipal Services’ servers were found to be infected with malware earlier in June, and the company immediately switched to cash-only payments for three locations, the Noah Hillman, Gott’s Court and Knighton Garages. In keeping with regulations, the company informed the Maryland Attorney General’s office, then began the process of informing consumers who may have been affected by the breach.

While it might seem like a case of “another day, another data breach,” this incident actually speaks to the progress that agencies have made in spreading the word about hacking, data breaches, and identity theft. An incident like this one once took months of investigation before it was even fully discovered, and then even longer before word finally reached consumers. While the time frame for the breach to impact consumers is believed to span all the way back to December 2015, the suspicious activity was discovered on the servers on June 11th; cardholders were notified ten days later, after the necessary reports to the state government were made.

Any time that news of a data breach makes headlines, it’s a good time to understand what to do when you’re notified of the incident. If you receive a data breach notification letter, make sure you look over it very carefully in order to understand what information was stolen. In this case, only credit card information (numbers, cardholders’ names, and security codes from the back of the card) seems to have been stolen; banks will issue new cards and the cardholders will update their other accounts. But if your personal identifiable information like Social Security numbers and birthdates is stolen, you’ll need to monitor your credit reports for other suspicious activity. In any case, save the copy of your notification letter as proof that your information was accessed in a data breach in case you need to prove that later on.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

O’Charley’s restaurant chain is the latest victim of a restaurant data breach, according to a report from the company. After one of their security tools alerted them to possible unauthorized activity, the company hired a cybersecurity firm to investigate. In early April, the firm discovered tampering within the company’s point-of-sale credit card machines in several of the restaurant’s locations.

There’s always the chance that a skimming film was installed in the machine by someone who had access to it, but due to the more widespread evidence of activity, it’s likely that hackers infiltrated the network and installed malware on the POS system. That means no one would have seen any signs of tampering, but every swipe of a credit card could provide customer data to the thieves.

So far, the only known data to have been accessed is cardholder names and credit card numbers, although in some locations only the credit card number from the magnetic stripe was compromised. Since there’s no evidence yet that identities were stolen or that any money has actually been lost by customers, the restaurant chain isn’t required to provide any kind of corrective or preventive action. For now, the company is simply urging customers who visited their stores in March or April of this year to monitor their accounts and their credit reports carefully.*

Restaurants are a prime target for this kind of theft, largely because patrons pay with their credit cards but typically cannot see the actual transaction take place. Customers have no way of knowing if their servers copied down their card information, if the POS machine has been tampered with or if hackers have installed malware on the network, or any other variation of credit card fraud. Late last year, one of the largest restaurant data breaches was discovered, with more than 300 restaurants, hotels, and casinos owned by Landry’s, Inc., suffering from a POS data breach.

Data breaches are just one of the reasons that more and more restaurants and patrons are turning to mobile payment apps that are specifically designed for the food service industry. There are already dozens of platforms to choose from, offering every form of convenience, including the option to split the check among your tablemates, automatically add a calculated tip, and pay right from your mobile wallet or PayPal account through your smartphone.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.


*To request copies of your credit report from the three major reporting agencies, contact:

Back in 2013, news of a data breach affecting a major retailer took consumers by surprise. Industry watchers, law enforcement, even legal teams had a vested interest in what went wrong, how the victims would recover, and how to prevent it in the future. Not long after, more retailers were hit, leading many experts to wonder if there was a connection.

Also during this time, federal government agencies were being hacked. Both the Office of Personnel Management (OPM) and the IRS—to name only two agencies—were breached, with the OPM actually being breached twice. Millions of Americans had their Social Security numbers and other identifying information stolen, and the number of fraudulent tax returns and identity theft reports has gone up.

For all the headlines that crop up when any major organization or corporation is hacked, the sad truth is that there are hundreds upon hundreds of data breaches each year. In fact, since the Identity Theft Resource Center first started keeping tabs on the numbers of data breaches in 2005, the number has grown almost every single year.

However, with the constant news of data breaches, are consumers losing sight of the threat? Are we becoming complacent, and seeing data breaches as just another 21st century fact of life? Hopefully not. In fact, it is important to know how a data breach occurs and what information is compromised in order to understand how you might be impacted.

Data breaches can be broken into two categories, accidental and intentional. An accidental breach is just what it sounds like: someone inadvertently made sensitive information available to unauthorized people. It could be something like the recent Hellgate High School breach in which a school administrator attached the wrong document to an email and sent more than 1,000 current and former students’ records to dozens of people. An accidental breach could also be something like a security flaw in a website that accidentally invites anyone in to take a peek at all of the employees’ or customers’ records. In either case, no harm was intended, but security was violated.

An intentional breach, though, happens when someone actively goes after information. Again, this can manifest in different ways. A high-tech cybercrime ring can hack into a network and steal thousands or even millions of sensitive records, typically with the goal of selling those complete identities on the dark web. A low-tech version might be an employee accessing sensitive information at work, copying it all down or downloading it, then using it or selling it to criminals.

In any data breach, regardless of how it came about or what the intended purpose was, the victims will receive a notification letter as required by law. The letter itself is critical since it will tell you exactly what information was compromised, what steps you should take to move forward, and what reparations the company may be offering to help safeguard you as much as possible. The letter also serves as a measure of proof that your identity has been compromised, in case you are affected by this crime further down the road. It’s important that victims of a data breach take it very seriously, follow those steps outlined in their notification letters, and then save the letter with other important papers.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

An unfortunate computer user mistake led to one school administrator resigning from her job and more than 1,000 people having very personal information inadvertently shared with dozens of people. Last December, a Montana high school assistant principal attached what she thought were meeting notes in an email to around thirty parents, but the attachment actually contained identifying data, medical records, discipline records, and even mental health data on more than one thousand current and former students of that school.

As in any data breach, one of the first steps is to figure out how the information leak happened. The Missoula County Public School District hired a forensic investigation firm to sort through the issue and make a determination. From what investigators pieced together, after collecting several school computers and conducting a search, the culprit was nothing more than an accidental “cut and paste”-type issue. The administrator may have thought she was cutting and pasting (or dragging and dropping, in other computer parlance) the meeting notes she’d typed up, but the resulting attachment was access to a file that school officials use throughout the work day.

Unfortunately, in this era of record-setting numbers of data breaches and high-tech cybercrimes that can cost billions of dollars, it is easy to forget that sometimes a simple user error can have the same result as a large-scale data breach. This is why CEO phishing is such an effective, costly, and growing form of data breach; more than 120 companies have been the victim of a CEO phishing attack in the first five months of 2016 alone, all due to an employee making a costly mistake. Over the last few years, other large-scale and widely publicized retail data breaches have occurred due to employee errors like clicking on scam links in emails, downloading harmful content over the company’s wi-fi, or failing to implement effective antivirus software.

Accidental data breaches, like the one that which occurred at Hellgate High School, often result in mixed emotions. On the one hand, it was an accident, pure and simple. However, at the same time, regardless of the intention, potentially damaging and confidential information was shared with people who had no right to it. That is why the aftermath of an incident like this one involves figuring out how to prevent this type of mistake in the future. It should also serve as a reminder to all citizens to be careful about what information they share with outsiders. Even without any malicious intent, your Social Security number, your medical profile, even your mental health status could end up in the wrong hands, so make sure that everyone you trust with that information is going to safeguard it, and actually needs it in the first place.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

Anyone who’s familiar with the popular “professional world” social media site LinkedIn has probably already heard the news of their data breach. Hackers reportedly gained unauthorized access to millions of user names and passwords; this is slightly more alarming than a typical credit card breach due to the fact that LinkedIn users are representing their professional lives on the site. The potential for harm to their businesses and their reputations is quite real.

Before anyone gets too worried, though, remember…this breach happened four years ago. But there have been new revelations about the data that was accessed in that breach. Data that was stolen back in 2012 has now appeared online for sale, meaning someone is still attempting to use and profit from the personal profiles.

This has prompted the company to urge its users to change their passwords again, just to be on the safe side. Again, it’s not a new breach, but rather a new use for old information. LinkedIn isn’t taking any chances, though, and they’ve emailed the affected users to remind them to take certain steps. The company has also said it’s a good idea for everyone to change their passwords, affected by the breach or not, just to be on the safe side.

There are two highly important takeaways from this whole situation. The first should actually be common sense: once a thief has stolen your information, it’s not a once-and-done deal. This is why Social Security numbers are so much more lucrative than credit card numbers, for example. Credit card numbers can be changed or even just expire on their own, but Social Security numbers can net a thief a big profit for years to come. If there is a way to use stolen information more than once, you can bet a thief will do it.

But the other very important truth in any situation like this is the potential for scams. Phishing emails have already begun to circulate, piggybacking off the headlines associated with the LinkedIn announcement. Recipients are being told to click the link to reset their passwords, which will undoubtedly install harmful software like viruses on their computers.

The genuine LinkedIn warning email contains no link. It simply offers an explanation as to what happened, and then lists the steps users should take. The first step is to go to LinkedIn.com on their own and change their passwords. Again, there is no “click here” link in the genuine email, mostly because you should never, ever click an unsolicited link that you receive. (It’s also fun to point out that the scammers in the phony LinkedIn emails aren’t even trying…they didn’t even capitalize the name of the company.)

Remember, anytime there are headlines for a major event—a natural disaster that leads to phony charity scams, a specific news story that expects the public to take action, or even reports of a data breach that urge consumers to be watchful of their accounts—scammers will do their best to take full advantage. Keep a close watch on your emails, social media messages, and other anonymous sources of communication in order to avoid being scammed.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

It would be a shame if consumers ever reached the point where news of a data breach did little more than raise eyebrows. But that’s the sad impact of having so many consumer records stolen by cybercriminals on a regular basis. Hopefully, news of this recent data breach will be more cause for alarm.

Investigators anticipate that more than 29,000 emergency room patient records were compromised in an apparent accidental data breach of Indiana University Health Arnett Hospital. The records, which were downloaded to a USB drive, contain names, addresses, personal information, and medical records for patients treated in the past year. It doesn’t appear as though Social Security numbers were impacted, but that remains to be seen given that many hospitals and medical offices still use SSNs as identification numbers and to run credit checks on patients.

According to Komando.com, the flash drive contained spreadsheets of the patient records, and the flash drive wasn’t encrypted or password protected. Another source also says that this information was limited to emergency room patients, and that the flash drive went missing from the emergency room’s office. Why the data was on a flash drive in the first place is also unknown, but the lack of security on it means that anyone with access to a computer can retrieve the information.

Unfortunately, the hospital had this to say: “Patient medical record information is kept on a secure server. This is not the standard method of storing patient data. Officials cannot be certain an incident will never occur, however, they are taking steps to minimize the chance of such an incident occurring in the future.” That means that the information should (in theory) have never been on the flash drive in the first place, especially if hospital policy is to keep that information on a secure server. It’s hard to believe the data appeared on a flash drive by mistake, and that it went missing for any reason other than a malicious one. At this time, however, the hospital has not received any complaints that patients’ information has been used without authorization.

So what are patients supposed to do? The hospital will be sending out letters to affected patients that explain exactly what information was compromised and what steps the hospital will be taking to protect patients. Anyone who receives such a letter should follow the instructions, and if credit monitoring is offered then those patients would be wise to take advantage of it.

This event should also serve as another eye-opening warning to patients who may not yet have been affected by a medical data breach—although, given the number of events per year and the enticing information that hacking a medical facility can produce for an identity thief, that number of people is shrinking every day. When you’re presented with a clipboard full of forms and a pen, ask yourself why the facility needs such detailed information, and then ask the employee what they plan to do with it. Inquire about the safety protocols of the facility, but also remember that those protocols are only as good as the employees who adhere to them. If you’re in doubt about the security of your information, remember that you’re not required to turn it over in order to receive emergency medical treatment.

Last summer’s widespread hacking of several major universities may be behind us, but the effects of knowing that prying eyes were able to infiltrate a secured network is unsettling. Unfortunately, those concerns have only been renewed for one university in the wake of a brand-new, seemingly unrelated data breach.

Investigators have linked last summer’s breach of a handful of University of Virginia faculty email accounts to Chinese hackers, but the latest data breach is far more alarming. Thanks to a phishing email that instructed the recipients to enter their university user names and passwords, more than 1,400 personnel payroll records have been accessed from UVA’s human resource department. While the details of the stolen information aren’t yet clear, payroll records typically include Social Security numbers and birthdates; since the university is providing a year of credit monitoring to the affected victims, it’s very likely that this level of information was compromised.

The days of students hacking into school computers to change their grades may seem long gone. At the same time, 1,400 payroll records are chump change compared to the extent of some notorious data breaches in the past. So what would make hackers go after college faculty members? Apart from the obvious potential for identity theft, there is always the possibility that the information gleaned on a university professor can lead to access to highly sensitive research, as well as the option to pose as that professor in communicating with other researchers to steal information.

Unfortunately, phishing email scams continue to be successful because of the very connected nature of our lives. Even five years ago, receiving an email with instructions to do something unheard of might not have worked, but with so much of our lives going digital, it’s all too easy to fall for a scammer’s tactics.

In order to avoid falling for a scam email, there are a few easy rules to follow. If you refuse to break these rules without verifying it first, you’ll be less likely to expose your entire network to a hacker:

  1. Even if the email looks legitimate, never click on a link or attachment if you weren’t expecting it. The account might appear to come from your family member, your co-worker, or even your employer, but as the UVA personnel hacking shows, a cyberthief can take over an email account and send a virus to everyone in that person’s email contact list.
  2. If you suddenly get an email from someone you haven’t heard from in ages—especially one that contains a link or an attachment—beware. The hacker who stole that person’s email account simply sent the same email to everyone in the contacts list or the sent mail history, which means he had no way of knowing you haven’t emailed this person in years.
  3. Watch out for odd language or poor grammar in an email, but remember that cyberthieves are getting more and more sophisticated. The laughable “Nigerian prince” emails with their “my dearest blessed one” greetings and strangely worded narratives are still out there, but serious hackers are getting better and better at masquerading as someone else.
  4. If you’re ever told that you sent a strange message, there’s an excellent chance your email address was hacked. Change your email password immediately, and monitor your online accounts for any strange

As a consumer, I think about how my information may still reside with a tax preparer or doctor that I have not done business with in 10 years, especially when I read stories of a data breach because of inactive customer information being stolen from an unsecure environment.

Businesses, especially small to medium-sized businesses, need to incorporate a formal document retention and destruction policy. Next, communicate your policy to employees so they understand their responsibility in safeguarding customer information, and to customers so that they have confidence in conducting business with you. High-profile data breach events are just one part of the identity-theft epidemic in the United States. Your past business relationships where your personal information resides is another high-risk factor.

For example, how many of you have worked for the same company your entire life? I suspect very few of you have had only one job. Think about all of the personal information we have left with our past employers including name, address, Social Security number, driver’s license and even bank account information (for direct deposit). And it’s not only past employers, but also their vendors, such as health insurance, dental insurance and supplemental insurance companies, along with payroll service and others where your personal information and even the personal information of your family have been used.

But there is more. Think of any past relationship, including every doctor, dentist, tax-preparation service, auto dealer, bank, school, mortgage broker, student loan servicer and any organization to which we have submitted personal information. Ask yourself, where is your sensitive information being stored today, how is it being secured, and what are the document retention and destruction policies of these organizations? A great resource for business owners is ARMA International, a non-profit professional association and authority on managing records and information. ARMA developed and published principles to foster general awareness of information governance standards.

You can learn more about ARMA’s “Generally Accepted Recordkeeping Principles,” which detail  how to properly retain information as organizations are creating and storing more information than ever before, mostly in electronic form. In addition to document retention, the shredding of documents containing sensitive employee and customer information has become a high priority because of identity theft, data breaches and stolen trade secrets and client information.

Here are some basic shredding tips that your business should include in its information security and governance best practices:

  • Documents destruction services: Choose a company that knows state and federal laws governing storage and destruction of documents. Important things to know include understanding the difference between hard copy document and electronic document requirements.
  • Choose the right shredder: A cross-cut shredder (versus a standard shredder that simply shreds documents into long horizontal strips, some so wide that you can still make out individual words) cuts the paper from two directions and makes it much harder for someone to reconstruct the document.
  • Document destruction compliance is the law: The state and federal regulatory environment regarding information security and governance, including document destruction will be enforced with fines and penalties that could negatively impact your business.

Mark’s most important: Identity theft and data breach can bring a business down. Review and update your document retention and destruction policy each year and communicate your policy to employees and customers.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.