With the tax return filing season fully here, identity thieves are ramping up their work in order to beat consumers to the punch. Two online filing companies—TaxSlayer and TaxAct—have already discovered that they were the victims of an outside data breach last fall, one that compromised the highly-sensitive personal identifiable information for many of their customers.

TaxAct was breached in November by unauthorized third-party hackers who accessed an estimated 450 clients’ records; this led the company to also suspend an additional 9,000 users’ accounts after it noticed suspicious activity. This week, TaxSlayer announced that it, too, has been the victim of a third-party data breach, but this time the thieves were more successful, making off with the complete 2014 tax returns of around 8,800 users. In that event, thieves were able to access anything that appears on a completed or draft tax return, including names, birthdates, Social Security numbers, and even dependents’ SSNs.

While there’s no information yet about whether the two hacking events are related, there is a striking similarity: in both cases, the companies’ own security controls were neither bypassed nor misconfigured. The hackers already had the customers’ user names and passwords, which the companies believe the thieves obtained from an outside online source.

Here are some vital steps to take if you’ve received a notification letter from either of these two companies:

  1. File immediately – Stopping an identity thief from stealing your refund is a race against the clock. Considering that this information was stolen between October and December of 2015, there’s an excellent chance that your tax return has already been filed fraudulently, but that’s no reason to throw in the towel. On the off chance that the thieves haven’t filed a return yet—or, less likely, that the hacking wasn’t aimed at tax refund fraud at all—it’s still possible that your 2015 return is safe.
  2. Change your user name and password – Your letter should have told you to change your user name and password on your tax prep account, but also on all of your other internet accounts. The hackers found your information on an external website and used it to break into your tax prep account; that means they may be going after your email, your online banking accounts, your credit card accounts, and more, especially if you’re using the same password repeatedly.
  3. Take advantage of the credit monitoring – As part of the notification process, your letter offered you a year of free credit monitoring and contained a PIN you would need in order to set that up with the contracted company. Do NOT disregard this offer! It’s crucial to helping you stay on top of any damage thieves may do with your information, and it also includes liability insurance that protects you from whatever they do with it.

Remember, you don’t have to receive a notification letter to take some of these steps. If you’ve used these or other tax preparation services in the past, it’s a good idea to change your username and password, just to be safe. Of course, filing immediately also means your return is safe if thieves have accessed your information in some other way, and it helps you get your refund faster.

Some current and former university students and staff may be in for a rude awakening when it comes to their personal identifiable information: it may have been compromised in a recent data breach of University of Central Florida servers.

The breach, which was discovered last month and immediately turned over to law enforcement, compromised the names, birthdates, Social Security numbers, and other pertinent information of 63,000 people who had ties to the university. The University has mailed out notification letters to individuals who were affected by the breach, and did note that no grades, credit card numbers, or scholarship details were impacted. Interestingly, there seem to have been two key groups affected by the event: one was current and former student athletes, and the other was University employees.

This is the latest in a growing list of data breaches at colleges and universities, and there may be multiple reasons—related or not—as to why hackers are going after schools. First, higher education institutions conduct a lot of research, some of it paid for by government agencies, pharmaceutical companies, and other corporations. Access to this research can be highly sought after since it has a lot of value to other researchers or companies, especially where patents, intellectual property, and occasionally even top secret data are concerned.

Another possibility is the “clean slate” approach to stealing young people’s identities. Given that many of the targets were college students, the use of their Social Security numbers to obtain credit is plausible, as opposed to trying to buy a car with a six-year-old’s identity, for example. Additionally, it provides clean credit to use without the already-established debt and the likelihood of discovery that adults’ identities can carry.

Whatever the hackers’ purposes in breaching the university’s servers, it’s vital that all students and employees at UCF change their passwords immediately. It’s unlikely that the hackers only stole 63,000 records and then stopped because they were unable to access more; changing school-issued passwords and protecting accounts that cross those servers is crucial.

In the case of the notification letters, it’s critical that the affected UCF community—and all consumers who receive a notification letter for any breach, by the way—follow the instructions in the letter completely. Depending on the type of information that was stolen, a notification letter offers important help. It informs the victims of what information was compromised, and may offer them free credit monitoring if things like Social Security numbers were stolen. In more dire circumstances, it can even serve as proof that you may have been the victim of identity theft; this can be very helpful if you ever need to prove your innocence of unauthorized charges, new accounts, or even criminal charges down the road.

One of the commonalities in any kind of data breach—no matter whom, no matter how big or small—is that consumers put their trust in someone and then that trust was violated. Whether it’s turning over your medical records to a hospital or entering your credit card information on a website, we have an expectation that the people in charge will protect us.

Unfortunately, all too often, that trust can be a little misplaced. In this report from a Texas-based news team, even in accidental data breaches consumers have little to no recourse when the people in charge of their identifying information aren’t worthy of controlling it.

As the article states, the Dallas-Ft. Worth CBS I-Team discovered a public records website for Dallas County that contained the names, addresses, phone numbers, Social Security numbers, and more for thousands of area residents. Worse still, this website was maintained by the county courthouse and contained this information on anyone who’d filed court proceedings going back over a decade. In many instances, even children’s identifying information was listed for the entire internet to access.

The story only gets worse, however. The I-Team reached out to the courthouse and was directed to the circuit clerk, who was the only one with the authority to take down the website. The initial clerk response was one of dismay, and the news outlet decided not to immediately make this story public out of fears that identity thieves would flood the system to get the data.

Later, the circuit clerk felt that the danger to the citizens was less imminent than the difficulty the court system faced if the website was taken down. For months, the news team worked to get the site taken down, taking the matter all the way to the Texas State Supreme Court. In every instance along the way they were told that the only person who could remove the site was the circuit clerk.

One person held all of the authority to protect or compromise tens of thousands of people’s identities, and for more than six months after calling attention to the issue the citizens’ information was still readily available. Lawyers, judges, and court officials at every level were horrified by the data that was ripe for any identity thief to take, but nothing could be done to remove it without the clerk’s approval.

Luckily, the nightmare has now ended and the county website uses a new database provider that requires personal information to log in, as well as a fee to use the site. That should go a long way towards stopping identity thieves from sifting through the publicly available data. But this should also serve as another eye-opening event in the ongoing fight against data breaches and identity theft.

One of the most important things any citizen can do to protect his or her identity is to ask important questions about where the data will go and how it will be protected. Even the clerk in question had no idea that the data was available for everyone, and she was in full agreement that something had to be done. She simply reacted to the potential delay of court proceedings instead of the citizens’ security.

There are times that your sensitive data is required, such as in a court filing. But too often, we provide our data to people who don’t actually need it, like a doctor’s office or our children’s schools. Any time you’re expected to turn over your personal identifiable information, inquire about security. Don’t wait for an investigative news team to tackle the issue, and if your sensitive information isn’t absolutely required, then don’t hand it over.

Once upon a time, the content of phishing emails was amusing, if not downright bizarre. These emails included odd stories about deposed royalty from far-off countries, people who barely managed to escape with their lives… and their billions of dollars.

For some inexplicable reason, they couldn’t get the money out of the country themselves, so in exchange for letting them deposit the money into your account (they’re outrunning the coup, but have time to stop off at the bank and transfer the money to you), they would let you keep a lot of it for your trouble.

The so-called Nigerian prince emails—nicknamed that due to the typical story involving Nigerian royalty—have now worked their way into urban legend and pop culture. But what happens when the email isn’t so funny, and the consequences for following through with the instructions are life-altering for a lot of people?

That’s exactly what happened to the employees at popular social media site Snapchat. Unfortunately, an employee received a phishing email, one that even some of the most scam-aware people might not immediately recognize. Instead of Nigerian princes and unbelievable offers of shared millions, the email appeared to come from the company CEO, and the request wasn’t all that outrageous…just forward him the payroll information for all of the employees. It’s easy to understand why, especially here at tax time, an executive of a relatively small company might need that information.

While Snapchat was very quick to point out that its users’ information was not accessed in this breach, their employees’ identities have now been compromised. Unfortunately, even the most heartfelt apology from the company won’t undo that, although they will receive two years of free credit monitoring, more than most corporations provide to employees or customers following a data breach.

There is a silver lining in this event, although it’s slight: when large-scale data breaches like this one first began to make headlines, the timeline was often far longer. A breach that happened over a long period of time might not even get noticed until months afterwards, and then another long stretch of time passed while the company investigated the extent of the breach, usually before ever alerting the authorities or the customers. In this event, the FBI was called four hours after the email was sent to the criminal masquerading as the CEO. If any good can be said to come from this, it serves as an example to other companies of how to handle a breach or hacking event quickly, and it speaks to the need for even more in-depth training and awareness of security threats.

So what could the employees have done to prevent their information from being shared with an identity thief? Literally nothing. They were required to turn over their information in order to be employed, so withholding personal identifiable information wouldn’t have applied in this instance, at least not in the way the public is warned never to share their Social Security numbers with schools or medical offices, for example. They also were not aware of the phishing attack, so they couldn’t have prevented that, either.

What employees in every industry and field can do, however, is to make sure their companies are providing training on data breaches, hacking attempts, phishing attacks, and more. Speak up by alerting your supervisors to the need for security protocols and up-to-date, periodic security training. The only things that could have prevented this breach are better awareness of the threats and a company policy about seeking verification before fulfilling an exceptional request, and those are avenues that Snapchat has promised to explore moving forward.

In a case that is almost too mind-boggling to be true, the Department of Veterans Affairs sent an email to a citizen in Wisconsin last April that contained the names and complete identifying information (including Social Security numbers) for hundreds of veterans within the state.

The spreadsheet with the information was unsolicited, and was immediately reported. How did such an important document as that list make it past the government’s security filters? A punctuation error.

Currently, the VA’s software blocks outgoing emails that contain SSNs that have been separated by a dash, as in “123-45-6789.” In order to send this information to someone across the VA’s email servers, a password is required. But in the case of the unsolicited file that was sent to a Wisconsin man, the SSNs were written as “123456789,” since the file number for veterans who’ve served from the Vietnam War forward is an SSN that doesn’t contain the dashes. No dashes means no software security protection, and therefore the file was emailed out across the server.

A news channel in the state began its own investigation, and started by “asking six people located around the state of Wisconsin with VA.gov email addresses to send emails from that account to their personal or work email addresses including the words ‘Social Security Number’ and a ‘123456789’ sequence…When it was sent without dashes, each time, the email went through unabated. When the dashes were included, the sender received a ‘Message Blocked’ message from the VA.gov server that included a directive to either ‘remove the SSN or encrypt the email’ if they wanted it to go through.”
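The gap described above is a classic data-loss-prevention mistake: the outbound filter matched only the dashed form of an SSN, so the undashed nine-digit form used as a veteran file number sailed through. The following is an added illustration, not code from the VA or the news channel, of a dashed-only pattern beside a corrected one. The corrected version also applies the structural rules for issued SSNs (no all-zero field, no 666 or 900–999 area number) and looks for nearby wording such as “Social Security” or “file number”, which keeps ordinary nine-digit order or tracking numbers from blocking every message. The sample messages and numbers are constructed.

```python
import re

# Pattern that behaves like the filter described above: only the dashed form matches.
DASHED_ONLY = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Corrected pattern: the separators are optional, so "123456789", "123 45 6789"
# and "123-45-6789" are all caught.
ANY_FORMAT = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Wording that, near a nine-digit number, makes an SSN reading far more likely.
CONTEXT = re.compile(r"\b(ssn|social security|file number)\b", re.IGNORECASE)


def is_plausible_ssn(area, group, serial):
    """Structural rules for issued SSNs: no all-zero field, no 666 or 900-999 area."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def legacy_filter(text):
    """Block only when a dashed SSN is present (the behaviour that let the file through)."""
    return DASHED_ONLY.search(text) is not None


def improved_filter(text):
    """Return 'block', 'review' or 'allow'.

    Dashed SSNs always block. An undashed nine-digit number that passes the
    structural check blocks when SSN wording is nearby and is otherwise queued
    for human review, so order numbers and tracking codes do not trip the
    filter on every message.
    """
    if DASHED_ONLY.search(text):
        return "block"
    plausible = [m for m in ANY_FORMAT.finditer(text) if is_plausible_ssn(*m.groups())]
    if not plausible:
        return "allow"
    return "block" if CONTEXT.search(text) else "review"


# Constructed sample messages; the numbers are made up and chosen to exercise each rule.
SAMPLES = [
    "Social Security Number: 123-45-6789",        # dashed: both filters block
    "Veteran file number: 123456789",             # undashed + wording: only the fix blocks
    "Tracking 555123456 shipped this morning",    # undashed, no wording: review
    "Invoice ref 987654321 attached",             # 9xx area is never issued: allow
    "Call 800-555-0199 for help",                 # phone number: allow
]


def run_demo():
    """Compare both policies over the samples; returns {message: (legacy, improved)}."""
    results = {}
    for line in SAMPLES:
        results[line] = ("block" if legacy_filter(line) else "allow", improved_filter(line))
    return results


if __name__ == "__main__":
    for line, (legacy, improved) in run_demo().items():
        print(f"{legacy:>5} -> {improved:<6} {line}")
```

Running the script shows the second sample, the undashed veteran file number, passing the legacy filter and being blocked by the corrected one, while the phone number and the never-issued 9xx number pass both.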

The incident was first reported on in April 2015, and state and federal officials moved quickly to demand answers from the VA. At that time, a November 11th deadline was given for the administration to provide answers, and several stakeholders are still awaiting answers.

Wisconsin senator Tammy Baldwin is one such stakeholder, and she’s taking the issue further by introducing legislation in Congress that will put a stop to the use of Social Security numbers as identification numbers for veterans. Baldwin and her co-sponsors on both the legislation and a letter to the VA’s Inspector General are concerned that this issue isn’t limited to Wisconsin, as the VA initially indicated, but that it has the potential to affect the 22 million veterans currently living around the country.

Anyone can be a victim of identity theft, anyone can use our services and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

In late January, Krebs on Security reported on a data breach that apparently affected some Wendy’s restaurant locations, seemingly all located in the Midwest. The breach is believed to have affected the POS payment mechanisms in stores, as a number of financial institutions have reported suspicious card activity on their customers’ debit cards following visits to certain Wendy’s locations.  Apparently? Seemingly? Suspicious? Where are the details of the data breach?

No one is quite certain yet, as Wendy’s corporate office isn’t disclosing any of the details of their investigation, despite the fact that the compromised card activity is thought to have started as long ago as December of last year. While that is a relatively short time period for data breach reporting compared to just a few years ago, the current understanding of hacking events and identity theft threats means companies typically react more swiftly in these incidents. For example, in last month’s Snapchat data breach, company executives disclosed the event to the FBI four hours after it was discovered.

While a data breach and a lengthy wait period before being informed might seem frustrating to consumers, it’s nothing compared to the headaches it can cause for financial institutions. In the case of the Wendy’s breach, the banks and credit unions have just as little information as consumers. When you consider that it’s the banks who have to shoulder a significant financial burden in a data breach for things like replacing customers’ cards with new ones and for the unauthorized charges that consumers aren’t responsible for, it’s no small matter. They want to know how far this has spread, how many more of their customers may be affected, and what the overall impact will be to their bottom line, but so far they don’t have those answers.

For now, there is only speculation about the damage, and it’s not good news. Some agencies who’ve been monitoring the situation have predicted that the overall cost to the issuing banks and credit cards will be even larger than that of the Home Depot data breach, and one credit union has already seen a 34% increase in fraudulent charges on its debit cards. Another bank CEO has anonymously stated that he expects the cost to the financial institutions to be five to ten times higher than what it cost them following the Target data breach in 2013.


Spoofing, phishing, spearphishing, boss phishing…the latest trend in data breaches may fall into a number of different categories, but it has something that other methods don’t have: it’s almost certain that the victim will fall for it. Why? Because his job could depend on it.

Here’s a better explanation. Many industry watchers and consumers are already familiar with the concepts of spoofing and phishing. A spoof email pretends to come from a known company or individual, such as an email that looks like it came from PayPal, telling you to click here to update your account. A phishing attempt entices you to click a link, make a payment, or take some other action that benefits the scammer; these could be as simple as stating your account profile has to be updated or as involved as getting you to wire money to someone.

Either way, both of these types of scams trick you into doing something the scammer wants. And with more and more awareness of these types of attacks, they’re easier to spot and ignore.

But the newest wave of attacks to hit companies both big and small combines these two styles of scam. Recipients get an email from a boss, supervisor, or even a company CEO, instructing them to hand over a password, change an account number, or send over all of the identifying information for the company’s employees. Since the email was spoofed to appear as though it came from the boss, the recipient does as he’s instructed.

The recent boss phishing attacks that affected Snapchat, Evening Post Industries, AmeriPride Services, Main Line Health, and several more were unlike the typical “Nigerian prince” emails that so many of us are used to receiving. The language in these emails is very standard and businesslike, and the requests are plausible. For example, asking a payroll employee to send over all of the company’s W2 forms to the boss, which recently happened to Snapchat, seems like a very likely request at this time of year. Even worse, the email appears to come from the person requesting it, so the instructions are less likely to be questioned.

While you may not be able to prevent an employee from falling for this type of scam and sending your stored information to an identity thief or scammer, there are some things you can do to keep your company safe. If you ever receive any request—logical or otherwise—to send highly sensitive data to someone who requests it, remember these two steps:

  • Verify it with the person who requested it using the company-approved contact – Experts have long warned to hang up on any caller who asks you to make a payment over the phone or verify your identity by providing detailed information. Then, if you’re concerned there might actually be a problem with your account, you’re supposed to call the company back using a phone number that you verified. The same is true of boss phishing. If your supervisor emails you to send over any sensitive information or records, use an established contact method like a company inter-office messaging system or the telephone to verify that the request is genuine.
  • Use a new email – Don’t hit Reply to this type of message. If you’re copy/pasting or attaching highly sensitive information, even if you verified it, it’s a good idea to initiate a new email with an approved email address. In the case of a boss phishing scam, hitting Reply would be sending the information back to the scammer who spoofed the boss’ account, but sending the information from a new email message would send it over to the legitimate contact.

It’s important to note that there’s a difference between spoofing the boss’ email account and actually taking it over. If the supervisor or CEO’s email account was actually hacked, then even a new email message would end up in the scammer’s hands. That’s why verifying the request (preferably through another means other than email) is a safe bet. If you call the boss and he knows nothing of the information request, there’s an excellent chance his email account was actually infiltrated instead of just spoofed.


When patients are undergoing treatment for potentially life-threatening illnesses, the last thing they need to worry about is identity theft. Unfortunately, that’s no longer the case for 2.2 million individuals whose identifying information was stolen in a breach of 21st Century Oncology.

The FBI recently informed the Florida-based medical center that a database of their records—including Social Security numbers for their patients—had been accessed by an unauthorized third-party. Hospitals, doctors’ offices, and medical centers seem to be a hot commodity for hackers, and it’s not hard to see why.

Anyone who’s ever been handed a clipboard full of forms to fill out knows that those locations collect a high volume of information on their patients, as well as the patients’ spouses or parents if those individuals are responsible for paying the medical bills. Also, given that patients also supply their insurance information—which was stolen in this data breach as well—the sheer volume of information on patients and their family members makes it very easy to steal their identities.

There are three crucial things to take away from this event:

  1. The oncology center itself wasn’t aware of the breach until the FBI noted it months after it occurred. That means the patients’ identities could very well have already been stolen and used illegally, long before anyone even discovered it. That’s why it’s essential for all consumers to treat their identities as if identity theft might have already occurred; monitor your credit reports routinely in order to be on the lookout for any suspicious activity. One way to get an ongoing look at your credit is to space apart your reports. All consumers are entitled to one free report each year from each of the three credit reporting agencies. If you routinely order one report in January, a different report in May, and another report in September, you will get a more complete look at your credit report than if you order the reports all at the same time.
  2. If you receive a notification letter informing you of a data breach or hacking event, it’s critical that you take it seriously and follow the instructions in the letter. If the nature of the event was so severe—meaning the type of information thieves stole—that you’re offered free credit monitoring, don’t throw away that letter! The letter will contain the contact information and the PIN you will need to sign up for the service. The letter also serves as proof that your identity has been compromised, which could be useful if the thief actually uses your identity. While you would not be responsible for financial charges that are discovered early enough, there are many other ways that identity theft can hurt you: for example, criminal identity theft, in which the thief has provided your name and information at the time of arrest; benefits fraud, in which the thief applies for benefits in your name (thereby defrauding the government); and more. Your notification letter serves as a layer of proof that someone else had access to your identity.
  3. Finally, data breaches—especially of medical centers—should serve as a warning about the need to safeguard your information more carefully. Do not simply hand over your personal identifiable information just because a form on a clipboard asks for it. In many cases, there is minimal need for your doctor to have your Social Security number, and it’s actually not allowed to be used as an identification number. Be mindful of the places you share that single detail with (as well as other identifiers, like your mother’s maiden name or the town where you were born), and refuse to turn it over if they cannot demonstrate a clear need for it.


Financial aid is a crucial part of the college application process, and for many students that means filling out countless applications for scholarships, grants, and loans. Unfortunately, one of the inherent requirements for requesting large amounts of education money is the release of highly sensitive, personal identifying information.

Nearly two thousand people were informed this week that their applications for college aid from the Lakes Region Scholarship Foundation may have been accessed by an unauthorized person. The information that was possibly compromised includes names, addresses, birth dates, Social Security numbers, and more. As bad as data breaches are, the sad truth to this breach is that it dates back to applications from as far back as 1996 and extends to those submitted through 2009.

But there is an interesting twist to this story, and it’s a shining example of what can happen when an individual is up-to-date on the latest hacking attempts and internet scams. The entire incident came about because an employee at the Foundation received a phone call from an individual who claimed to be an IT professional. The caller stated that the Foundation’s network had been compromised. The employee had just had a pop-up message appear on the computer screen as well, informing them of a potential threat.

Unfortunately, the caller was granted access to the network in order to see if the system was indeed compromised. When the caller said they’d discovered the threat and could remove it for several hundred dollars, the employee immediately recognized a scam. They hung up the phone, shut down and disconnected the computers, and alerted the IT department.

This quick reaction may have prevented a data breach, but the Foundation isn’t taking any chances. While it appears as though the scammer was simply looking for a quick buck for “cleaning” the network, the experts the Foundation called for help did discover a program designed to harvest information at a later time. They were able to remove that program and are certain that no financial information or electronic funds were accessed; however, they can’t be positive that the scammer didn’t access the scholarship applicants’ records.

A notification letter has been sent to all of the applicants whose information was stored on the server, alerting them to the possibility that their information was accessed. This step is simply to encourage them to monitor their credit reports carefully for signs of any suspicious activity.


When news of a data breach emerges, victims are warned about the potential for identity theft and related crimes. But every so often, the data breach is only discovered because identity theft has already happened. That was the case for Tidewater Community College (TCC), which had over three thousand employees’ complete employment profiles—with Social Security numbers, birthdates, and other identifiable information—accessed by an unauthorized person.

After a number of employees had filed their tax returns this year, only to be told by the IRS that a return had already been filed with their identifying information, the pieces of the puzzle began to fall into place. What had initially been thought of as a coincidence finally led to uncovering the crime.

Tidewater Community College had been the victim of a CEO phishing scam.

CEO phishing, also called “boss phishing,” occurs when someone sends an email that appears to come from the boss’ email account, requesting key information. This information could be employee records, customer credit card information, account numbers and passwords, or other sensitive data. In the case of TCC, someone masquerading as an executive requested the W2 forms for all of the college’s current and former employees; anyone who had received a W2 from the school for 2015 was affected.

There isn’t a lot you can do to keep your information from falling into the wrong hands if someone else falls for a CEO phishing scam. But there is plenty you can do towards keeping this growing threat from happening in your workplace. By raising awareness of the danger and by asking your company to make prevention part of the company’s computer use policy, you can help protect yourself, your co-workers, and your company’s customers.

The first step is to ensure that no sensitive information is passed along through the company without verbal verification—not even to the CEO, as companies like Snapchat have fallen victim to emails that appeared to come from the founder himself. If you receive an email telling you to send over sensitive information, just pick up the phone and confirm it. If the request was not authentic, then you would know that someone has spoofed the CEO’s email address, or compromised the company’s email system to do so.

Second, make it a routine habit to only send sensitive information in a brand-new email instead of hitting reply. If the boss’ email was spoofed (copied instead of actually hacked), then clicking reply will send the information back to the scammer. This step won’t necessarily help if the scammer has actually hacked the supervisor’s email account, so make sure to get that verification first.
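The two habits above (verify sensitive requests out of band, and never hit Reply when sending sensitive data) can be backed by a simple header check, because a spoofed message usually differs from a genuine one in where a reply would actually go. The following is an added example, not code from the ITRC or from any of the companies named in this post, and it serves both this passage and the earlier two-step list on boss phishing. It assumes a company domain of example.com and uses constructed messages with placeholder names and addresses; it reads the Reply-To header (which mail clients honour over From when you press Reply), flags senders and reply targets outside the company, and separately flags requests for W-2, payroll or similar records so they are routed to verbal confirmation even when the headers look fine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain; a real deployment would read this from configuration.
COMPANY_DOMAIN = "example.com"

# Wording that marks a request as sensitive enough to need out-of-band confirmation.
SENSITIVE = re.compile(r"\b(w-?2s?|payroll|social security|ssn|wire|password)\b", re.IGNORECASE)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def reply_target_of(raw):
    """Address a mail client uses when you press Reply: Reply-To wins over From."""
    msg = message_from_string(raw)
    header = msg.get("Reply-To") or msg.get("From", "")
    return parseaddr(header)[1].lower()


def header_anomalies(raw):
    """Signs that the boss's address is spoofed or that a reply would leave the company."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    target = reply_target_of(raw)
    findings = []
    if domain_of(from_addr) != COMPANY_DOMAIN:
        findings.append(f"From address {from_addr} is outside {COMPANY_DOMAIN}")
    if target != from_addr:
        findings.append(f"Reply would go to {target}, not to {from_addr}")
    if domain_of(target) != COMPANY_DOMAIN:
        findings.append(f"Reply target {target} is outside {COMPANY_DOMAIN}")
    return findings


def decide(raw):
    """Apply the two habits from the text: never trust Reply, and verify sensitive requests."""
    if header_anomalies(raw):
        return "treat as phishing"
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if SENSITIVE.search(msg.get("Subject", "") + " " + body):
        return "verify out of band before sending"
    return "normal"


# Constructed messages; names, addresses and domains are placeholders.
SPOOFED = """From: "Pat Lee (CEO)" <ceo@example.com>
Reply-To: "Pat Lee" <ceo@example.net>
To: payroll@example.com
Subject: Urgent: employee W-2 forms

Please send me the W-2 forms for all current and former employees today.
"""

LOOKALIKE = """From: "Pat Lee (CEO)" <pat.lee@example.org>
To: payroll@example.com
Subject: Payroll export

I need the payroll export for every employee before the board meeting.
"""

GENUINE_SENSITIVE = """From: "Pat Lee (CEO)" <ceo@example.com>
To: payroll@example.com
Subject: W-2 forms

Can you send me the W-2 forms for the finance team?
"""

ROUTINE = """From: "Pat Lee (CEO)" <ceo@example.com>
To: payroll@example.com
Subject: Lunch

Are you free at noon?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE),
                      ("genuine", GENUINE_SENSITIVE), ("routine", ROUTINE)]:
        print(f"{name:<10} reply goes to {reply_target_of(raw):<22} -> {decide(raw)}")
        for finding in header_anomalies(raw):
            print("           ", finding)
```

The first message is the case the text warns about: the From line shows the boss's real address, but a reply would go to ceo@example.net, so hitting Reply would hand the records to the scammer. The genuine request still lands in the "verify out of band" bucket, which is deliberate: as the text notes, a fully hijacked account produces clean headers, and only a phone call catches that.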
