Cybersecurity firm Trustwave provides an invaluable public service each year when it releases its annual report on data breach activity. This report, the 2015 Trustwave Global Security Report, examines the ways hacking attempts and data breaches were perpetrated, which sectors of industry are hit the hardest, and even the corporate and consumer behaviors that lead to data compromise. (Did you know that “Password1” is still the most commonly used password?)

The 2015 report, which was released in June, examined the incidents that Trustwave was asked to investigate last year. Key findings of their research include:

  • 43% of the incidents were in the retail industry, followed by 13% for the food and beverage industry and 12% for the hospitality industry.
  • Half of the incidents that they investigated took place in the United States.
  • In 31% of cases, hackers were after payment card track data (the data encoded on the card itself, such as the three-digit code on the back, needed for an in-person transaction).
  • In 20% of the cases, attackers were after financial credentials or proprietary information like payment details.

There were two shocking highlights concerning both consumers’ and hackers’ behaviors, though. In the first instance, 81% of the victims did not discover on their own that they’d been hacked. Trustwave went on to reveal that self-examination vastly speeds up the time to response: in cases where a company discovers the breach through its own monitoring, there are usually about two weeks between the incident occurring and the company putting a stop to it, but in cases where companies are not running self-checks and uncovering suspicious behaviors, the average time between the breach and containment is over 150 days.

As for the hackers, Trustwave has revealed a crucial statistic for understanding why hacking events and data breaches are on the rise: the payout they provide for the criminals. In other words, why do they do it? The answer is, quite simply, because it works.

According to the report, “Attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment).” For very little financial investment and even less investment in manpower, hackers can make significant gains, largely thanks to the fact that businesses and consumers are doing their work for them. Weak security protocols, outdated POS systems, failure to recognize malicious spam emails, and useless passwords all offer thieves the opportunity to waltz right in and make some serious money.

So what should we do with this information now? According to Trustwave’s chairman, we must learn from it and adjust the way we do business.

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 return on investment.”

To view the full 2015 Trustwave Global Security Report, go to https://www.trustwave.com/GSR

Data breaches and identity theft are becoming so prevalent that some industry experts have said they’re inevitable, and that identity theft is basically unavoidable. The good news is there are steps consumers can take to minimize the chances of becoming victims of data breaches or identity theft, but the bad news is those types of crimes don’t only affect your information or even your finances.

In some cases, the consequences of a data breach can actually be deadly. That is, if the entity that was infiltrated is a part of the health care industry. While major health insurance providers like Anthem have already been the victims of data breaches, individual health care systems like the UCLA Health System are also prime targets for hackers. Medical offices, hospitals, and insurance providers are notorious for collecting copious amounts of information on their patients and storing it in centralized computers. Many systems and offices also use outside billing contractors, and research has already shown that in the majority of data breaches, the culprit—intentionally or accidentally—is a third-party vendor or contractor.

UCLA Health System is just the latest in a long line of medical data breaches. In that instance, hackers are believed to have gained access to around 4.5 million patients’ names, addresses, Social Security numbers, health records, and more. The breach is thought to have started in September 2014, and allowed hackers to access this unencrypted information.

But how does that affect patients’ health? Unfortunately, this is a case where you almost hope the hackers just want to steal your financial identity. If they’re able to sell the data to people in order to commit medical identity theft and fraud, then that will allow people to use the stolen information to gain access to healthcare.

The frightening worst-case scenario would involve something like this: a thief goes to the hospital for treatment using your name, insurance information, and more. Doctors discover he’s diabetic, and he’s put on a treatment regimen that includes insulin. Your medical records now not only indicate that you have diabetes (and could be treated as such in an emergency if you can’t confirm that it’s not true), but they also indicate you’re taking insulin. This could cause a host of problems, not the least of which are of a dire nature. It’s also possible that a pharmacy or insurance company would deny you a different medication or treatment option due to “red flags” about how that option would interact with insulin or diabetes.

Of course, that is an overly alarming thought, but the more likely circumstance is of a far more annoying nature. Where there are laws in place that cover an identity theft victim following a financial issue like credit card fraud, those protections aren’t necessarily in place yet for medical identity theft. One article indicated that most victims of financial fraud are responsible for around $50 in charges, if any charges at all. However, “the majority of victims of medical identity theft paid an average of $13,500 to resolve the crime.” Compounded with our strict privacy laws in this country where health care is concerned, it can be difficult to resolve medical identity theft.

As with all data breach and identity theft issues, the best option for now is to prevent a thief from getting as much of your information as possible. While you can’t personally prevent hackers from breaking into the computer network of a major medical center, you can certainly limit the amount of information a thief would find under your name. You are not required to provide your Social Security number to a medical office, for example, and many offices have been found to ask for it without even knowing why they collect it. You can also read over all insurance statements carefully—not just the box that tells you how much you owe—to make sure someone isn’t already using your information without your knowledge.

News came out last week that CVS, the country’s second largest pharmacy chain, may have suffered a data breach of its photo uploading and printing website.

CVS Photo has had a message on its site since Friday that stated there was reason to believe a breach had occurred and that the site would be offline until the issue could be resolved. The message went on to reassure customers of the chain that this only applies to the photo site, not the main website or the physical stores, and to suggest that customers monitor their credit card or bank statements carefully for any suspicious activity.

Following any data breach, forensic experts work to uncover the root cause of the breach. In this case—and in so many others, like the now-famous Target data breach or the Goodwill breach—the weak link in the data protection chain appears to be a third-party company. In CVS Photo’s case, it’s believed to be PNI Digital Media, a Canadian company that handles the credit card transactions for the pharmacy’s photo uploading site.

Unfortunately, this isn’t the only instance in which PNI is believed to have been hacked. Walmart has already issued a warning that it, too, uses PNI’s services for its Canadian photo upload purchases and that it believes customers’ credit cards may have been accessed. Just like with CVS, though, Walmart assured customers that its US-based websites and main stores were not impacted.

Interestingly, in almost every major data breach, experts have traced the break in security to a third-party vendor. According to an article for Info Security Magazine by MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, “One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.”

Why are third parties such a lucrative target? They carry a lot of trust with the companies they contract with, and as such, often have access to avenues of infiltration that hackers need in order to catch the bigger fish. In the case of Target’s breach, for example, the third-party contractor the attackers used to get through the network was a heating, air conditioning, and refrigeration company in Pennsylvania. That same HVAC company has also reportedly done work for three other major retail chains in five states.

Unfortunately, as smaller companies with less manpower and tighter budgets than the corporations they’re contracting with, third-party vendors can also be something of a sitting duck when it comes to keeping sophisticated cyberattacks at bay. The amount of access the vendor has, combined with its lack of resources, means vendors often end up as the door through which hackers walk right in.

While this should hopefully serve as a warning to the security industry in general, it does mean that there’s not a lot consumers can do to avoid paying through a third-party vendor. Instead, the smarter course of action is to keep tabs on your information, which is always a necessity. Read your credit card and bank statements carefully before tossing them, and make sure you’re paying close attention to how you dispose of them.

For some time, the government has been working through the aftermath of the Office of Personnel Management hacking event that compromised the highly detailed, sensitive information of as many as 22 million people. In what experts are considering a separate data breach, the National Guard has announced its database has also been compromised.

The information that was inadvertently made accessible by a contract employee is believed to include names, addresses, Social Security numbers, birthdates, and more on “all current and former National Guard members” going back to 2004. It’s important to understand the reactions in this event, as well as the steps that individuals should take. This has been determined not to have been a hacking event, but falls instead into the category of what experts call an accidental internal data breach. The contract employee transferred the files containing the sensitive information to a non-accredited data center; there is no indication that anyone accessed the data or had malicious intent. It was simply a matter of the data center not having prior approval to receive that level of information.

No one has clarified yet if the file transfer was even requested by the data center or its employees. However, in this climate of data breaches and identity theft, the National Guard isn’t taking any chances. The affected individuals have been informed of the event, and a website and a call center have been set up that will let Guardsmen and Guard veterans check their credit reports, find identity theft prevention tips, and report any strange activity involving their private data.

The strange activity that affected victims should watch for (and this applies to anyone who’s ever been the victim of an intentional or accidental data breach) includes new lines of credit or new bank and credit card accounts, any signs of other employment being assigned to their Social Security numbers, medical bills or health insurance statements for treatment they never received, and even warrants for their arrest, should it go that far.

It’s also vital that anyone impacted by a data breach of any kind be watchful of their tax returns and file as early as possible in order to avoid being the victim of tax refund fraud next year. Anyone who’s already been a victim may also be eligible to place free alerts and freezes on their credit reports, which should prevent unauthorized people from opening new lines of credit.

Internal data breaches occur when an employee of a company or organization uses his or her position to gain access to individuals’ personal identifiable information. Typically, the reason for accessing and gathering the information is so the employee can then sell it to identity thieves or use it to open new accounts and make purchases in the victims’ names.

Sometimes these breaches are accidental, such as when an employee accidentally downloads malicious software to a company computer or loses a company laptop with sensitive information stored on it. Of course, intentional internal data breaches are also prevalent, and occur when the employee begins stealing identifying information from data the company has gathered.

One Florida-based telemarketing company has experienced an internal data breach that almost looks too easy. How? Because the company in question, Advanced Tech Support (operated by Inbound Call Experts), is actually a PC repair and tech support company that can gain remote access to your computer if you’re having an issue. This remote access lets someone on a different computer use your computer in real time, and the scammers needed that ability to pull this off.

The fraudsters, posing as employees of ATS, seem to have been using the remote access feature to sift through the customers’ computers for online banking information, and even contacting customers to say that they owed money to the company, which they would say could be paid via wire transfer. They had to have gained access to the customers’ contact information somehow, and that’s where the internal data breach comes into play.

You might think no one would fall for this, but there’s another angle to this story. Advanced Tech Support and a few other companies were sued last fall by the Federal Trade Commission for some shady practices, so the scammers reached out to customers to inform them they were owed a refund due to being overcharged for services, or due to the outcome of the class-action lawsuit. The fake employees told customers they would use the remote access feature to transfer the money back to the customer, but were instead trying to uncover stored sensitive information on the computer.

Making this story even more interesting is a warning that was posted on the ATS website, informing customers of the breach. It went on to state that the guilty party had been terminated, and that no credit card numbers had been accessed. However, this warning was removed after one news source contacted ATS directly to ask about the data breach.

While law enforcement can sort out the details of what has actually happened, there are some important things to remember about protecting yourself from this kind of scam:

  1. You will never be called out of the blue and sent an instant electronic funds transfer as part of a lawsuit settlement. These issues are handled via the postal system.
  2. Of course, electronic funds transfers also don’t require someone to access your computer.
  3. If you receive an unsolicited call from someone who wants remote access to your computer, hang up and call the company using a phone number that you’ve verified yourself—not a number the caller provided you with or one that was on your caller ID.
  4. If you’re ever in doubt about the veracity of the caller’s story, hang up. Even if the person states that an error has occurred—such as the overpayment ploy the scammers used in this case—you’re not required to respond or take action based on a phone call or email. Any legitimate correspondence will come through the mail so that you have a paper trail on the case.

Part of what made this breach work is the scammers were contacting people who already know very little about their computers… that’s why they had signed up for tech support packages with remote access in the first place. It didn’t take much to convince the victims to let them have access to the computer. It’s very important that you know how these issues really get resolved, and to listen to the little voice in your head telling you something might not be right.

Summer is here and though the kids may be on vacation, hackers certainly are not. According to the Identity Theft Resource Center’s Breach List and Data Report, data thieves have been working as hard as ever to get the personal identifying information of millions of Americans in 2015. Year-to-date, the 2015 ITRC Breach List has captured 400 breaches, spread across five industry sectors.

This weekly Data Breach Report is used by experts throughout the world to keep a finger on the pulse of the latest data breaches. During July’s #IDTheftChat, we will be taking a closer look at the ITRC Breach Report and providing insight into trends and important statistics from 2015, as well as past years. We will be joined by Byron Acohido, the Editor-in-Chief of Third Certainty, as our co-host. As an award-winning journalist and renowned security expert, Byron will be providing excellent insight and answers to participants’ questions.

This #IDTheftChat will take place at 12:00 pm PST / 3:00 pm EST on July 2nd 2015. Here are the questions for July’s chat:

  • What trends are you seeing in data breaches right now?
  • What are some concerns for businesses protecting their data?
  • What future trends in data breaches do you predict?
  • What should a business do if they have been breached?
  • What are some ways for a business to monitor if they have been breached?
  • What issues (financial, legal, etc) do businesses face if they are breached?
  • How can consumers monitor if their information has been stolen in a breach?
  • What should a consumer do if they receive a data breach notification?

In order to participate, users should follow the hashtag #IDTheftChat. Those who would like to participate can RSVP via online invitation. Anyone is welcome and we hope we will see consumers, businesses and organizations alike! Participants may find it helpful to participate through the #IDTheftChat TweetChat room, which can be found at http://www.tweetchat.com/room/IDTheftChat. Anyone who has questions should contact ITRC’s Director of Communications at nikki@idtheftcenter.org. We hope you will join the conversation and bring your friends!

When news came out that the Office of Personnel Management—the agency within the federal government that serves as the HR department over government employees—had been hacked and 4.2 million citizens had their highly sensitive data stolen, that was cause for alarm. But now that the OPM has been hacked again, the damage is quite different.

The Standard Form 86, a highly in-depth, 127-page document, requires detailed information on every aspect of the applicant’s life. Covering everything from education and previous employment to medical conditions, addictions, and mental health issues, this form basically lays everything about the applicant out for others to see.

Unfortunately, the form also asks for contact information for relatives and friends, former teachers, former military service supervisors, former employers, and many other people who can vouch for the applicant. The form then requests the phone numbers, addresses, email addresses, and other identifying items for those individuals that were listed on the document.

That means that any applicant who has applied for a security clearance via this form has now handed the hackers detailed identifying information about many other people. If even half of the four million accounts that were hacked filled out this form and applied for a security clearance, and if those people listed only ten contacts each over the scope of the lengthy form, then the contact information for as many as twenty million people could have been breached. It is not yet known how many additional contacts were affected.

It’s tempting to think to yourself, “So what? It’s just some phone numbers and email addresses.” But there are some problems associated with even that amount of information falling into the wrong hands. The first threat is that the personal data can be used as pieces of a bigger puzzle in terms of identity theft. Next, there is the very real danger of those contacts being targeted with phishing emails or having their information sold to crooks. Finally, there’s the fear that the contact information will be used for extortion; after all, these are people the applicants knew well enough to list on their documents. It’s easy to see how a criminal could reach out to those individuals and demand money in exchange for keeping real or fictitious harm from coming to the applicants.

While the OPM isn’t able to comment on the breaches as an investigation is still underway, there are some things you should remember at this time. You may not even know if your name was listed on someone’s Form 86; after all, it asks for the names of former landlords, former teachers and classmates, and more. Therefore, now is the time to brush up on phishing awareness and avoid any strange emails, texts, or unknown phone calls. Never click a link in an email that you weren’t expecting, even if it appears to come from someone you know. If you receive a communication stating that someone you know is being threatened, be sure to confirm it before taking action or following instructions. Safeguard your avenues of communication, and be on the lookout for suspicious activity.

Another week, another breach. That is how it seems these days. However, even once a breach has left the headlines, consumers need to keep their guard up because scammers and identity thieves don’t just stop with their initial stolen goods.

People often wonder what happens to consumers’ data following reports of a major breach like the Anthem health insurance breach or the Home Depot breach. With millions of customers’ information potentially floating around, what happens to it?

The IRS might have just found out.

The government agency reported a hacking event recently that seems to have come from bulk access to a lot of consumers’ information. To clarify, the IRS wasn’t “infiltrated” in the traditional sense that we think of when hackers break into a company’s network; instead, the thieves already had the necessary information to log into the stored records of approximately 100,000 citizens, browse through their tax return status, and then do further harm. Another 100,000 citizens had such access attempted, but the hackers were not successful in those cases.

For those victims whose tax returns were actually breached by the hackers, the threat initially involved stealing the tax refunds of people who were still awaiting their payments. There is now an increased likelihood of follow-up scams for those individuals, such as contacting the victims while posing as an agent of the IRS. Such contact typically involves claiming that returns were invalid, stating that more taxes were owed, or even simply saying that there had been a hacking and they need to update their credentials. However the contact is made, it’s all designed to steal personal identifiable information from the victims while duping them into paying more money.

For now, the IRS is warning consumers to be on guard against fraudulent communications from scammers who pose as IRS agents. Those whose returns were actually accessed will be offered credit monitoring services, but the one hundred thousand consumers whose returns were attacked but not infiltrated are being warned that someone already has their information and is selling it on the black market. They must guard against future identity theft attempts by being vigilant about their data protection and monitoring their credit reports frequently. All consumers, whether their tax information was accessed or not, must remember that the IRS will never send communication via email or phone call; all official correspondence from the IRS will come in the form of a mailed letter, and any other forms of communication are not genuine.

Back in 2008, Heartland Payment Systems, a credit card payment processing center, suffered a data breach that exposed an estimated 130 million credit and debit card accounts to hackers. While this event was certainly a big deal at the time, a more recent data breach of its payroll processing system may have even bigger consequences.

According to the company, a break-in at their offices resulted in the physical theft of computers that contained not only personal identifiable information like names, addresses, and Social Security numbers, but because the computers were part of their payroll processing department—where other businesses can contract with Heartland to handle the payroll for their employees—the information also contained bank account numbers for the affected consumers.

While Heartland’s official comment on the incident hasn’t indicated the type of computers involved, experts have cautioned that if the stolen items were laptops, the information should be safe. State law requires mobile devices that store PII on consumers to be encrypted; if the stolen items were desktop computers, though, that protection isn’t in place unless Heartland voluntarily chose to require password protection on the devices. There is always the chance that the thieves were after tech that can easily be cleaned out and sold, so it’s still possible that their goal wasn’t identity theft.

This is one of those incidents that will hopefully help consumers see the need for constant, vigilant monitoring of their own credit scores, financial accounts, and identities. Unlike credit card breaches where the credit card companies have their own built-in monitoring systems—like the kind that will send up a red flag if any suspicious activity occurs—and have the ability to simply cancel a credit card and issue a new account number, this issue affects a far more permanent system of Social Security numbers (collected for tax reporting, as this is a payroll processing company) and bank account numbers. That means their information may now be “out there” and available for any thief who wants to use it or any black market buyer who wants to pay for it.

While customers whose information was lost in the breach will be offered credit monitoring services, this is a good time to remind even those consumers who were not impacted about the need to stay watchful. Make sure you’re carefully reading any statements that come to you, and be mindful of any suspicious activity. Remember to order your credit reports throughout the year—you’re entitled to one free report from each of the three reporting agencies in every 12-month period, so stagger them throughout the year to get a continuous look at your credit—and report anything that doesn’t seem right. If you have already been the victim of a data breach, be sure to take advantage of the credit monitoring that’s offered to you, and consider putting alerts and freezes on your credit reports in order to minimize the chances that a thief can use your identity to open new accounts.

Some 64 million members of an online dating site have reason to be a little more cautious today after news broke that AdultFriendFinder had suffered a data breach. The scope of the breach isn’t yet known, but the company is already alerting users to the fact that names, addresses, email addresses, sexual orientations, marital statuses, and other sensitive information may have been accessed.

The dating site, which bills itself as a website where members can find other interested parties for casual sex or other spontaneous meetups, is part of a much larger parent company called Friend Finder Networks, which has more than 600 million members across its 40,000 websites.

There are always questions when a data breach occurs, and one of the major ones for consumers is, “What will a thief do with my information?”

If credit card information or Social Security numbers are stolen in a breach, then there’s a good chance there could be financial repercussions. But if those pieces of the puzzle are missing, there are still plenty of ways the data can be useful to a thief. Email addresses can be used for phishing attempts, but can also be sold to online marketers for spam. Physical addresses can lead to mail fraud and “dumpster diving,” which can then easily turn into other potential forms of identity theft, scams, or fraud.

But whenever a “mature” website or similar online activity is at the heart of the crime, there is another concern. While this type of crime will hopefully never befall a victim of identity theft, there is always the potential for extortion. Given that this data breach included highly personal information that many of the members might not want shared, it’s alarming to think that a thief could extort money from some of the members in exchange for not blasting the news of their participation in a site dedicated to sexual relationships with strangers. This practice has unfortunately become so commonplace in the world of social media that it has its own term, sextortion.

Unfortunately, at this stage in the investigation of any data breach, the company involved and the forensic team they’ve brought in to uncover the extent of the damage cannot discuss the details. An official statement from Friend Finder did have this to say: “Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.”