News, search, and email giant Yahoo made an announcement today about a hack that has affected an estimated one billion users, or roughly most of its customers worldwide. This is not to be confused with the September 2016 news that the email accounts of 500,000 users had been hacked in 2014; the latest breach is believed to have affected users a year before that earlier incident.

Why is this newsworthy if both hacks occurred more than two years ago? Because some of the information that is now “out there” is permanent, as far as securing all of your online accounts goes.

There is good news. The newly announced August 2013 breach does not appear to have impacted anyone’s payment information, meaning no credit card or bank account information is believed to have been compromised. Unfortunately, the information that was accessed seems to include names, email addresses, birthdates, phone numbers, and encrypted passwords, as well as unencrypted security questions.

The birthdates and security questions are the first troublesome part of this incident. Your birthdate is a permanent fixture, unless you wish to “change” your birthdate for internet security reasons. Likewise, your security questions—like the name of the city where you were born or the name of your first pet—are typically permanent pieces of information; again, you can create a brand-new persona with fake answers to those questions, but that requires you to remember which web account you gave which answer should you ever need to use the questions to login.

Your security questions are important because they let you change your password if you don’t have access to it. That means that the hackers could potentially change your password if you don’t change your questions. Of course, it may be too little too late for you to change that information. Once the hackers have gained access to the city of your birth—such as Pittsburgh, PA—changing it won’t stop them from using this knowledge to gain access to your other existing accounts if they share the same security questions.

The compromised phone numbers can be problematic as well. Two-step authentication, a security process that requires you to use a secondary form of login before you can access something like your mobile payment app, often relies on your mobile phone number. Unless you want to contact your cellular service provider and change your cellphone number as a precautionary measure, that’s semi-permanent, too.

So what do Yahoo users need to do right now? Change your passwords and your chosen security questions immediately. If you have any online retail accounts or bank accounts that relied on those same security questions, it’s a good idea to change those passwords too. In all fairness, changing your passwords routinely in the event of undisclosed data breaches is a good idea. Taking a few moments to secure your accounts will help keep you one step ahead of the latest data breach.


As always, anyone who believes their identity has been stolen or their personal data has been compromised is invited to connect with the ITRC through our 24-hour toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.

Each year, the Identity Theft Resource Center tracks data breach activity and keeps track of the number of compromised records. For most of the last ten years, data breaches have continued to set new annual records for both the number of events and the number of records that were exposed. But while so many people focus on large-scale breaches that have affected retailers or government agencies, there’s another kind of data breach that can have far more serious—even potentially life-threatening—consequences.

Medical breaches get a lot less attention than something like a dating website breach, for example, and it’s a shame. It’s unsettling that 42.5% of survey respondents only a few years ago did not even know what medical identity theft is, and yet 36.6% of this year’s data breach activity involved medical records. More than 15 million patient records were compromised in medical data breaches this year, leaving many to wonder what can happen with that level of information. In 2015, more than 110 million records were compromised in the healthcare/medical industry.

In 2006, one of the more famous medical identity theft cases occurred. Anndorie Sachs, a mother of four children ages two and up, was informed that she was being investigated by child protective services. They stated she’d recently given birth to a baby who tested positive for methamphetamine. The following day, the authorities came to Sachs’ house and threatened to remove her four children from her custody.

As if that wasn’t upsetting enough, the fact that Sachs had not given birth recently and that her driver’s license had recently been stolen didn’t help her much. Sachs finally underwent a DNA test to prove she was not the baby’s mother, and while that helped clear her of criminal wrongdoing and keep her family intact, it did not absolve her from the $10,000 hospital bill for labor and delivery. Much later, the woman who’d actually stolen Sachs’ driver’s license and presented it at the time she entered the hospital was caught and accepted a plea arrangement.

When this incident occurred, receiving prescription drugs and medical care while sticking someone else with the bill was thought to be the motivation. Now, however, experts warn that there’s another reason, one that can have much broader results. Medical histories and patient records often contain every piece of the identity theft puzzle, from names and addresses to ages and birthdates. Even worse, 11.8% of the 2016 medical breaches exposed patient Social Security numbers, and records stolen in medical data breaches ranked the highest in the ITRC’s findings for “data on the move,” meaning information which was somehow lost or stolen while in transit from one location to another. With one complete stolen record, an identity thief can open new accounts in the victim’s name and use those accounts for a long time to come. If that account is flagged as fraudulent and shut down, it’s no big deal. He can just open another one thanks to the personal identifying information he’s stolen.

As upsetting as that is, it’s hardly life-threatening. So how can medical data breaches possibly result in bodily harm? If the goal was just to steal identifying records from a hospital or doctor’s office, then the patient’s physical health is probably not in danger. But if the opportunity arises to use the victim’s identity for medical care, the criminal’s medical information can be woven into the victim’s file. Blood types, medications in use, pre-existing conditions, and more can all get updated to reflect the imposter’s health, leaving the victim vulnerable to conflicts in care in an emergency situation. As a result of HIPAA regulations, the identity theft victim is not entitled to access to the thief’s patient care, so clearing up the confusion can be problematic.

Anyone who believes their personal data has been compromised is invited to connect with the ITRC through our toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.

It would be downright funny if it wasn’t so alarming: a new study shows that cyberthieves are being hit hard by an economic crisis related to supply and demand. The problem? There is so much stolen information being sold on the dark web that prices have dropped significantly.

Yes, there is such an abundance of stolen medical information available on the dark web that the value of these complete records has been slashed to less than half of what they used to be worth.

It’s a shame really, considering how much work goes into making a complete record, or a “fullz” as a patient’s full set of information is called online. In many cases, the more complete the individual’s record, the more valuable it becomes and therefore the higher price it can fetch. That would require the additional legwork of not only accessing the original health record, but also cross-referencing that patient’s information with other sources. These sources might include financial records, utility bills, W2 forms, or any other identifiers.

According to research conducted through a joint effort by the Institute for Critical Infrastructure Technology, Flashpoint, and Intel Security, one of the culprits of the price-drop may be the sheer amount of access that unscrupulous people have to these kinds of records. While sophisticated, high-tech hacking can result in entire databases of stolen information, a hospital billing clerk can also potentially leak multiple patients’ records and confidential information. In short, the more information that’s floating around the dark web, the less valuable that information becomes.

In an even more laughable twist, so-called “famous” hackers can still fetch a higher price for their stolen records than an unknown source. In much the same way that a wedding dress crafted by a famous designer might be worth tens of thousands of dollars while a handmade dress by a local seamstress would only cost a few hundred, hackers with a reputation to uphold can charge more simply because of their name.

Unfortunately, this is where all of the humor comes to a sudden stop. Every stolen record reflects not only a potentially expensive HIPAA violation to the medical facility it originated from but also the possibility of medical identity theft. While other forms of identity theft and fraud are certainly troubling, medical identity fraud can actually result in life-threatening consequences for the victim of the theft once his records are connected to someone else at the time of their treatment.

If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. Find more information about current scams and alerts here.

It’s important that consumers and tech users understand how cybersecurity issues and compromised personal data records occur. One of the many avenues to data loss that advocates and experts have pinpointed is through data breaches.

The Identity Theft Resource Center first started tracking data breaches more than ten years ago, and each year the organization releases its annual data breach report. The report lists which businesses or entities were affected by a breach—whether intentional or accidental—as well as the number of consumer records that were compromised in the breach and what types of personal identifiable information may have been accessed. Understanding that report and the reach that those events have is important for determining how to educate consumers and policymakers about the threat from data breach incidents.

There are some critical factors that are present in any data breach. Was it an intentional attack, or accidental? If it was an inside job, was it the result of employee carelessness or did an employee steal the customer data? Can it be traced back to inadequate security protocols or a lack of workplace policy concerning appropriate computer use? Is it a new form of attack that even industry experts aren’t aware of? What were the hackers after, and how can they cause harm with the information they gleaned in the event?

Those are the questions that forensic tech investigators try to answer in any data breach. If it was accidental, they seek to uncover the circumstances that led to it, like an unsecured network without proper antivirus software in place or a lack of training that could have prevented the breach. If it was an intentional inside job attack, someone with access to sensitive data is to blame and investigators find out who had that access and why. In outside attacks, investigators not only want to uncover the method by which hackers infiltrated the network, but also learn from that method and spread the word so others don’t fall victim. Finally, investigators work to uncover any third-party connections, meaning one company may have been breached, which can then lead to a breach of other connected companies.

It’s very important for consumers and businesses alike to understand what the term data breach actually means, though, and what criteria must be met for it to be recorded. Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. Each selected incident is required to have been reported to a state Attorney General’s office or published by a credible media source, such as TV, radio, press, etc.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

There was a time when hackers sought out retailers’ computer networks, specifically their point-of-sale credit card networks, and used that access to steal credit card and debit card information. Over time, there’s been a shift in the way hackers operate.

After all, stealing your credit card information is a very limited prospect; all you have to do is cancel that card when you notice some suspicious activity, and their efforts will prove fruitless. That’s why hackers have upped their game, going after long-standing information and personal data rather than account numbers that can be changed. The most recent large scale data breach, one that affected more than 500 million accounts, proves that very point.

Several sources have now reported that Yahoo! has experienced a data breach, believed to be the work of foreign, state-sponsored hackers. The sheer volume of user account information that was compromised makes this possibly the single largest data breach in history.

But what would they even want with your personal email account? Plenty. The hackers made off with names, user names, hashed passwords, telephone numbers, and even birthdates and security questions. While no Social Security numbers should have been involved in the stored data, what was accessed is enough to do a world of identity theft damage.

With access to your email account, hackers can change your password and lock you out. From there, they sell the new information to criminals looking to make money off of your other existing accounts, like PayPal, Amazon, or your credit card accounts. By clicking “forgot my password” and responding to the link sent to your email account (which they now control), it becomes a race to see how much money they can make off of you before you’re able to correct the situation. And that’s only the financial damage they can do. If your account provides enough pieces of the identity puzzle, their work can prove to be far more costly in the long run.

So far, the information seems to date back to 2014, so if you’ve changed your password since then, you might be safe. Still, it never hurts to change your password anytime you hear news of a data breach.

Furthermore, one of the most important steps any tech user can take is to make certain to only use that password on one account. If you’ve reused your password, or if you’ve used easily guessed combinations to create your passwords, you run the risk of compromising all of your accounts.


The reality of most data breaches and hacking events is far less sophisticated than you might think. Thanks to some simple tools that can be found online, everyone from an international cybercrime ring to a person living up the street could be stealing information.

One of the low-tech ways to pull off a breach of some kind is through internet account takeover, typically of social media accounts. By guessing your password—either through software that helps crack it or actual trial-and-error guessing of your weak password—someone logs into your account and gets to work.

Why would someone want to pretend to be you? It could be intentional, in an effort to humiliate or harm you. More often than not, it’s an attempt to spam your contacts’ list with cheesy offers, viruses or malware, or fraudulent requests for money.

However, there’s another method of social media takeover, and that’s the spoofing of accounts with a similar but fake name. In that case, the scammer creates a brand-new Facebook profile, only instead of calling it Irene Davis, it’s lrene Davis. Can you spot the difference? The capital I in the legitimate Irene account has been replaced with a lowercase L in the fake account. The new lrene Davis account begins sending friend requests to all the people listed in Irene’s genuine account, and those people happily accept the request, wondering how they accidentally lost their connection to someone they know.

This account takeover can happen to individuals, but it’s especially rampant for businesses of every size. PayPal can easily be spoofed as PayPaI, and Google is often duped as G00GLE. Sometimes hackers do it for kicks, just to have some fun at the company’s expense, but other times there are intentional efforts to damage a company’s reputation and its relationship with its customers, as well as trick you into handing over your information.
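The Irene/lrene, PayPal/PayPaI and Google/G00GLE swaps above all rely on characters that render alike. The following added example (not from the ITRC post) folds such lookalike characters into a common "skeleton" so a display name that is visually identical to a trusted contact or brand, but not actually the same string, can be flagged. The CONFUSABLES map is a small hand-picked subset chosen for illustration; it assumes a Latin-script name list.

```python
"""Flag display names that look like a trusted name but are not it.

Added example; not from the ITRC post. CONFUSABLES is a hand-picked subset
(an assumption for illustration); the Unicode confusables table is far larger.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Characters that render alike in common fonts, mapped to one canonical glyph.
# Lowercase letters are listed because names are lower-cased before folding.
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i", "!": "i",  # lowercase L, one, pipe, bang read as capital I
    "0": "o",                                # zero reads as capital O
    "5": "s", "$": "s",
    "8": "b",
    "2": "z",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}  # letter pairs that read as one letter


def skeleton(name: str) -> str:
    """Fold a name to a 'skeleton': accents stripped, case dropped, lookalike
    characters merged, and everything but letters/digits removed. Two names with
    equal skeletons are visually interchangeable to a casual reader."""
    decomposed = unicodedata.normalize("NFKD", name)  # e.g. fullwidth letters -> ASCII
    plain = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    for pair, single in MULTI_CONFUSABLES.items():
        plain = plain.replace(pair, single)
    folded = "".join(CONFUSABLES.get(c, c) for c in plain)
    return re.sub(r"[^a-z0-9]", "", folded)


def lookalike_check(candidate: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted name that `candidate` impersonates, or None.

    An exact (case-insensitive) match is the genuine account and is not flagged;
    a different string with the same skeleton is a lookalike."""
    cand = candidate.strip()
    for name in trusted:
        if cand.casefold() == name.strip().casefold():
            return None
    cand_sk = skeleton(cand)
    for name in trusted:
        if cand_sk == skeleton(name):
            return name
    return None


def flag_requests(requests: List[Tuple[str, str]],
                  trusted: List[str]) -> List[Tuple[str, str, str]]:
    """Run lookalike_check over (sender_id, display_name) pairs, e.g. incoming
    friend requests, and return (sender_id, display_name, impersonated) triples."""
    flagged = []
    for sender_id, display in requests:
        target = lookalike_check(display, trusted)
        if target is not None:
            flagged.append((sender_id, display, target))
    return flagged


# Constructed sample: three genuine names and one lookalike for each spoof style in the post.
TRUSTED = ["Irene Davis", "PayPal", "Google"]
SAMPLE_REQUESTS = [
    ("u1001", "lrene Davis"),   # lowercase L for capital I
    ("u1002", "PayPaI"),        # capital I for lowercase L
    ("u1003", "G00GLE"),        # zeros for Os
    ("u1004", "Irene Davis"),   # the real account re-connecting
    ("u1005", "Marcus Lee"),    # unrelated name
]

if __name__ == "__main__":
    for sender_id, display, target in flag_requests(SAMPLE_REQUESTS, TRUSTED):
        print(f"{sender_id}: '{display}' looks like '{target}'")
```

Because the check compares skeletons rather than raw strings, it also catches combinations the post does not list, such as a digit 1 standing in for the I.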

One very serious version of social media takeover that users must be careful of is the spoofing of accounts that pretend to be from news sources. Not only have users created fake social media profiles intended to mask legitimate, respectable news outlets for the purpose of spreading false information—such as an article speaking out against a political candidate or public office holder that looks like it comes from a major news channel—but they can also spread scams, viruses, and malware by getting you to click on something that resembles a fantastic offer from a high-dollar beauty product company, a weight loss product, and more.

It’s important to protect yourself from fake social media accounts, or from accounts that have been taken over. If you suddenly get a friend request on Facebook from someone you’ve been connected with for years, don’t accept it. Contact your friend immediately through another channel and let her know. She can report the account to Facebook—or the customer support division for whatever social media website it happens to be—and ask that it be taken down.

Depending on the social media platform, major businesses or brands will not solicit connections by reaching out to you without a reason, so be very careful of connecting with brand names or seemingly high-profile accounts (is there some reason Kim Kardashian is now following you on Twitter? If not, it’s probably not her) that suddenly want your attention.

Finally, remember to be very wary of “click bait,” whether it’s in the form of a strange news headline or a message you receive. Vaguely misleading wording like, “You won’t believe this picture I found of you!” or “Kanye West Says It’s Finally Over!” could be luring you into clicking on malicious links or downloading viruses to your computer.


Companies, organizations and agencies that hold and transmit people’s personal information should keep it reasonably secure from unauthorized access and use. But what if there is a data breach that exposes the information? How should the breached entity help those affected? Should it offer them identity theft services?

If so, how should it choose the provider and what features should it look for to ensure that the services will fit the needs of the victims? To help answer those questions, Consumer Federation of America and its Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services.” This isn’t intended to be legal advice, however – always consult with an attorney about how to respond to a data breach.

Identity theft services typically include alerting people about possible fraudulent use of their personal information, mitigating the damage, and/or helping them recover from identity theft. In the checklist we explain the different kinds of monitoring and fraud resolution that may be available and that the features of the programs can often be customized to fit particular breach situations. One of the basic questions to ask is whether the service will provide breach victims with information about how to reduce the potential damage – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.

We also suggest asking:

  • Are services available 24/7?
  • Is there a toll-free number with live operators?
  • What response times will the provider commit to?
  • Can the service handle multiple languages?
  • If monitoring is provided, how quickly are alerts sent?
  • Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?

Identity theft service providers may offer other assistance as well, such as helping breached entities to write and/or send notices to the victims and handling other communications. Another thing to consider is whether to have identity theft services lined up in advance in case they’re needed. It can be less stressful and save money to pre-negotiate for these services rather than shopping for them in the midst of a breach. The checklist covers how to find reputable identity theft service providers.

Of course, identity theft services aren’t necessary in every breach situation. A good rule of thumb is: if the breached entity is required by state or federal law to notify those affected, it should consider offering these services. In interviewing prospective identity theft service providers it’s important to describe the types of personal information that have been or could be compromised and ask what features would be most helpful to the victims. We also suggest addressing whether and in what manner the identity theft service provider may solicit the breach victims to buy services during the contract period and/or once it ends. As in any contract, the services and terms should be clearly described and accurately reflect what has been agreed to.

CFA’s Best Practices for Identity Theft Services, which was updated last year with input from the working group, and the checklist are intended to encourage good practices in the identity theft service marketplace. There is also a guide for consumers, Nine Things to Check When Shopping for Identity Theft Services and much more about identity theft on CFA’s www.IDTheftInfo.org website.

This blog was written by Susan Grant, Director of Consumer Protection and Privacy at the Consumer Federation of America. Ms. Grant also sits on the ITRC’s Board of Directors.

In the Office of Personnel Management breach and the Anthem healthcare breach—just to name two of the record-setting numbers of data breaches that happen each year—millions of US citizens had all of their highly-sensitive personal identifiable information (PII) stolen by hackers. This data included names, birth dates, Social Security numbers, and in some cases even fingerprints, which virtually handed over these citizens’ entire identities to criminals.

In the face of such alarming breaches, it’s all too easy to forget that data breaches happen almost every day, even though they’re on a smaller scale. Retailers have been hard hit by individuals who want to nab everything from usernames and passwords to credit card information. But the alarming trend of consumer complacency where data breaches are concerned has privacy experts concerned.

A hacker doesn’t have to go for the winning combination of your name, birth date, and Social Security number in order to do serious damage to your identity and your credit. But too often, consumers fail to take the threat of a retail data breach seriously; one Ponemon Institute study found that 32% of consumers ignored a data breach notification letter, even though 25% of the letters sent out that same year offered identity theft protection services for free.

What could be behind this trend of “data breach fatigue?” It’s too easy to assume it’s merely business-as-usual in consumers’ minds, although the sheer numbers of breaches could easily make consumers believe there’s nothing they can do to prevent identity theft.

More worrisome is the perception outlined above. Unless the victims’ complete identities have been compromised, they’re less likely to take action. If it’s only some credit card information that was stolen—as in the recently discovered retail data breach involving Eddie Bauer’s point-of-sale payment systems in an undisclosed number of their physical stores—consumers may erroneously believe that they won’t face any threat. Their credit card companies will waive any fraudulent charges and then issue new cards, right?

Not necessarily. If your existing card was hacked and new charges appear on that card, then your bank or credit card company will take the necessary steps. But if that card information is used to open new accounts in your name—known as “new account fraud”—then you may be responsible for more charges, and you will have to do some legwork in order to get those accounts closed and get them removed from your credit report.

No matter how big or small, whether it was a major cyberattack that stole all of your personal information or just a compromised credit card payment system, the threat of identity theft is very real and must be treated as such. Follow the steps outlined in a notification letter, and watch for news of breaches like the Eddie Bauer breach in order to stay on top of your data. Be sure to request copies of your credit reports regularly in order to monitor them for suspicious activity.


When news breaks of another large-scale data breach, especially one that affects millions of consumers at a time, it’s all too easy to envision a faceless hacker who sits safely outside the reach of the law. But the reality of data breaches is that a significant number of them are “inside job” attacks, whether intentional or accidental.

An accidental data breach can happen within practically any organization. And with the rise of more sophisticated approaches like “boss phishing,” it only takes a little bit of hacking know-how to pull it off. The rest of the dirty work is done by an unsuspecting employee who complies with the instructions in an email or message.

Accidental data breaches also crop up through the loss or theft of unencrypted company computers, through inadvertently uploading the wrong file to the wrong person, downloading content from an untrustworthy website, and other seemingly innocent but still harmful means.

But intentional data breaches from someone within the company are a whole other problem, and the software industry has stepped up to provide employee monitoring programs that can alert the company to suspicious behavior. This software can alert the administration whenever someone tries to access massive amounts of information, like employee or customer records. It can also send out an alert that an employee has altered the times of day that he’s active on the network, such as someone who suddenly starts logging in at night or on weekends. It can inform the manager if an employee sends higher than normal numbers of emails all of a sudden, which can be a sign of an employee who’s looking to leave the company. Some titles even monitor employees’ social media accounts and report back to the boss on what kind of content they post.
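The three signals just described (bulk record access, a shift in the hours someone is active, and a sudden jump in outbound e-mail) can be expressed as simple rules over an access log. The example below is added here and is not from the ITRC post or any monitoring product; it learns each user's usual login hours and daily e-mail volume from the first three days of a constructed log, then flags later days. The log format, user names and thresholds are all assumptions chosen for illustration.

```python
"""Detect three insider-threat signals over a constructed access log.

Added example; not from the ITRC post and not any monitoring vendor's code.
The baseline is the first BASELINE_DAYS distinct dates in the log; every later
date is scored against it.
"""
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log, one event per line: "<ISO timestamp> <user> <event> <count>".
# "alice" behaves normally on three weekdays, then on Saturday 2016-08-06 logs in
# late at night, pulls 900 records and sends far more e-mail than usual.
# "dana" is a control user whose behaviour never changes.
SAMPLE_LOG = """\
2016-08-01T09:02:00 alice LOGIN 1
2016-08-01T09:40:00 alice RECORD_ACCESS 14
2016-08-01T11:00:00 alice EMAIL_SENT 9
2016-08-02T08:55:00 alice LOGIN 1
2016-08-02T10:10:00 alice RECORD_ACCESS 20
2016-08-02T14:00:00 alice EMAIL_SENT 11
2016-08-03T09:10:00 alice LOGIN 1
2016-08-03T13:30:00 alice RECORD_ACCESS 9
2016-08-03T16:00:00 alice EMAIL_SENT 10
2016-08-06T23:15:00 alice LOGIN 1
2016-08-06T23:20:00 alice RECORD_ACCESS 900
2016-08-06T23:50:00 alice EMAIL_SENT 48
2016-08-01T09:00:00 dana LOGIN 1
2016-08-01T09:30:00 dana RECORD_ACCESS 30
2016-08-01T15:00:00 dana EMAIL_SENT 20
2016-08-02T09:00:00 dana LOGIN 1
2016-08-02T09:30:00 dana RECORD_ACCESS 25
2016-08-02T15:00:00 dana EMAIL_SENT 22
2016-08-05T09:05:00 dana LOGIN 1
2016-08-05T09:30:00 dana RECORD_ACCESS 28
2016-08-05T15:00:00 dana EMAIL_SENT 25
"""

BULK_RECORDS = 500        # records pulled in one burst that warrants an alert (assumed)
EMAIL_SPIKE_FACTOR = 3.0  # day's e-mail total versus the baseline daily mean (assumed)
HOUR_SLACK = 2            # hours outside the usual login window before alerting (assumed)
BASELINE_DAYS = 3         # first N distinct dates in the log form the baseline

Event = Tuple[datetime, str, str, int]
Alert = Tuple[str, str, str]  # (user, signal, detail)


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated format used by SAMPLE_LOG."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, count = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(count)))
    return events


def build_baseline(events: List[Event]) -> Tuple[Dict[str, dict], Set[date]]:
    """Per user: hours they log in at, whether they ever log in on a weekend,
    and e-mail sent per baseline day. Also returns the set of baseline dates."""
    base_dates = set(sorted({e[0].date() for e in events})[:BASELINE_DAYS])
    base: Dict[str, dict] = defaultdict(
        lambda: {"hours": set(), "weekend": False, "emails": defaultdict(int)})
    for ts, user, event, count in events:
        if ts.date() not in base_dates:
            continue
        profile = base[user]
        if event == "LOGIN":
            profile["hours"].add(ts.hour)
            profile["weekend"] |= ts.weekday() >= 5
        elif event == "EMAIL_SENT":
            profile["emails"][ts.date()] += count
    return dict(base), base_dates


def detect(events: List[Event]) -> List[Alert]:
    """Score every event dated after the baseline window and return alerts."""
    base, base_dates = build_baseline(events)
    alerts: List[Alert] = []
    emails_by_user_day: Dict[Tuple[str, date], int] = defaultdict(int)
    for ts, user, event, count in events:
        if ts.date() in base_dates or user not in base:
            continue  # baseline period, or a user with no history to compare against
        profile = base[user]
        if event == "LOGIN":
            if profile["hours"]:
                lo, hi = min(profile["hours"]), max(profile["hours"])
                if ts.hour < lo - HOUR_SLACK or ts.hour > hi + HOUR_SLACK:
                    alerts.append((user, "off-hours-login",
                                   f"{ts.isoformat()} outside usual {lo:02d}:00-{hi:02d}:59"))
            if ts.weekday() >= 5 and not profile["weekend"]:
                alerts.append((user, "weekend-login", ts.strftime("%Y-%m-%d is a %A")))
        elif event == "RECORD_ACCESS" and count >= BULK_RECORDS:
            alerts.append((user, "bulk-record-access", f"{count} records in one burst"))
        elif event == "EMAIL_SENT":
            emails_by_user_day[(user, ts.date())] += count
    for (user, day), total in emails_by_user_day.items():
        history = base[user]["emails"]
        if not history:
            continue
        mean = sum(history.values()) / len(history)
        if total > EMAIL_SPIKE_FACTOR * mean:
            alerts.append((user, "email-spike",
                           f"{total} sent on {day} vs baseline mean {mean:.1f}/day"))
    return alerts


if __name__ == "__main__":
    for user, signal, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {signal:20} {detail}")
```

Each rule is relative to the user's own history rather than a fixed office schedule, which is what lets a night-time login stand out for one employee while staying quiet for a colleague who always works evenings.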

Those last issues have privacy experts concerned, though. It’s one thing to monitor a network to make sure sensitive information isn’t accessed or downloaded. But advocates worry that monitoring employees’ email or social media could be an invasion of their privacy, especially since some monitoring software can look for keywords that the boss can choose.

Does the benefit outweigh the privacy risk? That’s a tough call. When Morgan Stanley suffered an internal data breach in 2014, Galen Marsh downloaded account information for more than 900 high-dollar investment accounts; some sources believe he was trying to leave the company and take the top-tier clients with him. Instead, his defense argued that his own laptop was hacked and the downloaded information was stolen. With employee monitoring software, the resulting data breach might have been avoided as executives would have been notified when Marsh first downloaded the information to his laptop.

There is a middle ground when it comes to preventing internal data breaches. Having a company-wide computer policy and making sure that all employees are up-to-date on the acceptable use of technology is crucial. Keeping your workforce informed of threats like boss phishing and the danger of downloading unscanned content is also important. If a company deals in content that is so sensitive that it warrants employee monitoring software, make sure everyone is informed of the need for it. Let everyone within the company know how it works and what it’s watching out for. It’s there to protect the company and its customers, not to hunt down those who break the rules.

Medical data breaches continue to happen at an alarming rate. It’s bad enough that someone has made off with your complete identity thanks to the amount of information a doctor’s office or medical center needs; on top of that, they’ve also potentially stolen your complete medical history, and there are many different ways that can hurt you.

Sometimes, though, the hacker isn’t after your identity or your medical records. With the increase in ransomware attacks in recent months, patients may just be the innocent bystanders who got caught in the crossfire. As the name implies, ransomware attacks happen when a hacker infiltrates a network, and either grabs all of the data or locks up the network so no one can access it. From there, he informs the company that the only way to get their data back or unlock their network is to pay the ransom, usually in the form of bitcoins.

Unfortunately, ransomware attacks—especially on medical offices—are effective, which could logically be why they’re increasing. With their network locked up, hospitals can’t provide patient care; the resulting injuries or deaths can lead to lawsuits which would cripple the hospital financially. Of course, if the hacker follows through on his threat to upload the medical records to the internet, the hospital faces severe penalties for each and every HIPAA violation, which are often far greater than the hacker’s ransom demand.

Last month, an alarming 30% of the data breaches in the medical community were traced back to ransomware attacks by hackers (as opposed to more traditional hacking, internal data breaches, or accidental data breaches). This led to more than 100,000 patients’ medical records being exposed. June had an even greater number of attacks, with 41% of medical data breaches being the work of hackers, exposing more than 11 million records.

Unfortunately, unlike some other forms of data breach or identity theft, a medical data breach of this kind is hard for an individual patient to prevent. That’s why it’s important to ask serious questions about your information before you hand it over, such as who has access to it, how it will be stored and protected, and what the office will do to notify you in the event of a data breach. If you’ve been the victim of a medical data breach, it’s important to follow the steps that were listed in your notification letter, and to inform your doctor and pharmacy that someone may be using your medical identity.
