The Identity Theft Resource Center provides a number of services related to identity theft prevention and victim support. In order to do that job effectively, it’s important to track the numbers of data breaches each year and the numbers of victim records that have been compromised. But new findings, at least in one state-wide study, show that there were more data breach victims in that state than citizens.

How is that possible? Because the number of victims who’d had their data stolen more than once pushed the totals significantly higher. A report by Consumer Affairs found that 7.6 million residents of South Carolina had been victims of data breaches in the past five years, despite the fact that only 4.9 million people live in the state. That works out to an average of 1.6 data breaches for every resident, a number that’s hard to envision.

Of course, being a victim of those 1.6 breaches isn’t the reality for every single citizen. But it does mean that for every SC resident who has not had his or her information stolen in a data breach, other residents have been victimized over and over and over.

It’s important not to be alarmed into thinking that every single day brings a new data breach; to be fair, the bulk of the residents whose information has been stolen were typically caught up in large-scale breaches, like the Department of Revenue breach or the Target breach that nabbed millions of consumer records at once. However, residents must keep in mind the fact that “data breach fatigue” is a real and harmful phenomenon. It can be so easy to ignore news of a data breach because you have already been the victim of a previous attack, or to delude yourself into thinking there’s no point in taking action since your data has been compromised in the past.

In any data breach, you’ll likely receive a notification letter if your records were included in the attack. The letter will outline exactly what information was believed to have been compromised, as well as tell you what steps to take next. Even if you’ve been a victim—and even if you’ve taken these steps in the past—it’s important that you follow through with the protective measures.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

With record-setting numbers of data breaches happening each year, there’s an excellent chance that you will become a victim of lost or stolen personal data—if you haven’t already, that is. One of the chief concerns security experts have in this climate of hacking and fraud attempts is that consumers will stop taking the threat so seriously. So what do you need to do if you’re a victim in a data breach?

Your immediate response will vary depending on what information was stolen and how quickly you’re informed of the incident. Some people only find out about a breach or hacking event after their financial institution informs them that their accounts were compromised; in a situation like that, you wouldn’t have to do much of anything. Your bank will correct any fraudulent charges and your new credit card will arrive in the mail.

But other incidents aren’t so clear-cut and easy to recover from. That’s why all consumers need to be prepared to take action the moment they’re informed of a data breach.

  1. Determine what information was stolen – Depending on what data the thieves got their hands on, you need to be ready to devote some time to protecting yourself. If your credit card number, physical address, or an email address were the only pieces of the puzzle that they accessed, you’re not completely out of the woods but you also don’t need to put your day on hold to tackle your security.

You need to be mindful of how many other pieces of the puzzle hackers may have accessed from other sources, though. For example, they might have stolen your email address from one data breach, and your password on a separate account from another data breach. This could give them greater access to your information if you’re reusing that password anywhere.

Any time you’re informed of a data breach, it’s a good idea to change your passwords on your crucial accounts. It’s really a good idea to do so even if there hasn’t been a breach; some companies even require users to change their passwords every ninety days just to be on the safe side.

  2. They got it all – Unfortunately, if you’re involved in a data breach in which the hackers took everything—names, addresses, birthdates, Social Security numbers, and more—you’ve got more work to do. You’ll receive a notification letter from the company that was breached, and it will tell you what was believed to have been stolen.

In the event that hackers got everything, you need to contact the three major credit reporting agencies and place alerts or freezes on your accounts. This step will be free if you can provide proof that your information was stolen; your notification letter may serve as that proof, but you may also be required to file a police report. Filing the police report is a good idea anyway, since it will serve as proof down the road that your data was compromised if it’s ever used for criminal purposes.

There’s one more step you need to take, especially if your SSN was stolen, and that’s to alert the IRS. Tax identity fraud is a huge criminal industry now, and alerting the IRS will help add a layer of protection over your tax return in the coming tax filing seasons. You will also want to make sure that you file your legitimate return as early as you possibly can in order to beat a criminal to it.

  3. Monitor your credit reports and your accounts – If your notification letter included free credit monitoring services, don’t ignore it. Take them up on the offer and use it to help protect yourself. Of course, you don’t have to wait for a service to alert you to a problem. You can—and should—request a free copy of each of your credit reports once a year. If you stagger those reports, meaning you request one agency’s report in January, another one in May, and another one in September, you’ll get an ongoing picture of your credit throughout the year. That could make a lot of difference in preventing more widespread damage to your credit.

Data breaches and identity theft might seem like they’re practically unavoidable, and it’s understandable that consumers might feel like they can’t do anything to stop it. But even if you can’t stop a hacker from accessing your information, you can do a lot to make sure the damage he does with your data is kept to a minimum.

No matter where it occurs, “suspicious activity” is almost never a good thing and it’s important to take it seriously. Whether it’s your own bank statement or a major company’s credit card payment system, acting quickly can minimize the damage and put you back in control.

When Colorado-based restaurant chain Noodles & Co. was alerted to “suspicious activity” by its credit card processing company last May, the result was a third-party investigation that uncovered malware on its network. According to their findings, customers who paid by credit card or debit card at any of its 400 affected locations in the first half of this year may have had their account information stolen.

There are some important things to understand about any kind of data breach like this one:

  1. Notification – Affected consumers will be notified of the possibility of a breach. Depending on whether or not there’s reason to believe the incident could impact their finances, companies may or may not be required to offer credit monitoring services to the customers. If you are sent a letter and told you’re eligible for credit monitoring, do not discard the letter! Follow through with the instructions in order to protect yourself.
  2. A change in how customers are notified – Until recently, victims of a data breach have been notified by mailed letters, but one state has already passed a bill that will let companies email the victims. While email has usually been considered less trustworthy than a mailed letter, it not only reduces the amount of time that passes between discovering the breach and alerting consumers, it is also a tremendous savings to a company that may have to inform millions of people about the breach.
  3. How did the malware get there? – Customers obviously can’t be expected to detect malware in a retailer’s POS system before paying, but this news still pertains to every citizen. In many instances, malware infects a retailer’s network after someone opens the door for a hacker. Several major retail data breaches have been traced back to an employee who accidentally downloaded the malicious software through a phishing attempt, by clicking a link in an email, or some other seemingly harmless behavior. This should serve as a reminder to be very careful of your own online behaviors.
  4. Monitoring yourself – Recent awareness of data breaches and changes to how we investigate suspicious activity has meant major improvements in reporting breaches and informing the victims. What used to take months or even years to uncover and report now takes days in some cases. But that doesn’t mean you should skip the legwork of protecting yourself. Monitoring your credit card statements, bank statements, online and mobile banking sites, and even your credit report will alert you to suspicious activity without having to wait for someone else to inform you. Stay on top of your accounts and watch over them yourself in order to stop any damage as soon as it starts.

When news breaks of any major event, scammers go to work in an attempt to steal money or personally identifiable information from their victims. Literally within hours of the attacks on the World Trade Center on September 11th, scammers were out soliciting donations to help the relief effort. The same is true of the earthquake that hit Haiti in 2010, the tsunami that hit Japan in 2011, and so on.

But when the headlines are about yet another data breach—an all-too-common occurrence in this climate of record-setting numbers of breaches—there’s still the threat of a scammer stepping in and stealing our money or our information.

How? In an event like a widely publicized data breach, scammers know there may be millions or even tens of millions of victims. It doesn’t even matter if your information wasn’t specifically stolen in the breach. If you’ve ever shopped or dined at the store or restaurant that was breached, all the scammer has to do is tell you that your name is on their list of victims.

The scam within a scam works like this: a store (let’s call it Joe’s) suffers a major data breach. It makes headline news, and consumers begin receiving notification letters. From there, scammers simply start auto-dialing their potential victims, claiming to work for Joe’s or claiming to work for the credit monitoring service that’s been contracted to help the victims. The scammer will offer credit monitoring, money as compensation, or any other enticing offer to keep you on the phone.

The only person who can truly claim to be safe from this scam is someone who has honestly never set foot in a Joe’s location in his life. Even if you know you don’t live in a location that was affected by the breach, the scammer just has to tell you that the data breach is bigger than they’d first thought, or that they don’t know how it happened but your card information was found online. He’ll tell you anything to make you believe you’re somehow in danger of having your identity stolen.

There are a few things to look for if you receive a phone call or message that may be part of this kind of scam within a scam. First, if you’re asked to verify all of your sensitive information, don’t do it. The person calling you claims your information was stolen…shouldn’t he already have your information? Your address or phone number should be safe, but why would he need to ask for your complete personal details?

Next, if he asks for your Social Security number, don’t hand it over. Even your birthdate is pretty sensitive, so be mindful of giving that to people who call you. Obviously, a genuine credit monitoring service can’t protect you without knowing your Social Security number and your birthdate, among other pieces of information, but that data is typically gathered via mailed forms that you’ll have to fill out and send back. It’s not collected over the phone from someone who calls you out of the blue.

Finally, watch for the hard sell. Are you being pressured to act now, or told that you only have 24 hours to sign up before the offer is void? Are you being told that your identity has already been stolen and if you don’t do something immediately you could be in danger? Has the caller even hinted that you could be held legally or criminally responsible for something that happens as a result of not signing up? All of those are pressure tactics that scammers use in order to keep you from thinking it through. They want your information and your money, and if they give you time to process what you heard, there’s a good chance you’ll realize it’s a scam.

If you’re ever contacted by letter, phone, or email about a data breach, there will be instructions for you to follow in order to take action. Verify those instructions with the company if you feel like something is amiss, and remember to guard your information against people who are just taking advantage of the latest headline news.

Hospitals, retail stores, schools, and now parking garages: no business or organization seems to be immune to the effects of hacking. Annapolis, Maryland, residents are now learning about the extent of a recent data breach that seems to have affected three of the city’s parking garages, stealing customer credit card information.

SP+ Municipal Services’ servers were found to be infected with malware earlier in June, and the company immediately switched to cash-only payments for three locations, the Noah Hillman, Gott’s Court and Knighton Garages. In keeping with regulations, the company informed the Maryland Attorney General’s office, then began the process of informing consumers who may have been affected by the breach.

While it might seem like a case of “another day, another data breach,” this incident actually speaks to the progress that agencies have made in spreading the word about hacking, data breaches, and identity theft. An incident like this one once took months of investigation before it was even fully discovered, and then even longer before word finally reached consumers. While the time frame for the breach to impact consumers is believed to span all the way back to December 2015, the suspicious activity was discovered on the servers on June 11th; cardholders were notified ten days later, after the necessary reports to the state government were made.

Any time that news of a data breach makes headlines, it’s a good time to understand what to do when you’re notified of the incident. If you receive a data breach notification letter, make sure you look over it very carefully in order to understand what information was stolen. In this case, only credit card information (numbers, cardholders’ names, and security codes from the back of the card) seems to have been stolen; banks will issue new cards and the cardholders will update their other accounts. But if your personally identifiable information, like Social Security numbers and birthdates, is stolen, you’ll need to monitor your credit reports for other suspicious activity. In any case, save the copy of your notification letter as proof that your information was accessed in a data breach in case you need to prove that later on.

O’Charley’s restaurant chain is the latest victim of a restaurant data breach, according to a report from the company. After one of their security tools alerted them to possible unauthorized activity, the company hired a cybersecurity firm to investigate. In early April, the firm discovered tampering within the company’s point-of-sale credit card machines in several of the restaurant’s locations.

There’s always the chance that a skimming film was installed in the machine by someone who had access to it, but due to the more widespread evidence of activity, it’s likely that hackers infiltrated the network and installed malware on the POS system. That means no one would have seen any signs of tampering, but every swipe of a credit card could provide customer data to the thieves.

So far, the only known data to have been accessed is cardholder names and credit card numbers, although in some locations only the credit card number from the magnetic stripe was compromised. Since there’s no evidence yet that identities were stolen or that any money has actually been lost by customers, the restaurant chain isn’t required to provide any kind of corrective or preventive action. For now, the company is simply urging customers who visited their stores in March or April of this year to monitor their accounts and their credit reports carefully.*

Restaurants are a prime target for this kind of theft, largely because patrons pay with their credit cards but typically cannot see the actual transaction take place. Customers have no way of knowing whether their servers copied down their card information, whether the POS machine has been tampered with, whether hackers have installed malware on the network, or whether any other variation of credit card fraud is taking place. Late last year, one of the largest restaurant data breaches was discovered, with more than 300 restaurants, hotels, and casinos owned by Landry’s, Inc., suffering from a POS data breach.

Data breaches are just one of the reasons that more and more restaurants and patrons are turning to mobile payment apps that are specifically designed for the food service industry. There are already dozens of platforms to choose from, offering every form of convenience, including the option to split the check among your tablemates, automatically add a calculated tip, and pay right from your mobile wallet or PayPal account through your smartphone.

*To request copies of your credit report from the three major reporting agencies, contact:

Back in 2013, news of a data breach affecting a major retailer took consumers by surprise. Industry watchers, law enforcement, even legal teams had a vested interest in what went wrong, how the victims would recover, and how to prevent it in the future. Not long after, more retailers were hit, leading many experts to wonder if there was a connection.

Also during this time, federal government agencies were being hacked. Both the Office of Personnel Management (OPM) and the IRS—to name only two agencies—were breached, with the OPM actually being breached twice. Millions of Americans had their Social Security numbers and other identifying information stolen, and the number of fraudulent tax returns and identity theft reports has gone up.

For all the headlines that crop up when any major organization or corporation is hacked, the sad truth is that there are hundreds upon hundreds of data breaches each year. In fact, since the Identity Theft Resource Center first started keeping tabs on the numbers of data breaches in 2005, the number has grown almost every single year.

However, with the constant news of data breaches, are consumers losing sight of the threat? Are we becoming complacent, and seeing data breaches as just another 21st century fact of life? Hopefully not. In fact, it is important to know how a data breach occurs and what information is compromised in order to understand how you might be impacted.

Data breaches can be broken into two categories, accidental and intentional. An accidental breach is just what it sounds like: someone inadvertently made sensitive information available to unauthorized people. It could be something like the recent Hellgate High School breach in which a school administrator attached the wrong document to an email and sent more than 1,000 current and former students’ records to dozens of people. An accidental breach could also be something like a security flaw in a website that accidentally invites anyone in to take a peek at all of the employees’ or customers’ records. In either case, no harm was intended, but security was violated.

An intentional breach, though, happens when someone actively goes after information. Again, this can manifest in different ways. A high-tech cybercrime ring can hack into a network and steal thousands or even millions of sensitive records, typically with the goal of selling those complete identities on the dark web. A low-tech version might be an employee accessing sensitive information at work, copying it all down or downloading it, then using it or selling it to criminals.

In any data breach, regardless of how it came about or what the intended purpose was, the victims will receive a notification letter as required by law. The letter itself is critical since it will tell you exactly what information was compromised, what steps you should take to move forward, and what reparations the company may be offering to help safeguard you as much as possible. The letter also serves as a measure of proof that your identity has been compromised, in case you are affected by this crime further down the road. It’s important that victims of a data breach take it very seriously, follow those steps outlined in their notification letters, and then save the letter with other important papers.

An unfortunate computer user mistake led to one school administrator resigning from her job and more than 1,000 people having very personal information inadvertently shared with dozens of people. Last December, a Montana high school assistant principal attached what she thought were meeting notes in an email to around thirty parents, but the attachment actually contained identifying data, medical records, discipline records, and even mental health data on more than one thousand current and former students of that school.

As in any data breach, one of the first steps is to figure out how the information leak happened. The Missoula County Public School District hired a forensic investigation firm to sort through the issue and make a determination. From what investigators pieced together, after collecting several school computers and conducting a search, the culprit was nothing more than an accidental “cut and paste”-type issue. The administrator may have thought she was cutting and pasting (or dragging and dropping, in other computer parlance) the meeting notes she’d typed up, but the resulting attachment instead provided access to a file that school officials use throughout the work day.

Unfortunately, in this era of record-setting numbers of data breaches and high-tech cybercrimes that can cost billions of dollars, it is easy to forget that sometimes a simple user error can have the same result as a large-scale data breach. This is why CEO phishing is such an effective, costly, and growing form of data breach; more than 120 companies have been victims of a CEO phishing attack in the first five months of 2016 alone, all due to an employee making a costly mistake. Over the last few years, other large-scale and widely publicized retail data breaches have occurred due to employee errors like clicking on scam links in emails, downloading harmful content over the company’s wi-fi, or failing to implement effective antivirus software.

Accidental data breaches, like the one that occurred at Hellgate High School, often result in mixed emotions. On the one hand, it was an accident, pure and simple. However, at the same time, regardless of the intention, potentially damaging and confidential information was shared with people who had no right to it. That is why the aftermath of an incident like this one involves figuring out how to prevent this type of mistake in the future. It should also serve as a reminder to all citizens to be careful about what information they share with outsiders. Even without any malicious intent, your Social Security number, your medical profile, even your mental health status could end up in the wrong hands, so make sure that everyone you trust with that information is going to safeguard it, and actually needs it in the first place.

Anyone who’s familiar with the popular “professional world” social media site LinkedIn has probably already heard the news of their data breach. Hackers reportedly gained unauthorized access to millions of user names and passwords; this is slightly more alarming than a typical credit card breach due to the fact that LinkedIn users are representing their professional lives on the site. The potential for harm to their businesses and their reputations is quite real.

Before anyone gets too worried, though, remember…this breach happened four years ago. But there have been new revelations about the data that was accessed in that breach. Data that was stolen back in 2012 has now appeared online for sale, meaning someone is still attempting to use and profit from the personal profiles.

This has prompted the company to urge its users to change their passwords again, just to be on the safe side. Again, it’s not a new breach, but rather a new use for old information. LinkedIn isn’t taking any chances, though, and they’ve emailed the affected users to remind them to take certain steps. The company has also said it’s a good idea for everyone to change their passwords, affected by the breach or not, just to be on the safe side.

There are two highly important takeaways from this whole situation. The first should actually be common sense: once a thief has stolen your information, it’s not a once-and-done deal. This is why Social Security numbers are so much more lucrative than credit card numbers, for example. Credit card numbers can be changed or even just expire on their own, but Social Security numbers can net a thief a big profit for years to come. If there is a way to use stolen information more than once, you can bet a thief will do it.

But the other very important truth in any situation like this is the potential for scams. Phishing emails have already begun to circulate, piggybacking off the headlines associated with the LinkedIn announcement. Recipients are being told to click the link to reset their passwords, which will undoubtedly install harmful software like viruses on their computers.

The genuine LinkedIn warning email contains no link. It simply offers an explanation as to what happened, and then lists the steps users should take. The first step is to go to on their own and change their passwords. Again, there is no “click here” link in the genuine email, mostly because you should never, ever click an unsolicited link that you receive. (It’s also fun to point out that the scammers in the phony LinkedIn emails aren’t even trying…they didn’t even capitalize the name of the company.)

Remember, anytime there are headlines for a major event—a natural disaster that leads to phony charity scams, a specific news story that expects the public to take action, or even reports of a data breach that urge consumers to be watchful of their accounts—scammers will do their best to take full advantage. Keep a close watch on your emails, social media messages, and other anonymous sources of communication in order to avoid being scammed.

It would be a shame if consumers ever reached the point where news of a data breach did little more than raise eyebrows. But that’s the sad impact of having so many consumer records stolen by cybercriminals on a regular basis. Hopefully, news of this recent data breach will be more cause for alarm.

Investigators anticipate that more than 29,000 emergency room patient records were compromised in an apparent accidental data breach of Indiana University Health Arnett Hospital. The records, which were downloaded to a USB drive, contain names, addresses, personal information, and medical records for patients treated in the past year. It doesn’t appear as though Social Security numbers were impacted, but that remains to be seen given that many hospitals and medical offices still use SSNs as identification numbers and to run credit checks on patients.

According to, the flash drive contained spreadsheets of the patient records, and the flash drive wasn’t encrypted or password protected. Another source also says that this information was limited to emergency room patients, and that the flash drive went missing from the emergency room’s office. Why the data was on a flash drive in the first place is also unknown, but the lack of security on it means that anyone with access to a computer can retrieve the information.

Unfortunately, the hospital had this to say: “Patient medical record information is kept on a secure server. This is not the standard method of storing patient data. Officials cannot be certain an incident will never occur, however, they are taking steps to minimize the chance of such an incident occurring in the future.” That means that the information should (in theory) have never been on the flash drive in the first place, especially if hospital policy is to keep that information on a secure server. It’s hard to believe the data appeared on a flash drive by mistake, and that it went missing for any reason other than a malicious one. At this time, however, the hospital has not received any complaints that patients’ information has been used without authorization.

So what are patients supposed to do? The hospital will be sending out letters to affected patients that explain exactly what information was compromised and what steps the hospital will be taking to protect patients. Anyone who receives such a letter should follow the instructions, and if credit monitoring is offered then those patients would be wise to take advantage of it.

This event should also serve as another eye-opening warning to patients who may not yet have been affected by a medical data breach—although, given the number of events per year and the enticing information that hacking a medical facility can produce for an identity thief, that number of people is shrinking every day. When you’re presented with a clipboard full of forms and a pen, ask yourself why the facility needs such detailed information, and then ask the employee what they plan to do with it. Inquire about the safety protocols of the facility, but also remember that those protocols are only as good as the employees who adhere to them. If you’re in doubt about the security of your information, remember that you’re not required to turn it over in order to receive emergency medical treatment.