In recent weeks, Facebook has come under fire for an event that might change the definition of “data breach.” 

Mark Zuckerberg appeared before the Senate yesterday and Congress today to answer questions about how the platform is handling the situation. Unlike other breaches where the company had no prior knowledge, and perhaps no way of stopping someone from breaking in and stealing information, Facebook suffered a different kind of event, one that is very complex. But we’re still not hearing what the personally identifying information (PII) was accessed beyond the permissions of those using the app.

Facebook allowed a third-party company to operate social media quizzes under the name “This Is Your Digital Life.” The quiz app paid Facebook for the ability to invite users to take quizzes in exchange for access to their public profile information. Also, when one user granted that access, it may have automatically granted access to the individual’s Facebook friends. Even people who’ve never agreed to “This Is Your Digital Life’s” terms may have had their information gathered, including information like name, employer, education, birthdate, and relationships status which was available in their publicly viewable profile. The Identity Theft Resource Center still does not conclusive evidence even after yesterday’s testimony of what exactly was used from each person’s profile. This shared connection is how Facebook has estimates the number of compromised user profiles to be somewhere around 87 million.

Now, Facebook is taking action to inform users. If your information may have been wrongfully accessed, Facebook has put a banner at the top of your feed above the status box where you share what’s happening with you. It allows you check to see if you were compromised and possibly had unauthorized use of your information. It will also direct you to the permissions sections of your settings so you can take a closer look at what you’re letting outsiders’ access. You can also check for yourself by going to the Help Center of Facebook.

Facebook has preemptively disconnected any apps that you may have previously granted permission to access your profile. When you go to log into those connected apps, it will prompt you to reconnect, as well as re-accept permissions (or revoke them). Think carefully as you reconnect and only provide permission to those apps that you trust and to parts of your profile that don’t have important information.

Whether your information was accessed or not, this should serve as another wake-up call to understanding what you share on all of your social media profiles. All social media users should look at the profile questions with a suspicious eye before you include that potential snippet of information.

 Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Customers who used Orbitz, a subsidiary of, to book travel or accommodations between January of 2016 and December of 2017 may have had their personal information accessed by hackers.

While the companies are launching a full investigation of the suspected breach, they have already determined that the unauthorized access was limited to payment card information. That means no Social Security numbers, passport numbers, or other highly sensitive information was gathered by the criminals.

These days, it might almost feel like a relief that the unauthorized access was limited to replaceable information like a credit card, but that false sense of relief can be attributed to a very real phenomenon known as data breach fatigue. Even if the harm only involves payment cards, this is still cause for concern.

Customers must first ascertain whether they used the travel site during the dates specified by the company. From there, it’s a good idea to review your account statements for any cards you may have used on the site, just to be sure you don’t see any unauthorized activity. It’s a good idea to change your Orbitz account password just to be on the safe side, and to make sure you haven’t used that same password on any other sites. Remember, passwords must be “unique” to every account you use for this very reason; if hackers gained access to your account information on one site and you’ve reused it on another account, they potentially have access to that account as well.

Events like this one serve as a wake-up call about account security. Make sure your passwords are strong, unique, and changed from time to time, and be sure to set up “card not present” alerts on your payment cards. That way, you’ll receive a text or email if the card is ever used online or over the phone, letting you take immediate action if the charge was fraudulent. Finally, now is as good a time as any to request a free copy of your credit report from Look it over carefully for any suspicious activity, and take action if you spot something out of the ordinary or that shouldn’t be there.

 Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

It’s been almost five years since the retail world was rocked by the Target data breach, an event that affected millions of US consumers’ credit card and debit card accounts.

The card numbers were stolen by cybercriminals due to malware installed in the point-of-sale system. Since that time, some other major-name companies have experienced similar data breaches. In the most recent event, a hack that stole customer information from Hudson’s Bay Company (the parent company of both Saks 5th Avenue and Lord & Taylor) shows that the same method of attack that affected companies like Target and Home Depot are still being employed.

security company called Gemini Advisory discovered a trove of stolen credit card information for sale online on March 28th. Analysis of the card numbers showed that they’d been used at stores owned by Hudson’s Bay Co., which led the retailer to look into the matter. While the investigation is still underway, Gemini Advisory feels that the 5 million stolen card numbers most likely were accessed via malware infecting the stores’ point-of-sale (POS) systems. That malware may have originated as a phishing email sent to company employees; clicking on the link in the email would then install the harmful software in their network and, from there, the hackers could have gained access to the credit card machines at the chain’s cash registers.

An official statement from one of Hudson’s Bay Co.’s retailers says no highly sensitive data like Social Security numbers or birthdates was accessed. By data breach laws, though, they are offering all affected customers free credit and web monitoring services and assured the victims that they will not be responsible for any fraudulent charges on their affected credit or debit cards.

Consumers can take further steps though, and these additional measures are always a good idea. It’s beneficialto set up purchase alerts or “card not present” alerts on your credit or debit card by contacting the issuing financial institution. This step will ensure you receive an emailed or texted alert any time your card is used without being physically present at the cash register, which is one way that criminals can use stolen card numbers. That means you can immediately see if your card is being used and call the financial institution before you get your statement.

We know you’ve heard to check your statements, but honestly we also know that most card users tend to just file them away. If you think that your data may be included in the breach, your statement will tell you if someone else is using your payment account info. Some issuers have a limitation on fraudulent charges, so better to stay on top of it then to get stuck with them.

Finally, remember to change your passwords and pin numbers on any accounts associated with that card. As always, be sure you’re only using that password on one account to keep criminals from accessing any other accounts you own.

 Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Data breaches continue to set records for numbers of separate events, numbers of compromised consumer records, and amounts of money they cost both businesses and the public. The Identity Theft Resource Center tracks those data breach events to help lawmakers, advocates, law enforcement and individuals be aware and stay prepared.

A new data privacy event is making headlines, but it’s not the same kind of breach we’re used to. In a typical data breach, someone intentionally or unintentionally allows sensitive data to fall into the wrong hands. In the Facebook / Cambridge Analytica case, the data was scooped up by someone who had permission to use only specific aspects of the data, but instead, is accused of scraping it beyond their permissions and using it for purposes beyond what they had agreed.

Facebook has suspended the access to its platform for Cambridge Analytica after learning that the UK-based company was using Facebook users’ data to target them with biased content. Investigations are still underway for activities dating back as far as 2014, and at this point, there is still some question about what data was accessed.

Facebook allows users to input a lot of information about themselves in their account profiles, but they’re also allowed to skip or make private certain key personally identifiable information. Your email address is used to log in, but you’re not required to list it, your hometown, your phone number, your place of employment, your religious or political views or other aspects of who you are. Some users opt to assign a credit card to their profile in order to pay for things like games or send payments to other users; others use the “log in with Facebook” feature in other apps, but that’s a convenience that comes at a price.

Some experts are likening this situation to “weaponized data” rather than a data breach. Users willingly gave their information to the company in order to use take advantage of one-step login,  use third-party apps, play games, take quizzes, and other social media features. What they didn’t agree to, and Facebook expressly prohibited, was the data scraping of their profiles to be used to target Facebook users with highly specific ads, essentially manipulating the posts they would see in their feeds. Moreover, this “information dominance,” as it has been called, gave some organizations a leg up on their competition due to the sheer volume of user profiles that had been gathered.

Additionally, one user does not have the authority to grant permission for another user. Just because a user is friends with someone that provided permission, the “friend” of that user doesn’t surrender their right to grant access to their profile. Users beyond those that originally granted permission to the application involved were unintended victims without any knowledge of how their data was also being used.

It’s important that social media users understand not only their privacy settings and the permissions they are granting when they opt into a third-party site or account, but also how their devices are involved. Some apps ask for access to your device’s location, contacts, files and more. A mobile app can easily lead to a site or another app that you didn’t know you were using and, therefore, didn’t know you were granting access to your data. Any connected site that lets you login by giving access to your Facebook account could potentially access your stored profile information. Know where your digital traffic is going—and where your data can end up—before you click.

 Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.