Internal data breaches occur when an employee of a company or organization uses his or her position to gain access to individuals’ personally identifiable information. Typically, the reason for accessing and gathering the information is so the employee can then sell it to identity thieves or use it to open new accounts and make purchases in the victims’ names.

Sometimes these breaches are accidental, such as when an employee accidentally downloads malicious software to a company computer or loses a company laptop with sensitive information stored on it. Of course, intentional internal data breaches are also prevalent, and occur when the employee begins stealing identifying information from data the company has gathered.

One Florida-based telemarketing company has experienced an internal data breach that almost looks too easy. How? Because the company in question, Advanced Tech Support (operated by Inbound Call Experts), is actually a PC repair and tech support company that can gain remote access to your computer if you’re having an issue. This remote access lets someone on a different computer use your computer in real time, and the scammers needed that ability to pull this off.

The fraudsters, posing as employees of ATS, seem to have been using the remote access feature to sift through the customers’ computers for online banking information, and even contacting customers to say that they owed money to the company, which they would say could be paid via wire transfer. They had to have gained access to the customers’ contact information somehow, and that’s where the internal data breach comes into play.

You might think no one would fall for this, but there’s another angle to this story. Advanced Tech Support and a few other companies were sued last fall by the Federal Trade Commission for some shady practices, so the scammers reached out to customers to inform them that they were owed a refund, either because they had been overcharged for services or because of the outcome of the class-action lawsuit. The fake employees told customers they would use the remote access feature to transfer the money back to the customer, but were instead trying to uncover stored sensitive information on the computer.

Making this story even more interesting is a warning that was posted on the ATS website, informing customers of the breach. It went on to state that the guilty party had been terminated, and that no credit card numbers had been accessed. However, this warning was removed after one news source contacted ATS directly to ask about the data breach.

While law enforcement can sort out the details of what has actually happened, there are some important things to remember about protecting yourself from this kind of scam:

  1. You will never be called out of the blue and sent an instant electronic funds transfer as part of a lawsuit settlement. These issues are handled via the postal system.
  2. Of course, electronic funds transfers also don’t require someone to access your computer.
  3. If you receive an unsolicited call from someone who wants remote access to your computer, hang up and call the company using a phone number that you’ve verified yourself—not a number the caller provided you with or one that was on your caller ID.
  4. If you’re ever in doubt about the veracity of the caller’s story, hang up. Even if the person states that an error has occurred—such as the overpayment ploy the scammers used in this case—you’re not required to respond or take action based on a phone call or email. Any legitimate correspondence will come through the mail so that you have a paper trail on the case.

Part of what made this breach work is the scammers were contacting people who already know very little about their computers… that’s why they had signed up for tech support packages with remote access in the first place. It didn’t take much to convince the victims to let them have access to the computer. It’s very important that you know how these issues really get resolved, and to listen to the little voice in your head telling you something might not be right.

Summer is here and though the kids may be on vacation, hackers certainly are not. According to the Identity Theft Resource Center’s Breach List and Data Report, data thieves have been working as hard as ever to get the personal identifying information of millions of Americans in 2015. Year-to-date, the 2015 ITRC Breach List has captured 400 breaches, spread across five industry sectors.

This weekly Data Breach Report is used by experts throughout the world to keep a finger on the pulse of the latest data breaches. During July’s #IDTheftChat, we will be taking a closer look at the ITRC Breach Report and providing insight into trends and important statistics from 2015, as well as past years. We will be joined by Byron Acohido, the Editor-in-Chief of Third Certainty, as our co-host. As an award-winning journalist and renowned security expert, Byron will be providing excellent insight and answers to participants’ questions.

This #IDTheftChat will take place at 12:00 pm PST / 3:00 pm EST on July 2nd 2015. Here are the questions for July’s chat:

  • What trends are you seeing in data breaches right now?
  • What are some concerns for businesses protecting their data?
  • What future trends in data breaches do you predict?
  • What should a business do if they have been breached?
  • What are some ways for a business to monitor if they have been breached?
  • What issues (financial, legal, etc) do businesses face if they are breached?
  • How can consumers monitor if their information has been stolen in a breach?
  • What should a consumer do if they receive a data breach notification?

In order to participate, users should follow the hashtag #IDTheftChat. Those who would like to participate can RSVP via online invitation. Anyone is welcome and we hope we will see consumers, businesses and organizations alike! Participants may find it helpful to participate through the #IDTheftChat TweetChat room which can be found at http://www.tweetchat.com/room/IDTheftChat. Anyone who has questions should contact ITRC’s Director of Communications at nikki@idtheftcenter.org. We hope you will join the conversation and bring your friends!

When news came out that the Office of Personnel Management—the agency within the federal government that serves as the HR department over government employees—had been hacked and 4.2 million citizens had their highly sensitive data stolen, that was cause for alarm. But now that the OPM has been hacked again, the damage is quite different.

The Standard Form 86, a highly in-depth 127-page document, requires detailed information on every aspect of the applicants’ lives. Covering everything from education and previous employment to medical conditions, addictions, and mental health issues, this form basically lays everything about the applicants out for others to see.

Unfortunately, the form also asks for contact information for relatives and friends, former teachers, former military service supervisors, former employers, and many other people who can vouch for the applicant. The form then requests the phone numbers, addresses, email addresses, and other identifying items for those individuals that were listed on the document.

That means that any applicant who has applied for a security clearance via this form has now handed the hackers detailed identifying information of many people. If even half of the four million accounts that were hacked filled out this form and applied for a security clearance, and if those people listed only ten contacts each over the scope of the lengthy form, then the contact information for as many as twenty million people could have been breached. The numbers are not known at this time as to how many extra contacts were affected.

It’s tempting to think to yourself, “So what? It’s just some phone numbers and email addresses.” But there are some problems associated with even that amount of information falling into the wrong hands. The first threat is that the personal data can be used as pieces of a bigger identity theft puzzle. Next, there is the very real danger that the listed contacts will be targeted with phishing emails or have their information sold to crooks. Finally, there’s the fear that the contact information will be used for extortion; after all, these are people the applicants knew well enough to list on their documents. It’s easy to see how a criminal could reach out to those individuals and demand money in exchange for keeping real or fictitious harm from coming to the applicants.

While the OPM isn’t able to comment on the breaches as an investigation is still underway, there are some things you should remember at this time. You may or may not even know if your name was listed on someone’s 86 Form; after all, it wants the names of former landlords, former teachers and classmates, and more. Therefore, now is the time to brush up on phishing awareness and avoid any strange emails, texts, or unknown phone calls. Never click a link in an email that you weren’t expecting, even if it appears to come from someone you know. If you receive a communication stating that someone you know is being threatened, be sure to confirm it before taking action or following instructions. Safeguard your avenues of communication, and be on the lookout for suspicious activity.

Another week, another breach. That is how it seems these days. However, even once a breach has left the headlines, consumers need to keep their guard up because scammers and identity thieves don’t just stop with their initial stolen goods.

People often wonder what happens to consumers’ data following reports of a major breach like the Anthem health insurance breach or the Home Depot breach. With millions of customers’ information potentially floating around, what happens to it?

The IRS might have just found out.

The government agency reported a hacking event recently that seems to have come from bulk access to a lot of consumers’ information. To clarify that, the IRS wasn’t “infiltrated” in the traditional sense that we think of when hackers break into a company’s network; instead, the thieves had the necessary information to log into the stored information of approximately 100,000 citizens, browse around through their tax return status, and then do further harm. Another 100,000 citizens had breaches of their statuses attempted, but the hackers were not successful in those cases.

For those victims whose tax returns were actually breached by the hackers, the threat initially involved stealing the tax refunds of people who were still awaiting their payments. There is now an increased likelihood of follow-up scams against those individuals, such as someone contacting the victims while posing as an agent of the IRS. Such contact typically includes claims that returns were invalid, that more taxes were owed, or simply that there had been a hacking and the victims need to update their credentials. However the contact is made, it’s all designed to steal personally identifiable information from the victims while duping them into paying more money.

For now, the IRS is warning consumers to be on guard against fraudulent communications from scammers who pose as IRS agents. Those whose returns were actually accessed will be offered credit monitoring services, but the one hundred thousand consumers whose returns were attacked but not infiltrated are being warned that someone already has their information and is selling it on the black market. They must guard against future identity theft attempts by being vigilant about their data protection and monitoring their credit reports frequently. All consumers, whether their tax information was accessed or not, must remember that the IRS will never send communication via email or phone call; all official correspondence from the IRS will come in the form of a mailed letter, and any other forms of communication are not genuine.

Back in 2008, Heartland Payment Systems, a credit card payment processing center, suffered a data breach that exposed an estimated 130 million credit and debit card accounts to hackers. While this event was certainly a big deal at the time, a more recent data breach of its payroll processing system may have even bigger consequences.

According to the company, a break-in at their offices resulted in the physical theft of computers containing personally identifiable information such as names, addresses, and Social Security numbers. Because the computers belonged to their payroll processing department, where other businesses contract with Heartland to handle the payroll for their employees, the stolen information also included bank account numbers for the affected consumers.

While Heartland’s official comment on the incident hasn’t indicated the type of computers involved, experts have cautioned that if the stolen items were laptops, the information should be safe. State law requires mobile devices that store PII on consumers to be encrypted; if the stolen items were desktop computers, though, that protection isn’t in place unless Heartland voluntarily chose to require password protection on the devices. There is always the chance that the thieves were after tech that can easily be cleaned out and sold, so it’s still possible that their goal wasn’t identity theft.

This is one of those incidents that will hopefully help consumers see the need for constant, vigilant monitoring of their own credit scores, financial accounts, and identities. Unlike credit card breaches where the credit card companies have their own built-in monitoring systems—like the kind that will send up a red flag if any suspicious activity occurs—and have the ability to simply cancel a credit card and issue a new account number, this issue affects a far more permanent system of Social Security numbers (collected for tax reporting, as this is a payroll processing company) and bank account numbers. That means their information may now be “out there” and available for any thief who wants to use it or any black market buyer who wants to pay for it.

While customers whose information was lost in the breach will be offered credit monitoring services, this is a good time to remind even those consumers who were not impacted about the need for watching out. Make sure you’re carefully reading any statements that come to you, and be mindful of any suspicious activity. Remember to order your credit reports throughout the year—you’re entitled to one free report from each of the three reporting agencies in every 12-month period, so stagger them throughout the year to get a continuous look at your credit—and report anything that doesn’t seem right. If you have already been the victim of a data breach, be sure to take advantage of the credit monitoring that’s offered to you, and consider putting alerts and freezes on your credit reports in order to minimize the chances that a thief can use your identity to open new accounts.

Some 64 million members of an online dating site have reason to be a little more cautious today after news broke that AdultFriendFinder had suffered a data breach. The scope of the breach isn’t yet known, but the company is already alerting users to the fact that names, addresses, email addresses, sexual orientations, marital statuses, and other sensitive information may have been accessed.

The dating site, which bills itself as a website where members can find other interested parties for casual sex or other spontaneous meetups, is part of a much larger parent company called Friend Finder Networks, which has more than 600 million members across its 40,000 websites.

There are always questions when a data breach occurs, and one of the major ones for consumers is, “What will a thief do with my information?”

If credit card information or Social Security numbers are stolen in a breach, then there’s a good chance there could be financial repercussions. But if those pieces of the puzzle are missing, there are still plenty of ways the data can be useful to a thief. Email addresses can be used for phishing attempts, but can also be sold to online marketers for spam. Physical addresses can lead to mail fraud and “dumpster diving,” which can then easily turn into other potential forms of identity theft, scams, or fraud.

But whenever a “mature” website or similar online activity is at the heart of the crime, there is another concern. While this type of crime will hopefully never befall a victim of identity theft, there is always the potential for extortion. Given that this data breach included highly personal information that many of the members might not want shared, it’s alarming to think that a thief could extort money from some of the members in exchange for not blasting the news of their participation in a site dedicated to sexual relationships with strangers. This practice has unfortunately become so commonplace in the world of social media that it has its own term, sextortion.

Unfortunately, at this stage in the investigation of any data breach, the company involved and the forensic team they’ve brought in to uncover the extent of the damage cannot discuss the details. An official statement from Friend Finder did have this to say: “Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.”

Whenever news of a hacking event or data breach comes out, there’s always the logical question: what will a thief actually do with the information? Whether it’s just accessing your name or email address or actually infiltrating the files that contain more sensitive information like credit card numbers or Social Security numbers, the real threat is in how that information can be used.

Depending on who caused the attack and what information was gleaned, there are a lot of options. It might be a simple matter of selling batches of information on black market internet sites, or it could be opening accounts in the victims’ names. If SSNs were stolen, it could lead to tax refund or employment and benefits fraud. It really all depends on what the thieves were able to find out.

But a new issue has cropped up involving Starbucks’ gift cards and its mobile payment app, and this one is so twisted that it takes a map to keep track of the aftermath. Basically, many consumers who have these payment methods set up to auto-reload—meaning their credit cards are associated with the gift card or app via the Starbucks website, and their mobile accounts will automatically refill off that credit card once a pre-determined balance is reached—are finding their cards charged, drained, and reloaded over and over. One customer who spoke to industry watcher Bob Sullivan actually watched this process happen on her phone in real time, although Starbucks has formally stated that there’s no evidence that the mobile app for payment has been breached.

Since Starbucks gift cards are a common gift or promotional item, the Starbucks site also lets you combine different gift cards. If you’re carrying a card in your wallet with six dollars left on it and you receive a new card from your boss for employee appreciation day, you can combine the cards into one balance right there on the website. Since using your same registered gift card and refilling it gives you rewards points, many people choose to transfer the balance from a new gift card to the one that they have stored in the Starbucks computer… and it’s also the one they have set to auto-reload off their credit cards.

That’s where hackers step in. They simply log into your Starbucks account, change the email address associated with your account to one that they control, and then link all of your gift cards to a new one that they have possession of. Then when they drain your gift card balance and put it on their own cards, your credit card kicks in and adds money automatically without the thief ever having to know your credit card details. Then they simply repeat the cycle, as many times as they want, all in a matter of a few minutes.
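The drain-and-auto-reload cycle described above, modelled from the defender’s side as an added example (this is not code from the original post or from Starbucks): a constructed event stream for one account is run through a permissive reload policy and two hardened ones, a reload velocity cap and a cooling-off period after a contact-email change. All class names, thresholds and events are assumptions.

```python
"""Added example: how a reload policy bounds the damage of the gift-card
drain/auto-reload cycle. Every name, threshold and event here is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ReloadPolicy:
    threshold: float = 10.0          # auto-reload when balance falls below this
    reload_amount: float = 25.0      # amount charged to the linked credit card
    max_reloads_per_hour: Optional[int] = None          # None = no velocity cap
    cooloff_after_contact_change: timedelta = timedelta(0)  # 0 = no cooling-off


@dataclass
class Account:
    balance: float
    policy: ReloadPolicy
    last_contact_change: Optional[datetime] = None
    reload_times: list = field(default_factory=list)
    charged_to_card: float = 0.0     # total pulled from the victim's credit card
    drained: float = 0.0             # total moved off the card by the attacker
    alerts: list = field(default_factory=list)


def reload_allowed(acct: Account, now: datetime):
    """Hardened checks: suspend auto-reload for a while after the contact
    email changes, and cap how many reloads may happen per hour."""
    p = acct.policy
    if (acct.last_contact_change is not None
            and now - acct.last_contact_change < p.cooloff_after_contact_change):
        return False, "auto-reload suspended after contact-info change"
    if p.max_reloads_per_hour is not None:
        recent = [t for t in acct.reload_times if now - t < timedelta(hours=1)]
        if len(recent) >= p.max_reloads_per_hour:
            return False, "reload velocity cap reached"
    return True, ""


def apply_event(acct: Account, event: dict) -> Account:
    kind, now = event["type"], event["time"]
    if kind == "email_change":
        acct.last_contact_change = now
    elif kind == "transfer_out":
        # Balance moved to another card; defaults to a full drain.
        amount = min(event.get("amount", acct.balance), acct.balance)
        acct.balance -= amount
        acct.drained += amount
        if acct.balance < acct.policy.threshold:
            ok, reason = reload_allowed(acct, now)
            if ok:
                acct.balance += acct.policy.reload_amount
                acct.charged_to_card += acct.policy.reload_amount
                acct.reload_times.append(now)
            else:
                acct.alerts.append(f"{now:%H:%M} {reason}")
    return acct


def simulate(policy: ReloadPolicy, events: list, opening_balance: float = 20.0) -> dict:
    acct = Account(balance=opening_balance, policy=policy)
    for ev in events:
        apply_event(acct, ev)
    return {"charged": acct.charged_to_card, "drained": acct.drained,
            "alerts": len(acct.alerts)}


T0 = datetime(2015, 5, 13, 9, 0)
# Constructed attacker sequence: swap the contact email, then drain the
# registered card to another card six times in twelve minutes.
ABUSE_EVENTS = [{"type": "email_change", "time": T0}] + [
    {"type": "transfer_out", "time": T0 + timedelta(minutes=2 * i)} for i in range(1, 7)
]

PERMISSIVE = ReloadPolicy()
VELOCITY_CAP = ReloadPolicy(max_reloads_per_hour=2)
HARDENED = ReloadPolicy(max_reloads_per_hour=2,
                        cooloff_after_contact_change=timedelta(hours=24))

if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE), ("velocity cap", VELOCITY_CAP),
                         ("hardened", HARDENED)]:
        print(f"{name:13s} {simulate(policy, ABUSE_EVENTS)}")
```

Under the permissive policy the victim’s card is charged once per drain; the velocity cap alone stops the cycle after two reloads, and the cooling-off period after the email change blocks every reload, leaving only the opening balance exposed.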

What can the hacker do with a fully-loaded gift card? Use it himself or sell it on the black market. Gift card fraud has grown in recent years, and in some cases thieves simply use the gift card to purchase high-end items which they then sell online, pawn, or return for cash, depending on the store’s policies.

In order to protect yourself from this and other similar types of gift card fraud, you must have strong, unique passwords on all of your online accounts: make sure your password is a long combination of letters, numbers, and symbols, and do not use the same password on multiple websites and accounts.

Whenever I speak publicly, I always talk about how information technology and hacking are the “sizzle” that helps create the headline news for data-breach events.

However, this week’s news that 31 world leaders, including President Obama, had their personal information breached, including name, date of birth and passport number, should remind employers and employees that human error is a significant factor in data breach events. In this case, an Australian immigration service employee mistakenly e-mailed the sensitive information of those world leaders days before November’s G-20 summit in Brisbane, Australia. However, the Australian immigration department did not report the breach to the world leaders even though it was a clear violation of the privacy laws of three of the affected countries, namely the U.K., France and Germany, all of which require mandatory notification for data breach victims.

Well, it gets worse. In IBM’s 2014 Cyber Security Intelligence Index, “95 percent of all security incidents involve human error.” According to IBM’s report, “many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.” In January, Vormetric, a data security firm, released its 2015 Insider Threat Report and found that 93 percent of U.S.-based organizations surveyed believed that they were vulnerable to insider threats.

The Vormetric survey received responses from more than 800 organizations worldwide. I read with great interest the following four highlights:

  • 59 percent of U.S. respondents believed privileged users posed a threat to their organization.
  • 46 percent named contractors and service providers as a risk to their organization.
  • 43 percent said that business partners were a threat.
  • 59 percent agree that most information technology security threats from insiders are the result of innocent mistakes.

I believe businesses, especially small- to medium-size businesses, need to understand that current and former employees, vendors and even customers are a potential source of a future data breach event, whether it is an accidental release of information or an act of malicious intent. For the purpose of transparency, half of my company is in the ID theft and data breach risk management business and the other half is in the background screening and behavioral testing business. My colleague Jim Collins, a longtime background screening expert, said that “as per industry best practices, businesses should not underestimate the insider threat.”

Collins said, “While most organizations require background checks at the time of employment, very few employers conduct regular screening of their employees, such as annual background checks.” This means that longtime employees who have access to the most sensitive personal, company and proprietary information could be a threat based on “unknown changes in that employee’s personal and professional life,” Collins said. The Vormetric threat report said that “almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”

Mark’s Most Important: It doesn’t take the president or world leaders to recognize that employees — or even you — can make a mistake in data management and protection. Focus on increased employee education on information security.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.

When the retail shopping chain Target experienced a large-scale data breach in 2013, consumers and advocates alike flew into a near-panic mode. It was an eye-opening event, to be sure, and one that has been repeated with a number of other large retailers. While the end result was hundreds of millions of dollars in damage to the corporation, the plus side to it is consumers are more aware than ever about the potential for data breaches.

On the other hand, when the Anthem healthcare breach happened more recently, consumer outcry was far quieter even though healthcare data breaches stand to cause far more damage to citizens than a retail data breach. To understand why, you have to uncover what it is that cyber criminals get in a healthcare breach and what they can do with it. So many consumers are largely unfazed since their financial information isn’t accessed, but there is a much larger problem they may now face.

In the famous Target data breach, hackers accessed the credit card and debit card information for an estimated 70 million to 110 million customers. Some of those individuals also had their names, addresses, email addresses, and phone numbers accessed. The damage a hacker can do with that information is still very serious, but the thieves would typically rely on tactics like phishing email campaigns, selling the information to spammers, or other additional action ploys.

So what can a hacker gain during a healthcare data breach? Your name, address, Social Security number, family members’ names and Social Security numbers, employers’ name, bank account numbers, and more.

According to a study by Kaiser-Permanente, there were around 1,000 medical data breaches between 2010 and 2013; 29 million individual health records are believed to have been accessed by criminals in those breaches. Five states—California, Florida, Illinois, New York, and Texas—accounted for more than one-third of all the medical breaches in the country.

But consumers still seem to respond more proactively to retail data breaches than to medical data breaches. If you receive a letter informing you that your credit card number was accessed by a cybercriminal, what do you do? You get a new credit card from your account issuer, and the old account number is useless. But how do you go about getting a new Social Security number if hackers access your medical information? You don’t.

A financial data breach is serious and must be acted upon immediately, but it’s vital to remember that a healthcare data breach is potentially even more serious. A hacker can use your identity for years to come once he gains access to that level of personally identifiable information.

There are steps you can take to minimize the potential for problems in a healthcare data breach, and most of it comes down to what you choose to share with your health care provider. On the required forms in the doctor’s office, are you using your physical address, or a post office box if you have one? Are you listing your Social Security number, even though it’s not required for medical treatment and is legally not to be used as an identification number? Are you providing the doctor’s office with a check (which contains your bank account number), or paying by credit card and then paying that off immediately?

While certain pieces of information are going to be included in your health insurance profile, the trail you leave behind in the provider’s office is a good place to start with preventing identity theft. By adopting an air of caution when it comes to your information, you can work to minimize the effects of a medical data breach.