Back in 2013, news of a data breach affecting a major retailer took consumers by surprise. Industry watchers, law enforcement, even legal teams had a vested interest in what went wrong, how the victims would recover, and how to prevent it in the future. Not long after, more retailers were hit, leading many experts to wonder if there was a connection.

Also during this time, federal government agencies were being hacked. Both the Office of Personnel Management (OPM) and the IRS—to name only two agencies—were breached, with the OPM actually being breached twice. Millions of Americans had their Social Security numbers and other identifying information stolen, and the number of fraudulent tax returns and identity theft reports has gone up.

For all the headlines that crop up when any major organization or corporation is hacked, the sad truth is that there are hundreds upon hundreds of data breaches each year. In fact, since the Identity Theft Resource Center first started keeping tabs on the numbers of data breaches in 2005, the number has grown almost every single year.

However, with the constant news of data breaches, are consumers losing sight of the threat? Are we becoming complacent, and seeing data breaches as just another 21st century fact of life? Hopefully not. In fact, it is important to know how a data breach occurs and what information is compromised in order to understand how you might be impacted.

Data breaches can be broken into two categories, accidental and intentional. An accidental breach is just what it sounds like: someone inadvertently made sensitive information available to unauthorized people. It could be something like the recent Hellgate High School breach in which a school administrator attached the wrong document to an email and sent more than 1,000 current and former students’ records to dozens of people. An accidental breach could also be something like a security flaw in a website that accidentally invites anyone in to take a peek at all of the employees’ or customers’ records. In either case, no harm was intended, but security was violated.

An intentional breach, though, happens when someone actively goes after information. Again, this can manifest in different ways. A high-tech cybercrime ring can hack into a network and steal thousands or even millions of sensitive records, typically with the goal of selling those complete identities on the dark web. A low-tech version might be an employee accessing sensitive information at work, copying it all down or downloading it, then using it or selling it to criminals.

In any data breach, regardless of how it came about or what the intended purpose was, the victims will receive a notification letter as required by law. The letter itself is critical since it will tell you exactly what information was compromised, what steps you should take to move forward, and what reparations the company may be offering to help safeguard you as much as possible. The letter also serves as a measure of proof that your identity has been compromised, in case you are affected by this crime further down the road. It’s important that victims of a data breach take it very seriously, follow those steps outlined in their notification letters, and then save the letter with other important papers.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

An unfortunate computer user mistake led to one school administrator resigning from her job and more than 1,000 people having very personal information inadvertently shared with dozens of people. Last December, a Montana high school assistant principal attached what she thought were meeting notes in an email to around thirty parents, but the attachment actually contained identifying data, medical records, discipline records, and even mental health data on more than one thousand current and former students of that school.

As in any data breach, one of the first steps is to figure out how the information leak happened. The Missoula County Public School District hired a forensic investigation firm to sort through the issue and make a determination. From what investigators pieced together, after collecting several school computers and conducting a search, the culprit was nothing more than an accidental “cut and paste”-type issue. The administrator may have thought she was cutting and pasting (or dragging and dropping, in other computer parlance) the meeting notes she’d typed up, but the resulting attachment was access to a file that school officials use throughout the work day.

Unfortunately, in this era of record-setting numbers of data breaches and high-tech cybercrimes that can cost billions of dollars, it is easy to forget that sometimes a simple user error can have the same result as a large-scale data breach. This is why CEO phishing is such an effective, costly, and growing form of data breach; more than 120 companies have been the victim of a CEO phishing attack in the first five months of 2016 alone, all due to an employee making a costly mistake. Over the last few years, other large-scale and widely publicized retail data breaches have occurred due to employee errors like clicking on scam links in emails, downloading harmful content over the company’s wi-fi, or failing to implement effective antivirus software.

Accidental data breaches, like the one that which occurred at Hellgate High School, often result in mixed emotions. On the one hand, it was an accident, pure and simple. However, at the same time, regardless of the intention, potentially damaging and confidential information was shared with people who had no right to it. That is why the aftermath of an incident like this one involves figuring out how to prevent this type of mistake in the future. It should also serve as a reminder to all citizens to be careful about what information they share with outsiders. Even without any malicious intent, your Social Security number, your medical profile, even your mental health status could end up in the wrong hands, so make sure that everyone you trust with that information is going to safeguard it, and actually needs it in the first place.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

Anyone who’s familiar with the popular “professional world” social media site LinkedIn has probably already heard the news of their data breach. Hackers reportedly gained unauthorized access to millions of user names and passwords; this is slightly more alarming than a typical credit card breach due to the fact that LinkedIn users are representing their professional lives on the site. The potential for harm to their businesses and their reputations is quite real.

Before anyone gets too worried, though, remember…this breach happened four years ago. But there have been new revelations about the data that was accessed in that breach. Data that was stolen back in 2012 has now appeared online for sale, meaning someone is still attempting to use and profit from the personal profiles.

This has prompted the company to urge its users to change their passwords again, just to be on the safe side. Again, it’s not a new breach, but rather a new use for old information. LinkedIn isn’t taking any chances, though, and they’ve emailed the affected users to remind them to take certain steps. The company has also said it’s a good idea for everyone to change their passwords, affected by the breach or not, just to be on the safe side.

There are two highly important takeaways from this whole situation. The first should actually be common sense: once a thief has stolen your information, it’s not a once-and-done deal. This is why Social Security numbers are so much more lucrative than credit card numbers, for example. Credit card numbers can be changed or even just expire on their own, but Social Security numbers can net a thief a big profit for years to come. If there is a way to use stolen information more than once, you can bet a thief will do it.

But the other very important truth in any situation like this is the potential for scams. Phishing emails have already begun to circulate, piggybacking off the headlines associated with the LinkedIn announcement. Recipients are being told to click the link to reset their passwords, which will undoubtedly install harmful software like viruses on their computers.

The genuine LinkedIn warning email contains no link. It simply offers an explanation as to what happened, and then lists the steps users should take. The first step is to go to on their own and change their passwords. Again, there is no “click here” link in the genuine email, mostly because you should never, ever click an unsolicited link that you receive. (It’s also fun to point out that the scammers in the phony LinkedIn emails aren’t even trying…they didn’t even capitalize the name of the company.)

Remember, anytime there are headlines for a major event—a natural disaster that leads to phony charity scams, a specific news story that expects the public to take action, or even reports of a data breach that urge consumers to be watchful of their accounts—scammers will do their best to take full advantage. Keep a close watch on your emails, social media messages, and other anonymous sources of communication in order to avoid being scammed.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

It would be a shame if consumers ever reached the point where news of a data breach did little more than raise eyebrows. But that’s the sad impact of having so many consumer records stolen by cybercriminals on a regular basis. Hopefully, news of this recent data breach will be more cause for alarm.

Investigators anticipate that more than 29,000 emergency room patient records were compromised in an apparent accidental data breach of Indiana University Health Arnett Hospital. The records, which were downloaded to a USB drive, contain names, addresses, personal information, and medical records for patients treated in the past year. It doesn’t appear as though Social Security numbers were impacted, but that remains to be seen given that many hospitals and medical offices still use SSNs as identification numbers and to run credit checks on patients.

According to, the flash drive contained spreadsheets of the patient records, and the flash drive wasn’t encrypted or password protected. Another source also says that this information was limited to emergency room patients, and that the flash drive went missing from the emergency room’s office. Why the data was on a flash drive in the first place is also unknown, but the lack of security on it means that anyone with access to a computer can retrieve the information.

Unfortunately, the hospital had this to say: “Patient medical record information is kept on a secure server. This is not the standard method of storing patient data. Officials cannot be certain an incident will never occur, however, they are taking steps to minimize the chance of such an incident occurring in the future.” That means that the information should (in theory) have never been on the flash drive in the first place, especially if hospital policy is to keep that information on a secure server. It’s hard to believe the data appeared on a flash drive by mistake, and that it went missing for any reason other than a malicious one. At this time, however, the hospital has not received any complaints that patients’ information has been used without authorization.

So what are patients supposed to do? The hospital will be sending out letters to affected patients that explain exactly what information was compromised and what steps the hospital will be taking to protect patients. Anyone who receives such a letter should follow the instructions, and if credit monitoring is offered then those patients would be wise to take advantage of it.

This event should also serve as another eye-opening warning to patients who may not yet have been affected by a medical data breach—although, given the number of events per year and the enticing information that hacking a medical facility can produce for an identity thief, that number of people is shrinking every day. When you’re presented with a clipboard full of forms and a pen, ask yourself why the facility needs such detailed information, and then ask the employee what they plan to do with it. Inquire about the safety protocols of the facility, but also remember that those protocols are only as good as the employees who adhere to them. If you’re in doubt about the security of your information, remember that you’re not required to turn it over in order to receive emergency medical treatment.

Last summer’s widespread hacking of several major universities may be behind us, but the effects of knowing that prying eyes were able to infiltrate a secured network is unsettling. Unfortunately, those concerns have only been renewed for one university in the wake of a brand-new, seemingly unrelated data breach.

Investigators have linked last summer’s breach of a handful of University of Virginia faculty email accounts to Chinese hackers, but the latest data breach is far more alarming. Thanks to a phishing email that instructed the recipients to enter their university user names and passwords, more than 1,400 personnel payroll records have been accessed from UVA’s human resource department. While the details of the stolen information aren’t yet clear, payroll records typically include Social Security numbers and birthdates; since the university is providing a year of credit monitoring to the affected victims, it’s very likely that this level of information was compromised.

The days of students hacking into school computers to change their grades may seem long gone. At the same time, 1,400 payroll records are chump change compared to the extent of some notorious data breaches in the past. So what would make hackers go after college faculty members? Apart from the obvious potential for identity theft, there is always the possibility that the information gleaned on a university professor can lead to access to highly sensitive research, as well as the option to pose as that professor in communicating with other researchers to steal information.

Unfortunately, phishing email scams continue to be successful because of the very connected nature of our lives. Even five years ago, receiving an email with instructions to do something unheard of might not have worked, but with so much of our lives going digital, it’s all too easy to fall for a scammer’s tactics.

In order to avoid falling for a scam email, there are a few easy rules to follow. If you refuse to break these rules without verifying it first, you’ll be less likely to expose your entire network to a hacker:

  1. Even if the email looks legitimate, never click on a link or attachment if you weren’t expecting it. The account might appear to come from your family member, your co-worker, or even your employer, but as the UVA personnel hacking shows, a cyberthief can take over an email account and send a virus to everyone in that person’s email contact list.
  2. If you suddenly get an email from someone you haven’t heard from in ages—especially one that contains a link or an attachment—beware. The hacker who stole that person’s email account simply sent the same email to everyone in the contacts list or the sent mail history, which means he had no way of knowing you haven’t emailed this person in years.
  3. Watch out for odd language or poor grammar in an email, but remember that cyberthieves are getting more and more sophisticated. The laughable “Nigerian prince” emails with their “my dearest blessed one” greetings and strangely worded narratives are still out there, but serious hackers are getting better and better at masquerading as someone else.
  4. If you’re ever told that you sent a strange message, there’s an excellent chance your email address was hacked. Change your email password immediately, and monitor your online accounts for any strange

As a consumer, I think about how my information may still reside with a tax preparer or doctor that I have not done business with in 10 years, especially when I read stories of a data breach because of inactive customer information being stolen from an unsecure environment.

Businesses, especially small to medium-sized businesses, need to incorporate a formal document retention and destruction policy. Next, communicate your policy to employees so they understand their responsibility in safeguarding customer information, and to customers so that they have confidence in conducting business with you. High-profile data breach events are just one part of the identity-theft epidemic in the United States. Your past business relationships where your personal information resides is another high-risk factor.

For example, how many of you have worked for the same company your entire life? I suspect very few of you have had only one job. Think about all of the personal information we have left with our past employers including name, address, Social Security number, driver’s license and even bank account information (for direct deposit). And it’s not only past employers, but also their vendors, such as health insurance, dental insurance and supplemental insurance companies, along with payroll service and others where your personal information and even the personal information of your family have been used.

But there is more. Think of any past relationship, including every doctor, dentist, tax-preparation service, auto dealer, bank, school, mortgage broker, student loan servicer and any organization to which we have submitted personal information. Ask yourself, where is your sensitive information being stored today, how is it being secured, and what are the document retention and destruction policies of these organizations? A great resource for business owners is ARMA International, a non-profit professional association and authority on managing records and information. ARMA developed and published principles to foster general awareness of information governance standards.

You can learn more about ARMA’s “Generally Accepted Recordkeeping Principles,” which detail  how to properly retain information as organizations are creating and storing more information than ever before, mostly in electronic form. In addition to document retention, the shredding of documents containing sensitive employee and customer information has become a high priority because of identity theft, data breaches and stolen trade secrets and client information.

Here are some basic shredding tips that your business should include in its information security and governance best practices:

  • Documents destruction services: Choose a company that knows state and federal laws governing storage and destruction of documents. Important things to know include understanding the difference between hard copy document and electronic document requirements.
  • Choose the right shredder: A cross-cut shredder (versus a standard shredder that simply shreds documents into long horizontal strips, some so wide that you can still make out individual words) cuts the paper from two directions and makes it much harder for someone to reconstruct the document.
  • Document destruction compliance is the law: The state and federal regulatory environment regarding information security and governance, including document destruction will be enforced with fines and penalties that could negatively impact your business.

Mark’s most important: Identity theft and data breach can bring a business down. Review and update your document retention and destruction policy each year and communicate your policy to employees and customers.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at

This article was originally published on and republished with the author’s permission.

With the tax return filing season fully here, identity thieves are ramping up their work in order to beat consumers to the punch. Two online filing companies—TaxSlayer and TaxAct—have already discovered that they were the victims of an outside data breach last fall, one that compromised the highly-sensitive personal identifiable information for many of their customers.

TaxAct was breached in November by unauthorized third party hackers who accessed an estimated 450 clients’ records; this led the company to also suspend an additional 9,000 users’ accounts after they noticed suspicious activity. This week, TaxSlayer announced that it, too, has been the victim of a third party data breach, but this time the thieves were a little more successful, making off with the complete 2014 tax returns of around 8,800 users. In that event, thieves were able to access anything that appears on a completed or draft tax return, including names, birthdates, Social Security numbers, and even dependents’ SSNs.

While there’s no information yet about whether or not the two hacking events are related, there is a striking similarity: in both cases, the security protocols of the companies were not interrupted or misconfigured. The hackers had access to the customers’ user names and passwords, which the companies believe the thieves got from an online source.

Here are some vital steps to take if you’ve received a notification letter from either of these two companies:

  1. File immediately – Stopping an identity thief from stealing your refund is a race against the clock. Considering that this information was stolen between October and December of 2015, there’s an excellent chance that your tax return has already been filed fraudulently, but that’s no reason to throw in the towel. On the off-chance that the thieves haven’t filed a return yet—or that the less likely reason for the hacking wasn’t for tax refund fraud—it’s still possible that your 2015 return is safe.
  2. Change your user name and password – Your letter should have told you to change your user name and password on your tax prep account, but also on all of your other internet accounts. The hackers found your information on an external website and used it to break into your tax prep account; that means they can be going after your email, your online banking accounts, your credit card accounts, and more, especially if you’re using the same password repeatedly.
  3. Take advantage of the credit monitoring – As part of the notification process, your letter offered you a year of free credit monitoring and contained a PIN number you would need in order to set that up with the contracted company. Do NOT disregard this offer! It’s crucial to helping you stay on top of what damage thieves may do with your information, and it also contains liability insurance that protects you from whatever they do with it.

Remember, you don’t have to receive a notification letter to take some of these steps. If you’ve used these or other tax preparation services in the past, it’s a good idea to change your username and password, just to be safe. Of course, filing immediately also means your return is safe if thieves have accessed your information in some other way, and it helps you get your refund faster.

Some current and former university students and staff may be in for a rude awakening when it comes to their personal identifiable information: it may have been compromised in a recent data breach of University of Central Florida servers.

The breach, which was discovered last month and immediately turned over to law enforcement, compromised the names, birthdates, Social Security numbers, and other pertinent information of 63,000 people who had ties to the university. The University has mailed out notification letters to individuals who were affected by the breach, and did note that no grades, credit card numbers, or scholarship details were impacted. Interestingly, there seem to have been two key groups affected by the event: one was current and former student athletes, and the other was University employees.

This is the latest in a growing list of data breaches at colleges and universities, and there may be multiple reasons—related or not—as to why hackers are going after schools. In the first instance, higher education institutions conduct a lot of research, some of it paid for by government agencies, pharmaceutical companies, and other corporations. Access to this research can be highly sought after since it has a lot of value to other researchers or companies, especially where patents, intellectual property, and occasionally even top secret data are concerned.

Another possibility is the “clean slate” approach to stealing young people’s identities.  Given that many of the targets were college students, the use of their Social Security number to obtain credit is plausible, as opposed to trying to buy a car with a six-year-olds identity, for example. Additionally, it provides clean credit to use without the already established debt and the likelihood of discovery that adults’ identities can have.

Whatever the hackers’ purposes in breaching the university’s servers, it’s vital that all students and employees at UCF change their passwords immediately. It’s unlikely that the hackers only stole 63K records and then stopped because they were unable to access more; changing school-issued passwords and protecting accounts that cross those servers is crucial.

In the case of the notification letters, it’s critical that the affected UCF community—and all consumers who receive a notification letter for any breach, by the way—follow the instructions in the letter completely. Depending on the type of information that was stolen, a notification letter offers important help. It informs the victims of what information was compromised, and may offer them free credit monitoring if things like Social Security numbers were stolen. In more dire circumstances, it can even serve as proof that you may have been the victim of identity theft; this can be every helpful if you ever need to prove your innocence of unauthorized charges, new accounts, or even criminal charges down the road.

One of the commonalities in any kind of data breach—no matter whom, no matter how big or small—is that consumers put their trust in someone and then that trust was violated. Whether it’s turning over your medical records to a hospital or entering your credit card information on a website, we have an expectation that the people in charge will protect us.

Unfortunately, all too often, that trust can be a little misplaced. In this report from a Texas-based news team, even in accidental data breaches consumers have little to no recourse when the people in charge of their identifying information aren’t worthy of controlling it.

As the article states, the Dallas-Ft. Worth CBS I-Team discovered a public records website for Dallas County that contained the names, addresses, phone numbers, Social Security numbers, and more for thousands of area residents. Worse still, this website was maintained by the county courthouse and contained this information on anyone who’d filed court proceedings going back over a decade. In many instances, even children’s identifying information was listed for the entire internet to access.

The story only gets worse, however. The I-Team reached out to the courthouse and was directed to the circuit clerk, who was the only one with the authority to take down the website. The initial clerk response was one of dismay, and the news outlet decided not to immediately make this story public out of fears that identity thieves would flood the system to get the data.

Later, the circuit clerk felt that the danger to the citizens was less imminent than the difficulty the court system faced if the website was taken down. For months, the news team worked to get the site taken down, taking the matter all the way to the Texas State Supreme Court. In every instance along the way they were told that the only person who could remove the site was the circuit clerk.

One person held all of the authority to protect or compromise tens of thousands of people’s identities, and for more than six months after calling attention to the issue the citizens’ information was still readily available. Lawyers, judges, and court officials at every level were horrified by the data that was ripe for any identity thief to take, but nothing could be done to remove it without the clerk’s approval.

Luckily, the nightmare has now ended and the county website uses a new database provider that requires personal information to log in, as well as a fee to use the site. That should go a long way towards stopping identity thieves from sifting through the publicly available data. But this should also serve as another eye-opening event in the ongoing fight against data breaches and identity theft.

One of the most important things any citizen can do to protect his or her identity is to ask important questions about where the data will go and how it will be protected. Even the clerk in question had no idea that the data was available for everyone, and she was in full agreement that something had to be done. She simply reacted to the potential delay of court proceedings instead of the citizens’ security.

There are times that your sensitive data is required, such as in a court filing. But too often, we provide our data to people who don’t actually need it, like a doctor’s office or our children’s schools. Any time you’re expected to turn over your personal identifiable information, inquire about security. Don’t wait for an investigative news team to tackle the issue, and if your sensitive information isn’t absolutely required, then don’t hand it over.

Once upon a time, the content of phishing emails was amusing, if not downright bizarre. These emails included odd stories about deposed royalty from far-off countries, people who barely managed to escape with their lives… and their billions of dollars.

For some inexplicable reason, they couldn’t get the money out of the country themselves, so in exchange for letting them deposit the money into your account (they’re outrunning the coup, but have time to stop off at the bank and transfer the money to you), they would let you keep a lot of it for your trouble.

The so-called Nigerian prince emails—nicknamed that due to the typical story involving Nigerian royalty—have now worked their way into urban legend and pop culture. But what happens when the email isn’t so funny, and the consequences for following through with the instructions are life-altering for a lot of people?

That’s exactly what happened to the employees at popular social media site Snapchat. Unfortunately, an employee received a phishing email, one that even some of the most scam-aware people might not immediately recognize. Instead of Nigerian princes and unbelievable offers of shared millions, the email appeared to come from the company CEO, and the request wasn’t all that outrageous…just forward him the payroll information for all of the employees. It’s easy to understand why, especially here at tax time, an executive of a relatively small company might need that information.

While Snapchat was very quick to point out that its users’ information was not accessed in this breach, their employees’ identities have now been compromised. Unfortunately, even the most heartfelt apology from the company won’t undo that, although they will receive two years of free credit monitoring, more than most corporations provide to employees or customers following a data breach.

There is a silver lining in this event, although it’s slight: when large-scale data breaches like this one first began to make headlines, the timeline was often far more serious. A breach that happened over a long period of time might not even get noticed until months afterwards, and then another long stretch of time passed while they investigated the extent of the breach, usually before ever alerting the authorities or the customers. In this event, the FBI was called four hours after the email was sent to the criminal masquerading as the CEO. If any good can be said to come from this, it does serve as an example to other companies of how to handle a breach or hacking event quickly, as well as speaks to the need for even more in-depth training and awareness of security threats.

So what could the employees have done to prevent their information from being shared with an identity thief? Literally nothing. They were required to turn over their information in order to be employed, so withholding personal identifiable information wouldn’t have applied in this instance, at least not in the way the public is warned never to share their Social Security numbers with schools or medical offices, for example. They also were not aware of the phishing attack, so they couldn’t have prevented that, either.

What employees in every industry and field can do, however, is to make sure their companies are providing training on data breaches, hacking attempts, phishing attacks, and more. Speak up by alerting your supervisors to the need for security protocols and up-to-date, periodic security training. The only things that could have prevented this breach are better awareness of the threats and a company policy about seeking verification before fulfilling an exceptional request, and those are avenues that Snapchat has promised to explore moving forward.