Citizens in the state of Connecticut had reason for alarm recently when news broke of a security breach of the state’s Affordable Care Act agency. While not the same as the federal HealthCare.gov website that has been at the center of so much technological criticism and concern, the state’s agency—known as Access Health CT—allowed people to sign up through the state office for health care coverage.

But the Hartford-based Access Health CT office received a call from local law enforcement officials about a potential data breach when a backpack filled with handwritten note pads was found across the street from the agency’s offices. The notepads contained the names, Social Security numbers, and other personal information of more than four hundred applicants.

This recent security breach isn’t a political issue or a show of support or condemnation for the ACA, but hopefully reminds the public of an even bigger threat to their personally identifiable information. Whether we like it or not, opportunistic criminals are everywhere and can be found in just about any industry. The combination of low wages and high debt can lead people to take advantage of an opportunity that sits right in front of them on their computer screens, eight hours a day.

There seems to be no workplace that is completely immune from the danger of an employee stealing its customers’ identities. The hotel and restaurant industries are actually the single largest source of “inside job” identity thefts, but many other workplace environments lend themselves to this kind of crime. Medical offices are notorious for incidents in which billing office staff or medical transcriptionists—two positions that are often outsourced to third party companies or individuals—gather personal information and sell it to identity thieves. Public schools have also been the subject of multiple investigations, and reports have surfaced that staff members had stolen and sold the Social Security numbers of as many as four hundred students in one Florida elementary school alone. Even police officers have been arrested for using the state’s driver’s license database to steal citizens’ identities.

But if this kind of crime happens without the victim’s knowledge, what are you supposed to do to protect yourself?

First, make sure that any agency or office that you give your personal information to actually has a right to it and a need for it. Doctors’ offices, schools, and private businesses are not entitled to your Social Security number, but many of them ask for it as a means of identification or in order to turn you over to collections if you fail to pay. Remember, that number is not to be used for either of those purposes, and businesses, schools, even your child’s day camp do not have the right to ask for it.

But some agencies or institutions will need it, such as a bank or the DMV. Be sure you know who is receiving that application and what will happen to it once it leaves your hands. Sometimes, just indicating to the person that you want to know how they plan to protect your information is enough to keep them from letting it be used against you.

Most important of all is to check your information periodically for any suspicious activity. Check your bank and credit card statements for charges you’re not aware of, and check your health Explanation of Benefits to confirm that those payments were for actual medical visits for you or your family. Request your credit report annually and review it closely for unauthorized debts or accounts you didn’t open. When your Social Security report comes each year, look at it carefully for any sources of income that don’t belong to you and that could indicate someone is using your number.

These steps can help you put a stop to criminal activity associated with your identity in a timely way, and hopefully before too much damage is done.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues. This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue. The ITRC Data Breach Report is available weekly and all information is free to the public.

Music subscription site Spotify made a surprising announcement recently when the company announced that a hacker had broken through their security protocols and gained access to private information that had been submitted by its users.

Unlike recent data breaches with major companies like Target and eBay, Spotify stated that it had confirmed some positive news: no financial or sensitive personally identifiable information like Social Security numbers had been obtained.

That wasn’t the only good news, of course. Again, unlike cybertheft events like the one involving eBay, in which about 145 million users’ names, addresses, emails, passwords, and PayPal connections may have been accessed for criminal purposes, the damage in Spotify’s case is thought to be far less widespread.

One person.

Yes, the tech leaders at Spotify believe that their recent cyber attack involved one individual, and that this individual’s sensitive information wasn’t accessed at all.

If that’s the case, why inform people in the first place? If one person had his account hacked and all the would-be thieves got for their trouble was his user name and maybe an email address, why go to the trouble of issuing a statement at all?

The first answer is accountability. eBay is still reeling from the harsh criticism and bad press associated with its attempts at not being very forthcoming about its data breach. The site posted a minor news blurb on its corporate site, a site which a tiny percentage of its users look at, and even then tried to downplay the seriousness of the issue by simply telling users it would be a good idea to change their passwords.

The second reason, though, may have more to do with the confidence the company places in its technical security. When a hacking event occurs and is overwhelmingly unsuccessful, companies have a choice to make. Do they tell people and possibly alarm them, all while inviting copycat hackers to see if they can do a better job? Or do they quietly hush it up and sweep it under the rug?

Hopefully, companies who want to keep their consumers’ trust will choose the first one. Even if the event is minimal and barely requires sending out an email about the breach, it’s important that the companies we trust with our secure information let us know when something goes wrong. The only way consumers can protect themselves after the fact is by following up with the three credit reporting agencies, and by changing and resecuring any passwords. Without the knowledge to begin those processes, thieves can continue to benefit from your data until such a time as you discover the problem.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

By now, news of a major corporation like a retail chain or internet-based platform being hacked is hardly news. Companies like Target have been attacked in recent months, and the end result was that millions of customers’ personally identifiable information fell into the wrong hands. How a company responds to this kind of data breach is important, and it can tell consumers a lot about the type of corporation with whom they are doing business.

Typically, when a data breach occurs, a company alerts its customers so they can be vigilant about securing their personal information. This lets those customers whose accounts have been compromised keep a close eye on their bank accounts, their credit card statements, even their credit reports. If the customers do find suspicious activity involving their finances or identities, they can take swift action instead of waiting to find out after months of nefarious spending has happened.

Unfortunately, there’s sometimes a mind-set to downplay an incident or minimize the so-called “bad press” that stems from this kind of hacking event. In those cases, corporations sit on the information and consumers are none the wiser, which can lead to a farther reaching net of criminal activity involving the accessed information.

One such company is eBay. When a cyberattack led to the breach of some 145 million user accounts during the week of May 19th, eBay’s response was to wait several days and then post a cryptic message about the breach on its lesser-trafficked corporate website. After widespread complaints about the message that simply told users to change their PayPal passwords, only then did eBay admit to the breach on the main website, almost a week after the attack.

How serious was the cyberattack? Names, addresses, emails, home phone numbers, and encrypted passwords were accessed, all of which were tied to users’ PayPal accounts. Those accounts are also linked to the users’ bank accounts in order to send and receive payments.

So how are consumers supposed to trust corporations if their interests aren’t being looked after in a timely way? First, and this may seem unfair, the only way to know for certain that you’re being kept in the loop about your safety and security is to assume that companies won’t tell you about a data breach, either because it’s bad for business or because they simply don’t know about it themselves. Taking action like not providing all of your information without just cause can help, such as not providing your real birthdate to social media sites or not giving your home phone number to retail companies.

Savvy consumers have actually started to keep smaller accounts for their online transactions, such as keeping a bank account that isn’t connected to your main checking and savings accounts, or signing up for a low-balance credit card for online use only. Those are tedious steps, but they can help minimize the damage and the work that you have to put into clearing up the effects of a corporate cyberattack.

Make changing your passwords from time to time a part of your online behavior. Frequent password changes can help you stay ahead of any damage an identity thief may attempt. Of course, passwords can only work securely if you use different passwords on different websites, and if you make sure that they are strong, untraceable combinations of letters, numbers, and symbols. Never use an app that stores all of your passwords in your phone or tablet, and make sure that you don’t check the box to remember your password on any computer or device that can be accessed by others.


Most tech-savvy consumers are aware of the dangers of sharing personal information online. By now, the horror stories of stolen identities have circulated far enough that (hopefully) an internet-based request for your Social Security number or checking account number would be an automatic red flag.

But with the seemingly daily reports of hackers working their way into major corporate accounts, consumers are becoming more and more wary of even using their cards in physical locations. Target is one of the largest and most widely recognized companies to have suffered an account breach that left an unknown number of customers’ accounts at risk; citizens in California who used the state’s streamlined online payment system to renew their driver’s licenses and license plates were possibly at risk of having their account information stolen. The extent of the damage in both of those cases is still uncalculated, and they are far from alone.

Short of never shopping or renewing your license again, what’s a consumer to do?

First, you can take preventive measures by keeping your accounts and your passwords secure. Don’t follow the increasingly popular trend of generating one password that only changes one letter or number for each different site you use; that practice is courting identity theft danger, especially if you’re consistent about it.

Also, be sure to keep routine tabs on your accounts. Don’t wait for an evening news story to tell you that your personal information may have been accessed. Read your account statements carefully to look for suspicious activity, and check your credit report each year to ensure that no new credit cards have been opened in your name without your knowledge.

There are a few proactive things you can do as well. With the availability of free checking accounts and low-interest credit cards, some savvy shoppers have taken to establishing low-limit accounts that they use specifically for online transactions. By linking the smaller cards or checking accounts to their online shopping and then only transferring money to those accounts when they make purchases online, they’re limiting the amount of damage and hassle that a thief can cause.

Questions about identity theft? Connect with the ITRC through our toll-free call center at (888) 400-5530, live chat feature or on-the-go through our IDTheftHelp app for iOS and Android.

The number of UPMC employees that have been affected by a recent data breach at the University of Pittsburgh Medical Center now stands at 322, the hospital system said last week.  That appears to be in addition to more than 1,300 current and former patients the center has also informed of the breach through their notification letter.

The breach allowed someone to use the employees’ and patients’ personal information to electronically file fraudulent income tax returns. Officials said they are trying to determine the source of the ID theft and are working with the FBI, IRS, postal inspectors, and the Secret Service. The U.S. Attorney’s Office in Pittsburgh confirmed it opened an investigation. The information compromised includes names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers.

According to the letter, those affected are spread across several UPMC locations. In a statement, UPMC stressed the stringent protocols it uses to keep patient and employee information safe. It did not give specific details on how the breach occurred, or what steps are being taken to prevent similar incidents in the future. Identity crimes surrounding fraudulent tax returns are unfortunately becoming increasingly common, as a recent report from the Treasury Department’s Inspector General can attest. According to the audit, in the first six months of 2013, 1.6 million taxpayers were affected by identity theft. That’s a huge increase in the number of incidents in only a few short years.

In response to the breach, UPMC has established a payroll hotline, published information for employees on the company’s internal website, hired a tax firm to help employees complete an IRS identity theft form, and will reimburse employees up to $400 to use their own accountant. Additionally, UPMC will provide credit monitoring services to the affected employees and reimburse them if they have to pay for police reports.

In the wake of the breach, two former employees have filed suit against the Medical Center.  The three-count lawsuit claims negligence, invasion of privacy and breach of implied contract. According to the language in the suit, plaintiffs allege that UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care. The plaintiffs are seeking credit monitoring services for 10 years and unspecified damages, costs and legal fees. Attorney Elizabeth Pollock-Avery from the downtown Pittsburgh firm of Kraemer, Manes & Associates, LLC filed the complaint on behalf of the two plaintiffs.

If you have questions relating to this or any other data breach, please feel free to contact the Identity Theft Resource Center toll-free at (888) 400-5530.  You can also get free information from the website at www.idtheftcenter.org.

“University of Pittsburgh Medical Center the Latest Victim of Data Breach” was written by Matt Davis. Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

New Mexico may be joining the 46 other states in the nation that have a state data breach notification law dictating when and how entities that suffer data breaches must report the incident. State representative William R. Rehm introduced the Data Breach Notification Act (HB 224) on January 29, 2014 and the House recently passed the bill in February.

The bill would require companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure”. When personal identifying information is to be disposed, the bill mandates that the disposal procedure “make the personal identifying information unreadable or undecipherable”via “shredding, erasing, or otherwise modifying” the information.

In addition to the data security requirements imposed upon the entity which maintains personal identifying information, the bill requires any entity that discloses personal identifying information “pursuant to a contract” require the third party recipient to comport with the same standard of data security set by this bill.

The Data Breach Notification Act establishes strict requirements regarding notification to consumers of a data breach. The bill implements a ten-day deadline for a breached entity to notify the victims of the data breach unless a law enforcement agency determines the notification “will impede a criminal investigation; or the notification will impede efforts to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system”.

The bill requires the data breach notification contain:

  • The name and contact information of the entity
  • A list of the types of personal identifying information that was breached
  • Date of the security breach
  • A general description of the data breach
  • A statement clarifying whether the notification was delayed for any reason
  • Toll free telephone numbers and addresses of the three credit reporting agencies
  • Advice directing the victim to review personal account statements and credit reports
  • Advice explaining the victim’s rights under the Fair Credit Reporting and Identity Security Act

Should a notification of a data breach be required for more than 50 New Mexico residents, the entity would also have to provide notification to the New Mexico Attorney General and all consumer reporting agencies within ten days. Section 10 of the bill has an interesting requirement that when an entity is breached and the compromised data included credit card numbers or debit card numbers, the entity would have to provide notice to the merchant service providers to which the payment card data was transmitted. We will keep a close eye on the progress of this bill as it moves to the Senate for review.

“Data Breach Notification Bill Introduced in New Mexico” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

A recent incident in South Korea gave us all a look at how countries react differently to the theft of consumer information through a breach of a large corporate entity.  In the U.S. and many other western economies, while the consumer population becomes ever more cognizant of the risks associated with a data breach, most of the major corporate offenders seem content with writing a mass apology letter before shrugging and moving forward with business as usual.

They may even offer credit monitoring or a discount before looking to turn the page…assuming they report the breach to begin with, of course. Not so on the Korean Peninsula. They don’t mess around. South Korea’s financial services regulators announced Sunday that three firms, two of which are major conglomerates (KB Financial Group, owner of South Korea’s largest bank, KB Kookmin, and Tokyo-based supermarket giant, Lotte Group), all lost consumer data following data breaches last year. As a result, the regulators announced that all three will be prohibited from issuing new credit cards or loans until mid-May, effectively preventing them from doing business at all for the first five months of the year. This is a cost to each company in the many millions of dollars. This punishment was handed down even after the alleged thieves were arrested. And the punitive steps didn’t end there.

Executives at the three companies involved had to demonstrate their regret to the public by making bows and personal apologies on national TV. Some executives even reportedly resigned out of shame over the theft. While most countries don’t require such punitive actions after a data breach, to say that laws are getting more restrictive all across the globe is not an overreaching statement.

In the EU, legislation has been proposed to create a uniform code for data breach notification across all member countries. While this is still in the discussion phase, the fact that EU member countries are concerned and taking action bodes well, and most experts believe that some sort of uniform law will be in effect in the next few years. In Japan, the government is specifically targeting financial firms, raising the penalty for not disclosing when an individual user’s data has been breached from 500 yen to 10,000 yen ($75) per user.  Multiply that out by thousands or potentially even millions, if the breach is large enough, and you’re talking about a very large financial deterrent where there wasn’t really one before.

Even in China, a government that usually looks at anything that may increase the cost of doing business as something to avoid the way one might seek to avoid the plague, is throwing its hat in the ring.  In recent months, the Chinese government has devoted a significant amount of attention to protecting personal information through numerous new data regulations, seeking to prevent and punish the illegal use of one’s personal information for profit. With many of the economically viable nations in the world becoming aware of, and trying to rectify the problem of data security, it is hoped that criminals that operate in the cracks between the laws of nations may soon have much less space to hide.

“Data Breaches Worldwide – A Brief Look at How Other Nations Handle Data Breach Incidents” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

On February 25, 2014, Hold Security, LLC announced that it had discovered almost 360 million stolen account credentials including email addresses and passwords and 1.25 billion records solely containing email addresses in just the first three weeks of February.

The massive discovery is a result of multiple data breaches that Hold Security, LLC is currently investigating. Hold Security, LLC believes the credentials stolen were likely stolen in breaches not yet publicly reported and the breached entities may not know that their customers’ information has been compromised yet.

What is different about this data breach is that these records contain email account credentials, or usernames and passwords. This doesn’t sound quite as dangerous as, say, the Target breach because the Target breach contained payment card data. The compromise of payment card data is certainly dangerous and has a lot of potential to cause damage to victims; however, email account credentials can be just as dangerous if not more so.

First, the email usernames and passwords can obviously be used to access the actual email accounts themselves. This is an unsettling consequence of the data breach and poses significant harm to the victims because email accounts generally have copious amounts of sensitive personal information. Think about what is stored in your email account. Think about how long you may have had this email account. How many times did you email financial documents, work documents, tax documents, private pictures, reminders of passwords to other accounts, bank information and more? Just the email account itself can be a treasure trove of sensitive personal information to an identity thief who knows how to abuse it.

Second, we are all guilty of recycling a password, using it across multiple accounts so it is easy to remember. Identity thieves know this, and will use the passwords found by Hold Security, LLC to attempt to gain access to other accounts the victim has created. These could be bank accounts, retirement accounts, eBay accounts, PayPal accounts, and a multitude of online shopping accounts. This kind of widespread account access would be devastating to a victim.
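The defensive counterpart to the reuse problem described above is to check a password against a corpus of leaked credentials at sign-up or login without ever sending the password itself to the checking service. The block below is an added example, not code from the ITRC or from Hold Security, LLC; it uses the hash-prefix (k-anonymity) lookup popularized by Have I Been Pwned’s Pwned Passwords service, and the leaked-password list it searches is a constructed three-entry stand-in for a real breach corpus.

```python
import hashlib
from typing import Iterable

# Constructed stand-in for a leaked credential corpus (SHA-1 of each leaked
# password, uppercase hex). A real corpus holds hundreds of millions of entries;
# these three sample values are made up for the example.
LEAKED_PASSWORDS_SAMPLE = ["password123", "letmein", "spring2014!"]

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, uppercase hex (the corpus's key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_HASHES = {sha1_hex(p) for p in LEAKED_PASSWORDS_SAMPLE}


def range_query(prefix: str, corpus: Iterable[str] = LEAKED_HASHES) -> list[str]:
    """Server side of the lookup.

    The caller sends only the first 5 hex characters of its hash. The server
    answers with the remaining 35 characters of every leaked hash that shares
    that prefix, so it never learns the full hash, let alone the password.
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(h[5:] for h in corpus if h.startswith(prefix))


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def check_new_password(password: str) -> str:
    """Policy hook a site would call when a user sets or reuses a password."""
    if is_leaked(password):
        return "rejected: this password appears in a known credential leak"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("letmein", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate))
```

The prefix is five hex characters, so in a real corpus each query matches on the order of several hundred hashes and the service cannot tell which one, if any, the client was interested in. Rejecting leaked passwords at sign-up is what stops a password from one breach from unlocking an account somewhere else.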

Third, the account credentials can be used for spam and other phishing scams. A phishing scam is when a thief sends an official looking email from a business or individual, requesting that the recipient either divulge sensitive personal information or click on a link that loads a virus onto their computer or smartphone. Phishing is a very common tactic used by identity thieves and is listed as one of the top scams of the year by the IRS.

We are bringing this information to your attention to remind everyone that it is not just your Social Security Number that is valuable to identity thieves. You must take a comprehensive approach to protecting yourself. This means that you are vigilant about protecting all your data, including your mail, Social Security Number, medical insurance card, account usernames and passwords, passports, financial documents, tax documents, medical records and the list goes on. You must cast a critical eye on all sources of information about yourself and constantly destroy anything that is not absolutely necessary. Cross-cut shred all unneeded paper documents, delete any electronic information, and safely store any sensitive personal information that you absolutely can’t do without and you will be well on your way to being one step ahead of identity thieves.

“Hold Security, LLC Discovers Massive List of Stolen Credentials” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

As regular readers of the ITRC blog already know, data breaches can occur in a variety of ways.  Either by hacking, employee error or negligence, or some form of physical theft, access to customer information is given to criminals who may then use that information for illicit purposes.

The financial fallout of these breaches often leads to lawsuits which can cost the breached company serious dollars.  Below are some of the most expensive, high profile breaches in the past year and the litigation that resulted from them.

Target: The Target data breach is almost certainly the largest and most visible cyber-attack since the breaches of Heartland Payment Systems or TJX. Currently the retail giant is facing a plethora of legal actions resulting from the breach of more than 40 million customers’ credit and debit card information. Many of these lawsuits stem from accused negligence on the part of Target. Banks associated with this breach assert that the necessity to issue new credit and debit cards, as well as cleaning up any resulting fraud, could end up costing them millions.

Neiman Marcus: The Neiman Marcus data breach was perpetrated by hackers who stole personal information from more than 1.1 million debit and credit cards over a period of months. It is generally assumed that the malware used for this breach was similar to that which was used to access Target’s system.

There is currently a pending lawsuit alleging that Neiman Marcus knew about the stolen information but waited several weeks before informing affected consumers.  According to most data breach notification laws, the only relevant reason for waiting to notify affected consumers is if to do so would compromise an ongoing criminal investigation or expose some national security objective.

Michaels: Michaels Arts and Crafts Supply Store is also facing a pending class-action lawsuit due to the fallout of a data breach. Exact information about the number of records exposed or damage in dollars is still limited, but the current suit alleges that Michaels failed to report its last major breach in May of 2011. In addition, it failed to adequately monitor its payment systems in a way which would allow the retailer to detect fraud or other signs of tampering, allowing the breach to continue unnoticed for an extended period of time.

It is imperative, not only for the good of the consumer, but for the businesses that handle sensitive personal information themselves, to have best practices and protocols in place to immediately and effectively identify a breach incident and subsequently mitigate any resulting harm. In the event that a data breach occurs, it is imperative that businesses work against the traditional inclination to be silent on the matter.

The companies that recover from breaches the fastest and with the least amount of public relations damage are those that get out ahead of the issue. They have a Data Breach Incident Response Plan: they notify their consumers about what happened, provide information on what they have done to correct the situation, inform customers about the steps they are taking to minimize the risk of it happening again, and provide necessary remedies to rebuild their customers’ confidence and trust. For specific questions relating to data breaches, please visit our website at www.idtheftcenter.org or call us toll free at (888) 400-5530.


The compromise of millions of consumers’ information now has Target sending out millions of data breach notification letters and emails to victims and potential victims all over the country.  If you’re among that population, you may have already received some form of communication from Target informing you of the potential exposure of your information and what you might do about it.

But consumer beware. The high profile nature of this breach has scammers and identity thieves swooping in to ravage this already exposed population like vultures after a carcass. The primary method seems to be sending fraudulent emails or notification letters purporting to be representing Target in an effort to trick consumers into giving them their personal information.  So if you’ve received a letter from “Target,” here are a few ways to check to ensure the letter you’ve received is legitimate, and not an attempt to scam you.

  1. The Email Address:  Actual Target breach emails are coming from TargetNews@target.bfi0.com.  If your email is from any other address, be very careful.
  2. The Letter Sounds Urgent:  Target is currently offering free credit monitoring for victims of the exposure, provided they sign up by April 30, 2014.  If the email you receive urges you to respond immediately, there’s a good bet it’s a scam. Scammers don’t want you to take time to think, they want your information.
  3. They Ask For Personal Information: A legitimate organization will never ask for personally identifying information in an email. Period. The End. Any time such a request is made, you can bet your bottom dollar it’s from a would-be scammer.  The actual Target email will send you a token inside an email which will take you to a secure website to enter your information. That website is creditmonitoring.target.com.  At your request, they will send you an activation code which, following an email authentication, will allow you to sign up for the free service.
  4. There Are Spelling and Grammatical Errors:  Target is a huge corporation. They can afford to hire people that can speak and write the English language with proper grammar.  If your letter has glaring spelling or grammatical errors, you can be assured it’s a scam email; likely from another country where English isn’t the first language.
  5. Signup requires a pre-paid money card, online PayPal transfer, or Western Union transfer: Target’s credit monitoring offer is free, so there’s no need to pay anything. Any attempt to collect payment through any method whatever is a fraudster’s attempt to rip you off.
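The five checks above can be turned into a simple triage script that a help desk or a cautious reader could run over a suspect message. The block below is an added example, not code from the ITRC or from Target; the known-good sender address and enrollment host are the ones quoted in the checklist, while the urgency, data-request, payment and misspelling word lists and the two sample emails are constructed for the example. It is a heuristic screen, and a message that passes it still deserves a second look at Target’s own site before any information is entered.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Known-good values from the checklist above.
LEGIT_SENDER = "TargetNews@target.bfi0.com"
LEGIT_SIGNUP_HOST = "creditmonitoring.target.com"

# Constructed keyword lists for the remaining checks (assumptions, not Target's).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now")
PII_REQUEST_PATTERNS = (r"social security", r"\bssn\b", r"date of birth",
                        r"\bpassword\b", r"account number")
PAYMENT_PATTERNS = (r"pre-?paid", r"paypal", r"western union", r"money ?gram", r"wire transfer")
COMMON_MISSPELLINGS = ("recieve", "adress", "securty", "verfy", "imediately")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


@dataclass
class Verdict:
    flags: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def triage(sender_header: str, body: str) -> Verdict:
    """Apply the five checklist items to one message; each item that fails adds one flag."""
    v = Verdict()
    _, addr = parseaddr(sender_header)
    # 1. Sender address must be exactly the one Target uses.
    if addr.lower() != LEGIT_SENDER.lower():
        v.flags.append(f"sender {addr!r} is not {LEGIT_SENDER}")
    # 3 (links). Every link must land on the enrollment site, not a look-alike.
    bad_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    bad_hosts = [h for h in bad_hosts if h.lower() != LEGIT_SIGNUP_HOST]
    if bad_hosts:
        v.flags.append(f"links to unexpected host(s): {sorted(set(bad_hosts))}")
    text = body.lower()
    # 2. Pressure to respond right away.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        v.flags.append(f"urgency language: {hits}")
    # 3 (data). Asks for personal information in the email itself.
    hits = [p for p in PII_REQUEST_PATTERNS if re.search(p, text)]
    if hits:
        v.flags.append(f"requests personal information: {hits}")
    # 5. Asks for payment although the real offer is free.
    hits = [p for p in PAYMENT_PATTERNS if re.search(p, text)]
    if hits:
        v.flags.append(f"asks for payment: {hits}")
    # 4. Spelling errors a corporate mailing would not ship.
    hits = [m for m in COMMON_MISSPELLINGS if m in text]
    if hits:
        v.flags.append(f"misspellings: {hits}")
    return v


# Constructed sample messages (not real Target or scam mail).
LEGIT_SAMPLE = (
    "Target <TargetNews@target.bfi0.com>",
    "Target is offering one year of free credit monitoring to guests affected by the "
    "data breach. To enroll, visit https://creditmonitoring.target.com and request an "
    "activation code, which will be sent to the email address you provide. "
    "The offer is available through April 30, 2014.",
)
SCAM_SAMPLE = (
    "Target Alerts <alerts@target-refund-center.example>",
    "URGENT: your card was compromised in the Target breach. Reply immediately with "
    "your Social Security number, date of birth and a prepaid card code so we can "
    "recieve your refund. Verify at http://target-refund-center.example/verify",
)

if __name__ == "__main__":
    for label, (sender, body) in (("legit", LEGIT_SAMPLE), ("scam", SCAM_SAMPLE)):
        verdict = triage(sender, body)
        print(label, "suspicious" if verdict.suspicious else "passes", verdict.flags)
```

The sender and link checks carry the most weight because they compare against fixed, published values; the keyword checks only raise the score and are easy for a careful scammer to avoid, which is why the script reports every flag rather than a single yes/no.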

Consumers with additional questions should contact the Identity Theft Resource Center toll free at (888) 500-4430 or visit them online at www.idtheftcenter.org.

“To Victims of Target Breach: Don’t Let Crooks Double Dutch You” was written by Matt Davis. Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.