Companies, organizations and agencies that hold and transmit people’s personal information should keep it reasonably secure from unauthorized access and use. But what if there is a data breach that exposes the information? How should the breached entity help those affected? Should it offer them identity theft services?

If so, how should it choose the provider and what features should it look for to ensure that the services will fit the needs of the victims? To help answer those questions, Consumer Federation of America and its Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services.” This isn’t intended to be legal advice, however – always consult with an attorney about how to respond to a data breach.

Identity theft services typically include alerting people about possible fraudulent use of their personal information, mitigating the damage, and/or helping them recover from identity theft. In the checklist we explain the different kinds of monitoring and fraud resolution that may be available and that the features of the programs can often be customized to fit particular breach situations. One of the basic questions to ask is whether the service will provide breach victims with information about how to reduce the potential damage – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.

We also suggest asking:

  • Are services available 24/7?
  • Is there a toll-free number with live operators?
  • What response times will the provider commit to?
  • Can the service handle multiple languages?
  • If monitoring is provided, how quickly are alerts sent?
  • Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?

Identity theft service providers may offer other assistance as well, such as helping breached entities to write and/or send notices to the victims and handling other communications. Another thing to consider is whether to have identity theft services lined up in advance in case they’re needed. It can be less stressful and save money to pre-negotiate for these services rather than shopping for them in the midst of a breach. The checklist covers how to find reputable identity theft service providers.

Of course, identity theft services aren’t necessary in every breach situation. A good rule of thumb is: if the breached entity is required by state or federal law to notify those affected, it should consider offering these services. In interviewing prospective identity theft service providers it’s important to describe the types of personal information that have been or could be compromised and ask what features would be most helpful to the victims. We also suggest addressing whether and in what manner the identity theft service provider may solicit the breach victims to buy services during the contract period and/or once it ends. As in any contract, the services and terms should be clearly described and accurately reflect what has been agreed to.

CFA’s Best Practices for Identity Theft Services, which was updated last year with input from the working group, and the checklist are intended to encourage good practices in the identity theft service marketplace. There is also a guide for consumers, Nine Things to Check When Shopping for Identity Theft Services and much more about identity theft on CFA’s website.

This blog was written by Susan Grant, Director of Consumer Protection and Privacy at the Consumer Federation of America. Ms. Grant also sits on the ITRC’s Board of Directors.

In the Office of Personnel Management breach and the Anthem healthcare breach—just to name two of the record-setting numbers of data breaches that happen each year—millions of US citizens had all of their highly sensitive personally identifiable information (PII) stolen by hackers. This data included names, birth dates, Social Security numbers, and in some cases even fingerprints, which virtually handed over these citizens’ entire identities to criminals.

In the face of such alarming breaches, it’s all too easy to forget that data breaches happen almost every day, even though they’re on a smaller scale. Retailers have been hard hit by individuals who want to nab everything from usernames and passwords to credit card information. But the alarming trend of consumer complacency where data breaches are concerned has privacy experts concerned.

A hacker doesn’t have to go for the winning combination of your name, birth date, and Social Security number in order to do serious damage to your identity and your credit. But too often, consumers fail to take the threat of a retail data breach seriously; one Ponemon Institute study found that 32% of consumers ignored a data breach notification letter, even though 25% of the letters sent out that same year offered identity theft protection services for free.

What could be behind this trend of “data breach fatigue?” It’s too easy to assume it’s merely business-as-usual in consumers’ minds, although the sheer numbers of breaches could easily make consumers believe there’s nothing they can do to prevent identity theft.

More worrisome is the perception outlined above. Unless the victims’ complete identities have been compromised, they’re less likely to take action. If it’s only some credit card information that was stolen—as in the recently discovered retail data breach involving Eddie Bauer’s point-of-sale payment systems in an undisclosed number of their physical stores—consumers may erroneously believe that they won’t face any threat. Their credit card companies will waive any fraudulent charges and then issue new cards, right?

Not necessarily. If your existing card was hacked and new charges appear on that card, then your bank or credit card company will take the necessary steps. But if that card information is used to open new accounts in your name—known as “new account fraud”—then you may be responsible for more charges, and you will have to do some legwork in order to get those accounts closed and get them removed from your credit report.

No matter how big or small, whether it was a major cyberattack that stole all of your personal information or just a compromised credit card payment system, the threat of identity theft is very real and must be treated as such. Follow the steps outlined in a notification letter, and watch for news of breaches like the Eddie Bauer breach in order to stay on top of your data. Be sure to request copies of your credit reports regularly in order to monitor them for suspicious activity.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

When news breaks of another large-scale data breach, especially one that affects millions of consumers at a time, it’s all too easy to envision a faceless hacker who sits safely outside the reach of the law. But the reality of data breaches is that a significant number of them are “inside job” attacks, whether intentional or accidental.

An accidental data breach can happen within practically any organization. And with the rise of more sophisticated approaches like “boss phishing,” it only takes a little bit of hacking know-how to pull it off. The rest of the dirty work is done by an unsuspecting employee who complies with the instructions in an email or message.

Accidental data breaches also crop up through the loss or theft of unencrypted company computers, through inadvertently uploading the wrong file to the wrong person, downloading content from an untrustworthy website, and other seemingly innocent but still harmful means.

But intentional data breaches from someone within the company are a whole other problem, and the software industry has stepped up to provide employee monitoring programs that can alert the company to suspicious behavior. This software can alert the administration whenever someone tries to access massive amounts of information, like employee or customer records. It can also send out an alert that an employee has altered the times of day that he’s active on the network, such as someone who suddenly starts logging in at night or on weekends. It can inform the manager if an employee sends higher than normal numbers of emails all of a sudden, which can be a sign of an employee who’s looking to leave the company. Some titles even monitor employees’ social media accounts and report back to the boss on what kind of content they post.

Those last issues have privacy experts concerned, though. It’s one thing to monitor a network to make sure sensitive information isn’t accessed or downloaded. But advocates worry that monitoring employees’ email or social media could be an invasion of their privacy, especially since some monitoring software can look for keywords that the boss can choose.

Does the benefit outweigh the privacy risk? That’s a tough call. When Morgan Stanley suffered an internal data breach in 2014, Galen Marsh downloaded account information for more than 900 high-dollar investment accounts; some sources believe he was trying to leave the company and take the top-tier clients with him. Instead, his defense argued that his own laptop was hacked and the downloaded information was stolen. With employee monitoring software, the resulting data breach might have been avoided as executives would have been notified when Marsh first downloaded the information to his laptop.

There is a middle ground when it comes to preventing internal data breaches. Having a company-wide computer policy and making sure that all employees are up-to-date on the acceptable use of technology is crucial. Keeping your workforce informed of threats like boss phishing and the danger of downloading unscanned content is also important. If a company deals in content that is so sensitive that it warrants employee monitoring software, make sure everyone is informed of the need for it. Let everyone within the company know how it works and what it’s watching out for. It’s there to protect the company and its customers, not to hunt down those who break the rules.

Medical data breaches continue to happen at an alarming rate. It’s bad enough that someone has made off with your complete identity, thanks to the amount of information a doctor’s office or medical center needs; worse, they’ve also potentially stolen your complete medical history, and there are many different ways that can hurt you.

Sometimes, though, the hacker isn’t after your identity or your medical records. With the increase in ransomware attacks in recent months, patients may just be the innocent bystanders who got caught in the crossfire. As the name implies, ransomware attacks happen when a hacker infiltrates a network, and either grabs all of the data or locks up the network so no one can access it. From there, he informs the company that the only way to get their data back or unlock their network is to pay the ransom, usually in the form of bitcoins.

Unfortunately, ransomware attacks—especially on medical offices—are effective, which could logically be why they’re increasing. With their network locked up, hospitals can’t provide patient care; the resulting injuries or deaths can lead to lawsuits which would cripple the hospital financially. Of course, if the hacker follows through on his threat to upload the medical records to the internet, the hospital faces severe penalties for each and every HIPAA violation, which are often far greater than the hacker’s ransom demand.

Last month, an alarming 30% of the data breaches in the medical community were traced back to ransomware attacks by hackers (as opposed to more traditional hacking, internal data breaches, or accidental data breaches). This led to more than 100,000 patients’ medical records being exposed. June had an even greater number of attacks, with 41% of medical data breaches being the work of hackers, exposing more than 11 million records.

Unfortunately, unlike some other forms of data breach or identity theft, a medical data breach of this kind is hard for an individual patient to prevent. That’s why it’s important to ask serious questions about your information before you hand it over, such as who has access to it, how it will be stored and protected, and what the office will do to notify you in the event of a data breach. If you’ve been the victim of a medical data breach, it’s important to follow the steps that were listed in your notification letter, and to inform your doctor and pharmacy that someone may be using your medical identity.


Data breaches are a possible threat to any business, no matter how big or small and no matter what type of industry. In fact, since the Identity Theft Resource Center started tracking data breaches in 2005, almost every year has seen a record number of breaches and hacking events in everything from major retailers to mom-and-pop businesses.

One of the major contributing factors in a significant number of data breaches is employee culpability, or the fact that sometimes it’s the company’s own workers who are directly or indirectly responsible for the breach.

When an employee is indirectly responsible for the loss of sensitive data, it’s clearly referred to as an accidental breach. These accidental events happen in several different ways, though. The more innocuous accidental breach can be a simple matter of bad planning, such as having a company laptop wind up lost, especially if it wasn’t password protected and its data wasn’t encrypted. The end result is still devastating for the company, but there was no malicious intent.

Another form of accidental breach that’s been making headlines lately happens when an employee thinks he’s doing his job, but in reality he’s doing the work of scammers or hackers. The so-called “boss phishing attack” is a prime example, and it happens when scammers pose as someone higher up in the company—usually through email—and essentially trick an employee into turning over sensitive data. Again, there was no malicious intent on the part of the poor employee, but the end result is still a data breach.

But what about when the employee’s actions are far from honorable? Morgan Stanley suffered one such data breach in 2015 when an employee stole the complete account profiles for around 900 of the investment firm’s wealthiest clients, then uploaded that information to an internet site. During the criminal proceedings in the case, the prosecutors alleged that the employee was leaving the company and wanted to take his top-tier clients with him, but the defense claimed hackers nabbed the data from his computer.

Fortunately, there’s a new high-tech tool that lets companies build a safety net around their data while still preserving some respect for employee privacy. A number of software developers have created programs that will monitor a business’ network for signs of suspicious activity, then report that suspicious activity to executives before an employee can accidentally or intentionally compromise company data.

The monitoring software searches the network for noticeable changes in employees’ computer behavior. Just like software that tells you if anyone in your workforce is hanging out on Facebook during work hours or downloading unsavory videos, this software specifically looks at changes in employees’ computer habits and emails. A sudden increase in the number of emails might mean that an employee is communicating with someone about company information, and a drastic change in late night emailing might mean he’s doing it when no one else is around to look over his shoulder. Even certain trigger words in emails could raise an alert, indicating an intentional attempt to steal information or a phishing attack that’s about to occur.
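The three signals described above (bulk record access, a shift in the hours an account is active, and a sudden jump in outbound email) can be baselined per employee and checked against later activity. The script below is an added example written for this post; it is not code from any monitoring product or from the ITRC. The log format, the baseline cutoff date, the 5x volume threshold and the one-hour login slack are all assumptions, and the log rows are constructed sample data.

```python
"""Per-user behavioural baseline over constructed access logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real data: (user, ISO timestamp, event, count).
# Events: "login", "records_read" (records pulled), "email_sent" (messages sent).
SAMPLE_LOG = [
    ("alice", "2016-06-06T09:12:00", "login", 1),
    ("alice", "2016-06-06T10:00:00", "records_read", 48),
    ("alice", "2016-06-06T16:00:00", "email_sent", 22),
    ("alice", "2016-06-07T08:55:00", "login", 1),
    ("alice", "2016-06-07T11:00:00", "records_read", 53),
    ("alice", "2016-06-07T16:00:00", "email_sent", 27),
    ("alice", "2016-06-13T09:05:00", "login", 1),       # normal Monday
    ("alice", "2016-06-13T10:30:00", "records_read", 55),
    ("alice", "2016-06-13T16:00:00", "email_sent", 25),
    ("bob", "2016-06-06T08:40:00", "login", 1),
    ("bob", "2016-06-06T10:00:00", "records_read", 60),
    ("bob", "2016-06-06T16:00:00", "email_sent", 18),
    ("bob", "2016-06-07T09:10:00", "login", 1),
    ("bob", "2016-06-07T10:00:00", "records_read", 70),
    ("bob", "2016-06-07T16:00:00", "email_sent", 24),
    ("bob", "2016-06-18T23:40:00", "login", 1),         # Saturday, late night
    ("bob", "2016-06-18T23:50:00", "records_read", 9000),
    ("bob", "2016-06-19T00:30:00", "email_sent", 400),
]

BASELINE_CUTOFF = datetime(2016, 6, 13)  # assumed: rows before this date train the profile
VOLUME_FACTOR = 5                         # assumed: alert above 5x the baseline daily maximum
HOUR_SLACK = 1                            # assumed: logins within +/-1h of known hours are normal


def parse(rows):
    """Turn raw tuples into (user, datetime, event, int count)."""
    return [(user, datetime.fromisoformat(ts), ev, int(n)) for user, ts, ev, n in rows]


def daily_totals(records, event):
    """Map (user, date) -> summed count for one event type."""
    totals = defaultdict(int)
    for user, ts, ev, n in records:
        if ev == event:
            totals[(user, ts.date())] += n
    return totals


def build_baseline(records):
    """Per-user profile: login hours and weekdays seen, plus daily maxima for reads and mail."""
    base = [r for r in records if r[1] < BASELINE_CUTOFF]
    profile = defaultdict(lambda: {"hours": set(), "weekdays": set(), "max_read": 0, "max_mail": 0})
    for user, ts, ev, _ in base:
        if ev == "login":
            profile[user]["hours"].add(ts.hour)
            profile[user]["weekdays"].add(ts.weekday())
    for (user, _), total in daily_totals(base, "records_read").items():
        profile[user]["max_read"] = max(profile[user]["max_read"], total)
    for (user, _), total in daily_totals(base, "email_sent").items():
        profile[user]["max_mail"] = max(profile[user]["max_mail"], total)
    return profile


def detect(records, profile):
    """Return sorted (user, date, signal) tuples for post-cutoff activity outside the profile."""
    alerts = []
    recent = [r for r in records if r[1] >= BASELINE_CUTOFF]
    for user, ts, ev, _ in recent:
        if ev != "login" or user not in profile:
            continue
        p = profile[user]
        hour_ok = any(abs(ts.hour - h) <= HOUR_SLACK for h in p["hours"])
        if not hour_ok or ts.weekday() not in p["weekdays"]:
            alerts.append((user, ts.date(), "off_hours_login"))
    for (user, day), total in daily_totals(recent, "records_read").items():
        if user in profile and total > VOLUME_FACTOR * profile[user]["max_read"]:
            alerts.append((user, day, "bulk_record_access"))
    for (user, day), total in daily_totals(recent, "email_sent").items():
        if user in profile and total > VOLUME_FACTOR * profile[user]["max_mail"]:
            alerts.append((user, day, "email_volume_spike"))
    return sorted(alerts)


def run(rows=SAMPLE_LOG):
    """Build the baseline and evaluate the same log; returns the alert list."""
    records = parse(rows)
    return detect(records, build_baseline(records))


if __name__ == "__main__":
    for user, day, signal in run():
        print(f"{day} {user}: {signal}")
```

On the constructed log, alice's Monday activity matches her profile and produces nothing, while bob's Saturday-night login, 9,000-record pull and 400 outbound emails each trip a separate signal. Note that the checks look only at counts and timestamps, never at message content, which is the line the privacy concerns in the next paragraph draw.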

Privacy experts have likened this type of network monitoring software to typical forms of employee oversight, and said that so long as employees know their computer activity is being watched and tracked, there’s really no problem. The only problem some industry watchers have had with this type of software is when it alerts an employer that someone within the company might be looking for another job based on seemingly unrelated computer activity, which is one of the features that some software titles offer.


News broke this week that an alleged data breach may have exposed the email accounts and passwords of millions of Yahoo users, resulting in the sale of their information online. What makes this an “alleged” data breach? The fact that Yahoo has yet to confirm it, and the fact that anyone can claim to have hacked and stolen personal information.

Alleged data breaches are making big headlines lately, since there seems to be a treasure trove of old data floating around the dark web, much of it useless. It takes no effort or skill for someone to pose as a hacker, grab up an entire database of old email addresses and passwords, then try to pass it off as current information.

For example, following the LinkedIn breach, the same hacker claimed to have accessed over 427 million MySpace accounts, stealing the email addresses, user names, passwords, and more. The only problem is MySpace topped out at around 300 million accounts. Unless over 100 million people had a second MySpace account for some reason, a significant number of those accounts were believed to have been bogus. Further investigation showed that many of the email addresses associated with the MySpace accounts weren’t real, and that over 200 million of them were limited to either Yahoo, Gmail, or Hotmail addresses. That, along with the incredibly random passwords, led investigators to believe that someone had created all of these accounts in order to extort money from MySpace, claiming they’d been stolen in a data breach.

Now, the same hacker has taken credit for stealing millions of Yahoo email account logins. Once again, however, outside teams tried to connect with over one hundred of those accounts, but most of them came back as undeliverable or old email accounts that were no longer active. This has led some experts to speculate that the hacker—who goes by the name Peace—is simply grabbing old databases of leaked information and trying to sell it online as newly hacked data.

Unfortunately, just because the information was old or was stolen some time ago, that doesn’t necessarily mean it can’t still come back to haunt you. One thing the alleged MySpace and LinkedIn breaches taught us was that reusing your password can have serious consequences; even if you haven’t checked in with MySpace in a while—or, like many people, you forgot you even have an account—there’s a good chance that your email address on that account coupled with the password you used back then could still be in effect on a different account that you use today. If you created a Facebook account shortly after opening your MySpace account, for example, you might have used the same email/password combination, and therefore given access to your Facebook account to a scammer.

Besides being yet another example of why you’ve got to have strong, unique passwords on all of your accounts, this is a good reminder of why you need to change your passwords from time to time. Login information that was valid two years ago shouldn’t still be usable today. Also, whether it’s a real data breach or not, anytime news breaks of a potential hacking event, let that be another reminder to change your passwords in order to protect yourself.


The latest in a growing list of major retail data breaches is the popular Cici’s Pizza chain, which announced that locations in seventeen states had suffered a data breach within the POS system. The result of this breach was that customers’ payment cards were compromised.

There are some interesting differences in this breach, compared to that of other retailers who’ve suffered an attack on their POS systems. A typical method of infiltrating a business’ credit card “swiper” is to send a virus as a link via an email or message, and then entice an employee to click the link. This installs the virus, which then lets the hacker breach the network. Once that happens, he can gather up customers’ payment information indefinitely, or at least until the breach is detected.

In this case, though, scammers had a different approach than the old emailed virus. They actually contacted the company and posed as tech support workers in order to retrieve customer card data. Other businesses have now reported this same group of scammers doing the same thing to their POS systems.

KrebsOnSecurity, an industry-leading source on cybersecurity and data breaches, did a lot more digging into the breach and discovered an entire spider web of hacking involved. The site’s findings eventually even involved the Secret Service and Datapoint, the company that provides POS service for Cici’s and a number of other retailers. The Datapoint website, though, appeared to have been compromised by hackers as well.

The twists and turns involved in the Cici’s breach eventually ended up pointing to the recent TeamViewer breach, with the possibility that hackers used the TeamViewer remote access software to spread viruses by pretending to be providing tech support. It’s possible that someone gave the hackers access to the network by falling for a tech support scam, in which the hacker calls and states that there’s a problem with the computer and he needs access in order to correct it.

The breach investigation is still ongoing, but there are several takeaways for consumers. First, if you or your company use an outside vendor to provide any type of technical service—from payment systems to tech support—make sure you have protocols in place to protect yourself from scammers who pose as employees of those vendors. An ID confirmation, for example, or a passcode that the vendor must provide before gaining access to your network is a good idea. Also, if you are ever notified that your payment information may have been compromised in a data breach, make sure you follow the steps in the notification letter. You will be told what data was stolen, and given options to protect yourself.


The Identity Theft Resource Center provides a number of services related to identity theft prevention and victim support. In order to do that job effectively, it’s important to track the numbers of data breaches each year and the numbers of victim records that have been compromised. But new findings, at least in one state-wide study, found that there were more data breach victims in that state than citizens.

How is that possible? Because many residents had their data stolen more than once, which pushed the victim count significantly higher. A report by Consumer Affairs found that 7.6 million residents of South Carolina had been victims of data breaches in the past five years, despite the fact that only 4.9 million people live in the state. That works out to an average of 1.6 data breaches for every resident, a number that’s hard to envision.

Of course, being a victim of those 1.6 breaches isn’t the reality for every single citizen. But it does mean that for every SC resident who has not had his or her information stolen in a data breach, other residents have been victimized over and over and over.

It’s important not to be alarmed into thinking that every single day brings a new data breach; to be fair, the bulk of those thefts occurred in large-scale breaches, like the Department of Revenue breach or the Target breach that nabbed millions of consumer records at once. However, residents must keep in mind the fact that “data breach fatigue” is a real and harmful phenomenon. It can be so easy to ignore news of a data breach due to having already been the victim of a previous attack, or deluding yourself into thinking there’s no point in taking action since your data has been compromised in the past.

In any data breach, you’re likely to receive a notification letter if your records were included in the attack. The letter will outline exactly what information was believed to have been compromised, as well as tell you what steps to take next. Even if you’ve been a victim—and even if you’ve taken these steps in the past—it’s important that you follow through with the protective measures.


With record setting numbers of data breaches happening each year, there’s an excellent chance that you will become a victim of lost or stolen personal data—if you haven’t already, that is. One of the chief concerns security experts have in this climate of hacking and fraud attempts is that consumers will stop taking the threat so seriously. So what do you need to do if you’re a victim in a data breach?

Your immediate response will vary depending on what information was stolen and how quickly you’re informed of the incident. Some people only find out about a breach or hacking event after their financial institution informs them that their accounts were compromised; in a situation like that, you wouldn’t have to do much of anything. Your bank will correct any fraudulent charges and your new credit card will arrive in the mail.

But other incidents aren’t so clear cut and easy to recover from. That’s why all consumers need to be prepared to take action the moment they’re informed of a data breach.

  1. Determine what information was stolen – Depending on what data the thieves got their hands on, you need to be ready to devote some time to protecting yourself. If your credit card number, physical address, or an email address were the only pieces of the puzzle that they accessed, you’re not completely out of the woods but you also don’t need to put your day on hold to tackle your security.

You need to be mindful of how many other pieces of the puzzle hackers may have accessed from other sources, though. For example, they might have stolen your email address from one data breach, and your password on a separate account from another data breach. This could give them greater access to your information if you’re reusing that password anywhere.

Any time you’re informed of a data breach, it’s a good idea to change your passwords on your crucial accounts. It’s really a good idea to do so even if there hasn’t been a breach; some companies even require users to change their passwords every ninety days just to be on the safe side.

  2. They got it all – Unfortunately, if you’re involved in a data breach in which the hackers took everything—names, addresses, birthdates, Social Security numbers, and more—you’ve got more work to do. You’ll receive a notification letter from the company that was breached, and it will tell you what was believed to have been stolen.

In the event that hackers got everything, you need to contact the three major credit reporting agencies and place alerts or freezes on your accounts. This step will be free if you can provide proof that your information was stolen; your notification letter may serve as that proof, but you may also be required to file a police report. Filing the police report is a good idea anyway, since it will serve as proof down the road that your data was compromised if it’s ever used for criminal purposes.

There’s one more step you need to take, especially if your SSN was stolen, and that’s to alert the IRS. Tax identity fraud is a huge criminal industry now, and alerting the IRS will help add a layer of protection over your tax return in the coming tax filing seasons. You will also want to make sure that you file your legitimate return as early as you possibly can in order to beat a criminal to it.

  3. Monitor your credit reports and your accounts – If your notification letter included free credit monitoring services, don’t ignore it. Take them up on the offer and use it to help protect yourself. Of course, you don’t have to wait for a service to alert you to a problem. You can—and should—request a free copy of each of your credit reports once a year. If you stagger those reports, meaning you request one agency’s report in January, another one in May, and another one in September, you’ll get an ongoing picture of your credit throughout the year. That could make a lot of difference in preventing more widespread damage to your credit.

Data breaches and identity theft might seem like they’re practically unavoidable, and it’s understandable that consumers might feel like they can’t do anything to stop it. But even if you can’t stop a hacker from accessing your information, you can do a lot to make sure the damage he does with your data is kept to a minimum.


No matter where it occurs, “suspicious activity” is almost never a good thing and it’s important to take it seriously. Whether it’s your own bank statement or a major company’s credit card payment system, acting quickly can minimize the damage and put you back in control.

When Colorado-based restaurant chain Noodles & Co. was alerted to “suspicious activity” by its credit card processing company last May, the result was a third-party investigation that uncovered malware on its network. According to their findings, customers who paid by credit card or debit card at any of its 400 affected locations in the first half of this year may have had their account information stolen.

There are some important things to understand about any kind of data breach like this one:

  1. Notification – Affected consumers will be notified of the possibility of a breach. Depending on whether or not there’s reason to believe the incident could impact their finances, companies may or may not be required to offer credit monitoring services to the customers. If you are sent a letter and told you’re eligible for credit monitoring, do not discard the letter! Follow through with the instructions in order to protect yourself.
  2. A change in how customers are notified – Until recently, victims of a data breach have been notified by mailed letters, but one state has already passed a bill that will let companies email the victims. While email has usually been considered less trustworthy than a mailed letter, it not only reduces the amount of time that passes between discovering the breach and alerting consumers, it’s a tremendous savings to a company that may have to inform millions of people about the breach.
  3. How did the malware get there? – Customers obviously can’t be expected to detect malware in a retailer’s POS system before paying, but this news still pertains to every citizen. In many instances, malware infects a retailer’s network after someone opens the door for a hacker. Several major retail data breaches have been traced back to an employee who accidentally downloaded the malicious software through a phishing attempt, by clicking a link in an email, or some other seemingly harmless behavior. This should serve as a reminder to be very careful of your own online behaviors.
  4. Monitoring yourself – Recent awareness of data breaches and changes to how we investigate suspicious activity has meant major improvements in reporting breaches and informing the victims. What used to take months or even years to uncover and report now takes days in some cases. But that doesn’t mean you should skip the legwork of protecting yourself. Monitoring your credit card statements, bank statements, online and mobile banking sites, and even your credit report will alert you to suspicious activity without having to wait for someone else to inform you. Stay on top of your accounts and watch over them yourself in order to stop any damage as soon as it starts.
