When news of a data breach emerges, victims are warned about the potential for identity theft and related crimes. But every so often, the data breach is only discovered because identity theft has already happened. That was the case for Tidewater Community College (TCC), where over three thousand employees’ complete employment profiles—with Social Security numbers, birthdates, and other identifiable information—were accessed by an unauthorized person.

After a number of employees had filed their tax returns this year, only to be told by the IRS that a return had already been filed with their identifying information, the pieces of the puzzle began to fall into place. What had initially been thought of as a coincidence finally led to uncovering the crime.

Tidewater Community College had been the victim of a CEO phishing scam.

CEO phishing, also called “boss phishing,” occurs when someone sends an email that appears to come from the boss’ email account, requesting key information. This information could be employee records, customer credit card information, account numbers and passwords, or other sensitive data. In the case of TCC, someone posing as an executive requested the W2 forms for all of the college’s current and former employees; anyone who had received a W2 from the school for 2015 was affected.

There isn’t a lot you can do to keep your information from falling into the wrong hands if someone else falls for a CEO phishing scam. But there is plenty you can do to keep this growing threat from succeeding in your workplace. By raising awareness of the danger and by asking your company to make prevention part of the company’s computer use policy, you can help protect yourself, your co-workers, and your company’s customers.

The first step is to ensure that no sensitive information is passed along through the company—even to the CEO, since companies like Snapchat have fallen victim to emails that appeared to come from the founder himself—without verbal verification. If you receive an email telling you to send over sensitive information, just pick up the phone and confirm it. If the request was not authentic, you will know that someone has either spoofed the CEO’s email address or compromised the company’s email system.

Second, make it a routine habit to send sensitive information only in a brand-new email instead of hitting reply. If the boss’ email was spoofed (the address copied rather than the account actually hacked), then clicking reply will send the information straight back to the scammer. This step won’t help if the scammer has actually hacked the supervisor’s email account, so make sure to get that verbal verification first.
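The two red flags just described (a Reply-To that points somewhere other than the visible sender, and an executive’s name on an outside address) can be checked mechanically before anyone replies. The following is an added example, not code from the original post or from TCC; the organization domain, executive names, keyword list and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organization settings: the executives whose names are worth
# impersonating and the domain their real mail comes from.
ORG_DOMAIN = "example-college.edu"
EXECUTIVE_NAMES = {"jane doe"}
# Terms that mark a request for data that should never go out on email alone.
SENSITIVE_TERMS = ("w2", "w-2", "social security", "ssn", "payroll", "wire transfer")

# Constructed sample: the From address looks internal, but Reply-To is an
# outside mailbox, so hitting "Reply" would send the W2s to the scammer.
SPOOFED_REPLY_TO = """\
From: Jane Doe <jane.doe@example-college.edu>
Reply-To: Jane Doe <jane.doe@example-mail-provider.test>
To: payroll@example-college.edu
Subject: W2 forms needed today
Date: Tue, 15 Mar 2016 09:12:00 -0500

Please send me the W2s for all current and former employees as one PDF. Thanks.
"""

# Constructed sample: the executive's display name on an outside address.
LOOKALIKE_SENDER = """\
From: Jane Doe <jane.doe@example-mail-provider.test>
To: payroll@example-college.edu
Subject: Quick favour
Date: Tue, 15 Mar 2016 09:30:00 -0500

Can you pull the employee payroll records for me? I'm travelling, reply here.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """\
From: Jane Doe <jane.doe@example-college.edu>
To: payroll@example-college.edu
Subject: Staff meeting moved to 3pm
Date: Tue, 15 Mar 2016 10:00:00 -0500

Room 204 instead of 201. See you there.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_request(raw_message):
    """Return a list of warnings for a raw RFC 5322 message (empty = no red flags)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # An executive's name on an address outside the organization.
    if from_name.strip().lower() in EXECUTIVE_NAMES and _domain(from_addr) != ORG_DOMAIN:
        warnings.append("executive display name on an external address")

    # Reply-To steers the answer somewhere other than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        warnings.append("Reply-To domain differs from From domain")

    # The message asks for data that needs verbal verification regardless.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        warnings.append("requests sensitive data; confirm by phone before sending")

    return warnings


if __name__ == "__main__":
    for label, sample in (("spoofed reply-to", SPOOFED_REPLY_TO),
                          ("lookalike sender", LOOKALIKE_SENDER),
                          ("benign", BENIGN)):
        print(label, "->", check_request(sample) or "no red flags")
```

A warning from this check is a prompt to pick up the phone, not a verdict; a compromised real account produces none of these flags, which is why the verbal confirmation comes first.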

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

The recent increase in data breaches has many consumers thinking twice about where they do business, where they share their personal information, and how they monitor their finances and credit. But the reality of the changing identity theft landscape is that the “old ways” of identity theft and data breaches are still a threat, even if they’re not as newsworthy as hacking or cybercrimes.

Citizens in one Florida town are learning that the hard way. After a DeLand, Florida, woman spotted an unbelievable amount of litter flying out of a truck—reportedly by accident—along a busy highway, she took a closer look at the full-sized sheets of paper covering the side of the road. Official documents that had been tossed in a trash dumpster were now strewn about, documents which contained everything from names and addresses to Social Security numbers and birthdates for a lot of people.

Even though this incident is accidental in nature, it certainly qualifies as a data breach: an event in which highly sensitive stored information was not safeguarded. But what caused this data breach?

Further investigation showed that an area building had been sold, and that these documents had been left behind in the building when the ownership changed hands. When the new owners had the building cleaned out, the papers were thrown in a dumpster outside instead of being permanently destroyed, despite the fact that former employees’ personally identifiable information was included in the paperwork.

It might seem like this wasn’t all that big of a deal, especially if you compare this data breach to something like the Target breach or the MedStar hospital system’s ransomware attack. Admittedly, identity thieves probably aren’t resorting to roaming the highways, hoping to find dropped pieces of paper; however, “dumpster diving” for personal data is still a viable threat in identity theft, and it’s why consumers are warned to shred any important papers before discarding. More importantly, this breach demonstrates a lack of care on the part of those who gathered this information in the first place. No employee records should have been left behind when the property changed hands, but that was actually the case.

While you can’t personally guarantee what will happen to your information once you turn it over to an employer, a creditor, or a government agency, you can ask the hard questions about how this information is stored and protected. At the same time, if you work in a location that stores large amounts of personal data, find out what your company’s policies are for protecting the people who’ve turned over their information. With more attention to this kind of detail and more awareness about the need to protect the public, hopefully these types of accidental breaches will stop.


The Home Depot data breach might seem like yesterday’s news to some people, which is understandable considering it happened almost two years ago. Of course, plenty of other big-name breaches have since made headlines over the past few years. But the aftermath of an event like that one isn’t so easy to get over, especially for people who experienced significant financial fallout from the event.

Since the 2014 incident, there have been 57 individual lawsuits filed against the retailer due to this single data breach, which were then consolidated into one class-action suit. Now, Home Depot has reached an agreement to pay $19.5 million to consumers—$13 million for out-of-pocket losses due to having their credit card information stolen, and another $6.5 million to cover the cost of providing credit monitoring services for the customers affected by the breach. While the company hasn’t admitted any wrongdoing as part of the settlement, this agreement will be a way to move forward and put the incident behind them without incurring further costs; after all, the court costs and legal fees for this case are expected to reach nearly $9 million.

There are other unintended victims in any breach like this one: the banks that have to front the cost of replacing their customers’ credit cards, and the credit card companies themselves, which forgive the fraudulent purchases made after identity thieves sold or used the victims’ credit card information.

But apart from the money that will be paid out to cover fraudulent charges, another major aspect of the settlement looks at how Home Depot plans to move forward, and it’s something that all companies who’ve experienced a breach have to contend with: how do we keep this from happening again?

In all, around 40 million customers had their credit card information stolen in this single event, and a total of 54 million email addresses were stolen in connection with the individuals’ accounts. Home Depot has had to take a good look at what kind of problem caused this breach to occur in the first place, and what steps will prevent it down the road.

The investigation into the breach originally revealed that hackers stole the customers’ payment data through the point-of-sale credit card system, after the hackers got the username and password for one of Home Depot’s third-party vendors; that’s eerily similar to how hackers infiltrated Target’s network in 2013. As a result, the home improvement company has agreed to revamp their entire payment system and to hire a chief information security officer to oversee customers’ security in the future. Hopefully those steps will be enough to protect both the retailer and its customers from now on.


In what is possibly one of the most embarrassing data breaches in recent history, 37 million account holders on “hookup” site AshleyMadison.com woke up to the devastating news last August that hackers had infiltrated the website and released the members’ names online.

The website, which reportedly helps its members connect for the specific purpose of having extramarital affairs, was targeted by a hacking group over its false promises of anonymity; in other words, the site was charging its members to “delete” their information, but then not actually deleting it.

Now, anonymity is coming back to haunt the victims of the breach yet again. More than forty plaintiffs are named representatives in a class action lawsuit filed against AshleyMadison’s parent company, Avid Life Media, but a judge has now ruled that the plaintiffs cannot remain anonymous. In order to file their suit and move forward, they must agree to be identified in court records, or drop down to being members of the class action suit instead of representatives.

The privacy issue at the heart of this matter isn’t just the release of the names. In this case, AshleyMadison charged individuals and collected a fee to remove any trace of them from the site. When the data breach happened, these former members’ names were revealed because of the receipt process the website used after payment. The only reason someone would need a $19 receipt from AshleyMadison is if they had at one time had an account, which serves as an indication that they’d planned on having an affair. Whether the individuals ever followed through or thought better of it isn’t the point; they paid to be erased, and the very process of erasing them is what caused their names to be part of the stolen database.

Lawyers have already predicted that this will be a tough lawsuit, whether the plaintiffs reveal their names or not. Essentially, the individuals in question did engage in the behavior they’re now claiming their spouses found out about, namely, seeking out sexual partners. The lawsuit stems from the fact that their lives were irreparably affected by having this secret revealed, and legal experts have cautioned that if it was actually a viable and life-altering concern for the plaintiffs, they wouldn’t have done it in the first place. The sentiment is that they can’t get upset that their privacy was violated, if they were the ones who set the violation in motion.

But there’s another element to the loss of privacy, and that’s the failure to notify AshleyMadison members that a data breach was forthcoming. The hacker group who stole the databases and released the information online warned Avid Life Media first, and stated that failure to take down their site due to this very receipt policy would result in publishing the information. Attorneys have claimed that failure to notify the members after the initial contact from the hackers is the same as failing to notify any consumer of a data breach, and therefore makes the website culpable for the harm that has been done.


Just when parents might have thought it was safe to go back online, another data breach that affects the user accounts of millions of individuals—mostly children and teens—has taken place.

Sanrio, the Japanese company behind Hello Kitty and all of her cute character friends, was recently informed by a security expert that a database with more than three million user accounts had been leaked online, along with two backup servers that had been mirrored.

The information in the databases included users’ first and last names, birthdays, genders, countries of origin, email addresses, unsalted SHA-1 password hashes, password hint questions and corresponding answers, and other key information that’s relevant to the use of the website.
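To show why “unsalted SHA-1 password hashes” in that list matters, here is an added example (not Sanrio’s code or the original post’s) that stores a constructed user table both that way and with a salted, iterated hash, then counts how many users share a stored hash. Every record and password below is made up.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed user records (no real data): two people chose the same password,
# which is common on any large consumer site.
USERS = [
    ("kitty_fan_01", "hellokitty1"),
    ("melody_lover", "hellokitty1"),
    ("sanrio_parent", "P1nk-R1bbon!"),
]


def unsalted_sha1(password):
    """The scheme the leaked table used: one fast hash, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=200_000):
    """Salted, slow hash. Output: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_with_shared_hash(records, hasher):
    """Count users whose stored hash is identical to another user's.

    With an unsalted hash, equal passwords give equal hashes, so a leaked table
    reveals who shares a password and one precomputed guess covers every
    matching account at once. With a per-user salt the count is always zero.
    """
    hashes = [hasher(pw) for _, pw in records]
    counts = Counter(hashes)
    return sum(1 for h in hashes if counts[h] > 1)


if __name__ == "__main__":
    print("shared hashes, unsalted SHA-1:", users_with_shared_hash(USERS, unsalted_sha1))
    print("shared hashes, salted PBKDF2: ", users_with_shared_hash(USERS, hash_password))
    stored = hash_password("P1nk-R1bbon!")
    print("verify correct password:", verify_password("P1nk-R1bbon!", stored))
    print("verify wrong password:  ", verify_password("hellokitty1", stored))
```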

The affected websites include several different countries’ Hello Kitty sites, as well as sites connected to another Sanrio character, My Melody. While there is an e-commerce aspect to the websites where users can make purchases, it doesn’t appear that any financial information was compromised.

So what do hackers want with this information, if it’s not about the money? That’s hard to tell since there are multiple possibilities. In the case of the very recent VTech breach that affected around 12 million adults and children, the culprit has stated that he did it simply to prove to VTech that its security was useless and that its users were vulnerable. Of course, that’s something he could probably have done without stealing the information and frightening millions of people.

Initially, investigators were worried that the VTech breach had an even more malicious purpose since children’s photos, genders, ages, birth dates, and names were stolen. That information could have been cross-referenced with the parents’ physical addresses—also stolen—and used for unspeakable crimes. Fortunately, the VTech hacker has stated he would never have sold or used children’s information, but only did this to prove a point.

In Sanrio’s case, however, the motive is unknown at this point in the investigation. The websites’ users are global, and therefore securing their information and their personal safety will be tough.

Both of these recent events do have a silver lining in that they should serve as a warning to parents about oversharing and about really understanding how your family’s personal information is used online. Especially where children are concerned, there’s very little reason to upload a child’s photograph to a website with millions of users, and even less reason to use a real name, birth date, or other identifying information. The VTech app would have worked just as well with slightly altered data on each child, and parents would have had the peace of mind of knowing the stolen information wasn’t even accurate.

Last June, the federal government’s Office of Personnel Management (OPM) made a startling announcement: it had been the victim of a sophisticated, large-scale hacking event.

The resulting data breach compromised the highly sensitive information of more than four million government employees, including names, Social Security numbers, birthdates, and more. It didn’t take long before another data breach was discovered. The federal workers who hold the highest levels of security clearance were among those affected by the second data breach. That’s important because their applications for those clearances (the SF-86 form) were lengthy—more than one hundred pages of personal history, information, and in some cases even fingerprints.

These stored files included highly detailed information on practically everyone the applicants had ever met: college roommates, former coaches and employers, distant relatives, and more. When cybercriminals stole that extensive data, it brought the number of people affected by the hacking event to well over 21 million, many of whom might have had no idea the government even had their information. As of this week, the OPM and the Department of Defense have finished mailing out the notification letters to everyone who was impacted by this event. With the abundance of mail coming through the postal system at this time of year, it may be a few more days before those letters reach all their intended recipients.

So what do you do if you receive a letter from the OPM? The same thing you do if you receive any notification letter informing you that your data has been compromised. First, you don’t panic, but you also don’t disregard it as just another 21st century crime. You read it very carefully for any specific instructions, you follow those instructions, and you put the letter in a safe place.

A typical notification letter starts by informing you exactly what information was compromised in the breach. In the case of the four million employees, hackers got everything. But for the “outsiders” in the secondary breach who were only listed as additional sources of verification and reference, their Social Security numbers, for example, aren’t believed to have been gathered in the first place and therefore weren’t compromised. In any hacking event or data breach, always read the notification carefully to learn exactly what personal information the thieves obtained in the incident.

The letter should also provide you with suggested steps you should take. For a breach that only compromised email addresses and account passwords, you might be instructed to simply change your account password and look over your account history carefully. However, in a situation where all of your sensitive identifying information was obtained, you will be given more detailed instructions and possibly even offered credit monitoring and protection.

Finally, it’s important that you put your notification letter in a safe place once you’ve read it and followed the instructions. It may help you down the road by serving as proof that your identity was stolen, which is especially important if someone commits a crime with your good name.

Travelers, beware! At least that’s the sentiment of many people who’ve had their credit card and payment information stolen while traveling, specifically while staying in hotels.

Hotel data breaches are nothing new. Experts have warned vacationers for quite some time about the dangers of turning over your payment card at a check-in or check-out desk, as unscrupulous hotel employees can easily make a copy of your card using the magnetic key card machine. For that reason, travelers have long been warned about letting their cards out of their sight.

But a rash of large-scale data breaches at major hotel chains has been linked back to hackers, specifically breaches involving the point-of-sale payment networks in hotel gift shops. As recently as September 2015, Krebs on Security reported on a data breach involving Hilton properties, and hotels around the world, such as Mandarin Oriental and White Lodging Properties, have also been affected.

Now, news broke this week about another major hotel data breach involving 54 different Starwood Hotels & Resorts Worldwide properties. Once again, the breach seems to have impacted only the point-of-sale network within the hotel shops, and not the actual check-in desk or reservations system.

As the busy holiday travel season approaches, there’s no reason to think the situation will get better instead of worse. Hackers know they have an easy target in out-of-towners, especially as guests buy essential items or gifts from the hotel stores. Since this isn’t something you can easily plan ahead for or prevent, it’s better to take proactive steps before the issue occurs.

For starters, you can opt to pay with cash at hotel properties or, if possible, apply any charges to your hotel room. Another way to minimize harm is to designate one low-limit credit card for all of your travel spending. This method will also help by reducing the chances that you go over your travel budget. The main thing to remember is not to use a debit card in these situations, as debit cards do not carry the same level of protection that applies to credit card transactions.

More important, though, is monitoring all of your account statements both before and after you travel. That way, you’ll have a clear picture of how much you’ve spent and where your funds have gone. If anything remotely out of the ordinary occurs, you’ll be prepared to head it off with your financial institution.

It’s important to remember that in most of these major hotel data breaches, there has been a long window of opportunity during which thieves gathered credit card information, then used that information for criminal purposes. Don’t think that just because your information was safe in the days after you returned home, you’re in the clear. Keep a close eye on your statements all year long to stay on top of any potential threats.

It was only two years ago that shoppers during the Black Friday madness received an unwelcome gift: their personal details and credit card information were stolen by hackers in what was then one of the largest known retail data breaches.

Now, just in time for the busiest shopping week of the year, one of the world’s largest online retailers has found some equally unwelcome news: some of its customers’ passwords may be in jeopardy.

Amazon reached out to affected customers this week with the information, letting them know that their passwords may have been improperly stored or transmitted in a way that could open them up to outsiders. While there’s no known link yet between this password exposure and any hacking activity, Amazon conducted a “forced reset” of those passwords. Even if you didn’t receive a notification from Amazon, it’s recommended that you change your account passwords immediately.

Besides the obvious fear of hacking and data loss, there are some other valid fears associated with this kind of issue. First, there’s a real threat that scammers will swoop in with their own emails in an attempt to copycat this incident; if you receive an email that even looks as though it’s from Amazon—informing you that your account may have been compromised in some way, and offering you a link to reset your password—ignore the link and handle it yourself. By going directly to the retailer’s website on your own and changing your password instead of using a link that arrives in a message, you can avoid any phishing scams that come through your email inbox.

Also, this incident serves as a cautionary reminder of why it’s vital that you take your account passwords seriously. There are some features that “good” passwords have, namely that they’re strong and that they’re unique. A unique password is pretty much what the name implies; you only use it for one account or website. If you use the same password (or even a close variation of it) on multiple websites, you’re potentially handing over your entire web identity to a hacker.

As for being strong, that’s a different matter. A strong password is at least eight characters long, and contains at least one letter, one number, one symbol, and one uppercase character. It’s also not an easily guessed combination, like “Password1!” or your last name.

Finally, there’s one last piece of the “good” password puzzle, and that’s the frequency with which you change it. Think of your password as being the key to a highly lucrative lock; the more that a hacker stands to gain from breaking into your account—like your credit card, banking, or major retailer’s account—the more often you should update your password. If you have a strong, unique password on your local library’s website, for example, one that cannot be used to guess other passwords, then the danger from a hacker is less severe. But if you have an account that contains significant and lasting information about you, the more often you change your password, the better off you’ll be.
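The “strong” and “unique” rules above can be applied by a small checker. This is an added example, not code from the original post or from Amazon; the common-password list is a constructed placeholder (a real deployment would use a large list of passwords seen in breaches), and the “close variation” test treats passwords that differ only by trailing digits and symbols as the same password.

```python
import re

# Constructed placeholder denylist of easily guessed passwords.
COMMON_PASSWORDS = {"password", "password1", "password1!", "123456", "qwerty123", "letmein"}


def check_password(password, known_words=()):
    """Apply the post's rules and return the list of failures (empty = passes).

    known_words are facts an attacker can learn about the user (last name,
    username, employer) that should not appear inside the password.
    """
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letter")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("easily guessed (common password)")
    for word in known_words:
        if len(word) >= 3 and word.lower() in lowered:
            failures.append(f"contains known word {word!r}")
    return failures


def _stem(password):
    """Drop trailing digits/symbols and lower-case: 'Summer2016!' -> 'summer'."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()


def is_reused(candidate, existing_passwords):
    """True if the candidate equals, or is a close variation of, a password used elsewhere."""
    stem = _stem(candidate)
    for other in existing_passwords:
        if candidate == other:
            return True
        # Only compare stems when something is left after stripping the suffix.
        if stem and stem == _stem(other):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(check_password("Password1!"))
    print(check_password("Smith2016!", known_words=["Smith"]))
    print(check_password("Tr0ub4dor&3"))
    print(is_reused("Summer2016!", ["summer2015", "Xk9#pq"]))
```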

“Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response,” according to a new Ponemon Institute research report titled “The Importance of Senior Executive Involvement in Breach Response.”

The study sponsored by HP Enterprise Security Services surveyed 495 senior executives in the United States and United Kingdom to understand their perspective about the importance of executive- and board-level involvement in achieving an effective incident-response process.

I have delivered many speeches citing the need for senior executives and board members to get significantly involved in cybersecurity and data-breach risk management. Ponemon’s findings suggest that too many at the top of corporations are not properly engaged, even though their employees, customers and intellectual property are vulnerable.

Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response. Seventy percent of respondents say poor communications is a barrier and 68 percent of respondents believe organizations do not have the appropriate leadership in place to deal with data-breach incidents.

Senior executives believe their involvement in the incident-response process is necessary. Seventy-nine percent of respondents say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical.

Current incident response plans are more reactive than proactive. Less than half (44 percent of respondents) characterize their organization’s incident response process as proactive and mature.

Executive level oversight is critical to minimizing financial loss and protecting reputation and brand. How do senior executives view their responsibility when an incident occurs? Senior executives are most concerned about the long-term effects and sustainability of the organization when sensitive and confidential information is stolen. Their focus is on minimizing financial loss and avoiding reputational damage.

Understanding the risk and approving incident response plans should be on the board of directors’ agenda. Seventy-seven percent of respondents say the board should be involved in reviewing risk assessments followed by approving the incident response plan (69 percent). Receiving regulatory and compliance updates (68 percent) and approving insurance coverage (66 percent) are other areas in which the board should be engaged.

From the perspective of a senior executive, what makes a data breach significant? In the context of this research, a material breach is one that requires more resources to resolve in order to minimize financial loss and reputational damage. Fifty-seven percent of respondents say the loss or theft of more than 10,000 records containing confidential or sensitive information constitutes a significant data breach.

Negligent and malicious insiders are considered the biggest security risks. Senior executives are more concerned about the threat within than with external risks caused by cyber criminals and hacktivists. Forty-two percent of respondents say they worry most about negligent insiders followed by 25 percent who say they are concerned about malicious insiders.

Incident response should focus on understanding the cause of an incident and addressing the negligent insider risk. Forensics investigations are key to responding to a breach (86 percent of respondents) followed by training and awareness of employees (81 percent)—probably because of executives’ concern about negligent insiders.

Mark’s most important: Note to small and large company leadership: Get involved in cybersecurity from top to bottom because it’s essential, the right thing to do, and it will help mitigate and/or eliminate your risk specific to the 47 state notification laws, the FTC Red Flags Rule, and the HIPAA/HITECH Act.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

Two foreign nationals who worked for a third-party data company are suspected of stealing the personal information of as many as 4,000 Dow Corning employees. The two men, who worked for HCL America, are believed to have downloaded names, Social Security numbers, income records, and more, then transferred that data to a USB drive. The drive—and the information—are unaccounted for as of now.

HCL America is a third-party contractor that provides paid services to clients like Dow Corning. As such, they are responsible for conducting thorough background checks, employee verifications, and other authenticating procedures. Many businesses rely on this type of contractor to complete certain company tasks while saving on the hiring costs and benefits associated with bringing in full-time employees.

Internal data breaches like this one are certainly nothing new. One particular incident resulted in a conviction of a former Morgan Stanley financial advisor who stole account records from the database and downloaded them to his personal laptop; although he still claims that he never released or sold the records, batches of those same account records were found on a black market website.

What is different about this incident with Dow Corning, however, is the speed with which the incident was detected and the suspects’ names revealed. News of data breaches in the past has often involved months or even years between the breach occurring, investigators discovering it, and then the company notifying the victims. In this case, Dow Corning discovered the breach in late September, and a hearing is scheduled for November 17th. A federal judge has already issued a mandate to prevent the two suspects from destroying any evidence, and the men have been detained as they are considered a flight risk.

But regardless of whether the guilty parties are apprehended or how the breach occurred, the outcome for the thousands of victims is the same: their highly sensitive data has been stolen. Since there’s no evidence yet that it has been used or released anywhere, the affected individuals are only being cautioned to monitor their credit reports and financial statements at this time. It’s also a good idea for victims of a data breach to change their passwords on significant accounts like their email, to install robust anti-virus and anti-malware software, and to keep the notification letter in a safe place as proof that their identities may have been compromised.