The Target breach can now be added to a long list of historical events that occurred on December 19th.  It should rank somewhere between King Henry II being crowned King of England in 1154 and Italy besting Chile for the 65th Davis Cup in 1976.  At least we hope that is the case.

There has been a proliferation of articles and communication across multiple media channels highlighting this incident.  Most of the articles have provided sensible tips to consumers on what steps to take and how to react.  Many have included stories from consumers expressing their outrage.  Some have even vilified Target for the incident.  Why then would an organization such as the ITRC, built on advocacy and consumer trust, actually want to thank Target?  Because breaches happen all the time! In fact, we have documented more than 600 breaches, THAT WE KNOW ABOUT, in 2013 alone.  But this time, everyone is talking about it.  Finally.

It is unfortunate that it took an incident from such an iconic brand, during the holidays and in such a broad scope, to cause this kerfuffle.  But in our estimation, this reaction is long overdue.  Consumers need to be aware that the information and data they have floating all over the place is vulnerable.  They need to know that their data can be breached, even if they themselves follow all the best practices.   There – I said it.  Individual consumers are powerless to stem the tide of data breaches.  That last statement will cause both advocates and consumers to cringe.  But it’s the truth and someone needs to say it.

There are things people can do to minimize the damage which can result from a data breach, but that is different from doing things to stop a breach (ways to minimize damage after a breach will be covered in depth in Part 3).  Right now, the services we consumers use, and the businesses we trust to safeguard our data, are the ones that must take steps to ensure that the risk to us is lessened.  And we think that in many ways, the business community on the whole is making efforts in this area.  Do we really think that Target WANTED to admit to a data breach, during the holiday season, right before the second busiest shopping day of the year (according to Shoppertrack data predictions)?   Of course not.  But once they were outed by a security expert they were compelled, in part, by the laws that govern the reporting of breaches to affected parties.

For those of you who don’t believe that laws elicit compliance, I remind you of an old saying among the financial detectives I used to work with: “Locks are for honest people.”  After all, a thief would simply break a lock and take off with whatever valuable goods are inside.  Honest people are deterred by “locks” and, when presented with guidelines and guardrails, they generally practice restraint, even if a little bit tempted, because they don’t want to be a criminal.  Laws are an outside force that compel us to govern ourselves because we don’t like the consequences (think speed limits and jaywalking laws). In the case of a data breach, mandatory breach reporting laws are locks.  The fact that there are still four states (Alabama, Kentucky, New Mexico and South Dakota) that do not have laws/regulations regarding mandatory reporting is troubling.

Breach reporting laws keep the honest companies in compliance and ensure a safer environment for consumers on the whole.  Untrustworthy members of industry won’t report a breach regardless of the law.  Compliance and noncompliance can be useful indicators to consumers when they are sorting out which companies to trust in this complex landscape.  This incident may well have us on our way to more dialogue about a robust federal data breach notification law.  Why?  Because now consumers will be engaged in the dialogue and we need that critical participation from them. The business community can (and mostly does) support a law that promotes uniformity in the reporting guidelines across all states, thus simplifying their breach reporting process.  After all, with national and international companies (like Target), why should your right to know be based upon where you reside?  That is an oversimplification, but you get my point.

Let’s be hopeful that 2014 will bring a new round of meaningful dialogue in this area and let us hope that consumers, with this new awareness, are stronger participants in the conversation.

“Why I want to say Thank You to Target (Part 1 of a 3 part series)” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. You can follow her on Twitter at @ITRCCEO. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Target Corporation confirmed on December 19, 2013 that approximately 40 million of their customers’ credit and debit card accounts may have been compromised. The unauthorized access occurred between November 27 and December 15, 2013, meaning anyone who shopped at Target and used a payment card during this time period may be at risk for fraud.

The ITRC recommends that anyone who used a payment card at a Target store between November 27 and December 15, 2013 follow the steps below to minimize their chances of identity theft or fraud.

VICTIMS OF THE TARGET DATA BREACH SHOULD:

  • Immediately review your debit and credit card statements for any suspicious activity.
  • Contact your bank or financial institution and inform them of the incident. Discuss with them your options to protect your accounts and your identity. You may want to request a new card with a new card number and PIN number.
  • Periodically monitor your credit reports for fraudulent activity by ordering your free credit reports on www.annualcreditreport.com.
  • Place a 90-day fraud alert on your credit profile with the three major credit reporting agencies regardless of whether you detect any suspicious activity on your credit reports.
  • Should you find any suspicious activity on your credit reports, request that the creditor and credit reporting agency delete the information from your credit profile.
  • Once any fraudulent accounts have been deleted from your credit profile, consider placing a security freeze on your credit profile to reduce any risk of fraud. While the security freeze is in place, you will not be able to view your credit reports or open any new lines of credit; however, you can always unfreeze your credit profiles at any time.
  • Should you need any assistance, at any time, please call the Identity Theft Resource Center at toll-free 888-400-5530, or visit our website www.idtheftcenter.org for more information on identity theft and what you can do to protect yourself.

It does not seem that any Social Security Numbers were breached in this incident; however, customers’ names, card numbers, expiration dates and security codes may have been accessed by the hackers. “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer of Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.” Target has posted an online breach notice located at the top of their homepage providing details of the incident and what information was exposed.

We will be closely following the situation and will provide you with updates shortly.


It’s never fun to receive a breach letter in the mail. Out of nowhere, you’re informed that through no fault or ill-advised action of your own, your personally identifying information (PII) has been compromised and may have been exposed for all the world to see.  This can cause panic on the part of the consumer. As we at the ITRC often see firsthand, in addition to being scary, it can confound and confuse.  What information was exposed? What does this mean? Am I a victim of identity theft? What should I do now?

The first thing you need to know is that a breach letter is never, in and of itself, a declaration that you are now a victim of identity theft. If you’ve received a letter of this type, it’s because under state law an entity whose exposure improperly revealed consumer information is required to notify you.  Read the letter carefully, as they must disclose exactly what type of information was exposed and when.  They’re also required to inform you in a timely manner. The only permissible reason for a delay in notification is if it would compromise an ongoing criminal investigation into the perpetrator of the exposure (if there was specific criminal intent in the case of this particular breach).

So, really all the letter is informing you of is that some portion of your PII was improperly exposed. The letter will detail exactly how and where the information was compromised.  What it means in simple English is that your information was exposed and as a result you may be at greater risk for identity theft or fraud than the average consumer.  Sometimes credit monitoring or other aid services are offered as part of the company’s attempt to make amends for the breach (or to offset the tarnishing of their public image).  If such services are offered free of charge it is always advisable to take advantage of them. The letter will usually have numbers to call for the service in addition to the numbers for the credit reporting agencies or information services to help walk you through the process.  Be sure to use them all.

Check your credit reports and issue fraud alerts through the credit reporting agencies. Remember, the more information you have about exactly what happened and when, the better position you’ll be in to mitigate any added risk or resulting damage to your identity. If you have additional questions or want to be talked through exactly what you should be doing, it never hurts to call the ITRC toll free at (888) 400-5530.


The Identity Theft Resource Center has been receiving hundreds of calls regarding a specific data breach notification letter from a debt collection law firm in the state of Florida. The letter was sent to people who may have had their personally identifiable information (PII) exposed, detailing the cause of the exposure, the firm’s response, and some tips for people to protect themselves.

The letter explains that a former employee may have possibly viewed people’s names, addresses, date of birth, driver’s license number, and/or Social Security number. The letter stresses that the firm does not believe that people’s personally identifiable information was used to inappropriately obtain or use their credit, but “out of an abundance of caution” wanted to inform people of the possible exposure of their data so they could take proactive measures to minimize their risk of identity theft or fraud.

The firm’s letter recommended some actions for recipients to take including continuously obtaining credit reports from the three major credit reporting agencies, reporting any inaccuracies to creditors and the credit reporting agencies, and placing security alerts on credit reports. Lastly, the firm recommended that recipients of the letter call the ITRC for additional information and support services.

The ITRC is not in any way affiliated with said firm, but is always available to help victims and potential victims of identity theft and related fraud. The steps outlined for people to protect themselves in the letter are great first steps, but we at the ITRC would like to provide some additional steps people can take to dramatically minimize their risk of identity theft and fraud.

If you are a recipient of this data breach notification letter:

  1. Call the three credit bureaus (Experian, Equifax, and TransUnion) and request a 90-day alert be placed on your credit.
  2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies. Should you find any inaccuracies please call the Identity Theft Resource Center at our toll-free number, (888) 400-5530, so one of our experienced Identity Theft Victim Advisors can personally assist you in resolving them.
  3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.
  4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.
  5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.
  6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129.

Regardless of whether you have reason to believe your personally identifiable information has been exposed or not, it is always a good idea to be proactive about protecting your identity. Monitor your credit reports and properly dispose of or protect your personal information. Visit us at www.IDTheftCenter.org for more information about identity theft, fraud and what you can do to protect yourself.


Recently, Barnes and Noble discovered that criminals stole the credit card information of customers who shopped at over 60 stores located across the United States. States affected by the breach include California, New Jersey, New York, Pennsylvania, Rhode Island, Illinois, Massachusetts, Connecticut and Florida. It is not clear exactly how the hackers infiltrated the Barnes and Noble payment systems, but it was determined that the PIN pad devices into which customers swipe their cards and enter their PINs were the culprits.

They have determined that only one PIN pad device in each of the 63 stores was compromised. Despite this fact, Barnes and Noble opted to disconnect all PIN pads at all their 700 stores for inspection to be extra cautious.


While the hacking discovery was made around September 14, Barnes and Noble waited until October 24 to begin notifying customers. The reason for this delay is that the Justice Department requested that Barnes and Noble delay notification so as not to jeopardize an FBI investigation into who was behind the attacks. Barnes and Noble has received two letters from the United States Attorney’s Office for the Southern District of New York informing them that they were not required to report the attacks during the law enforcement investigation. Most states have data breach notification laws that allow companies that are breached to delay notification to customers if a law enforcement agency determines that notification may impede its investigation.

It is important that anyone who has done any shopping at Barnes and Noble stores in the affected states quickly change the PIN on their debit card, as the hackers can make fraudulent purchases with the information they stole. In addition, anyone who used a debit or credit card at Barnes and Noble recently should immediately review their account statements for unauthorized charges and notify their banks as soon as possible if any have occurred.


As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.


According to most state laws, a data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. Note that under these state breach laws, non-personal identifying information is not included.

Next, let’s consider hacking. By definition, “hacking” is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer. Hacking efforts target all types of information – from high level intellectual property down to individual personal information, both sensitive and non-sensitive information. Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.

This brings us to the definition of “reported breaches”. ITRC only publishes breach incident information which is available from credible, public resources. Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources. This approach means that the ITRC Breach Report only reflects the tip of the iceberg.

In 2011, 41% of the breaches on the ITRC report show the number of records exposed as “unknown.” In addition, ITRC is aware of a significant number of breaches that are not made public. As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records. The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue. Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards). Some states have expanded this “trigger” definition to include medical and healthcare information. This situation leaves large loopholes for breaches to remain unreported.

Currently we know that:

  • An undeterminable number of breaches go unreported, even when notification should have been triggered according to the applicable state laws.
  • Many breach notifications (at least what is disclosed by the entity) underreport the number of records.
  • Many breach notifications also do not clearly define the types of information exposed.
  • Public information is often incomplete in detailing how the breach occurred.
  • Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws.

To date, state laws have not added notification “triggers” for paper breaches, or for those incidents which involve non-personal types of information, i.e. passwords, usernames and email information. Paper breaches have been captured and categorized on the ITRC Breach Reports since 2005, even though these types of breaches did not trigger breach notifications. Paper breaches are typically “outed” by external sources (consumers, media, etc.), and are not usually reported since there is no mandatory reporting. The reality is that paper breaches present a higher level of “risk of harm” because the information is often “ready to use” and may even include signatures.

Since there is no mandatory reporting for these types of breaches, individuals have no way of knowing they should be concerned about having their information exposed, and subsequently used for identity theft. Over the past five years, even without a requirement for notification, paper breaches have represented an average of 19.6% of the total breaches.

Another issue that is excluded from the current set of state breach notification laws is how to handle those data breach incidents which expose non-sensitive personal information. This non-sensitive personal information is a rich source for phishing scams. User names and passwords are a wonderful place to start hacking, since most people use variations of the same password on multiple accounts. Even an email takeover can be an easy way to request a friend’s help to “get back from London,” or to start a directed “spear phishing” attack on employees of your company. Due to these types of risks, the ITRC began to capture and track these non-PII breach incidents even though they did not often include the types of personal identifying information necessary for a breach notification.

One thing that remains clear is that when it comes to electronically stored information, the ability of the cyber-criminal to gain access to this information will always outpace legislative and law enforcement efforts to curb their malicious activity. All businesses should take note of these changes and react aggressively to protect themselves, their employees, and their customer base from harm. The current call for a Cybersecurity bill in the U.S. Senate should underscore the need for all businesses to strengthen their security efforts.