In 2019, the Identity Theft Resource Center (ITRC) saw a 17 percent increase in data breaches compared to 2018. Credential stuffing attacks exploded in 2019, as did breaches of third-party contractors. 2020 has been a different story.

While scams are up due to COVID-19, publicly-reported data breaches are down in the U.S. Despite millions of Americans shifting to working from home – where cybersecurity and data protections may not be as strong as in their regular workspace – the number of data breaches has dropped by one-third (nearly 33 percent) in the first six months of 2020 compared to 2019. The data compromise decrease statistics do not stop there. More significantly, the number of individuals impacted by breaches dropped by 66 percent compared to the same time period one year ago.

Year-over-year January – June 2020 data breach trends provided by ITRC

The 2020 data breach statistics are good news for consumers and businesses overall. However, the emotional and financial impacts on individuals and organizations are still significant. In fact, the impact on individuals might be even more catastrophic as criminals use stolen personally identifiable information (PII) to misappropriate government benefits intended to ease the impact of the COVID-19 pandemic.

External threat actors continue to account for most successful data compromises (404), compared to internal threats from employees (83) and third-party contractors (53). Internal threat data compromises are the lowest they have been since 2018.

In comparison, January 1, 2019 to June 30, 2019 saw 588 breaches caused by an external threat actor, 126 breaches caused by an internal threat actor and 89 breaches involving a third party. The data compromise decrease can be attributed, in part, to more people working from home.

Due to the increase in remote work, employees have less access to the data and systems necessary to easily steal PII. However, businesses and employees are also hyper-focused on preventing identity theft.

Unless there is a significant uptick in data compromises reported, 2020 is on pace to see the lowest number of data breaches and data exposures since 2015.

Year-over-year data breach trends 2020 provided by ITRC

With that said, there is reason to believe the lower number of breaches is only temporary. Cybercriminals have been using the billions of data points stolen in data breaches during the last five years to execute different types of scams and attacks, which include phishing, credential stuffing and other exploits that require PII. With so much data being consumed and so much focus on improved cyber-hygiene, both at work and at home, the available pool of useful data is being reduced.

At some point, cybercriminals will have to update their data, which should lead to a return of the normal threat pattern. While there are signs of increased cyberattacks that – if successful – could lead to PII being compromised, it is too early to tell when the uptick may occur. Even then, it is more likely to be a “dimmer switch” approach rather than just flipping on a light switch, meaning it will not happen all at once.

The ITRC will continue to monitor all of the publicly-reported data breaches daily and analyze them to keep businesses and consumers educated on what the cybercriminals are doing.

If someone believes they have had their information exposed as part of a data compromise, or is a victim of identity theft due to a data breach, they can live-chat with an ITRC expert advisor. They can also call toll-free at 888.400.5530. Advisors can help victims create action plans that are tailored to them.

Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

For more information on the ITRC’s data breach tracking and trend analysis, or if your organization would like to subscribe to our monthly data breach product, please email notifiedbyITRC@idtheftcenter.org.

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the previous week. The ITRC has the most comprehensive databases of information about publicly-reported U.S. data breaches. The ITRC has been compiling data breach information for the last 15 years, recording close to 12,000 publicly-notified data breaches. This week we are highlighting a couple of longer-term unconventional 2020 data breach trends (specifically, in publicly-reported breaches in the U.S.), what is behind them and what cybercriminals are doing with all of the personal information they have stolen over the past few years.

Tune in to the Identity Theft Resource Center’s newest podcast – the Weekly Breach Breakdown with host, James Lee, Chief Operating Officer.

Since 2015, data breaches and the number of people impacted have been on the increase, with the exception of one year. However, 2020 is shaping up to be very different. While many believed employees working remotely due to COVID-19 would lead to a spike in data breaches and identity theft, the data tells a different story. The number of publicly-reported data breaches is down 33 percent in the first six months of 2020 over the same period in 2019. More importantly, the number of individuals impacted by data compromises is down 66 percent compared to last year. In the first six months of 2020, the ITRC tracked 540 data breaches and approximately 164 million people affected, including those who received more than one breach notice.

While the 2020 data breach trends are good news for businesses and consumers, the emotional and financial impacts on organizations and individuals due to data breaches are still significant. In fact, the impact on individuals could be even more damaging as criminals use stolen identity information to misappropriate government benefits intended to ease the impact of the coronavirus. While the ITRC sees a drop in data breaches reported, it also sees an increase in reports of identity-related fraud.

There is never just one reason why data breaches go up or down. It is a complicated issue with many moving parts. However, related trends give a clue about one of the primary drivers of the reduction in mass data theft: all the identity information stolen in data breaches over the past few years. In fact, a new research report shows there are 15 billion credentials for sale in the marketplace where identity criminals buy and sell personal information. That is a lot of information – and right now, cybercriminals are cashing in on all of that data by running COVID-19 and other scams that require identity data. Cybercriminals are striking with phishing attacks and other automated attacks using apps designed to crack open accounts using stolen credentials that cost as little as $4.

In other words, right now identity thieves do not need any more data. They are consuming more data than they are gathering. Unless there is a significant increase in the number of reported data compromises, 2020 is on pace to see the lowest number of data breaches and data exposures since 2015, an unconventional 2020 data breach trend that might not have been expected at the beginning of the year – and is counter to other reports. With that said, there is reason to believe the 2020 data breach trend of a lower number of breaches is only temporary.

At some point, cybercriminals will have to update their data warehouses. When they do, the ITRC expects a return to the normal threat pattern. It could happen in the second half of 2020, or early 2021. Whenever it happens, it is not expected to happen overnight. Rather, it is expected to gradually happen over time.

For more information, as well as analysis of the 2020 data breach trends, subscribe to our data breach newsletter.

If someone believes they are a victim of an identity crime or believes their identity has been compromised, they can live-chat with an expert advisor or call toll-free at 888.400.5530 to get started on the resolution process. Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



School districts are a playground for hackers. While the education sector does not see as many data breaches as some others (it ranked third in the Identity Theft Resource Center’s 2019 Data Breach Report with 113 breaches), recent school district data breaches – and breaches of their software systems – have highlighted the value to data thieves.

There have been multiple large school district-related data breaches in the last two years, including Georgia Tech, which affected 1.3 million people; education software developer Pearson, which affected 13,000 educational institutions; and education software developer Aeries, which could have affected over 600 school districts. According to Insurance Business America, a study done by Comparitech said that since 2005, K-12 school districts, as well as colleges and universities across the country, have experienced more than 1,300 data breaches affecting more than 24.5 million records. The AZ Mirror reports that Arizona schools have leaked 2.8 million records since 2005. Arizona is second only to California, which has leaked close to 2.9 million records in that same span.

Fortunately, many of the recent school district data breaches do not involve Social Security numbers (SSN). However, a child’s SSN is a common target for hackers because children are not looking at their information for years. By stealing a child’s SSN, medical insurance card or birthdate, hackers could have up to an 18-year head start before a child discovers there is a problem with their credit or personally identifiable information. Threat actors will likely continue to try to find ways to access children’s SSNs to commit child identity theft and synthetic identity theft.  

Hackers also see school district data breaches as a prime opportunity to target financial accounts, social media accounts and retail accounts that might be linked to email addresses that they obtain. With email account information, hackers can target victims with spam emails, phishing attempts and harmful software viruses, not to mention credential stuffing to gain access to more sensitive data.

There are steps that parents and children can take to reduce the risk of child identity theft from a school district-related data breach. They include:

  • Freezing a child’s credit until they are an adult or plan on using it (for financial aid as an example)
  • Not feeling obligated to give a child’s Social Security number on every form; limit the number of places it is given
  • Changing email passwords and the passwords of any other accounts that use the same password if impacted by a data breach where an email is compromised
  • Considering the use of passphrases instead of passwords, which are easier to remember and harder to guess
  • Filing an ID Theft Report with the Federal Trade Commission (FTC) and contacting all three credit reporting agencies (CRAs) to request free credit reports if personal information is being misused

If someone believes they are a victim of a school district data breach, they can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. They can also download the free ID Theft Help App for access to resources, a case log and much more.



Data breaches can come in all different forms. Some occur from ransomware attacks and formjacking, while others are related to security lapses at third-party vendors or cyberattacks using stolen credentials. Hackers are always thinking of new ways to target and attack businesses and consumers. Magecart data breaches have grown as the years have gone by. One of the most notable Magecart attacks was on Macy’s in October 2019 when web skimmer malware was discovered on Macy’s website collecting customers’ payment card information.

Magecart is a particular type of malware used by hacking groups that targets the payment information entered into forms on various websites while allowing the transaction to complete without the consumer being any wiser. Magecart hacks third-party components that are common on e-commerce sites. According to Forbes, by October 2019, over 18,000 websites had been infected with Magecart card skimming malware. In the article, RiskIQ said they had spotted Magecart skimmers in action more than two million times. Other notable Magecart data breaches include attacks on the Baseball Hall of Fame, international hotel chains, Ticketmaster and British Airways.

While Magecart attacks will continue, businesses should do their part to protect their customers’ data, and consumers must also exercise caution. According to SC Media, cybersecurity teams at businesses should consider a variety of defenses that limit the risk of threat actors taking advantage of software flaws to infiltrate websites.
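One defense against tampered third-party components is to monitor which external scripts a checkout page loads and whether each is pinned to a known hash (the browser's Subresource Integrity feature). The following is an added example, not code from the ITRC or any company named here; the host names, allowlist and page markup are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values for this example: the shop's own host and the vendors it approved.
FIRST_PARTY_HOST = "shop.example"
APPROVED_THIRD_PARTIES = {"cdn.payments.example", "cdn.analytics.example"}


def sri_sha384(content: bytes) -> str:
    """Integrity value in the form browsers expect: 'sha384-' + base64(SHA-384)."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_checkout(html: str, served: dict) -> list:
    """Return (src, problem) findings for third-party scripts on a page.

    `served` maps a script URL to the bytes currently returned for it, so a
    pinned script whose content has changed is reported as well.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host is None or host == FIRST_PARTY_HOST:
            continue
        if host not in APPROVED_THIRD_PARTIES:
            findings.append((src, "unapproved host"))
        elif not integrity:
            findings.append((src, "no integrity pin"))
        elif src in served and sri_sha384(served[src]) not in integrity.split():
            findings.append((src, "content does not match pin"))
    return findings


# Constructed sample: vendor script as reviewed, and a checkout page that uses it.
PAY_JS = "https://cdn.payments.example/pay.js"
REVIEWED_LIB = b"function pay(card){ /* vendor code as reviewed */ }"
CHECKOUT_PAGE = f"""
<html><body>
<script src="/js/cart.js"></script>
<script src="{PAY_JS}" integrity="{sri_sha384(REVIEWED_LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/a.js"></script>
<script src="//static.unknown.example/widget.js"></script>
</body></html>
"""

if __name__ == "__main__":
    changed = {PAY_JS: REVIEWED_LIB + b"/* content changed after review */"}
    for src, problem in audit_checkout(CHECKOUT_PAGE, changed):
        print(f"{problem}: {src}")
```

A check like this belongs in deployment pipelines and scheduled monitoring of the live checkout page, since the script a vendor serves can change after the page was last reviewed.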

Consumers also have a role to play in helping thwart payment information theft, starting with being cautious about where to use payment cards online. Consumers should also consider using newer payment technologies that have more built-in security features than traditional credit and debit cards. Digital wallets like Apple Pay and Google Pay, along with “virtual” payment cards that rely on random, single-use card numbers, make card information useless to identity thieves.

While cyberattacks constantly evolve, it is important for businesses and consumers to also change to ensure their information is safe. If anyone has questions or believes they might be the victim of a Magecart data breach, they can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530. Data breach victims will get guidance on the next steps they need to take. Finally, victims can also download the free ID Theft Help App, which includes a case log to track the steps taken, additional resources to refer to, instant access to an advisor and much more.



Gaming companies can be a common target for hackers. The recent Stalker (S.T.A.L.K.E.R. (Scavengers, Trespassers, Adventurers, Loners, Killers, Explorers and Robbers)) data breach is a prime example. Online video games are big business for companies that develop action-packed, web-based games. These companies make money through initial game subscriptions, advertising within the game, data harvesting of the users’ information and microtransactions for tools and extras used in the games, although many of them allow users to play for free. Since a single popular game title can have millions of users, they can become a target for hackers who make money from having access to data.

Stalker Online, an MMO (massively multi-player online) game that lets users all over the world play the role-playing game, recently suffered an attack on its server owned by BigWorld Technology. The usernames and passwords, email addresses, phone numbers and IP addresses for more than 1.3 million players were compromised in the Stalker data breach, since the data was stored using MD5, an algorithm that offers a relatively low level of security. Once the attack occurred, some sources believe the for-hire hacker Instakilla then managed to extract all of the data and post it for sale on the Dark Web.
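To show why MD5 is considered weak for stored passwords and how a site can move existing records to a salted, deliberately slow hash, here is an added example (not Stalker Online's or the ITRC's code). The record formats `md5$…`, `md5-scrypt$…` and `scrypt$…`, the function names and the cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

# scrypt cost parameters (assumed for this example; tune them to your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5: very fast to compute, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _scrypt_hex(material: bytes, salt: bytes) -> str:
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32).hex()


def hash_password(password: str) -> str:
    """Target format: a random per-user salt plus a memory-hard hash."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt_hex(password.encode('utf-8'), salt)}"


def wrap_legacy(md5_hex: str) -> str:
    """Harden an existing MD5 record right away, without knowing the password,
    by applying salted scrypt on top of the stored MD5 value."""
    salt = os.urandom(16)
    return f"md5-scrypt${salt.hex()}${_scrypt_hex(md5_hex.encode('ascii'), salt)}"


def verify(password: str, record: str) -> Tuple[bool, str]:
    """Check a login and return (ok, record_to_store).

    A successful login against a legacy record is upgraded to the target format,
    so weak records disappear as users sign in.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5(password), rest)
    elif scheme in ("scrypt", "md5-scrypt"):
        salt_hex, _, digest = rest.partition("$")
        material = password if scheme == "scrypt" else legacy_md5(password)
        candidate = _scrypt_hex(material.encode("utf-8"), bytes.fromhex(salt_hex))
        ok = hmac.compare_digest(candidate, digest)
    else:
        return False, record
    if ok and scheme != "scrypt":
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(legacy_md5("password") == legacy_md5("password"))      # identical under MD5
    print(hash_password("password") == hash_password("password"))  # differ once salted
    stored = wrap_legacy(legacy_md5("password"))
    print(verify("password", stored)[1].split("$")[0])           # upgraded scheme
```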

While financial information and sensitive data like Social Security numbers were not accessed in the data breach, there is still a lot of harm that hackers and purchasers can cause with the Stalker data. Apart from phishing attacks and ransomware that can occur via email, if any of the Stalker players reused these login credentials on other accounts, then anyone who has access to the stolen data can also access the accounts. Credential stuffing can lead to account takeover or fraud.

Anyone who believes they might be a victim of the Stalker data breach should immediately change the password on their account, as well as the password of any other accounts that have the same password. Users are also encouraged to switch to using a nine- to ten-character passphrase instead of a more basic password since it is easier to remember and harder for hackers to guess. It is also a good idea to enable two-factor authentication where applicable for an extra layer of protection.

Victims of the Stalker data breach can live-chat with an Identity Theft Resource Center expert advisor or call toll-free at 888.400.5530. They can also download the free ID Theft Help app. The ID Theft Help App offers case management for tracking a case, the ability to directly chat in real-time with an advisor, the option to click-to-call for a customized remediation plan and much more.



Another week has gone by and there are new data compromises for the Identity Theft Resource Center (ITRC) to educate businesses and consumers on in our “Weekly Breach Breakdown” podcast. Since 2005, the ITRC has tracked over 10,000 publicly-notified data breaches, using 25 different information fields and 63 different identity attributes that are updated daily. This week the ITRC is focusing on three different events that defy the traditional definition of a data breach.

The first non-traditional data compromise comes from what is known as a supply chain attack – where threat actors don’t attack an organization directly to steal data, but instead find a vendor with weak security. In this particular case, hacktivist group “Anonymous” breached a web development firm and stole more than one million records from various law enforcement agencies that were stored in the company’s system. Anonymous turned the information over to leak-focused activist group, “Distributed Denial of Secrets,” who then published the 269 gigabytes of stolen data as part of the national protests focusing on police actions. Investigative files from over 200 local, state and federal law enforcement agencies were exposed, including emails, audio, video and intelligence documents.

It is important that businesses understand that while they may have cybersecurity practices that are nearly perfect, they do not matter if their vendors do not. Businesses should hold their suppliers to the same high security standards. That is good cybersecurity policy and, increasingly, it is the law.

The second non-traditional data compromise might not meet the definition of a data breach, as that definition includes information being removed from the computer system where it was stored. There is a lot of unknown information regarding this data compromise. However, we do know that billions of records about individual consumers were exposed for nine months on the internet for anyone to see, all because someone forgot to add a password to a massive marketing database operated by BlueKai and a sister company, both owned by Oracle.

BlueKai is a marketing data firm that uses website cookies and other tracking technology to follow people around the internet; reportedly more than one percent of all internet traffic flows through BlueKai’s system. Knowing which websites people visit allows marketers who use BlueKai to learn as much as possible about those people – including their income, education, political views and buying habits – to target them with ads that match their interests.

Online publication TechCrunch reviewed the data uncovered by a security researcher and found names, addresses, email addresses and other personal information in the open database. The data also revealed users’ sensitive web browsing activities, ranging from purchases to newsletter unsubscribes in, so far, the largest data compromise in 2020. In a statement, Oracle said it determined BlueKai and the sister company did not properly configure their services and additional measures were taken to avoid a repeat occurrence. However, Oracle has not indicated that billions of records were taken by anyone, a requirement to trigger a mandatory data breach notification to impacted consumers.

If someone’s business collects, uses and maintains information about consumers, they need to make sure they have the right cybersecurity and privacy protection tools in place, and that their security team configures the password feature on the database. They should also brush up on the latest data privacy and security laws and regulations that apply to them since they change rapidly.

The third and final non-traditional data compromise highlights the people who steal data to commit identity crimes and how crafty they can be. They are always looking for new and creative ways to separate people and businesses from their information and money. In this particular case, cybercriminals have been publishing fake data breach notifications online to spread malware or operate scams to steal personal information. For more information, click here.

Fortunately, there is a way to verify whether or not a data breach notification is real. Businesses and consumers can contact the ITRC via live-chat to speak with an expert advisor or they can call toll-free at 888.400.5530. Victims are also encouraged to reach out to an advisor. Advisors will help answer any questions people may have and help them create an action plan customized to their needs. Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



A Claire’s data breach has some affected consumers looking for next steps. The popular jewelry and accessories retailer Claire’s, and its sister-company Icing, suffered a data breach of customers’ payment card details in an event that is believed to be the work of a Magecart attack. Magecart attacks are typically initiated by hackers using malware to insert harmful code into the company’s website. Once the hackers’ own code is in place within the website’s existing code, it can then be used to glean information that is entered during the checkout process without any change to the transaction process.

In the Claire’s data breach, the Magecart malware began skimming payment card information from the retailer’s website around April 20 but may have been inserted as early as March 20, the day after Claire’s physical locations were closed due to COVID-19. With the increase in online traffic from store closings and the reduced workforce available to oversee any possible threats, hackers were able to steal transaction details. The company is still investigating but has already said that no in-store transactions leading up to these dates were compromised.

Claire’s was informed of the breach by security researchers at Sansec; the company immediately shut down its site, removed the malicious code and implemented additional measures to reinforce the security of its platform. Anyone who may have made an online transaction between April 25 and June 13 should consider proactive steps, such as contacting their financial institutions to cancel their payment cards and request new ones. They should also change their usernames and passwords on their Claire’s or Icing online account, as well as any other accounts that may use those same login credentials. Finally, consumers who may have been affected by the Claire’s data breach should know that copies of credit reports from each of the three major credit reporting agencies are free every week until April 2021; a credit report can help consumers monitor their information for suspicious activity in order to report it.

Victims of the Claire’s data breach or any other data compromise event can also live-chat with an Identity Theft Resource Center expert advisor or contact one by calling toll-free at 888.400.5530. Advisors will help victims create an action plan that is tailored to their needs. They can also download the free ID Theft Help App for iOS and Android for access to a case log, resources, advisors and much more.



As many as 387,000 current and former prisoners of the U.S. Marshals Service had their complete identities stolen in a data breach, including names, addresses, birth dates and Social Security numbers. The U.S. Marshals Service data breach appears to have been discovered by a new cybersecurity monitoring tool that was developed for the Justice Security Operations Center. From there, the Department of Justice alerted the U.S. Marshals Service in December 2019; the U.S. Marshals Service data breach was investigated and then announced.

The attempted attack involved a public-facing server (also called customer-facing), meaning one that the public or a business’s customers can access. The server housed a system called DSNet, which is supposed to enable the tracking of U.S. Marshals Service prisoners with the federal courts, Bureau of Prisons and the agency itself.

The U.S. Marshals Service is tasked with serving as the law enforcement division for the federal courts system. The agency arrests fugitives and serves federal warrants; in 2019, the U.S. Marshals Service served more than 105,000 warrants and arrested more than 90,000 individuals. As a result of the need for accurate identification, the U.S. Marshals Service collects and stores a large amount of information on each prisoner. Both prisoners who are currently serving sentences and individuals who were only detained for a short time may be included in the number of records compromised in the U.S. Marshals Service data breach.

The U.S. Marshals Service has issued data breach notification letters and recommends that affected individuals file an ID theft report with the Federal Trade Commission, place a credit freeze or fraud alert with one of the credit reporting agencies and obtain a copy of their reports at no cost.

Anyone who has been affected by the U.S. Marshals Service data breach can live-chat with an Identity Theft Resource Center expert advisor via the website or call toll-free for help at 888.400.5530. Victims are also encouraged to download the free ID Theft Help App for iOS and Android to access the resources, advisors, a case log where victims can track all their steps and much more.


Since 2005, the Identity Theft Resource Center (ITRC) has tracked publicly-notified data breaches. Over the last 15 years, the ITRC has tracked over 10,000 breaches, and it now records a weekly podcast on the most interesting data compromises from the previous week. This week’s “Weekly Breach Breakdown” features an old-school data breach, one in which universities were threatened into paying a ransom and one that led to years of formjacking.

For many years, dumpster diving was the preferred method of stealing personal information. Breaking into a computer did not get fraudsters the amount of confidential information needed to commit identity theft at the scale most of the threat actors wanted. Now, in the era of massive databases filled with petabytes of information (which is roughly 745 million floppy disks), breaking into computer systems is the most common method for hackers.

However, the St. Joseph’s Health System data breach proved hackers are still willing to steal data the old-fashioned way. Patients and employees of Indiana’s St. Joseph’s Health System and seven other health care providers were recently notified that their personal information was discovered dumped at a location in South Bend. Some of the information exposed in the St. Joseph’s Health System data breach, which included legally protected health data, dated back to 1999 and was believed to be destroyed or stored by a now closed document management company. Now, the records have been properly destroyed or moved to a secure storage location. However, the St. Joseph’s Health System data breach is an example that not all data breaches involve sophisticated cybercrimes.

With that said, most of the time data breaches do involve some form of cyberattack. Right now, a popular method of attack is ransomware. Ransomware is when a cybercriminal locks a company’s computer system until a ransom is paid. Ransomware attacks came to the surface in the mid-2000s. However, in the past five years, they have grown to be one of the most common forms of attack. In fact, by 2018, the number of ransomware attacks had grown to more than 180 million per year globally.

The number of attacks and the average ransom paid – doubling in 2019 to $84,000 per attack – continue to grow. However, not everyone pays the ransom. That is why data thieves are using a new method to force companies to pay. Cybercriminals are now using a tactic where they threaten to sell personal information to the highest bidder on the dark web if their demands are not met. Columbia College of Chicago and the University of California at San Francisco recently fell victim to attacks like this, following a similar attack the week prior at Michigan State University.

The attackers posted what appear to be screenshots of student and faculty records on their blog, a popular way for cybercriminals to communicate. The records look to include personally identifiable information, which the hackers described as a sample of what they plan to make public on the dark web if they are not paid.

The hackers sent the following direct note to Columbia College: “If we don’t hear from you soon, all data like Social Security numbers and others will be sold on open markets of the dark web. Either way, we are getting paid. Now you choose how you want to handle this incident.”

The easiest way for people to prevent the impacts of a ransomware attack is to make sure to back up their systems and data on a regular basis, as well as keep their software patched.

Finally, this past week Bombas, an apparel company known for its clothing and donations to homeless shelters, discovered malicious code in their system that could have been used to steal credit card information. One of the problems with reducing the rate of data breaches is that finding the root cause of many cyberattacks that result in identity information being compromised can be very difficult and lengthy. The Bombas data breach is a case in point since the malware was present as early as 2016. For more information on this data breach, click here.

If anyone wants to learn more about how to protect themselves or their company from an identity compromise, as well as how to respond in the event of a data breach, they can find it on this website. If someone believes they are the victim of an identity crime or their identity has been compromised, they can live-chat with an ITRC expert advisor or call toll-free at 888.400.5530. Victims can also download the free ID Theft Help App. The app lets them track their case in a case log, access resources and tips to help them protect their identity and more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

