According to our 2018 End-of-Year Breach Report, there were a total of 135 financial, credit and banking data breaches, exposing 1,709,013 records last year. In the report, banking/credit/financial had the third-highest amount of data breaches of the five industry categories the Identity Theft Resource Center tracks. Of all the data breaches recorded in 2018, hacking was the most common form of data breaches. That trend has been noticeable throughout our 10,000 Breaches Later blog series and continues to play a role when it comes to financial, credit and banking data breaches.

Sign up for our ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one of many reasons why the ITRC  has been working to empower financial, credit and banking identity theft victims with the resources they need to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last month, we looked at some of the largest government and military data breaches. Now we shift our focus to the top five most impactful financial, credit and banking data breaches (as well as a bonus breach) for consumers.

Capital One

Just three months ago on July 29, 2019, Capital One announced that a hacker had gained access to 100 million U.S. and six million Canadian Capital One customers’ accounts and credit card applications in March of 2019. Individuals and small businesses were affected by this data breach that disclosed names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances. Roughly 140,000 Social Security numbers (SSNs) and 80,000 linked bank account numbers were also exposed. At the time of the breach, the ITRC urged consumers to take action, freeze their credit, be aware of scams and to document all of their steps they were taking if they were impacted (utilizing our ID Theft Help App as one tool). This breach was particularly impactful due to the high amount of SSNs and bank account numbers exposed and the gigantic amount of accounts accessed. A stolen Social Security number can lead to multiple types of identity theft, including financial identity theft, government identity theft, criminal identity theft, medical identity theft and utility fraud.

JPMorgan Chase & Co.

First reported in August of 2014, JPMorgan Chase & Co. experienced a cyberattack that allowed hackers to access the personal information of 76 million households and seven million small businesses. The information accessed included names, addresses, phone numbers, email addresses and internal JPMorgan Chase & Co. information of those users. Customers affected by this breach were those who used Chase.com, JP Morgan online, Chase Mobile and JP Morgan Mobile. Many JPMorgan Chase & Co. customers were impacted because JPMorgan Chase & Co. did not have to send out notification letters to affected consumers in many states because the breach did not expose sensitive information like account numbers, passwords, dates of birth and Social Security numbers. Instead, Chase posted a blanket statement on the homepage of their website. That left some individuals affected on their own to figure out what to do.

CardSystems

Credit card processing company, CardSystems Solutions, Inc., discovered in May 2005 and reported one month later that they had experienced a  data breach in which a hacker was able to insert a virus into the computer system that captured customer data. Around 40 million Visa and MasterCard credit and debit card accounts were affected. Following the breach, Visa said it would continue to work with CardSystems when the case was resolved. MasterCard said that it would give CardSystems a limited amount of time to demonstrate compliance with MasterCard’s security requirements. The data breach led to Visa and MasterCard dropping CardSystems as their credit card processor. An important point for consumers to understand in this instance, in particular, is that many institutions utilize third-party vendors that can have a detrimental impact on their data even if the consumer is as vigilant as possible.

BNY Mellon Shareowner Services

On February 27, 2008, Bank of New York Mellon (BNY Mellon) lost a box of backup tapes in transit to a storage facility that contained the names, addresses, dates of birth and Social Security numbers of 12.5 million customers. Connecticut Attorney General Richard Blumenthal said he was alarmed and deeply concerned at the time of the breach. Notification letters were sent to those affected in May and the breach had such a large impact the bank went on to hire more customer service representatives to handle the influx of calls from concerned customers. This is a reminder that if you are impacted by a breach, it is important to take the necessary steps to protect yourself.

Scottrade

In October 2015, retail stock brokerage firm, Scottrade, INC., disclosed that hackers had stolen client contact information and SSNs for 4.6 million customers. In an email notice sent to customers, Scottrade said that although SSNs, email addresses and other sensitive data were contained in the accessed system, they believed that only client names and street addresses were the focus of the hack. However, the company said it would offer those affected identity theft protection services “as a precaution.” At the time of the breach, federal authorities were also investigating similar thefts at other financial services companies. It is important for consumers to realize that even if a company believes that only certain records where the targets, any data that may have been compromised opens those impacted to much more risk than an organization may communicate in its notification.

Bonus Breach: First American Financial Corp.

In May 2019, it was reported that financial services corporation, First American Financial Corp., had been exposing a massive 885 million real estate and mortgage-related documents through its website. By simply altering a nine-digit record number attached to a transaction link, users were able to potentially pull up other transaction documents containing information such as names, phone numbers, addresses, driver’s licenses, Social Security numbers, bank account numbers and statements, mortgage and tax records and wire transactions receipts. In an update posted by First American regarding the financial, credit and banking data breach, the investigation only identified 32 consumers whose non-public personal information was likely accessed without authorization. This breach could have led to mortgage fraud where a hacker tries to take out a loan in the victim’s name as well as other types of fraud like title fraud.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted understand how to minimize their risk and mitigate their data compromises. If you have received a data breach notification letter, call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do.

In our final 10,000 Breaches Later blog, we will take a look at some of the biggest education data breaches since 2005 and the effect they have had on children, parents and teachers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

10,000 Breaches Later: Top Five Business Data Breaches

A lot of data breaches are the work of highly-skilled hackers who use technical know-how to infiltrate a company’s cyber defenses. Others are not so elaborate, such as when a low-level criminal sends a phishing email to a company employee, one that contains a virus purchased on the dark web. While those two malicious scenarios involve different ability levels, there is a whole other possibility for data breaches, that being accidental overexposures. The Adobe account information leak followed a similar scenario.

When a company employee allows information to simply exist in a way that anyone can steal it, it is called an accidental overexposure. Unfortunately, recent news has demonstrated that far too many businesses are storing their sensitive data in cloud-based storage solutions, then failing to secure it.

As the recently announced Adobe Creative Cloud breach, leading to Adobe account information leaked shows, all it takes is uploading a few customers’ login credentials—or in this case, about seven million customers’ data—to a cloud-based storage bucket and then not switching the default setting of “no password required” to a password-protected option.

Security researcher Bob Diachenko and Comparitech discovered the database of emails, usernames and product selections online, available to anyone who stumbled upon it in their web browser. While some estimates show that the database was left exposed for about a week, there is no way of knowing how long it was visible. The experts who found it alerted Adobe, who secured the database that same day after Adobe Account information leaked.

Unfortunately, with such a common occurrence as this, there is really only one recourse consumers have. It is imperative that all tech users rely on strong, unique passwords for all of their online accounts, and that they change these passwords regularly. That way, if a database is left exposed and a nefarious actor discovers it, the password contained in the database will be useless because it is outdated.

Also, as the information contained in this breach event shows, learning how to spot spam and phishing emails is another way to protect yourself. With limited information such as this, scammers can easily send users emails that masquerade as communications from Adobe, even going so far as to list the exact products the recipients use. Be alert to this kind of tactic, and know how to protect yourself from emailed threats.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Hy-Vee Cards Stolen in Recent Data Breach Are Fetching a Higher Price on Dark Web Websites

Millions Of Venmo Payments Accessed Publicly

Best Western Open Database Exposes Government Records

Dark web websites contain a lot of stolen information, and that now includes Hy-Vee cards selling at unusually high prices. When an identity thief steals your information, you might be surprised to discover how little you are actually worth, at least when it comes to posting your data for sale on dark web websites. Hackers often fetch as little as $1 apiece for complete identities, largely because they can sell them to multiple people and because they often upload entire databases containing thousands of identities at a time.

However, a recent data breach shows an alarming departure from the ordinary. Hy-Vee stores suffered a breach in which customers’ credit card information was stolen, and these and other Hy-Vee cards are now appearing on dark web websites for as much as $17 to $35 each. What brought on such an unheard-of price increase?

First, these Hy-Vee cards are verified to work. Unlike phony cards or even ones that were stolen from your wallet, for example, this is a massive trove of card numbers that were used recently. If they were listed for sale on dark web websites before Hy-Vee was notified of a breach, then there would have been no reason for the cardholders to cancel them. Even if a client bought a hundred or a thousand sets of card numbers, some of the Hy-Vee cards should still be working.

Security experts say that credit cards have begun fetching a higher price overall recently, possibly due to the ability to use a credit card online before even paying the thief who stole them, just to prove they still work. From there, criminals use the cards to buy high-priced items that they can sell for a quick profit on dark web websites.

Remember, if you receive a data breach notification letter, it is important that you take it seriously. Follow the steps outlined in the letter and contact your credit card company immediately if your card was affected.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

California Improves Outdated Privacy Law with Biometric Protection

How Zombie Apps and Accounts Can Come Back To Life

Worst Places in the U.S. for Identity Theft

While data breaches of any kind are alarming enough, a business data breach that can leak information from an open database relating to national security can be very scary. For example, the Office of Personnel Management breach in 2015 leaked the complete identities, sometimes including background checks, fingerprints and even information pertaining to security clearances, for about 21.5 million people who work for or are related to an employee of the U.S. government.

A data breach of a hotel chain reservation system might not seem as significant as the OPM breach, but in its own way, it could be. Autoclerk, a reservation management system used by the Best Western Hotels and Resorts company, was the target of a breach of an open database that leaked names, addresses, birth dates, obscured credit card information, dates of reservations and even room numbers for thousands of people. In total, there are expected to be hundreds of thousands of individual reservations in the cache of data.

Hotel reservations might not seem that serious, but any data breach of government records is a notable event. It is especially troubling when many of these guests are military or government personnel traveling on official business. The information pertaining to locations, dates and names could prove useful to someone with an interest in it. The data from the open database contained past travel arrangements and upcoming scheduled trips for officials in the military and the Department of Homeland Security. The government records even reportedly included the names of officials who have scheduled trips to Russia and Israel, among other places.

What is worse is that the information from this data breach was discovered online with no encryption. Anyone who had reason to look for it could locate it and sift through its contents.

This is the kind of event that should serve as a wake-up call to anyone who uses technology. There is no such thing as a “foolproof” system that can keep every hacker out. It is up to individuals to do their part in keeping outsiders from finding out too much about their personal information and their activities. Protecting your information and your sensitive details should be paramount when operating any type of technology.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Popular VPN Provider, NordVPN, Breached by Hackers

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Facebook Lottery Scam Brings Attention to Hoaxes, Phishing Attempts and Account Takeovers

Many security-minded tech users employ a virtual private network (VPN) when they’re online as their own private tunnel on the internet. But, it could be a bit of a disaster if someone managed to break into a VPN provider’s servers and uncover what its subscribers have been up to. That appears to be what happened to one of the world’s most highly recommended providers, NordVPN.

The Impact on Users

In response to the NordVPN breach, the company has issued a statement following online speculation about a breach of its system. Apparently, someone gained access to an expired internal private key, which let them recreate one of NordVPN’s servers on their own system. Some sources have said that the only way this would have been possible is if the hacker had “root access to a container server,” which would have let them uncover a lot of information, but that has not been confirmed by the company. In fact, NordVPN’s statement indicates that no compromising information could have been accessed since the company does not gather, store, or sell its customers’ logs.

While the company assures its users that their login credentials and internet activity could not have been accessed, it’s important to understand that tools like a VPN are only an additional layer of protection. They’re not meant to be the entire fortress that protects your browsing or your identity. Interestingly, two other VPN providers have been mentioned in this same incident as having also been breached, but those have not been confirmed.

Protect Your Browsing

Obviously, VPNs are supposed to keep people from being able to see what you do when you’re browsing, shopping, using your financial accounts, and more. Also, they have a special feature that allows you to “reroute” where the internet thinks you’re logging in from. That means someone in one country can use a VPN and appear as though they’re logging in from another country; there are quite a few legal reasons why someone might want to do that.

As such, everyone from privacy-focused parents who want to protect their kids online to journalists who are reporting from deep within a dangerous zone might benefit from a VPN. Business users are especially likely to use one since they can help protect proprietary information, keep sensitive documents from leaking to the public, safeguard new projects, and more.

Keep Up Your Identity Hygiene

Protect yourself online and via mobile by locking down your identifying information, securing everything with strong passwords, and using two-factor authentication when you can. Remember, cybersecurity is often a leap-frogging game of catch-up; as new security tools come to market, hackers find new ways to break into them or abuse them. Therefore, it’s important that you treat all of your security measures as safety nets, not the sum total of your online protection.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

One Simple Way to Not Get Your Twitch Account Hacked

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Are You CyberSmart? Majority of U.S. Adults Lack Digital Knowledge

According to the Bureau of Labor Statistics, there are nearly 22 million government employees in the United States; according to the New York Times the U.S. has 1.3 million active-duty troops and 865,000 military members in the reserves. That is over 24 million Americans combined in the U.S. government and military.

The Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report showed 79 data breaches impacting military and government entities, exposing 5,302,846 records. In 2017 those numbers were even higher with 99 breaches that exposed 9,927,798 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the government/military industry category had fewer breaches in 2018, the ITRC continues to empower identity theft victims – particularly those that are victims of both government agencies and the military breaches – with the resources and tools to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we took a look at the most impactful medical and healthcare data breaches. This week we continue with our latest installment looking at the top five military and government data breaches that impacted U.S. consumers and personal information that was compromised.

Office of Personnel Management (OPM)

For the third time in our 10,000 Breaches Later blog series, OPM makes the list. In June 2015, The U.S. Office of Personnel Management (OPM) suffered two separate hacking events that exposed background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint/biometric data and security clearance information. It also exposed personally identifiable information (PII) of dependents including SSNs, birth dates and other information. It was a sophisticated, large-scale hacking event that led to the creation of the National Background Investigations Bureau (NBIB). The impact to those Federal employees and their dependents was potentially catastrophic given the amount and sensitivity of the data compromised.

U.S. Military – National Archives and Records Administration

In October 2009, the Inspector General of the National Archives and Records Administration announced a military and government data breach that impacted 76 million U.S. military veterans. The incident involved a defective hard drive that was sent back to its vendor for repair, determined unrepairable and sent to another firm to be recycled. While sent to be recycled, it still contained PII and sensitive PII of veterans. The hard drive helped power eVetRecs, a system used by veterans to request copies of health records and discharge papers. With that type of information available to a fraudster, the potential for government identity theft and benefits fraud could create havoc for a veteran seeking services.

United States Postal Service (USPS)

Right before the holiday season in November of 2018, and weeks after the Secret Service issued an alert that cybercriminals were using the United States Postal Service’s Informed Delivery feature to commit fraud and identity theft, the USPS announced that they had fixed a flaw in their system that exposed the personal information of 60 million users. Any user could login to an usps.com account to query the system for details belonging to other users due to the flaw. Some of the details users could have had access to included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data. All of that information meant that not only could a thief potentially know what was coming to your mailbox, but they could also pose as the address-owner and have the mail rerouted, creating a huge issue for folks with sensitive mail on the way to them.

Government Payment Service, Inc. (GovPayNow.com)

In September 2018, Government Payment Service, Inc., who is contracted by thousands of government agencies – including Federal, state, regional and local/city/town governments – to process payments related to government fees and fines, announced that their payment portal had exposed 14 million customer records. The online system allowed registered users to access copies of their receipts. However, access was not properly restricted and unauthorized recipients were able to view other user’s receipts by simply changing the digits displayed in the web address. Information that could be viewed on the receipts included names, addresses, phone numbers and the last four digits of payment card numbers. This breach also covered data stretching all the way back to 2012. The payment service released a statement saying they updated their system to ensure that only authorized users could view their individual receipts.

California Secretary of State

The California Secretary of State announced in December 2017 that they were investigating a cyberattack in which hackers stole the data of California voters and held it for ransom payable in Bitcoin. The information accessed included the names, addresses, phone numbers, email addresses, places of birth and gender of 19.2 million voters. According to DarkReading, the Kromtech researchers stated they had not been able to identify the owner of the database and believe it could have been a political action committee or a specific campaign based on the unofficial title of the repository. However, they reiterated that was only a suspicion. Access to voter records can create a treasure trove of information for a fraudster, but it can also provide a wealth of information from state-actors attempting to influence election outcomes. Consumers should be aware of the sensitive nature of voter data and the potential unique identity theft aspects that could come from its exposure.

Coming Up In 10,000 Breaches Later

As we recap military and government data breaches, the ITRC hopes to help those impacted – both as consumers, businesses and government entities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just toss it aside or file it away. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a government or military entity impacted by a data breach incident, please reach out to the ITRC at itrc@idtheftcenter.org to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

As part of this series, in our next 10,000 Breaches Later blog, we will take a look at some of the top banking, credit and financial breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.


You might also like…

“Federal Government Empowerment Money Program” Scam Circulates on Social Media

In New Scam, Criminals Pose as Government Officials Pretending to Help with Identity Theft

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

A Sarrell Dental data breach has led to notification letters being sent to all of its patients after ransomware was discovered on its servers back in July. The software, believed to have been installed as early as January 2019, does not seem to have locked up the network or encrypted any files, and Sarrell Dental, the largest dental provider in the state of Alabama, did not pay any sort of ransom.

However, this is still a serious matter. Sarrell actually shut down its entire network for two weeks following the data breach and hired outside experts to investigate the discovery. The company found no evidence that any patient information was accessed, stolen or compromised, but they are not taking any chances. All individuals who were believed to have been affected by the Sarrell Dental data breach, although that total number has not been disclosed, reportedly received notification letters last month. These letters contained instructions for receiving free credit and identity monitoring for a predetermined period of time.

Medical offices are hot targets for this kind of attack due to the sheer volume of data they collect on patients. Also, the resulting fines and lawsuits related to privacy violations and interruptions to patient care can lead many providers to simply pay the demanded ransom, which can lead hackers to strike in hopes of a nice payoff.

Unfortunately, as some organizations have already learned, paying the ransom in this kind of event does not guarantee the files will be unlocked or the data that was compromised will not be stolen or used. In some reports, hackers have not only withheld the unencryption key following receipt of the ransom payment, but they were also actually unable to unlock the network due to the type of ransomware they had used.

Sarrell’s patients received their notification letters beginning around September 12, 2019. However, there is a strict deadline for taking advantage of the security tools that Sarrell Dental is providing to affected patients following the Sarrell Dental data breach. All applications must be completed by December 12, 2019, and instructions for signing up are in the notification letter.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

One Simple Way to Not Get Your Twitch Account Hacked

Do Your Boss a Favor and Don’t Fall for a Gift Card Scam

Instagram Creates New Feature That Fights Phishing Attacks

According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.

Sign up for the ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft – especially of their highly sensitive personally health information (PHI). Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem

In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach and the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the United States. Nearly 80 million consumers were impacted with information like names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parent’s healthcare plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. Anthem agreed to take corrective actions in 2018 by paying the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of HIPAA Privacy and Security rules. This created awareness among consumers that while their health information was regulated under HIPAA, that didn’t mean that it wasn’t at risk for exposure – and not just their health information but a host of other components to their identity.

American Medical Collection Agency

Third-party billing and collections agency, American Medical Collections Agency, experienced a medical and healthcare data breach with an intrusion in its payment system in March of 2019. That intrusion exposed personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics who reported approximately 11.9 million of their patients were impacted. Some of the data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information like patient account numbers and health insurance numbers. The information exposed varied entity to entity since the same information was not provided to AMCA for their patients. As of this blog’s publish date, we’re still receiving notifications of medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers pretending to be Premera IT, sending employees phishing emails with links containing malware. This data breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information that could have been included in clinical information were some of the information exposed. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 if class members can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time including health insurer Excellus Blue Cross Blue Shield. This medial and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP discovered the breach one month prior after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. In fact, the message included a ransom note demanding $10 million in seven days or the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As we can see by these examples, static information like Social Security numbers, date of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

12 Million Quest Diagnostic Patients Exposed in Third-Party Breach

Medicaresupplement.com Data Breach Caused by Accidental Exposure

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

 

Popular game developer Zynga is the company behind such widely popular apps as Words with Friends, Farmville and Draw Something, but these games are not only popular with smartphone users. A well-known hacker named Gnosticplayers has claimed responsibility for stealing the login credentials for around 200 million Android and iOS users who had downloaded those and other games.

These games allow users to find friends online and play long-distance games, as well as to engage in fun challenges with strangers within the safety of the app. Unfortunately, a hacker was able to inject themselves into the system that controls things like usernames, passwords, email addresses and any Facebook accounts that were connected to the app in order to speed up login as part of the Zynga data breach.

While the hacker did not necessarily grab any highly-sensitive information, the information that was stolen in the Zynga data breach can easily be used for malicious purposes. These include spam emailing, scams and phishing attempts. Of course, any users who reused a password on their apps, meaning one that they use on other unrelated accounts, may have put those other accounts at risk as well.

Zynga is urging all of its users who downloaded these apps prior to September 2019 to change their passwords immediately. If you connected the app to your Facebook profile, it is a good idea to go into your settings and remove that connection, then change your Facebook password just to be safe.

In the future, there are two really important things you can do to minimize the risk from this kind of attack like the Zynga data breach.

First, never reuse a password or use one that is easily guessed.

Anyone who nabs your password in any data breach has automatic access to every account where you have reused it.

Second, avoid connecting your apps, especially frivolous ones like games, to your social media accounts.

It might make it easier to login and you can post updates on how many levels you have beaten at some random three-in-a-row game, but you are also opening yourself up to possible harm.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

New Venmo Scam Targets Payment App Users 

Breach Clarity Helps Consumers Make Sense of Data Breaches

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About

 

On September 26, 2019, a DoorDash data breach was announced by the popular food delivery app, leading to hackers accessing the company’s data system. Approximately 4.9 million customers, restaurants and delivery workers had their personal information exposed, including their driver’s license numbers, names and addresses and bank and credit card information. Users who joined after April 5, 2018 were not affected by this breach.

In a security notice regarding the data breach, DoorDash said earlier this month they became aware of unusual activity involving a third-party service provider. They then immediately launched an investigation that led to the determination they were hacked on May 4, 2019. DoorDash continued on to say that customers who signed up before April 5, 2018 potentially had their names, email addresses, phone numbers, order histories and the last four digits of their credit and debit cards exposed. However, full credit and debit card information was not accessed.

Delivery workers and restaurants could have had the last four digits of their bank account numbers taken. However, once again, the full bank information was not accessed. Approximately 100,000 delivery workers also had their driver’s license numbers hacked.

The food delivery app says they are reaching out directly to those affected by the DoorDash data breach with specific information about what was accessed. If consumers have any questions, comments or concerns, DoorDash has set up a call center that is available for 24/7 support at 855.646.4683. In the meantime, here are some things you can do if you think you may have been affected by the DoorDash data breach.

Change Your Passwords Now

Anytime there is a data breach and you think you might have been affected, the Identity Theft Resource Center urges people to change their passwords immediately. Despite the fact that DoorDash says it will be reaching out to everyone affected, however, it is still a good idea to update your password and make sure it is a strong, unique password.

Track Your Steps

According to Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report last year there were 1,244 data breaches reported. What that is less than 2017, the number of exposed sensitive information significantly increased.

In the event you are a victim of a data breach and have a incurred financial costs or expended time and other resources, the ITRC encourages people to be prepared so you can prove your case in the future. You can do that by downloading our ID Theft Help App, which has a case log manager tool to help track any actions you take in response to a breach.

Consider A Credit Freeze

If you were a DoorDash driver before April 5, 2018, you could have had your driver’s license stolen, as well as potentially the names and contact information. Delivery drivers might want to consider putting a credit freeze on their reports to prevent a criminal from opening an unauthorized account in their name.

It is important to note that a credit freeze will stop someone from taking out a credit card or loan in your name, but it does not prevent identity theft not related to opening up a credit account.

Watch for Suspicious Activity

Be sure to track all your accounts daily for suspicious activity whether you were impacted by the DoorDash data breach or not. This also includes being very careful if you get any emails or phone calls from DoorDash. It is common for scams to happen following a data breach. If you see any suspicious activity do not respond and report it.

For more information on the data breach, you can go to Breach Clarity to see what information was exposed and see the risk score of the DoorDash data breach. You can also call the Identity Theft Resource Center toll-free at 888.400.5530 for assistance or LiveChat online.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

New Venmo Scam Targets Payment App Users 

Breach Clarity Helps Consumers Make Sense of Data Breaches

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About