1.6 Million people who filed for unemployment claims in 2020 in Washington state have had their personal information exposed in a data breach. The Washington State data breach was due to data stolen from a third-party company, Accellion.  

What Personal Information Was Exposed in the Washington State Data Breach?

· Names

· Social Security numbers

· Driver’s License or state identification numbers

· Bank information

· Place of Employment

Are You One of the 1.6 Million People Impacted by the Washington State Breach? Here’s What You Should Do.

1. A threat actor could attempt to take over existing accounts or open new ones using your information – now or in the future.

Read next: Info Sheet – Email Account Takeover: What to do When You Have Been Hacked

2. Your unemployment benefits could be stolen. Organized cybercriminals have already used stolen credentials and other identity information to apply for unemployment benefits through state websites, including Washington resulting in legitimate claims being denied or payments re-directed. State officials reported more than $500 million in fraudulent claims in 2020.

3. You could find yourself the victim of identity-related tax fraud. Taxpayers in have received Form 1099 G’s that report how much income a taxpayer received from government benefits like unemployment benefits – even though they did not apply for or receive benefits.

Read next: Info Sheet – What Consumers Need to Know About a Data Breach

Steps to Take Now

· Obtain a free credit report

· Freeze your credit for free.

· If you do not want to freeze your credit, consider a fraud alert on your credit report

· Review your accounts and account statement for any suspicious activity

· For free guidance and assistance from the Washington state data breach, call and speak to an ITRC Victim Advisor at 888.400.5530 or click “Chat now.”

· Stay up to date on the latest news about this breach on the Washington State Auditors page: https://sao.wa.gov/breach2021/

Access our free Help Center with more than 50 Info Sheets and Action Plans.

More About Data Breaches & Resources

While data breaches do not automatically mean your identity will be misused, you are at increased risk of an identity crime. The online publication Threat Post pointed out in a Feb 10, 2021 report that “Users who had personal data exposed in a third-party breach were five-times more likely to be targeted by phishing or malware, which highlights just how damaging these types of data breaches can be, even in the long run.”

As noted in the ITRC’s 2020 Data Breach Report, phishing is the most common form of a cyberattack that results in a data breach today, usually in connection with ransomware. Together these attacks represent 62 percent of attacks in 2020 that resulted in the release of consumer information. 

More about Identity Theft

The use of your Social Security number can result in many different forms of identity crimes. Below is information so you know what to look for and what to do if you become a victim. You can call and speak to an ITRC Advisor at any time for active tips and victim assistance at 888.400.5530 or click “Chat now.”

Data Breach Notifications

Tax Identity Theft

  • Bonobos suffered a data breach when the hacking group, ShinyHunters, downloaded and posted a database on a free hacker forum, compromising close to three million accounts.  
  • ShinyHunters also stole a database from online dating website MeetMindful.com, compromising 1.4 million accounts and exposing 2.28 million user’s information. Data in the database included IP addresses, encrypted account passwords and Facebook information. 
  • A U.S. Cellular data breach occurred after hackers were able to scam employees to gain access to one retail store’s computer, affecting 276 people.  
  • For more information about January data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website. 

Notable January Data Breaches in 2021 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in January, three stood out: Bonobos, MeetMindful.com and U.S. Cellular. All three data events are notable for unique reasons. One compromised close to three million accounts; another includes a compromised dating website, leading to the attacker leaking millions of user’s data; the third event happened when criminals successfully targeted a handful of retail store employees, leading to malware being added to the company’s point-of-sale system.  

Bonobos Breach

The E-commerce apparel company, Bonobos recently suffered a data compromise after Black-hat hacker group, ShinyHunters, downloaded a cloud backup of a database and then posted the full database to a free hacker forum, compromising 2.8 million accounts. 

According to bleepingcomputer.com, the 70 GB database consisted of addresses and phone numbers for seven million shipping addresses, account information for 1.8 million registered customers and 3.5 million partial credit card records. The article says that one threat actor claims to have already cracked the passwords for 158,000 accounts. The hacker turned the cracked passwords into a ‘combolist’ used in credential stuffing attacks to log in using the stolen credentials at other sites. 

Bonobos is emailing data breach notification letters to people who may have been affected. 

MeetMindful.com 

Online dating company, MeetMindful, had more than 1.4 million user accounts compromised and 2.28 million user details exposed after the same hacker group, ShinyHunters, struck the dating site by leaking a 1.2 GB file on a publicly accessible hacking forum. 

According to ZDNet, some of the most sensitive information in the file includes names, email addresses, locations, IP addresses, encrypted account passwords and Facebook information. Not all of the leaked accounts have full details included in them. However, for many of the MeetMindful users, the provided data can be used to trace their dating profiles back to their real-world identities.  

U.S. Cellular 

Mobile wireless carrier, U.S. Cellular, recently suffered a data breach after hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store. According to Forbes, hackers targeted multiple U.S. Cellular retail store employees who had access to the company’s customer relationship management (CRM) software.

The Office of the Vermont Attorney General reports that hackers may have gained access to a wireless customer account and wireless phone number. Employees were successfully scammed by unauthorized individuals and downloaded software onto a store computer. Since the employees were already logged into the CRM, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee’s credentials.  

The U.S. Cellular data breach affected 276 people and exposed names, addresses, PIN codes and mobile phone numbers, as well as information about wireless services, including service plan, usage and billing statements known as Customer Proprietary Network Information (CPNI). 

What to Do If These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager, and keeping an eye out for phishing attempts claiming to be from the breached company.

If you receive a suspicious email, especially if it asks to click on a link, download a file, or verify your login & password, ignore it. Victims of the U.S. Cellular data breach should contact U.S. Cellular to establish a new PIN, reset their password, and contact U.S. Cellular at 888.944.9400 with any questions or concerns 

notified  

For more information about January data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.

Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • The Identity Theft Resource Center (ITRC) unveiled its 15th annual data breach report, which revealed a 19 percent decrease in breaches and a 66 percent decrease in individuals impacted. 
  • The ITRC 2020 Data Breach Report identifies a trend that cybercriminals are less interested in stealing large amounts of consumers’ personal information. 
  • Threat actors are now more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords.  
  • The report also states an increase in ransomware attacks, supply chain attacks and unsecured databases. 
  • For more information on the latest data breach information, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.   
  • Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

Each January, the Identity Theft Resource Center (ITRC) releases its annual data breach report, breaking down the numbers, trends, attack methods and much more. For the last 15 years, the ITRC has tracked publicly-reported data breaches in an effort to make businesses and consumers aware of the latest information. While parts of the ITRC’s 2020 Data Breach Report reveal encouraging statistics, some worrisome trends also exist. 

The Number of Data Breaches and People Impacted Decrease 

After a 17 percent increase in data breaches in 2019 (1,473), the number decreased by 19 percent in 2020 (1,108). Even better, the number of individuals impacted dropped by 66 percent. In years past, the ITRC saw data breaches on the rise. However, there is a reason for the decline in breaches and consumers impacted.  

A Shift in the Cybercriminals Tactics 

The ITRC 2020 Data Breach Report shows the continuation of one trend from 2019. Cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. It is why ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.   

The shift comes as no surprise to the ITRC. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. Coveware reports that the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per occurrence in Q4 2020.    

Other Notable Findings 

There were other notable findings in the report: 

  • Supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the attacked organization is smaller, with fewer security measures than the companies they serve.   
  • Unemployment benefits fraud hit consumers hard in 2020 and could continue well into 2021. Organized cybercriminals used stolen credentials and other identifying information to apply for unemployment benefits through state websites. In fact, Washington and Maryland each reported more than $500 million in fraudulent benefit claims and California more than $11 billion in 2020. The U.S. Department of Labor estimated the total identity-related fraud at more than $26 billion in all 50 states and the District of Columbia during that same timeframe. The unemployment benefits fraud attacks are another example of it being easier and more profitable to commit a cybercrime using stolen, legitimate credentials than hacking into a company’s computer network.  
  • Case studies on Blackbaud and Vertafore break down what happened in each data compromise and how it happened. For more information on these case studies, download the ITRC 2020 Data Breach Report 

Staying One Step Ahead of the Cybercriminals 

While it is encouraging to see the number of data breaches and the number of people impacted by them decline, businesses and consumers should understand that this problem is not going awayCybercriminals are just shifting their tactics to find a new way to attack businesses and consumers. People need to adapt their practices to stay one step ahead of the threat actors.  

What You Can Do 

Ransomware attacks, stolen credentials and unsecured databases affect consumers and businesses in many different ways. Here are what businesses and consumers can do to protect themselves from each threat: 

  • Ransomware attacks  While ransomware attacks do not typically affect consumers, businesses should 1) frequently back up their systems, 2) patch any software flaws as soon as they are noticed, and 3) refuse to pay any ransomware demands.  
  • Stolen credentials – To protect themselves, consumers should 1) not reuse any passwords, 2) switch to a 12-character unique passphrase, 3) use a password manager if needed, 4) use multi-factor authentication when possible, and 5) consider creating online accounts so cybercriminals cannot open one in your name. 
  • Unsecured databases  It is a misconception that cloud service providers are responsible for cybersecurity. To prevent leaving a database unsecured, businesses should 1) properly configure cybersecurity tools for cloud environments and 2) apply the same level of effort to protecting cloud environments as an on-premise system and data assets. 

To download the ITRC 2020 Data Breach Reportclick here. 

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.   

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case.  

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat.  

In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the organization is smaller, with fewer security measures than the companies they serve.  

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

  • A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 
https://soundcloud.com/idtheftcenter/the-weekly-breach-breakdown-podcast-by-itrc-second-verse-same-as-the-first-season-2-episode-1

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data and account passwords or PINs. An investigation is on-going.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice, State and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.

  • Last week, FireEye, a cybersecurity provider, revealed their tools to detect and block sophisticated cyberattacks were stolen in a security breach. 
  • This week we learned attackers, believed to be affiliated with Russia’s state security service, infiltrated government agencies and potentially thousands of companies through a software update from IT management company SolarWinds that was issued months ago. 
  • So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be more interested in information they can use for intelligence or espionage. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast on SoundCloud. This week, on the last breach breakdown podcast of 2020, we look at the FireEye and SolarWinds hacks, which have shaken the cybersecurity community. 

Also available on Apple Podcasts and Spotify.

Data Breaches Down/Security Breaches Up 

2020 has been a difficult year for many. However, there have been some encouraging trends that the ITRC has talked about in previous breach breakdown podcast episodes. One of the most promising trends includes cybercriminal’s lack of interest in consumer information, resulting in a significant drop in data breaches and the number of people impacted by them.  

Unfortunately, you can’t say the same of a companion crime, security breaches. One cannot have a mass data breach without also experiencing a cybersecurity failure. With that said, it is possible to have a security breach without impacting consumer data. That is what dominates the news as we wrap up 2020 – a massive security breach involving two leading technology companies: FireEye and SolarWinds. 

What You Need to Know About FireEye 

FireEye, a cybersecurity provider, supports large organizations worldwide with tools that detect and defend against cyberattacks. When there are attacks on companies and governments, FireEye often gets the call to figure out what happened and how it happened. 

What You Need to Know About SolarWinds 

SolarWinds, a software company, claims to help more than 33,000 companies, including virtually all Fortune 500 companies and every major agency in the U.S. government. SolarWinds’ software helps organizations with large, complex computer systems manage their networks and devices.  

FireEye and SolarWinds Hacked 

Last week, FireEye revealed their tools to detect and block sophisticated cyberattacks, the kind launched by governments, had been stolen due to a security breach. A few days later, the U.S. Treasury and Commerce Departments announced they were hacked. It was followed by announcements of hacks at the National Institutes of Health as well as the Departments of Homeland Security and State. 

This week, we learned that the security breaches were the result of threat actors believed to be affiliated with Russia’s state security service. The attackers infiltrated these government agencies and FireEye through a software update from SolarWinds that was issued months ago. SolarWinds believes as many as 18,000 customers may be affected by the malware inserted by the attackers into the SolarWinds update.  

What the FireEye and SolarWinds Hacks Mean for Consumers 

It is too early to tell what the FireEye and SolarWinds Hacks mean for consumers. So far, there is no indication that the Nation/State attackers were after consumer information. These groups tend to be interested in information that can be used for intelligence or espionage, not making money by stealing and selling consumer data.  

There is another reason to believe consumer information may be safe from the FireEye and SolarWinds hacks. SolarWinds software does not access or manage consumer data. As ITRC Chief Operating Officer James Lee says in the podcast, think of SolarWinds as a traffic cop. They can tell people what businesses are on the street and how to get there, but they cannot take people there and open the door for them. 

With enough time and motivation, the attackers could have wandered around a SolarWinds customer’s networks to access some consumer information. However, experts don’t believe that happened on a mass scale. The ITRC will post more details if we find consumer information is involved.  

How We Know About the Attacks 

We know about this and other breaches because of laws and regulations that require organizations, even government agencies, to issue breach notices. Many of those rules do not set a specific timeline for when a notice must be given. That is about to change for banks governed by the Federal Deposit Insurance Corporation (FDIC).  

For the past 15 years, the FDIC rules only required that regulators be notified of a data or security breach within a reasonable period of time. This week, the FDIC approved a new regulation that sets the notification period at 36 hours whenever a security issue or system’s failure significantly impacts operations. That is stricter than the 72 hours required by the State of New York, the toughest notification law in the U.S. The FDIC rule only requires regulators to receive a notice. State laws still govern public notices.  

notifiedTM    

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC   

If you believe you are the victim of an identity crime or data breach and need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started.  

Twenty-three episodes from 2020 are in the books. We will be back in January to share more insights into data breaches and identity trends. Join us in 2021 on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.   

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • Vertafore, a Denver based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise that exposed personal information to the risk of being stolen by a cybercriminal by not installing security on a cloud storage service.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records exposed has millions of people worried about how it could affect them.

Vertafore, a Denver based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, it was moved to a third-party cloud database with no security. The files included data before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records exposed has prompted consumers to ask questions about how their driver’s license and related data ends up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 

  • The software provider behind some of the largest travel websites, Prestige Software, maintained a cloud database without a password. The unsecured database led to approximately 10 million accounts being available to view online to anyone who knew where to look.  
  • Prestige Software provides technology services to Booking.com, Expedia, Hotels.com, Sabre and other hotel reservation websites around the world. Information included credit card details, payment details and reservation details dating back to 2013.  
  • While there is no evidence the exposed information is being misused, travel website users should change their passwords on their accounts (our experts suggest enacting a passphrase), add two-factor authentication, freeze their credit, monitor their bank statements for any unusual activity and keep an eye out for phishing attempts.  
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website. 
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at the all too frequent event in the world of data – unsecured databases. 

A Lack of Secure Online Databases 

In the context of data protection, repeating the same mistake can have significant consequences. It is why cybersecurity professionals tend to focus on preventing data breaches. That requires them to continually adapt their strategies and tactics to match those of the treat actors who are frequently attacking company systems.  

 Securing online databases continues to slip away from cybersecurity teams. The software provider behind some of the world’s largest travel websites maintained a cloud database without a password, leading to 10 million accounts being available online for access by anyone who knew where to look.  

Forensic researchers believe the available information dates back to 2013 and only relates to hotel reservations. While the information contained in the unsecured database could be used to commit several identity crimes and fraud, right now, there is no evidence the information has been copied and removed from the database. Also, right now, there are no reports of the data being used. 

Software Provider Behind Large Travel Websites Leaves Database Unsecured 

Prestige Software provides technology services to websites that many consumers may have used, including: 

  • Booking.com 
  • Expedia 
  • Hotels.com 
  • Sabre (The reservation system used by American Airlines) 
  • Other hotel reservation websites & mobile apps 

The cloud database was hosted in an Amazon Web Services (AWS) environment that included basic security protections. However, they were not configured. Prestige Software confirmed the database was open to the internet and is now secured.  

Information Exposed Due to Unsecure Prestige Software Database 

The information stored in the unsecured database included large amounts of personal information like full names, email addresses, national I.D. numbers and phone numbers of hotel guests. Additional information stored includes: 

Credit card details: card number, cardholder’s name, CVV and expiration date 

Payment details: total cost of hotel reservations 

Reservation details: reservation number, dates of a stay, the price paid per night, additional requests made by guests, number of people, guest names and much more 

What Impacted Consumers Need To Do 

Consumers who have used these travel websites should assume that any information they shared since 2013 is in the wild and available to be misused in identity crimes, fraud and phishing schemes. Consumers should act as if they have already received a breach notice due to the unsecured database and take the necessary steps to protect their personal information

  • Change your passwords on the travel accounts to a longer, memorable passphrase. Make sure it is unique to the account. Do not use the same passphrase on more than only one account because it helps the bad guys. 
  • Add two-factor authentication. 
  • Freeze your creditif you haven’t already, and monitor your credit card statements for unusual activity over the next few months. 
  • Keep an eye out for phishing attemptsespecially related to any websites affected by this breach or other travel-related websites. Remember, the best protection is to never click on unsolicited links. If you are unsure, contact the company directly.  

How It Impacts Prestige Software 

For the company, the impacts of the lapse in cybersecurity could be significant. Prestige Software is based in Spain and subject to the European Union’s strict privacy and cybersecurity law, known as the General Data Protection Regulation (GDPR). Companies found to have failed to protect consumer information are subject to significant fines up to four percent of their annual revenue.  

Also, companies that process credit cards are subject to self-regulations. The penalty for failing to comply with the Payment Card Industry (PCI) standards include, in some cases, a company losing the right to process debit and credit cards. It is surprising that we have to continue to remind companies of a simple fact: Companies are responsible for securing their cloud environments, not cloud platform providers like Amazon, IBM, Microsoft or any other cloud services companies. Cloud hosts will make basic tools available, but companies have to use them. Also, companies are still responsible for patching their applications and maintaining their advanced cybersecurity tools.  

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you have been affected by the Prestige Software database exposure and want to learn more or think you’re the victim of an identity crime, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Timberline, BankSight and MAXEX Headline the Most Notable Data Breaches in October

California Voters Pass Strongest Privacy Law in the U.S. – The California Privacy Rights Act (CPRA)

Reports Show Consumer Privacy and Cybersecurity Views Have Evolved

  • Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.  
  • A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.  
  • MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests. 
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM
  • For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more. 

There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list. 

Timberline Billing Service 

Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.

However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.  

Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools: 

  • Fort Dodge Community School District 
  • Iowa City Community School District 
  • Cherokee Community School District 
  • Kingsley-Pierson Community School District 
  • Central Decatur Community School District 
  • Clinton Community School District 
  • Muscatine Community School District 
  • Saydel Community School District 
  • Sheldon Community School District 
  • Mid-Prairie Community School District 
  • Hudson Community School District 
  • Dallas Center-Grimes Community School District 
  • Knoxville Community School District 
  • Oskaloosa Community School District 

Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.  

BankSight Software Systems, Inc. 

vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or postpone on loan payments, exposing private family and business information.  

vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their client’s data.  

MAXEX, LLC.  

Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.

The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.  

MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.  

While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. Rather, the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.  

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. 


Read more of our latest information & educational resources below

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers