On February 25, 2014, Hold Security, LLC announced that it had discovered almost 360 million stolen account credentials including email addresses and passwords and 1.25 billion records solely containing email addresses in just the first three weeks of February.

The massive discovery is a result of multiple data breaches that Hold Security, LLC is currently investigating. Hold Security, LLC believes the credentials were likely stolen in breaches not yet publicly reported, and that the breached entities may not yet know that their customers’ information has been compromised.

What is different about this data breach is that these records contain email account credentials, or usernames and passwords. This doesn’t sound quite as dangerous as, say, the Target breach because the Target breach contained payment card data. The compromise of payment card data is certainly dangerous and has a lot of potential to cause damage to victims; however, email account credentials can be just as dangerous if not more so.

First, the email usernames and passwords can obviously be used to access the actual email accounts themselves. This is an unsettling consequence of the data breach and poses significant harm to the victims because email accounts generally have copious amounts of sensitive personal information. Think about what is stored in your email account. Think about how long you may have had this email account. How many times did you email financial documents, work documents, tax documents, private pictures, reminders of passwords to other accounts, bank information and more? Just the email account itself can be a treasure trove of sensitive personal information to an identity thief who knows how to abuse it.

Second, we are all guilty of recycling a password, using it across multiple accounts so it is easy to remember. Identity thieves know this, and will use the passwords found by Hold Security, LLC to attempt to gain access to other accounts the victim has created. These could be bank accounts, retirement accounts, eBay accounts, PayPal accounts, and a multitude of online shopping accounts. This kind of widespread account access would be devastating to a victim.

Third, the account credentials can be used for spam and other phishing scams. A phishing scam is when a thief sends an official-looking email purporting to come from a business or individual, requesting that the recipient either divulge sensitive personal information or click on a link that loads a virus onto their computer or smartphone. Phishing is a very common tactic used by identity thieves and is listed as one of the top scams of the year by the IRS.

We are bringing this information to your attention to remind everyone that it is not just your Social Security Number that is valuable to identity thieves. You must take a comprehensive approach to protecting yourself. This means that you are vigilant about protecting all your data, including your mail, Social Security Number, medical insurance card, account usernames and passwords, passports, financial documents, tax documents, medical records and the list goes on. You must cast a critical eye on all sources of information about yourself and constantly destroy anything that is not absolutely necessary. Cross-cut shred all unneeded paper documents, delete any electronic information, and safely store any sensitive personal information that you absolutely can’t do without and you will be well on your way to being one step ahead of identity thieves.

“Hold Security, LLC Discovers Massive List of Stolen Credentials” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

As regular readers of the ITRC blog already know, data breaches can occur in a variety of ways. Whether by hacking, employee error or negligence, or some form of physical theft, access to customer information is given to criminals who may then use that information for illicit purposes.

The financial fallout of these breaches often leads to lawsuits which can cost the breached company serious dollars.  Below are some of the most expensive, high profile breaches in the past year and the litigation that resulted from them.

Target:  The Target data breach is almost certainly the largest and most visible cyber-attack since the breaches of Heartland Payment Systems or TJX. Currently the retail giant is facing a plethora of legal actions resulting from the breach of more than 40 million customers’ credit and debit card information.  Many of these lawsuits stem from alleged negligence on the part of Target.  Banks associated with this breach assert that the necessity to issue new credit and debit cards, as well as cleaning up any resulting fraud, could end up costing them millions.

Neiman Marcus:  The Neiman Marcus data breach was perpetrated by hackers who stole personal information from more than 1.1 million debit and credit cards over a period of months.  It is generally assumed that the malware used for this breach was similar to that which was used to access Target’s system.

There is currently a pending lawsuit alleging that Neiman Marcus knew about the stolen information but waited several weeks before informing affected consumers.  According to most data breach notification laws, the only relevant reason for waiting to notify affected consumers is if to do so would compromise an ongoing criminal investigation or expose some national security objective.

Michaels:  Michaels Arts and Crafts Supply Store is also facing a pending class-action lawsuit due to the fallout of a data breach.  Exact information about the number of records exposed or damage in dollars is still limited, but the current suit alleges that Michaels failed to report its last major breach in May of 2011.  In addition, the suit alleges that Michaels failed to adequately monitor its payment systems in a way which would allow the retailer to detect fraud or other signs of tampering, allowing the breach to continue unnoticed for an extended period of time.

It is imperative, not only for the good of the consumer, but for the businesses that handle sensitive personal information themselves, to have best practices and protocols in place to immediately and effectively identify a breach incident and subsequently mitigate any resulting harm.  In the event that a data breach occurs, it is imperative that businesses work against the traditional inclination to be silent on the matter.

The companies that recover from breaches the fastest and with the least amount of public relations damage are those that get out ahead of the issue.  They have a Data Breach Incident Response Plan: they notify their consumers about what happened, provide information on what they have done to correct the situation, inform customers about the steps they are taking to minimize the risk of it happening again, and provide necessary remedies to customers to rebuild their customers’ confidence and trust.  For specific questions relating to data breaches, please visit our website at www.idtheftcenter.org or call us toll free at (888) 400-5530.

The compromise of millions of consumers’ information now has Target sending out millions of data breach notification letters and emails to victims and potential victims all over the country.  If you’re among that population, you may have already received some form of communication from Target informing you of the potential exposure of your information and what you might do about it.

But consumer beware. The high profile nature of this breach has scammers and identity thieves swooping in to ravage this already exposed population like vultures after a carcass. The primary method seems to be sending fraudulent emails or notification letters purporting to be representing Target in an effort to trick consumers into giving them their personal information.  So if you’ve received a letter from “Target,” here are a few ways to check to ensure the letter you’ve received is legitimate, and not an attempt to scam you.

  1. The Email Address:  Actual Target breach emails are coming from TargetNews@target.bfi0.com.  If your email is from any other address, be very careful.
  2. The Letter Sounds Urgent:  Target is currently offering free credit monitoring for victims of the exposure, provided they sign up by April 30, 2014.  If the email you receive urges you to respond immediately, there’s a good bet it’s a scam. Scammers don’t want you to take time to think, they want your information.
  3. They Ask For Personal Information: A legitimate organization will never ask for personally identifying information in an email. Period. The End. Any time such a request is made, you can bet your bottom dollar it’s from a would-be scammer.  The actual Target email will send you a token inside an email which will take you to a secure website to enter your information. That website is creditmonitoring.target.com.  At your request, they will send you an activation code which, following an email authentication, will allow you to sign up for the free service.
  4. There Are Spelling and Grammatical Errors:  Target is a huge corporation. They can afford to hire people that can speak and write the English language with proper grammar.  If your letter has glaring spelling or grammatical errors, you can be assured it’s a scam email; likely from another country where English isn’t the first language.
  5. Signup Requires a Pre-paid Money Card, Online PayPal Transfer, or Western Union Transfer:  Target’s credit monitoring offer is free, so there’s no need to pay anything. Any attempt to collect payment through any method whatever is a fraudster’s attempt to rip you off.

Consumers with additional questions should contact the Identity Theft Resource Center toll free at (888) 500-4430 or visit them online at www.idtheftcenter.org.

“To Victims of Target Breach: Don’t Let Crooks Double Dutch You” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

It’s no longer an “if” you’re the target of a data breach; it’s just a matter of “when.” Data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill prepared to manage the fallout.

While the average cost of a breach equals $5.5 million, the public reaction fosters graver implications. The resulting “business shock” not only paralyzes operations, but it also damages relationships with regulators, partners and consumers.

How can you best prepare and defend your organization? How can we all make 2014 the year of “data stewardship?”

At the Online Trust Alliance, we’ve found one of the best things you can do is create a Data Incident Plan (DIP). The DIP is a playbook that describes the breach fundamentals an organization can deploy on a moment’s notice. A good DIP helps you quickly determine the nature of an incident, immediately contain it, ensure evidence is not accidentally ruined, and easily notify regulators. Without a DIP, a breach will harm a company’s brand, increase liability exposure and leave a negative impression on your bottom line.

So in honor of the upcoming 2014 Data Privacy Day, here are 14 key tips to help you create your DIP:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion,” or “at rest.” Know where the data is physically stored.
  2. Terms & Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third party advertisers, analytics and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And of course, continually ask whether that purpose is still valid and relevant.
  4. Practice Or You’ll Breach. Forged email, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify potential exposures and the vulnerabilities behind them. These work in conjunction with existing security and anti-virus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD is like a BYOB House Party. The lack of a coherent Bring Your Own Device (BYOD) policy can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, installation of remote wiping tools, and procedures for employees to report lost devices.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This At Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in the forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone-synchronization. Routinely back them up, keep copies and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly with the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What did you say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

These are just the “tips” of the iceberg when it comes to developing your DIP. A well-documented response plan is only as good as the training and readiness of your organization. To make sure you don’t DIP too far in the water with your incident response plan, join OTA at our upcoming Data Privacy Day Town Hall Events!  In addition to hearing from experts on the latest security, privacy and data protection practices, our Breach Readiness Planning workshop covers the DIP fundamentals. From forensics to customer communications and working with law enforcement, you’ll learn the critical steps to take when dealing with a data loss incident.

For more info and to register go to: https://otalliance.org/dpd.html. These events are eligible for IAPP CPE and CLE credits.   Good luck in developing your DIP and hope to see you on Data Privacy Day!

“Be Breach Prepared With Tips on Your DIP” was written by Heather M. Federman. Heather is the Director of Public Policy at the Online Trust Alliance.

This is the second part of a three part series regarding the recent Target data breach incident.  In Part I, we actually expressed appreciation for some of the positive outcomes of this data breach, primarily the fact that it captured national attention from a broad cross section of consumers.  This is positive because consumer engagement in this area is not widespread, and any activity that causes consumers to take a more active role in this conversation is valuable.

The ITRC call center received hundreds of calls when the information first became public.  One area of confusion was continually brought to our attention: people simply did not understand what the true effect and real risk was regarding the data that was compromised.  Frankly, it boiled down to: I am a victim of the Target data breach – what does that mean? Many consumers were under the impression that the compromised data included information which could be used to obtain NEW lines of credit and/or open new accounts in the consumer’s name.  This is inaccurate.

According to Target, the information that was breached was “payment information”: the specific card (debit or credit) that was used for payment at a Target location during the affected time period.  This included information housed on the magnetic stripe of the card, and encrypted PINs (for debit cards).  To date, Target has not reported that any other personally identifying information (PII), including Social Security numbers, was compromised.  Social Security numbers, a key component in allowing identity thieves to open new lines of credit in your name, are not contained on the magnetic stripe.

It is true thieves could take the compromised data and use it to “socially engineer” other information about you, in the hopes they might discover enough to uncover the PII needed to steal your identity.  This does require some effort.  Generally, you would have to be an attractive (i.e. wealthy, public figure, or high profile) individual to warrant such effort.  This is usually not the case with the average consumer.  So while it is possible for this to occur, the likelihood that it will happen is quite small.

The risk to individuals whose data was compromised in the Target data breach is simply this: the compromised account could be used by someone other than the owner of the account to purchase goods or services.  The recommendation to check the activity on these accounts is solid advice.  The suggestion to close accounts, request new cards, and change PINs (now that we are aware that encrypted PINs were compromised) is also accurate advice. These actions will stop the compromised data from being used, and therefore render it of little value.

Checking credit reports, as a response to this particular breach, is simply ineffective.  It’s important to make it clear that in this particular case, checking your credit reports will have zero effect on minimizing the risks associated with this exposure. Checking your credit report is always a good idea, and the ITRC encourages consumers to do so on a regular basis.  By all means, check your report and ensure that there is no erroneous or fraudulent activity or information on it.  Regularly reviewing your credit report will minimize the amount of damage a thief can do because you will catch the activity earlier.  The later identity theft is discovered, the more difficult it is to resolve. Just realize this action will not minimize your risk of becoming a victim of identity theft; it only minimizes the amount of damage a thief can perpetrate. In regard to the Target data breach incident, checking your credit report (based upon the information disclosed by Target at this time) will not minimize your risk of having the compromised card numbers used to purchase goods or services.

The high level of confusion among consumers only serves to highlight the importance of ensuring that the general public realizes that the level of risk varies depending on the type of breach that has occurred.  The “risk of harm”, or type of future risk to victims of a data breach, is dependent upon the type of data that was compromised.  Indeed, not all breaches are created equal.  There are many variables to consider because most breaches involve complex and technologically advanced systems.  It should be noted that it is not only the type of data which is breached that helps to define the potential damage; consumers’ online practices (and offline behaviors to a lesser degree) increase risk as well.

For example, a breach of usernames and passwords for an online, non-financial account may have little effect on Consumer A because they actively follow best practices to minimize their risk, but it could have a devastating effect on Consumer B because they don’t.  Consumer A regularly checks privacy settings and keeps them on the strictest setting, and uses different passwords for different accounts.  Consumer B, who keeps their social media profiles public, and uses the same password for ALL accounts, including their banking site, could easily be compromised.  The savvy identity thief can easily discover what Consumer B’s email address is, and log-in to other accounts because the consumer uses the same password for everything.  The thief then gains access to financial accounts by using the same log-in and password information.

It is up to the business industry to ensure that they are following best practices and have the most up-to-date and robust systems/mechanisms in place to thwart the thieves.  But consumers need to be aware of the role they CAN play in their individual safety.  Then they need to take those steps and employ those strategies.  While this still won’t guarantee someone will not become a victim of identity theft, it can help to lessen the chances and the damage if it does occur.

“Why I Want to Say Thank You to Target (Part 2 of a 3 Part Series)” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The Target breach can now be added to a long list of historical events that occurred on December 19th.  It should rank somewhere between King Henry II being crowned King of England in 1154 and Italy besting Chile for the 65th Davis Cup in 1976.  At least we hope that is the case.

There has been a proliferation of articles and communication across multiple media channels highlighting this incident.  Most of the articles have provided sensible tips to consumers on what steps to take and how to react.  Many have included stories from consumers expressing their outrage.  Some have even vilified Target for the incident.  Why then would an organization such as the ITRC, built on advocacy and consumer trust, actually want to thank Target?  Because breaches happen all the time! In fact, we have documented more than 600 breaches, THAT WE KNOW ABOUT, in 2013 alone.  But this time, everyone is talking about it.  Finally.

It is unfortunate that it took an incident from such an iconic brand, during the holidays and in such a broad scope, to cause this kerfuffle.  But in our estimation, this reaction is long overdue.  Consumers need to be aware that the information and data they have floating all over the place is vulnerable.  They need to know that their data can be breached, even if they themselves follow all the best practices.   There – I said it.  Individual consumers are powerless to stem the tide of data breaches.  That last statement will cause both advocates and consumers to cringe.  But it’s the truth and someone needs to say it.

There are things people can do to minimize the damage which can result from a data breach, but that is different from doing things to stop a breach (ways to minimize damage after a breach will be covered in depth in Part 3).  Right now, the services we consumers use, and the businesses we trust to safeguard our data, are the ones that must take steps to ensure that the risk to us is lessened.  And we think that in many ways, the business community on the whole is making efforts in this area.  Do we really think that Target WANTED to admit to a data breach, during the holiday season, right before the second busiest shopping day of the year (according to ShopperTrak data predictions)?  Of course not.  But once they were outed by a security expert they were compelled, in part, by the laws that govern the reporting of breaches to affected parties.

For those of you that don’t believe that laws elicit compliance, I remind you of an old saying among the financial detectives I used to work with: “Locks are for honest people.”  After all, a thief would simply break a lock and take off with whatever valuable goods are inside.  Honest people are deterred by “locks” and, when presented with guidelines and guardrails, they generally practice restraint, even if a little bit tempted, because they don’t want to be a criminal.  Laws are an outside force that compel us to govern ourselves because we don’t like the consequences (think speed limits and jaywalking laws). In the case of a data breach, mandatory breach reporting laws are locks.  The fact that there are still four states (Alabama, Kentucky, New Mexico and South Dakota) that do not have laws/regulations regarding mandatory reporting is troubling.

Breach reporting laws keep the honest companies in compliance and ensure a safer environment for consumers on the whole.  Untrustworthy members of industry won’t report a breach regardless of the law.  Compliance and noncompliance can be useful indicators to consumers when they are sorting out what companies to trust in this complex landscape.  This incident may well have us on our way to more dialogue about a robust federal data breach notification law.  Why?  Because now consumers will be engaged in the dialogue and we need that critical participation from them. The business community can (and mostly does) support a law that promotes uniformity in the reporting guidelines across all states, thus simplifying their breach reporting process.  After all, with national and international companies (like Target), why should your right to know be based upon where you reside?  That is an oversimplification, but you get my point.

Let’s be hopeful that 2014 will bring a new round of meaningful dialogue in this area and let us hope that consumers, with this new awareness, are stronger participants in the conversation.

“Why I Want to Say Thank You to Target (Part 1 of a 3 Part Series)” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. You can follow her on Twitter at @ITRCCEO. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Target Corporation confirmed on December 19, 2013 that approximately 40 million of their customers’ credit and debit card accounts may have been compromised. The unauthorized access occurred between November 27 and December 15, 2013, meaning anyone who shopped at Target and used a payment card during this time period may be at risk for fraud.

The ITRC recommends that anyone who used a payment card at a Target store between November 27 and December 15, 2013 follow the steps below to minimize their chances of identity theft or fraud.

  • Immediately review your debit and credit card statements for any suspicious activity.
  • Contact your bank or financial institution and inform them of the incident. Discuss with them your options to protect your accounts and your identity. You may want to request a new card with a new card number and PIN number.
  • Periodically monitor your credit reports for fraudulent activity by ordering your free credit reports on www.annualcreditreport.com.
  • Place a 90 day fraud alert on your credit profile with the three major credit reporting agencies regardless of whether you detect any suspicious activity on your credit reports.
  • Should you find any suspicious activity on your credit reports, request that the creditor and credit reporting agency delete the information from your credit profile.
  • Once any fraudulent accounts have been deleted from your credit profile, consider placing a security freeze on your credit profile to reduce any risk of fraud. While the security freeze is in place, you will not be able to view your credit reports or open any new lines of credit; however, you can always unfreeze your credit profiles at any time.
  • Should you need any assistance, at any time, please call the Identity Theft Resource Center at toll-free 888-400-5530, or visit our website www.idtheftcenter.org for more information on identity theft and what you can do to protect yourself.

It does not seem that any Social Security Numbers were breached in this incident; however, customers’ names, card numbers, expiration dates and security codes may have been accessed by the hackers. “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer of Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.” Target has posted an online breach notice located at the top of their homepage providing details of the incident and what information was exposed.

We will be closely following the situation and will provide you with updates shortly.


It’s never fun to receive a breach letter in the mail. Out of nowhere, you’re informed that through no fault or ill-advised action of your own, your personally identifying information (PII) has been compromised and may have been exposed for all the world to see.  This can cause panic on the part of the consumer. As we at the ITRC often see firsthand, in addition to being scary, it can confound and confuse.  What information was exposed? What does this mean? Am I a victim of identity theft? What should I do now?

The first thing you need to know is that a breach letter is never, in and of itself, a declaration that you are now a victim of identity theft. If you’ve received a letter of this type, it’s because, according to the law of the state, an entity that’s had an exposure where consumer information was improperly exposed is required to notify you.  Read the letter carefully, as they must disclose exactly what type of information was exposed and when.  They’re also required to inform you in a timely manner. The only permissible reason for a delay in notification is if it would compromise an ongoing criminal investigation into the perpetrator of the exposure (if there was specific criminal intent in the case of this particular breach).

So, really all the letter is informing you of is that some portion of your PII was improperly exposed. The letter will detail exactly how and where the information was compromised.  What it means in simple English is that your information was exposed and as a result you may be at greater risk for identity theft or fraud than the average consumer.  Sometimes credit monitoring or other aid services are offered as part of the company’s attempt to make amends for the breach (or to offset the tarnishing of their public image).  If such services are offered free of charge it is always advisable to take advantage of them. The letter will usually have numbers to call for the service in addition to the numbers for the credit reporting agencies or information services to help walk you through the process.  Be sure to use them all.

Check your credit reports and issue fraud alerts through the credit reporting agencies. Remember, the more information you have about exactly what happened and when, the better position you’ll be in to mitigate any added risk or resulting damage to your identity. If you have additional questions or want to be talked through exactly what you should be doing, it never hurts to call the ITRC toll free at (888) 400-5530.

The Identity Theft Resource Center has been receiving hundreds of calls regarding a specific data breach notification letter from a debt collection law firm in the state of Florida. The letter was sent to people who may have had their personally identifiable information (PII) exposed, detailing the cause of the exposure, the firm’s response, and some tips for people to protect themselves.

The letter explains that a former employee may have possibly viewed people’s names, addresses, date of birth, driver’s license number, and/or Social Security number. The letter stresses that the firm does not believe that people’s personally identifiable information was used to inappropriately obtain or use their credit, but “out of an abundance of caution” wanted to inform people of the possible exposure of their data so they could take proactive measures to minimize their risk of identity theft or fraud.

The firm’s letter recommended some actions for recipients to take including continuously obtaining credit reports from the three major credit reporting agencies, reporting any inaccuracies to creditors and the credit reporting agencies, and placing security alerts on credit reports. Lastly, the firm recommended that recipients of the letter call the ITRC for additional information and support services.

The ITRC is not in any way affiliated with said firm, but is always available to help victims and potential victims of identity theft and related fraud. The steps outlined for people to protect themselves in the letter are great first steps, but we at the ITRC would like to provide some additional steps people can take to dramatically minimize their risk of identity theft and fraud.

If you are a recipient of this data breach notification letter:

  1. Call the three credit bureaus (Experian, Equifax, and TransUnion) and request that a 90-day fraud alert be placed on your credit.
  2. Request your annual free credit report from each of the aforementioned credit bureaus and review them for any inaccuracies. Should you find any inaccuracies please call the Identity Theft Resource Center at our toll-free number, (888) 400-5530, so one of our experienced Identity Theft Victim Advisors can personally assist you in resolving them.
  3. If you do find any inaccuracies, call the three credit bureaus and request a security freeze be placed on your credit. This may cost a nominal fee depending on the state that you are in and does not allow new credit lines to be processed until you personally unfreeze your credit. Even if you do not find any inaccuracies, you may want to consider putting a security freeze on your credit as a precautionary measure.
  4. File your tax returns as early as possible to avoid an identity thief filing a tax return under your name in order to receive fraudulent tax refunds.
  5. Contact the Social Security Administration and request your wage report to ensure that an identity thief has not reported fraudulent wages which you may have to pay taxes on if not resolved.
  6. For more details on what to do if you have received a data breach notification letter, please read our ITRC Fact Sheet FS 129.

Regardless of whether you have reason to believe your personally identifiable information has been exposed or not, it is always a good idea to be proactive about protecting your identity. Monitor your credit reports and properly dispose of or protect your personal information. Visit us at www.IDTheftCenter.org for more information about identity theft, fraud and what you can do to protect yourself.

Barnes and Noble recently discovered that criminals stole the credit card information of customers who shopped at over 60 of its stores across the United States. States affected by the breach include California, New Jersey, New York, Pennsylvania, Rhode Island, Illinois, Massachusetts, Connecticut and Florida. It is not clear exactly how the hackers infiltrated Barnes and Noble’s payment systems, but the company determined that the PIN pad devices through which customers swipe their cards and enter their PINs were the point of compromise.

Barnes and Noble determined that only one PIN pad device in each of the 63 affected stores was compromised. Despite this, the company opted to disconnect the PIN pads at all 700 of its stores for inspection, to be extra cautious.

While the intrusion was discovered around September 14, Barnes and Noble waited until October 24 to begin notifying customers. The reason for this delay is that the Justice Department asked Barnes and Noble to delay notification so as not to jeopardize an FBI investigation into who was behind the attacks. Barnes and Noble received two letters from the United States Attorney’s Office for the Southern District of New York informing it that it was not required to report the attacks during the law enforcement investigation. Most states have data breach notification laws that allow breached companies to delay notifying customers if a law enforcement agency determines that notification may impede its investigation.

It is important that anyone who has shopped at Barnes and Noble stores in the affected states quickly change the PIN on their debit card, as the hackers can make fraudulent purchases with the information they stole. In addition, anyone who used a debit or credit card at Barnes and Noble recently should immediately review their account statements for unauthorized charges and notify their bank as soon as possible if any have occurred.
