This week, Capital One formally issued data breach notification letters to an undisclosed number of its customers, stemming from unauthorized activity between January and April of this year.

There are a number of different ways a data breach can occur. While some of us might envision highly-skilled hackers infiltrating a network from the other side of the world, it’s just as likely that the culprit was someone who worked for the organization. Some data breaches expose account credentials or personal information belonging to millions of customers, while other breaches compromise 200 customers’ files through a lost or missing USB drive. However it comes about, the end result is the same: sensitive information has been released that could impact an individual’s identity.

That’s why it’s important to read data breach notification letters carefully, should you ever receive one. The letter will outline what information was accessed, how it was believed to have been compromised, what action the company will take moving forward, and instructions for the affected customers. If the situation warrants, the company may offer credit monitoring service and will provide details on how to sign up.

Capital One has had to issue such a letter this week to affected customers following an “inside job” data breach. According to the notification, a now-former employee looked at customer records without authorization; since those records contain personally identifiable information like birth dates, account numbers and Social Security numbers, Capital One has to treat this situation seriously.

A reported statistic from a previous Capital One data breach in 2014 highlights an interesting problem. While the overall number of data breaches continues to increase each year, the percentage of those data breaches that were caused by an employee with unauthorized access has remained fairly steady at around 30% of all data breach events.

There is no way of knowing why this employee looked up customers’ accounts—yes, we could playfully assume they were browsing the records looking for a cute baby name, but that’s not very likely. Instead, the company must assume that this former employee was stealing complete identities with the intention of using or selling them. So far, there have been no reports of identity theft or fraud traced back to this specific situation, but Capital One is not taking any chances. They’ve issued the data breach notification letter to affected customers, and are offering two years of credit monitoring service to help customers stay on top of any potential damage.

It’s important that any affected customers take full advantage of the free credit monitoring service. Since Capital One knows that the impacted data contained permanent identifiers like Social Security numbers, there’s a very real possibility of fraud stemming from the event.


 

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

For more than a decade, the Identity Theft Resource Center has tracked data breaches to form a better picture of how this issue continues to occur and to identify trends over time. Now, 2017 has posted a new record.

Almost every single year since this monitoring began, data breaches have continued to set new records for both the number of events and the numbers of compromised consumer records. According to the mid-year report, “The number of U.S. data breaches tracked through June 30, 2017, hit a half-year record high of 791, according to recent numbers released by the Identity Theft Resource Center (ITRC) and CyberScout*. This represents a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016 when breaches reached an all-time record high of 1,093.”

How are these events coming about? In the first half of the year, hacking was the single most common form of attack, which included things like ransomware attacks and phishing attempts. The rest of the top three included things like employee error and accidental overexposure, such as when a database of information is accessible on an unsecured web server.

As to which industry is most affected by data breaches, “the business sector continues to top the list at 54.7 percent of the total breaches, followed by the healthcare/medical industry at 22.6 percent. The education sector ranks third at 11 percent of the total breaches followed by the banking/credit/financial industry at 5.8 percent and the government/military at 5.6 percent.”

One of the most alarming findings of the report is that Social Security numbers, the “Holy Grail” of personally identifiable information, continue to be exposed in the majority of breaches. Only a handful of years ago, cybercriminals were happy to get their hands on things like credit card numbers and account information, then use that data to rack up high-dollar debt before the account was closed. Now, SSNs provide criminals with a lifetime of possible new accounts, making them a sought-after part of the data breach equation.

*CyberScout is a financial sponsor of the Identity Theft Resource Center.



The Identity Theft Resource Center has been tracking data breaches for years and has basically seen it all.

There have been events in which hackers stole the information for millions of credit card accounts. Some breaches have included usernames and passwords for more than a billion email accounts, while others have exposed the complete records—containing all the PII for each of the victims—for just a few hundred individuals, which is only a handful of people in comparison.

There are different outcomes in many data breaches, of course. What kind of information was stolen? Did the hackers get enough information to lead to identity theft? Can the victims’ finances be impacted? Will they need credit monitoring to watch for suspicious or criminal activity?

The type of breach can vary greatly, too. Was it an inside job by an employee with access to records? Did hackers break through what was supposed to be a secured network? Did someone throw away large amounts of papers that contain sensitive information? Did an employee intentionally but innocently forward information to someone who pretended to be the boss?

One other distinction that was recently reported is for an event in which the victims say it wasn’t actually a data breach, but rather just a “data over-exposure.” What’s the difference? For some states and their notification laws, there might not be a difference. But in the case of Dow Jones & Co, and their four million customers whose information was accidentally left open to the public on an unsecured server, the company claims it wasn’t a breach.

There are some minor differences here. First, the data was stored exactly where Dow Jones planned for it to go, but the way it was set up on the Amazon S3 web hosting server left it accessible to others with Amazon web authentication. A security researcher found the information during an intentional search for unsecured databases, and so far no unauthorized activity has been reported with the information.
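As an added example (not part of the original article, and not Dow Jones or Amazon code), the following Python audit flags the kind of bucket setting described above. It assumes the exposure corresponds to an ACL grant to S3's predefined AuthenticatedUsers group and takes input in the shape returned by the S3 GetBucketAcl API; the bucket names, owner ID and sample ACLs are constructed.

```python
# Predefined S3 grantee groups whose membership extends beyond the bucket owner.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # service group, not flagged

BROAD_GROUPS = {
    ALL_USERS: "anyone on the internet, with no credentials",
    AUTHENTICATED_USERS: "any AWS account holder, not only the owner's accounts",
}

# Effect of each ACL permission when it is granted on a bucket.
# Object ACLs are separate and need their own check.
EFFECT = {
    "READ": "list the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write and change the ACL",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_bucket_acl(bucket, acl):
    """Return one finding per grant that opens the bucket to a broad group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in BROAD_GROUPS:
            continue  # owner, named accounts and service groups are not flagged
        permission = grant.get("Permission", "UNKNOWN")
        effect = EFFECT.get(permission, "use an unrecognised permission")
        findings.append({
            "bucket": bucket,
            "group": uri,
            "permission": permission,
            "severity": "critical" if permission in WRITE_LIKE else "high",
            "detail": f"{BROAD_GROUPS[uri]} can {effect}",
        })
    return findings


def audit_all(acls):
    """Audit every bucket in a {name: acl} mapping, in name order."""
    return [f for name in sorted(acls) for f in audit_bucket_acl(name, acls[name])]


# Constructed sample input: three ACLs in GetBucketAcl response shape.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACLS = {
    "example-customer-data": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ]},
    "example-private": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
    "example-logs": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"[{f['severity']}] {f['bucket']}: {f['permission']} -> {f['detail']}")
```
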

This might be important to Dow Jones, but their approximately four million customers might not feel that this is so minor. The accessible database contained customers’ names, their in-house customer IDs, along with their home and business addresses. The most alarming information was the last four digits of the credit card the victims stored in their customer records, along with their email addresses. This information and the news surrounding the data breach means victims can certainly expect phishing emails that can lead to scams.

No matter how a breach occurs—or whether it was even a full-fledged breach or simply a mislabeled security protocol—consumers need to be prepared to take their security into their own hands. Monitoring their accounts carefully, practicing good password safety, and taking action against suspicious activity immediately can help no matter how your information fell into the wrong hands.



All across the country, data breach notification laws can differ based on the state in which the breach occurred and the state in which the affected consumers live. With no nationwide notification law as of yet (and two states not even having notification laws in place), that can mean a wide variety of requirements scattered across the country.

Fifteen different states’ attorneys general have come together to clarify what constitutes a notification requirement under their view of existing laws.

Different states define their notification requirements based on the types of personal information that were stolen, viewed, accessed, or used without authorization; in some states, there is also a “combination effect,” meaning notifications are required when certain pieces of information are accessed together, like email addresses and passwords or names and Social Security numbers. Unfortunately, businesses have made the mistake in the past of thinking that only specific pieces of information could trigger the requirement to notify possible victims of a breach, but the letter from these different states makes it clearer.

According to TechnologysLegalEdge.com, “In response to a ‘FAQ’ circulated by [Aptos, Inc], the AGs of New York, Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota wrote that Aptos was incorrect in its view that ‘there is no obligation to notify in those states – the account number plus CVV states – if your customers’ CVV data was not exposed.’ The AGs clarified unequivocally, ‘The CVV number does not have to be disclosed to trigger our states’ notification obligations.’”

What’s the difference?

The CVV number is the three-digit security number on the back of the card. Some entities mistakenly believe that a credit card number on its own can’t benefit identity thieves and scammers, but that isn’t exactly the case. The AGs’ letter informed Aptos that their states require a notification anytime a consumer’s name and payment information is breached, regardless of whether the CVV number was compromised.

This is an important distinction for businesses to understand. The costs associated with issuing a data breach notification—potentially to millions of customers in a large-scale event—can be very serious, and the resulting legal action by banks who have to foot the bill for issuing new cards may be severe. Even worse, failing to notify consumers under the false notion that they’re not required to notify can have serious consequences as well. It’s important for any company that gathers and stores consumers’ information to fully understand their obligation under the different laws.



Each year, hacking events and data breaches continue to set new records for both the numbers of attacks and the numbers of consumer records that are compromised.

The Identity Theft Resource Center keeps a close eye on the numbers, and along with tools like Verizon’s data breach report, provides crucial information to consumers, lawmakers, and other stakeholders.

One of the findings of the most recent Verizon report is an alarming rise—a 50% increase, in fact—in the number of ransomware attacks over the year before.

As its name implies, ransomware is a form of cybercrime that occurs when hackers hold a computer or network hostage, only agreeing to unlock the system or release its hold on the data if the owners pay up. While this has been a common tactic for some time, in recent years there has been a noticeable increase in “big fish” victims that have a lot to lose from the breach. Victims routinely include hospitals, medical offices, and schools, as those types of businesses have more to lose in a data breach, such as fines for privacy violations and lawsuits related to interruption to care.

There was another interesting finding in Verizon’s study: the method and duration of an attack tend to vary depending on whether the victim is a lone consumer or a corporate entity. When criminals target an individual tech user, the effect tends to be immediate: a box pops up informing you of the situation, telling you how to pay the fine in order to retrieve your decryption key. A business, on the other hand, tends to be a “silent” long-term victim, giving the hacker time to work a virus all the way through the company’s network, hoping to even reach other companies’ computers that are connected to that one in some way. Only after the hacker knows they have complete access do they “lock” the network, potentially ensuring a bigger payday.

While this information looks grim, there was also some good news in the report. Retailers experienced a noticeable decline in attacks that took place at their point-of-sale systems. This method of attack has been responsible for a number of high-profile data breaches, like the ones that affected Target, Home Depot, Wendy’s, and many others. The decline suggests that some of the industry’s defenses are working, and it speaks to the successful initial rollout of “chip” credit cards.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Data breaches have made headlines around the world for the past few years, namely because the record-setting numbers of events have resulted in higher than ever compromised consumer records. But while the big names tend to get all the attention, the reality is they’re not just a “big dog” problem.

The truth is, small businesses are not only just as likely to fall victim to a data breach, in many ways they may actually be more of a target. A smaller budget to spend on high-tech security and a smaller IT department to handle issues as they arise can be enticing to hackers. Multipurpose computers on a single network, meaning that every desktop can access all of the same information regardless of the employee’s job duties, can leave the door wide open for a virus that roots around the entire network. Even the “round the clock” syndrome that a lot of small business owners fall into with their companies can result in a network that is constantly vulnerable to attack without downtime to back up the files, update the antivirus software, and other key tech functions.

How big is the threat? According to the Small Business Association, “More than half of Americans either own or work for a small business, and they create about two out of every three new jobs in the U.S. each year.” Small Business Week is an annual event dedicated to bringing awareness of the important role that these companies play in both the economy and our everyday lives, but also the threats these companies can face.

There are some things that small business owners and employees can do to help make security more of a priority without ruining their already solid budgeting. Some of them will carry costs that are a worthy investment, while others are free steps that everyone can incorporate.

1. Antivirus Software

Keeping strong AV software installed and up-to-date will go a long way towards sniffing out malicious software and preventing it from causing harm. It’s tempting to fall for the “home” versions that are often readily available for free; while they might afford you some protection against threats, they are not intended for workplace use and therefore carry no legal protection if you install them on your company computers.

2. Document Disposal

When it’s time to go through some old files and discard them, it’s important to rely on a full destruction method. Data breaches that can be traced back to lost, stolen or poorly discarded files are proof of that. Whether you use an in-office cross cut shredder or a document destruction service, make sure you’re not leaving key paperwork around for a dumpster diver to find it.

3. Training

Nothing you do will be more important than keeping the security conversation going with all of your employees. It’s important to establish a company policy on computer use—for both business devices and personal devices that can connect to your network—and that you update those policies regularly. Ongoing training on how to spot a hacking or spearphishing attempt, and how to respond to it, can go a long way towards preventing a breach.

One of the most important things your small business can do to avoid a data breach is to be mindful of what information you gather in the first place. It’s not enough to lock it up tight since mistakes can happen and the technology behind hacking gets more and more sophisticated every day. Instead, take a good look at what information you’re gathering in the first place, and then decide whether or not you actually need it. If you don’t need it, don’t request it…and certainly, don’t store it.



New changes to how tax preparers in key states operate may mean turning over your driver’s license at the time of filing, which might seem like a good idea. On the surface, it’s just another layer of protection for you as a taxpayer, right?

If you file your taxes yourself, submitting your driver’s license on your forms might not do any good towards preventing tax return fraud. If you rely on an outside source for your filing, this could actually leave you even more vulnerable to data theft. Turning over yet another key piece of personal information means another set of eyes on it, and another individual who could become the weakest link when it comes to protecting your data.

Whether it’s “inside job” attacks or accidental data breaches, any submitted information can be put at risk. That means CPAs and tax prep services have to go to great lengths to secure all of the information they gather. They’re trained—and expected—to safeguard things like your Social Security number, but with different states requiring different forms of identification, they may not all be prepared to treat your driver’s license number with the same level of care.

There’s also the matter of data breach notification. Different states have different laws about when an organization is required to contact you about a breach. For most states, a driver’s license number is considered highly sensitive, protected information, and therefore if it falls into the wrong hands you should be notified. However, not all states have the same requirements or the same stringent policies on timeliness.

One of the most alarming aspects to using a driver’s license number in this way is the public’s own perception about its importance. One survey found that citizens tend to be very protective of their Social Security cards, but when it comes to a lost or stolen driver’s license, it’s seen as more of an inconvenience than a cause for concern.

As citizens, we must be proactive about safeguarding our data and monitoring what happens to it. It’s not good enough to say, “Well, it’s probably already been stolen over the years, the damage has been done.” While it’s true that literally millions of Americans have had their information accessed by an unauthorized person over the years, that doesn’t mean you should wash your hands of your own safety. Ask the tough questions about how your information will be stored and who will be able to see it, and if you don’t get solid answers that you can trust, think twice about handing it over.


The ITRC tracks record-setting numbers of hacking events and data breaches every year, and many of them make major news headlines. Sometimes, though, the root cause of a massive breach isn’t nefarious cybercriminals, but just a flaw in the software.

Cloudflare experienced a potential data breach last week that appears to be the result of a bug in its software. The bug has actually been in place for years and went undetected, but recent changes to the company’s software “activated” the bug, making it possible for data to be leaked directly online.

What is Cloudflare? Ironically, it’s a company that provides web protection services to a number of major websites, including Uber, Yelp, Medium, and many, many more. A longer list of those websites that relied on Cloudflare to prevent DDoS attacks, among other things, was published by Gizmodo, but that list is not comprehensive. There are also many other sites like TunnelBear and Crunchyroll that use Cloudflare for some services, but not the kind that was affected by this bug; therefore, several of those websites have already begun informing customers that their user data is safe.

The kind of bug that caused this problem basically allowed information to leak out once the buffering was completed. It rerouted the information back to the search engine, meaning no one should have found your data, but they could have. Now that the leak has been widely publicized, there’s a good chance data miners will go hunting for it.

The leaked information typically included email addresses or usernames, along with passwords. If you’re one of the many people who’ve fallen into the bad habit of reusing your password on multiple websites, you may be at risk of having other accounts compromised. Cloudflare is encouraging users to change their passwords immediately on any of the sites they served, but changing your password on any other site that reuses a Cloudflare-protected password is also a good idea. From there, you need to monitor your online accounts for any signs of unauthorized activity.

How much information are you putting out there? It’s probably too much. We are here to help you stop sharing Too Much Information. Sign up for the TMI Weekly.

Point-of-sale data breaches continue to be an ongoing problem for businesses of every size, and the latest discovered breach is no exception. Arby’s fast food chain appears to have been struck by a malware attack that infected its credit card payment system in multiple corporate-owned locations. At this time, no franchisee locations are believed to have been infected.

When the chain discovered the malware on its servers last month, they immediately notified law enforcement and brought in forensic tech experts to conduct an investigation. While the malware has been discovered, there’s no count yet of how many patrons’ records were compromised; however, the number is believed to already be more than 350,000.

There’s no such thing as a “good” data breach, but there are instances in which the stolen information is not as dangerous as others. In the case of a POS data breach, the compromised records should only include names and credit card or debit card numbers, and pertinent related account information. No Social Security numbers or birth dates, for example, would have been stolen.

So what are concerned citizens supposed to do now? The same thing they should be doing every day! But in cases like this one it’s especially important to monitor your accounts for any signs of unusual activity, and contact your bank as soon as you see anything strange. Your bank might wish to place a hold on your card or even to replace it entirely in order to avoid fraudulent charges on the part of the hackers, but some banks might consider that premature without further reason to believe that you were affected.

If your account was impacted by this breach, you will receive a notification letter from Arby’s with more information on how to protect yourself. If this situation turns out to meet the legal requirements for free credit monitoring, you may be offered that protection for one year at no cost to you.



Stolen medical records are the holy grail of identity theft crimes, and hackers can make serious money selling patient records online.

This is largely due to the high volume of information that your medical record might contain. Your name, birthdate, and address are in there, but your Social Security number and health insurance account numbers may also be listed. Depending on where you live and what type of facility you’ve used, there may even be scanned copies of your driver’s license, from your previous payments, and more.

Three recently reported medical data breaches have resulted in nearly 250,000 medical records being compromised, records that are known to contain the protected health information (PHI) for the patients in question. One of the incidents involved a laptop that contained unencrypted patient files stolen from a locked vehicle while another involved ransomware downloaded to a facility’s servers. The third breach involved unauthorized access to the facility’s network, although no other details have been given as to whether it was an “inside job” or the work of hackers.

There are some important and upsetting takeaways in each of these three unrelated events. First, it shines a brilliant light on the fact that new tactics may have come along, but the old methods of exposing confidential records are still a threat. After all, it’s 2017…why are unencrypted laptops filled with confidential information even still in use? More importantly, there was a significant delay of more than a year in the time it took one of the facilities to notify the victims following the discovery of the breach. Again, why? Data breaches and hacking events are not new, and if anything, recent innovation and awareness have only shortened the time it takes to notify victims.

All three of these breaches must serve as a warning to the public not to let their guards down when it comes to their personal security and privacy. Individuals have to ask important questions about where their data will end up, how it will be secured, and what steps will be taken in the event that it is compromised. At the same time, the public also has to take ownership for monitoring their credit and the use of their identifying information, as the various entities that already gathered that data are under constant threat of a breach.
