The year 2020 has kicked off with a number of high-profile data breaches that have affected a wide variety of industries. The recently announced Front Rush data breach affecting student-athletes is just another in a long line of attacks that have targeted businesses and their customers.

Front Rush, a tech company whose recruiting software connects colleges, universities and sports teams with up-and-coming student-athletes, suffered a data breach that compromised around 700,000 students’ profiles. The Front Rush data breach was the result of an unsecured Amazon Web Services online storage system, which is another in an ever-increasing number of accidental overexposures that lay out companies’ databases to anyone who looks for them on the web.

This time the exposed victim records included minors, and due to the nature of the information collected, it included SAT scores and grades, medical files and financial aid agreements.

The storage bucket has been taken offline, but there is no way of knowing if anyone accessed the information before Front Rush became aware of the issue. A security researcher discovered the exposed bucket and contacted Front Rush, but they did not receive a reply. The researcher then reached out to the media so that victims might be made aware.

Incidents like the Front Rush data breach may be on the rise, but they are also avoidable. By default, the web storage bucket is set to “non-password protected,” and it is up to the client to lock it down and put a password in place. Users who fail to do so are literally leaving their entire database available to anyone on the internet.

The consumers whose information goes into these unsecured storage systems do not have much they can do to prevent these things from happening. That is why it’s very important to monitor your accounts closely, change your passwords frequently (in case someone stumbles on old information online) and be on the lookout for spam email and phishing attempts that come from these kinds of breaches.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live-chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.

For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

The Identity Theft Resource Center (ITRC) has released its annual End-of-Year 2019 Data Breach report, and the information is both surprising and expected. The ITRC has long been a go-to source of help and information about identity theft and fraud, data breaches and other related matters. As part of its mission to empower consumers, law enforcement and lawmakers alike with up-to-date information, the ITRC compiles a data breach report each year to present a clear picture of this type of crime.

The 2019 Data Breach Report has revealed that data breaches are on the rise once again, despite a drop the year before. The lower numbers in 2018 appear to have been an anomaly rather than a sign that businesses are getting better at the kinds of security that hackers cannot breach.

Hacking continued to be the number one method of data breaches.

However, there were some very interesting findings. In 2019 there may have been a record number of data breaches, but the number of consumers’ personal records that were compromised was dramatically lower than before. While that is in large part due to the 2018 Marriott data breach exposing over 380 million records, it could still be a sign that the data hackers are after is not as accessible.

Also, for only the second year in a row, the medical industry was not the number one target for hackers. In the past, the healthcare sector has often been a top priority for data theft due to the high volume of personal information that doctors’ offices and hospitals collect on their patients.

Last year, the business sector was the number one target and medical providers were in second place.

There was another unfortunate surprise to come from the 2019 Data Breach Report and the sharing of the findings. Too many people still do not know how to better protect themselves from this kind of crime, and many are unaware of the resources like the ITRC that are here to help them.

In order to try to avoid becoming a victim, it is important to understand what preventive steps consumers can take.

Tactics like the second most common avenue of data breach last year (unauthorized access), for example, can often be thwarted with strong, unique passwords on all of your accounts.

It is also important to monitor your accounts closely for signs of unauthorized use, report any suspicious activity immediately and file a police report if you have been a victim of identity theft.

For a complete look at the ITRC’s 2019 Data Breach Report, click here.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

If you are a LabCorp patient, you should be aware of a recent LabCorp data breach that exposed thousands of patients’ documents. Medical providers, hospitals and insurance companies are often hot targets for data breaches due to the sheer volume of information they gather on their patients. According to the Identity Theft Resource Center’s 2019 End-of-Year Data Breach Report, the medical industry had the second-highest number of data breaches over 2018. When lives are at stake, providers cannot afford to be wrong about which patient is which. Therefore, patient records often contain things like full names, addresses, birthdates and even Social Security numbers. In short, patient records are a gold mine for identity thieves.

Unfortunately, knowing that’s the case is not always enough to protect the public.

TechCrunch recently reported that it discovered a trove of LabCorp patient information in an accidental overexposure breach that contained at least 10,000 patients’ documents. The information was stored for internal retrieval, but once one document was inadvertently made available in a cache of Google data, it was simply a matter of changing the digits in the web document’s address to find many more patients.

It is similar to finding a physical address by searching for it online. You type in a street address and your search engine shows you a picture of the house or the business. By changing the numbers in the street address—either randomly guessing those numbers or doing it systematically—the search engine will then show you more results. In the case of the LabCorp data breach, by changing the numbers in the patient’s address, anyone who knew to look for it could see all of the other available patients’ records.

These records contained detailed personal data, and in some cases, Social Security numbers.

LabCorp has not responded publicly to the report of the LabCorp data breach, although the server has been taken offline and the Google cache link is now useless. TechCrunch reached out to some of the patients whose data they retrieved and confirmed that it was their legitimate records, but LabCorp has not stated what will happen next. This is the second breach of LabCorp’s patient records in a year.
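For the organizations that run such document servers, the digit-changing pattern described above leaves a recognizable trail in web access logs. The following is an added example, not code from LabCorp or TechCrunch; the log format, the `/documents/<number>.pdf` path, the thresholds and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log: client address, method, path, HTTP status.
SAMPLE_LOG = """\
192.0.2.10 GET /documents/48210.pdf 200
192.0.2.10 GET /documents/48210.pdf 200
192.0.2.10 GET /documents/51977.pdf 200
198.51.100.23 GET /documents/48210.pdf 200
198.51.100.23 GET /documents/48211.pdf 200
198.51.100.23 GET /documents/48212.pdf 404
198.51.100.23 GET /documents/48213.pdf 200
198.51.100.23 GET /documents/48214.pdf 200
198.51.100.23 GET /documents/48215.pdf 200
192.0.2.44 GET /documents/10003.pdf 200
192.0.2.44 GET /documents/73120.pdf 200
192.0.2.44 GET /documents/22981.pdf 200
"""

# Hypothetical log layout; adapt the pattern to the real server's format.
LINE_RE = re.compile(
    r"^(?P<client>\S+) GET /documents/(?P<doc_id>\d+)\.pdf (?P<status>\d{3})$"
)


def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... found in a set of integers."""
    ids = set(ids)
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the first number of a run
            length = 1
            while i + length in ids:
                length += 1
            best = max(best, length)
    return best


def find_enumeration(log_text, min_distinct=5, min_run=4):
    """Flag clients that request many document numbers in consecutive order.

    A patient opening their own file touches one or two numbers; someone
    stepping through the address digit by digit touches a long unbroken run.
    """
    requested = defaultdict(set)  # client -> document numbers asked for
    served = defaultdict(set)     # client -> document numbers actually returned
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not document requests
        doc_id = int(m["doc_id"])
        requested[m["client"]].add(doc_id)
        if m["status"] == "200":
            served[m["client"]].add(doc_id)

    findings = {}
    for client, ids in requested.items():
        run = longest_consecutive_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            findings[client] = {
                "distinct_ids": len(ids),
                "longest_run": run,
                "served": len(served[client]),  # records that may need notification
            }
    return findings


if __name__ == "__main__":
    for client, detail in find_enumeration(SAMPLE_LOG).items():
        print(client, detail)
```

Detection of this kind is a backstop. The underlying fix is for the server to check, on every request, that the requester is allowed to see that specific document, and to stop using guessable sequential numbers in document addresses.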

ITRC partner, Breach Clarity, provides a risk score with actions to take after a breach

If you believe your information was exposed as part of the LabCorp data breach, reach out to the Identity Theft Resource Center toll-free at 888.400.5530 or through live chat to speak with one of our advisors about your next steps.

A Landry’s data breach has exposed thousands of people’s information after they had their software compromised. The more things change, the more they stay the same. At least, that is how it appears in the world of cybercrime, data breaches and identity theft. As hackers come up with new tools and tactics to steal information electronically, old methods of gaining financial or identifying information are still just as much of a problem as ever.

A recently announced data breach of Houston-based restaurant and hotel company Landry’s, Inc., proves this point. More than 600 locations in the company’s sixty brands were impacted by unauthorized access to the software that controls their card readers. Patrons who visited these locations between March 13 and October 17 of 2019 are advised to look through their card statements for signs of any unusual activity due to malware that was installed on the company’s servers.

However, Landry’s data breach has a slightly different twist. According to a statement from the company, the issue arose when servers inadvertently swiped payment cards in the wrong type of card reader at a few locations. Some card readers in the locations are used to send food and drink orders directly to the bar or kitchen, and the affected cards appear to have been used in those card readers. The list of brands under the Landry’s, Inc. umbrella can be found here.

All consumers who rely on payment cards for any kind of transaction have to be proactive about their accounts, specifically in watching out for signs that their cards may have been compromised. Enabling security tools from your financial institutions is also helpful, as these tools can alert you to unauthorized transactions the moment they occur.

Landry’s has not mentioned the offer of credit monitoring for affected customers yet, but the company recommends reporting any fraudulent charges from Landry’s data breach to the Federal Trade Commission and to your financial institution.

Popular convenience store chain Wawa has announced a breach that potentially stole the payment card information for customers throughout much of this year. In the case of the Wawa data breach, malware was discovered on the company’s payment processing servers on December 10, and that malware was designed to steal cardholders’ names and card numbers at the time of payment. However, there is no reason to believe that PIN numbers, security codes or driver’s license numbers—used to purchase things like alcohol or tobacco—were compromised in the Wawa data breach.

Unfortunately, their investigation has led them to believe that the malware was installed sometime after March 4 of this year. Customers are urged to look back through their transactions and see if there are any fraudulent charges, which the company has said they will not be responsible for. The company is also offering one year of free credit monitoring to affected customers of the Wawa data breach.

The response to the Wawa data breach—discover the malware, contain it, investigate it and report it with corrective action—is all in line with how businesses are urged to handle these kinds of crimes. It is a massive improvement over data breaches from only a few years ago in which the incident might not have been discovered and the victims not notified for a year or longer.

Incidents like the Wawa data breach should serve as an important reminder to take as much preventive action as you can. First, enabling “card not present” alerts with your financial institution or card issuer will inform you immediately if someone uses your card number without the physical card in their possession. You can also ask your bank what other security measures they specifically offer to prevent these kinds of crimes. Finally, it is important that you check your account transactions routinely in order to spot anything unusual. Do not wait for a notification letter or email to tell you that someone has stolen from you.

More than 3,000 Ring customers’ credentials were compromised in a recently announced Ring doorbell data leak. However, according to sources from the company, there has been no data breach or attack on the company’s systems. What’s at stake, and how did it happen?

First, the compromised information from the Ring doorbell data leak includes some payment card information, email logins and passwords, locations and very specific names that the customers assigned to their Wi-Fi-enabled doorbell/camera combos. Ring, which is famous for its doorbell that lets users see, record and interact with someone who comes to their door, also makes interior cameras that are smartphone-controlled over Wi-Fi. These cameras were accessible to the criminals, even in real-time, once the credentials were stolen.

However, a company spokesperson said that Ring’s network and servers were not compromised, which leads to the possibility of credential stuffing being at the core of the Ring doorbell data leak. This happens when a username and password are stolen in an unrelated data breach, and then those credentials are cross-matched to other accounts. If the customer reused the old stolen email and password on their Ring account, that would give the thief access to it. It would also explain why an oddly specific number of accounts, 3,672 according to Buzzfeed, was accessed.
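On the service side, credential stuffing looks different from an ordinary forgotten password: one source tries many different usernames a few times each, most attempts fail, and the few that succeed are the reused passwords. The sketch below is an added example, not Ring's code or data; the event format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events:
# (unix_time, source_address, username, login_succeeded)
EVENTS = [
    (1000, "203.0.113.50", "ana@example.com", False),
    (1004, "203.0.113.50", "bo@example.com", False),
    (1009, "203.0.113.50", "cy@example.com", True),
    (1013, "203.0.113.50", "di@example.com", False),
    (1020, "203.0.113.50", "eli@example.com", False),
    (1026, "203.0.113.50", "fay@example.com", True),
    (1031, "203.0.113.50", "gus@example.com", False),
    # One person mistyping their own password: same username every time.
    (1100, "192.0.2.8", "hal@example.com", False),
    (1130, "192.0.2.8", "hal@example.com", False),
    (1160, "192.0.2.8", "hal@example.com", True),
    # Ordinary single login.
    (1200, "192.0.2.77", "ivy@example.com", True),
]


def find_credential_stuffing(events, window=600, min_users=5, min_fail_ratio=0.5):
    """Find sources trying many distinct accounts, and the accounts they got into.

    Events are grouped per source into fixed time windows of `window` seconds.
    A window is suspicious when it covers at least `min_users` different
    usernames and at least `min_fail_ratio` of its attempts failed.
    """
    buckets = defaultdict(
        lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()}
    )
    for ts, source, user, ok in events:
        bucket = buckets[(source, ts // window)]
        bucket["users"].add(user)
        bucket["total"] += 1
        if ok:
            bucket["hits"].add(user)  # login worked: password was valid
        else:
            bucket["fails"] += 1

    sources, accounts = set(), set()
    for (source, _window_index), bucket in buckets.items():
        many_users = len(bucket["users"]) >= min_users
        mostly_failing = bucket["fails"] / bucket["total"] >= min_fail_ratio
        if many_users and mostly_failing:
            sources.add(source)
            # Accounts that logged in from a flagged source are the likely
            # reused-password victims: force a reset and notify the owner.
            accounts |= bucket["hits"]

    return {"sources": sorted(sources), "accounts_to_reset": sorted(accounts)}


if __name__ == "__main__":
    print(find_credential_stuffing(EVENTS))
```

The list of accounts to reset is what produces an oddly specific count like the one reported: it is exactly the set of customers whose reused password still worked.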

General password hygiene has been a hot topic for a long time, but the message is still not reaching all tech users. The need for strong, unique passwords has been shared, but unless tech users follow through by creating lengthy, seemingly random passwords that they only use on one account, they are simply not protected. Moreover, changing your passwords frequently is a great idea since a treasure trove of old login credentials could end up online or be discovered long after the fact. If you frequently change your password, it does not matter what kind of information a cybercriminal finds since it will no longer provide access to your account.

There is another concerning facet to the news of the Ring doorbell data leak, and that is the relaxed approach so many tech users have taken to internet-enabled invasions of privacy. While things like cameras and voice-activated home assistants are highly beneficial to a lot of people, there is simply no excuse for installing something like a camera that records your child’s bedroom and then not keeping it as secure as possible. A hacker with the right skillset can break into some of the world’s best defenses, but you do not have to make their job easier by failing to protect yourself. Password security is important at all times, but never more so than when your personal safety is on the line.

As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) went into effect in Europe last year, for example, and it inflicts strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be one of the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches, which happen, for example, when businesses store huge databases of private information on an online server and then fail to password protect it, were a common 2019 identity crime for major-name companies. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in Facebook’s approach at every level of the company in terms of their privacy.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resource Center also recorded 10,000 publicly-notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches of the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.

A recent Macy’s data breach is creating headaches for lots of its shoppers. There are a lot of different ways a cybercriminal can gain access to sensitive data. Not all of those ways involve highly sophisticated technological know-how. Sometimes it is as simple as finding unsecured information online, stealing someone’s work laptop or sending out a fake email that looks like the real thing in order to get the victim to hand over their data.

However, other forms of attack are something straight out of a cyberthriller. Knowledgeable black-hat hackers with a very specific skill set can inject malicious computer code into the script of a website, channeling activity from that website to any location they choose. Even worse, this is often done without the web owner’s knowledge and can continue on undetected for quite some time.

That is the case with the October 2019 Macy’s data breach. A MageCart attack, in which harmful code was embedded into Macy’s retail website, resulted in the loss of customers’ names, addresses, account numbers, credit card information and other related data points. The code was redirecting all of the information that customers entered to another location without Macy’s permission. Imagine the old home phone lines in which two handsets worked on the same phone number. This attack is just like someone picking up the other extension and listening in on a conversation without the other parties knowing.

The Macy’s data breach was discovered about a week after the code was injected into the company’s site. Macy’s has now issued a notification letter to all affected customers of the Macy’s data breach and has established a free 12-month credit monitoring option for those customers. They have also removed the malicious code and enabled safeguards to prevent further attacks of this kind.

As for the customers, there are some key takeaways from Macy’s data breach. First, the only information the thieves managed to steal was data that would be entered when creating your Macy’s account. No Social Security numbers, for example, or information entered upon checkout, were taken. Second, this means that the thieves could have used your stored credit card but could not establish new lines of credit or open new credit cards in your name. If you have card not present alerts enabled from your financial institution, you would have been alerted the moment a thief tried to use the card you have stored on the Macy’s website.

For now, customers affected by the Macy’s data breach are encouraged to monitor their account statements carefully for any signs of fraud, sign up for the free credit monitoring if offered and remember to activate the kinds of security measures that will protect you in the event something like this happens again. Card not present alerts and two-factor authentication are just two of the tools that many banks and credit card companies offer in order to keep you safe.

T-Mobile has become the most recent telecom giant to announce a data breach affecting a large number of U.S. customers. As part of the T-Mobile data breach, more than one million prepaid service accounts were affected, which included names, addresses, phone numbers and information about customers’ rate plans, calling features and international calling.

This information may not appear to be very damaging. After all, there is no financial information or identifying data from the T-Mobile data breach that could allow thieves to open a new line of credit or a new account. However, the information that was compromised could still be used for malicious purposes. By having detailed information on what plan a customer has and what calling features they subscribe to, it would not be very difficult to convince a T-Mobile associate that the hacker is actually the account holder, and then solicit the employee’s help in taking over the account entirely.

T-Mobile has not answered some key questions about the T-Mobile data breach, such as the specific number of customers who were affected and whether it was a breach of its customer website or another online source. While the company should be applauded for a rapid response to discovering the T-Mobile data breach, there is other pertinent information that the public and security experts alike could benefit from knowing.

Many of the customers have already received a text message notification about the T-Mobile data breach, which is another possible cause for concern. Users have to be able to discern between genuine communications from the company and phishing attempts by hackers who are posing as T-Mobile representatives. Any message that asks you to confirm your information, especially sensitive things like your password or PIN, is suspicious and the company has said it will never contact its customers for that kind of data.

This is true of most companies, whether there has been a data breach or not. Phishing attacks work because the victim thinks they are talking to someone from the business. Instead, it is a cleverly disguised copy of a company communication. In any event, there is never a reason to verify your identifying information for someone who contacts you, no matter what form the communication takes. Ignore the message and go directly to your account online in order to verify that everything is okay.
