When news of yet another data breach comes out, the reaction can range from panic to “blah.” At the one of end of the spectrum, consumers can be left with documented feelings of stress, fear and even paranoia about further attacks to their identity. At the same time, a very real phenomenon known as “data breach fatigue” occurs when there are so many attacks that consumers stop taking them seriously.

Fortunately, a new tool can help consumers make sense of a data breach; while neither overreaction nor inaction is an appropriate response, this tool can help people who are affected by the breach understand their options and take corrective action.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and that actionable steps for consumers.

Watch Our New Free Webinar: Deciphering the Code of Data Breach Notifications

Unfortunately, far too many consumers do not check up on these kinds of attacks until it is too late. Even then, many victims of data breaches do not follow up on the support that notification letters offer, including things like identity theft protection or credit monitoring.

Breach Clarity lets users type in a general search term for a known breach and see a graphic representation of the threat level based on a number of factors. These include things like understanding whether or not financial information was exposed or if Social Security numbers (or other sensitive PII) were accessed. From there, a one-to-ten risk score is provided so consumers understand just how seriously this could affect them. The Home Depot breach in 2014 only receives a 3 out of 10 because of the nature of the information that was stolen; the 2015 attack on the US government’s Office of Personnel Management was far more serious and received a 10 out of 10 risk score as a result.

Breach Clarity was unveiled at the 2019 KNOW Conference in Las Vegas where it won first place in the third annual Identity Startup Pitch Competition. The criteria for selecting a grand prize winner included factors like the degree to which the entrant meets the customer’s needs and expectations, innovation, originality, and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

A security researcher discovered an unsecured online storage server—an all-too-common occurrence known as an accidental overexposure—that linked to 4.9 million lines of patient records from an addiction treatment center called Steps to Recovery. Those millions of lines of information were not all for separate patients, but rather were separate entries on almost 150,000 of the same patients, outlining their medical treatment.

When it comes to data breaches and hacking, personally identifiable information like Social Security numbers are considered the “holy grail” of theft. Credit card information or emails are still very valuable and useful—since the card numbers make purchases until the bank shuts them down, or the email address can be sold to spammers—but Social Security numbers are permanent. With the intact data set of identifying information (PII), a thief can sell the complete records or use them to open new lines of credit in someone’s name, potentially forever.

Unfortunately, a Social Security number is not the very worst PII that can be exposed to hackers. As one report has now demonstrated, leaked patient medical treatment records can have a far more harmful effect, making the victim wish that it was “just” their Social Security number that had been stolen.

There is an unfortunate stigma that still surrounds addiction and mental health, and the possibilities are nightmarish for what a hacker could have done with this information. Whether through blackmail by threatening to expose the patients’ treatment or using the information to target them with malicious content, there are no words to describe how this could have brought harm to vulnerable people who sought help for their conditions.

Fortunately, the discovery was made by a security researcher who then contacted both Steps to Recovery and the company that hosts the treatment center’s online server. While the hosting company responded to confirm that the treatment center took down the information, Steps to Recovery never responded to the researcher’s request for information concerning patient notification. It is still not known whether the center ever informed the patients about the leak.

In order to demonstrate just how serious this is, the researcher went a little further. By cross-matching patient records that were left wide open online with basic, free Google searches, he was able to find a reasonable match for a sampling of patients listed in the leak. Those results provided names, addresses, family members’ names, ages, phone numbers and email addresses, and even political affiliations. This demonstrates just how dangerous this leak truly was, and hopefully the patients have now been informed of the situation.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches 

Microsoft announced a data breach that gave hackers limited access to some of its customers’ email accounts. The hackers were able to see email addresses, subject lines of emails, and folders, but not open any emails or their attachments. They also were not able to obtain the customers’ passwords. Essentially, the hackers were able to do the same exact thing as looking over your shoulder in a coffee shop while your email inbox screen was open.

So what’s the big deal?

First, any time an outside agent is able to access a company’s stored data—especially information on its customers—that’s a big deal. In this case, a hacker compromised the login credentials of a customer service agent. The history of data breaches is filled with examples of cybercriminals reaching their intended target by going through this kind of side door, so to speak.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

Also, compromising someone’s login credentials should be a difficult-to-impossible task if the right security measures are in place. Microsoft has not provided details on how the credentials were compromised, or even whether or not it was a Microsoft employee or a third-party customer service provider. If someone was able to “guess” the username and login using readily-available hacking software, then the password wasn’t strong enough. If the hackers obtained the credentials from a previous data breach, then those credentials are being reused and not being updated routinely. If they got the credentials through a phishing scam, then the employee may not have been adequately trained on security practices and protocols.

Finally, this event is a big deal because it serves as yet-another warning about password security, email strength, and data breach fatigue. If your first response to the announcement from Microsoft was, “Here were go again…yawn,” then you may be experiencing data breach fatigue. If you read the announcement and thought, “Well, thank goodness it was just the email addresses!” you may be feeling numb to certain kinds of cybercrimes.

It’s important that customers take all data breaches and hacking attempts seriously. Microsoft has locked down the credentials on accounts that it believes were affected—in order to block any potential access the hackers may gain—but urges all Microsoft account users to change their passwords. Password strength, including frequently changing your passwords, is one of the most important things consumers can do to protect themselves from cybercrimes.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Payment App Protection: Keep Scammers Out of Your Accounts

Hackers are targeting vendors of companies for third-party data breach efforts. This trend rose in 2018, with over 4 million records exposed do to criminal efforts focused on vendor security.

Data breaches often occur at the hand, or keyboards, of hackers. Criminals can infiltrate insecure systems and steal personal data owned or stored by a company. The size of company and amount of personal identifying information (PII) they store factor in to the level of risk for consumers presented by the breach. One of the more newsworthy data breaches of 2018 was Marriot International, which exposed hundreds of millions of guest information including passport numbers. Hackers targeted Marriot because of the potential payoff of lots of lucrative PII, versus targeting many companies that might result in more – but smaller – payoffs. Now hackers are reevaluating their strategy and getting smarter about where they exert their efforts.

This new strategy comes in the form of targeting vendors for third-party data breach. Instead of going after one large company’s data, they go after a vendor who works with multiple large companies and collects even more PII. Third-party vendors – like email servers, payment platforms and web plugins – often work with a multitude of companies ranging in purpose or product offered. Therefore by compromising a third-party’s security measures, a hacker gains access to even more PII from a wide variety of consumers.

This attack on third-parties and subcontractors became a trend in 2018. Of the third-party data breaches that were reported in 2018, 4,823,234 records were exposed four times more compared to 2017 third-party breaches. In 2019, eSentire (a cybersecurity firm) commissioned a study to determine how concerned companies are regarding vendor risk given the trend in data breach.

According to the study, 81 percent of respondents said they had an effective third-party risk policy and 74 percent are confident in their vendors’ protections. However, only 35 percent said managing vendor risk was a priority and 20 percent said they trust vendors to uphold privacy standards blindly. The reality is of the respondents surveyed, 44 percent of them (or their employer) had experienced a data breach involving a vendor in the last 12 months. To make matters worse, only 15 percent were notified of the breach by the responsible vendor.

There is a clear disconnect between the effort put forth into managing vendor security and the amount of trust companies put in their vendors. Companies need to start evaluating vendor relationships and security practices more thoroughly to ensure the safety of consumers. On the opposite end, consumers need to remember that the safety of their data ultimately resides with them and take the utmost precautions with their personal information.

If you are a victim of data breach, or have concerns over a recent data breach and your identity, Breach Clarity can help you identify your potential risk and suggest preventative steps. You can also contact ITRC for free assistance regarding your case. Speak with an expert advisor over the phone (888.400.5530) or through LiveChat.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Whenever consumers learn about another data breach, they might envision a team of highly-skilled tech operatives working away at fancy computers in a darkened, windowless shop. That kind of scenario might happen, but the reality is that many data breaches are pulled off by an individual working off a laptop in a coffee shop. It is also a possibility that the breach occurred completely by mistake  – like when someone forgets to password-protect a server that stores millions of records.

These kinds of accidental data breaches have made headlines in recent months. Truthfully, some are discovered by the good guys who then report them to the companies at fault. The security flaws are fixed and the notification letters get sent out if necessary, all of which happens hopefully before anyone has had a chance to discover the exposed data and use it maliciously.

Even if so-called good guys discover the problem your information was out there for the taking. It is not always a matter of your username and password, sometimes much more personal information is available. Like in the Meditab Software Inc. breach that happened in the first quarter of 2019, where entire medical histories and prescriptions were exposed.

In this chilling situation California-based medical software developer, Meditab, left a feature unprotected in one of its tools. Meditab claims to be one of the world’s leading providers of medical record-keeping software, and it also provides fax capabilities through its partner company, MedPharm. The company was storing patient records on an unprotected server, which meant that any time MedPharm handled the faxing of a patient’s medical records, anyone with internet access could have seen it if they knew where to look.

Fortunately, those good guys discovered this one. A Dubai-based cybersecurity firm named SpiderSilk found that Meditab’s unsecured database included names, addresses, some Social Security numbers, medical histories, doctors’ notes, prescriptions, health insurance data and more. Patients affected ranged in age from early childhood to mature adults.

This kind of violation is a very serious matter under the laws surrounding HIPAA privacy, and the US government has a solid record of going after entities that store information and do not protect it adequately. If the breach was accidental and even if there is no proof that anyone used the information for harm, there are still very heavy fines and penalties for failing to store it securely.

Unfortunately, there are not a lot of actionable steps that individual patients can take in cases like this one. You can, however, ask the hard questions before the event occurs: how will my information be stored, who can access it, what company hosts your electronic database, what are you prepared to do if there is a data breach? Also, remember that there is often no need to share your most sensitive information when filling out basic medical forms; feel free to ask the person requesting it why it is needed.

Medical identity theft is a serious matter, and of all the types of identity-related crimes, this one can potentially have physical consequences for the patient if a thief uses their medical history. It is important to safeguard your medical records as much as possible, and to make your healthcare provider aware if there are any past medical identity theft issues with your personally identifiable information that could impact your care.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

As if a devastating natural disaster was not disruptive enough to people’s safety, homes, and finances, a new threat has emerged – one that was caused by the very people tasked with supporting the victims of natural disasters and other emergencies. The Federal Emergency Management Agency (FEMA) shared documents with a third-party contractor that contained highly sensitive information, some of which was a direct violation of current regulations for FEMA to share.

The current industry term for this kind of data breach event is an accidental overexposure, meaning no harmful intent was behind it and there is no indication of damage from the information falling into the wrong hands. Still, the FEMA data breach gave the potential for someone who was not unauthorized to access the information and use it for identity theft and fraud.

In this case, an internal audit found that FEMA’s documents included things like the victims’ names, addresses, and the names of their financial institutions. Some information also included victims’ electronic transfer numbers for moving funds and their bank transit numbers. Sharing this information seems to have been an oversight on FEMA’s part, and a statement about the incident said that FEMA is taking aggressive action to correct the error.

The name of the contractor in this incident has been redacted, but it is a company with direct ties to victim services. The company helps disaster victims find hotel accommodations that are covered under FEMA funding and therefore did need certain pieces of personally identifiable information on the victims it is helping. Impacted victims from the FEMA data breach include those from Hurricanes Irma, Harvey and Maria, as well as the California wildfires in 2017.

Any time consumers’ personally identifiable information is exposed, compromised or attacked, the likelihood of identity theft-related crimes can go up. The Identity Theft Resource Center has partnered with Futurion to create Breach Clarity, an interactive tool that assigns a risk score to different data breach events. It also outlines in easy-to-understand terms the actionable steps that experts recommend for every breach, from something as simple as changing your password to more involved security measures like a credit freeze.

Update 09/13/2019: This data now includes victims affected by hurricane Harvey, Irma Maria and Sandy as well as CA wildfire disaster survivors with a total of 2.5 million records exposed; 1.8 million having their banking information exposed. FEMA is providing 18 months of free credit monitoring for anyone affected.

For more information visit: https://www.fema.gov/survivor-privacy-incident


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

A recently announced restaurant data breach relied on a fairly old form of attack—retail point of sale systems—but thanks to the interconnected nature of several different companies within the single brand, there could potentially be a lot of victims. Earl Enterprises, which owns numerous restaurants around the US and in locations like Disney Springs, discovered their system had been compromised after malware was detected on their restaurants’ point of sale systems, or payment card “swipers.”

Anyone who dined at any of Earl Enterprises’ six specific brand locations between May 28, 2018 and March 19, 2019 may have had their payment card information stolen. The restaurants include Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. The investigation of the incident does not show that other restaurants owned by the company were affected.

The investigation is still ongoing, and Earl Enterprises has brought in two different cybersecurity firms to uncover what went wrong and how far the restaurant data breach may have spread. They are also working with the state and federal governments on the matter. Just to be safe, though, they recommend that their customers request a free credit check to look for any suspicious activity. You can also request a free credit freeze from each of the three major credit reporting agencies:  Experian, Transunion and Equifax.

There is another very useful tool for consumers that can prove vitally helpful following the announcement of any data breach. Breach Clarity, which recently won the Identity Startup Pitch Competition at the KNOW 2019 Conference, is an interactive database of breach activity. By searching for the name of a company, you can see a threat-score of how serious the event may be, as well as a list of actionable steps you should take if your information may have been compromised as a result.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

A recent data breach of Verifications.io, a company that approves or verifies email addresses for third-parties, exposed 763 million consumer records. Verifications.io ensures third-parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. The unsecured database discovered online by two security researchers did not contain things like passwords or Social Security numbers; however, it did contain an assortment of data points like mortgage amounts, interest rates on loans and social media email logins, along with identifiers like gender and birthdate.

There have been almost 7.7 billion compromised accounts since data breach tracking began in 2013. The total number of compromised data sets listed on Have I Been Pwned?, a security website that lets users see if their identifying information has been exposed, now exceeds the total number of people on Earth.

The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want to know is how Verifications.io got its hands on all of this information in the first place. The Estonian-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. In fact, Hunt has publicly asked for the data breach victims’ help via Twitter. What are you supposed to do when the company that comes under attack had your information without your direct permission? If you can identify your email address compromised in the data breach and used it uniquely (i.e. for one service), researchers are asking that you contact them so they can try to track the path of data sharing.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The How and Why of Tax Identity Theft

It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around one million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those loses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: The Government Shutdown is Hurting Crime Victims