• Identity Management Day 2021 is about informing people of the dangers of improperly managing and securing digital identities. It is also designated to share best practices. 
  • The biggest threat to individual identities is the significant shift away from traditional identity theft fueled by personal information acquired in mass attacks and towards credential theft used to commit identity fraud, according to the Identity Theft Resource Center.  
  • Targeted attacks against businesses are easier for threat actors to execute and result in a larger payout. The average ransomware payment from companies has grown from less than $10,000 in Q3 2018 to more than $312,000 per event today.  
  • To protect themselves, businesses and consumers should follow cyber-hygiene best practices, especially good password management. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/

Save the date for the first-ever Identity Management Day! Identity Management Day 2021, hosted by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), is a day to inform people about the dangers of improperly managing and securing digital identities. It raises awareness, shares best practices and leverages the support of vendors in the identity security space.  

Identity Management Day 2021 is important for both businesses and individuals. According to IDSA, 79 percent of organizations have experienced an identity-related breach in the last two years, and 99 percent believe their identity-related breaches were preventable. A report from the Federal Trade Commission (FTC) shows that identity theft reports have tripled since 2018.  

Technology grows in importance every day as the world moves towards a digital-first model. With the emphasis on technology, it is more vital that people’s digital identities and the systems that protect them work properly. 

The Biggest Identity Management Challenge Facing Businesses & Consumers  

The biggest threat the Identity Theft Resource Center (ITRC) sees to identities is the dramatic shift to credential theft and away from traditional attacks fueled by personally identifiable information (PII) acquired in mass attacks. Today, threat actors are more interested in collecting personal and business logins and passwords that can be used in credential stuffing, phishing (including business email compromises or BECs) and supply chain attacks.  

  • Statistics show that cybercriminals are spending more time and effort on attacks that rely on personal credentials to commit cybercrimes like identity-related fraud. According to the ITRC’s Q1 2021 Data Breach Report, the number of individuals impacted by a data compromise was up 564 percent in Q1 2021 compared to Q4 2020. The rise is due in large part to an increase in supply chain attacks. There have been supply chain attacks at 27 third-party vendors and 19 supply chain attack-related data compromises in Q4 2020.  
  • According to the FBI, BEC scams cost businesses more than $1.8 billion in 2020. The ITRC’s 2020 Data Breach Report shows 382 phishing/smishing/BEC attacks, making up 44 percent of all publicly-reported U.S. data breaches in 2020.  
  • The trend toward supply chain attacks shows that cybercriminals are concentrating their efforts by attacking single organizations that give them access to the data of multiple businesses. Instead of attacking 1,000 consumers to gain $300,000, threat actors attack one company and walk away with the same amount or more money with less effort and risk. 

What You Can Do 

The ITRC’s advice is simple and revolves around good password and cyber-hygiene practices.  

  • A long and memorable password (12+ characters) is a great way to keep people out of your account. Such passwords are easier to remember and harder for a criminal to crack with an automated tool. 
  • It is essential to have a unique password for each account. If your credentials for one account are stolen, threat actors will not be able to access any of your other accounts.  
  • Do not use a password from one of your personal accounts on a work account. It puts consumers and businesses at an increased risk. 
  • Multifactor authentication (MFA) is always a good idea because it creates an added layer of security for the account. It is better to use MFA with an app than SMS because hackers can create scams with fake SMS MFA messages.  
  • Never click on a link in an unsolicited email, text or social media direct message. You should directly contact the sender to see if the message is legitimate if there is any doubt.  

The ITRC is honored to participate in Identity Management Day 2021 and hopes to educate business leaders, IT decision-makers and the general public about the importance of managing and securing digital identities. To learn more or participate in Identity Management Day 2021, visit https://www.idsalliance.org/identity-management-day-overview/.  

  • According to a report from Javelin Strategies, traditional identity theft is declining. However, what one might think of as identity theft is being replaced by identity fraud.
  • It is part of a trend identified by the Identity Theft Resource Center (ITRC) in 2020. Cybercriminals continue to move away from mass data breaches of consumer information to more targeted attacks like phishing, ransomware and supply chain attacks.
  • There is no reason for consumers to panic. One record exposed is one too many, but one can’t determine the risk represented by a data breach based on the size of the breach. Knowing what records are exposed is far more important than how many records are compromised.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Path is Smooth That Leadeth on to Danger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 2, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about the FBI’s most recent cybercrime report that shows an exponential increase in cybercrime and the losses associated with it. This week we look at how people can assess what that really means for them or their business.

In his poem, Adonis and Venus, Shakespeare wrote, “The path is smooth that leadeth on to danger.” That is the title of this week’s episode, reflecting how our desire for convenience often leads to risky behaviors.

Traditional Identity Theft is on the Decline

Let’s start with a good and bad news trend. A report from Javelin Strategies is the latest to show that “traditional identity theft” is declining. That’s good news. However, here is the “but” people may be expecting: what we think of as identity theft is being replaced by identity fraud.

Identity Fraud Cases Are on the Rise

What does that mean? It’s part of the general trend we’ve discussed where cybercriminals move away from mass data breaches of consumer information to more targeted attacks. Phishing, ransomware and supply chain attacks are good examples of the kinds of exploits that allow criminals to hit a company. The criminals reap hundreds of thousands of dollars from a single organization instead of the old-school way of attacking thousands of consumers.

However, less risk to individuals is not the same as low or no risk. In fact, the whole concept of identity fraud is based on using consumer behaviors to lure people into a scam. Maybe it’s a text that says someone’s Amazon account has been frozen, and the user needs to click on a link to verify their password to unlock it – and they do. They have just handed the criminals their login and password, which regulars of the podcast know are 10x more valuable to a data thief than a consumer’s credit card information.

Maybe someone gets an email from Google or Microsoft claiming their payment card is about to expire. All the user needs to click on is a link to log in and update their information. However, the email and login webpage are deep fakes, and the user just shared their login, password and credit card information with criminals.

All of these phishing techniques are predicated on our behaviors as humans, the need to instantly address any issue that appears by text or email in the most convenient way possible.

While different research reports come up with different identity fraud case totals, they all agree it is on the rise, and the dollar value starts with a B, as in billions. Right now, one might be thinking, “Well, that’s just great. Do I panic now or panic later?”

No Reason for Consumers to Panic

First, there is no reason to panic at all. People may have seen a media headline that talked about more records being exposed in data breaches in 2020 than in the past 15 years combined. While that is attention-grabbing, it’s not particularly meaningful.

One record exposed is one too many, but the reality is one can’t determine the risk represented by a data breach based on the size of the breach. Someone’s date of birth and Social Security number are two records. They may have been exposed thousands of times over the past 15 years, but they are still only two data points, and they don’t change.  However, the risk associated with each data point is very different.

Knowing what records are exposed is far more important than how many records are compromised. Knowing how to protect your own information is the most important information, and that’s where the ITRC can help.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

  • According to the FBI’s annual report on cybercrime, in 2016, nearly 300,000 cybercrime reports were filed with the FBI. The total impact of the cybercrimes was $1.5 billion. 
  • In late 2020, the number of crimes reported more than doubled to almost 800,000. The rate of loss skyrocketed to $4.2 billion, a 180 percent increase. 
  • However, despite the cybercrime increase, the IC3 Recovery Asset Team scored an 82 percent success rate in helping victims recover money transferred to criminals. Nearly $380 million was restored to victims of cybercrime. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Since Noah Was a Sailor 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we look at the FBI’s annual report on cybercrime, highlighting a significant cybercrime increase. It’s been 21 years since the Bureau’s Internet Crime Complaint Center (IC3) was formed to track cybercrime.  

That’s almost as long as the commercial internet has been in existence, or as Shakespeare would put it in Twelfth Night, “since Noah was a sailor.” That is the title of this episode as we look at the long-term trends in cybercrime. 

Changes in Cybercrime 

It’s not particularly instructive to compare cybercrime in 2000 to 2021. It is safe to say that there is a cybercrime increase. Far more cybercriminals commit exponentially more fraud today than when people still had to dial up their internet connection with a modem. Anyone who remembers doing so is hearing that sound right now in their head. 

What is more helpful is to look at the last five years of data from the FBI. We apologize for listing many numbers and asking everyone to visualize the magnitude of the changes in half a decade. However, the numbers speak for themselves.  

Cybercrime in 2016 

In 2016, Captain America: Civil War was the top box office grossing movie, and Game of Thrones was the undisputed ratings champ on television. The Denver Broncos won the Super Bowl, the Chicago Cubs won a World Series for the first time in 108 years, and nearly 300,000 cybercrime reports were filed with the FBI.  

The total impact of the cybercrimes was $1.5 billion. The number one complaint (81,000 of them) was when someone ordered a product on the internet and did not receive it, or a merchant did not receive payment for a product sold over the web. 

Data breaches were the second-highest complaint at 27,000 reports, followed by phishing, extortion and identity theft with just under 17,000 complaints. 

Cybercrime in 2020 

Fast forward to the end of 2020, with much of the world still on pandemic lock-down. Many people are doing the bulk of their work and business transactions online. 

The number of complaints more than doubled – from nearly 300,000 to almost 800,000. The same can be said of the rate of loss. $1.5 billion in 2016 turned into $4.2 billion in 2020 – a 180 percent increase in losses attributed to cybercrime. 

Where non-payment or non-delivery of goods was the number one complaint five years ago, in 2020, it was phishing in all its various forms. Phishing reports grew from 19,000 in 2016 to more than 241,000 attacks against businesses and individuals in 2020. Losses attributed to 19,000 business email compromises (a subset of phishing) totaled more than $1.8 billion last year alone. 

IC3 Team Helps Victims 

There is some good news in the FBI’s annual cybercrime report around the cybercrime increase. The IC3 includes a team assigned to help victims under certain circumstances recover money transferred to criminals. In 2020, the Recovery Asset Team scored an 82 percent success rate, restoring nearly $380 million to cybercrime victims. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, including when to report a crime to IC3, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

  • A new Google Photo sharing scam is the latest attempt to steal your credentials to hack and access your accounts.
  • You receive a message claiming to be from Google Photo that says someone is sharing a photo album with you. You’re asked to log into your account, except the message isn’t real, and the criminals take off with your Google credentials.
  • If you receive a message you are not expecting or from someone you don’t know, don’t click on any link in the message.
  • If you want to learn more about the Google Photo sharing scam or if you are a victim, contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat. Just visit www.idtheftcenter.org to get started.

Scammers always try to find different ways to attack consumers. One new attempt is through a text or email that appears to come from Google Photo. The Identity Theft Resource Center (ITRC) recently received a suspicious message that appeared to be a legitimate attempt to share a Google Photo album. However, it was actually a phishing scam.

Like many phishing attacks, the Google Photo sharing scam is an attempt to steal your credentials. The tactic has become more common with cybercriminals shifting away from attacks seeking consumer information and towards attacks that target logins and passwords. 

Who is the Target?

Text message users; email users

What is the Scam?

You receive what appears to be a real attempt to share a Google Photo album. The message claims that someone has shared a photo album with you. However, there is no photo album. Once you click the “View Photo” link, you are sent to another website that asks you to log into your Google account. That website captures whatever you type, so you have just handed the identity thieves your credentials and access to your account.

What They Want

It’s always easier to steal something when you have the key to a lock instead of having to break into where valuables are kept. Identity criminals want to access personal and work accounts because that’s easier and faster than trying to break into a system. The Google Photo sharing scam is a way for identity criminals to get the credentials needed to access and steal personal and company information. According to the FBI, email compromises cost U.S. businesses $1.8 billion, and phishing schemes cost individuals $54 million in 2020.

How to Avoid Being Scammed

  • Never click on a link in a suspicious or unexpected message. While the message might look legitimate, the links and attachments could still have malware. Instead, if the message comes from a “company,” reach out to the company directly to verify whether the message is real. If it comes from an unknown person, delete the message without clicking any links.
  • Check the URL link and be on the lookout for short links. Sometimes, there are signs in the link that give away it is a scam. For example, a link address might read “Goo.gle” instead of “Google.” You are more likely to see that when a link is shortened, a favorite tactic of cybercriminals. Another tactic is link text that reads like a legitimate address (such as Google.com) while the actual destination, revealed when you hover over the link, is an unknown site.
  • Use Multifactor Authentication (MFA) on important accounts. Even trained cybersecurity professionals fall for sophisticated phishing attempts that look real. That’s why it’s important to use MFA on any account that offers the feature. Use an authenticator app when possible – Microsoft and Google offer them for free – because they are more secure than just having a code texted to your mobile device. With MFA in place, having your login and password won’t help a criminal access your protected accounts.
  • Never reuse or share passwords. Criminals steal logins and passwords because they know most people use the same password on multiple accounts. Too many people also use the same passwords at home and work. Make sure each account has a unique password that is at least 12 characters long.
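The link checks described above (shortened links, link text that shows one address while the link goes elsewhere, and look-alike hosts such as “Goo.gle”) can be automated for a message you have already received. The following is an added example, not code from the ITRC; the sample message, the hosts in it and the shortener list are constructed for illustration, and the registrable-domain logic is a simplification.

```python
"""Flag suspicious links in a share-notification style message.

Added example (not from the ITRC post): it applies the three checks the
post describes, shortened links, link text that shows one address while
the href points elsewhere, and brand look-alike hosts such as "goo.gle",
to the anchors of a constructed sample message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of well-known URL shorteners; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample: styled like a photo-album share; the hosts are invented.
SAMPLE_HTML = """
<p>Someone shared a photo album with you.</p>
<p><a href="https://accounts-google.example/login">View Photo</a></p>
<p><a href="https://bit.ly/3xyzAbc">https://photos.google.com/share</a></p>
<p><a href="https://goo.gle.example/album">Google.com</a></p>
<p><a href="https://photos.google.com/share/abc">Open in Google Photos</a></p>
"""

# Text that reads like an address: optional scheme, dotted host, optional path.
_URLISH = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare text like 'Google.com' is treated as a host."""
    s = url_or_text.strip()
    if not re.match(r"^https?://", s, re.I):
        s = "https://" + s
    return (urlparse(s).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host (simplification: ignores suffixes like co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text, expected_brand="google.com"):
    """Return the reasons a link is suspicious; an empty list means no findings."""
    findings = []
    href_host = host_of(href)
    href_domain = registrable_domain(href_host)

    # 1. Shortened links hide the real destination.
    if href_domain in SHORTENERS:
        findings.append(f"shortened link ({href_domain}) hides the real destination")

    # 2. Visible address and actual destination disagree (the hover-over check).
    if _URLISH.match(text):
        text_domain = registrable_domain(host_of(text))
        if text_domain != href_domain:
            findings.append(f"visible address is {text_domain} but link goes to {href_domain}")

    # 3. Brand name appears in the host, but the registrable domain is not the brand
    #    (catches "goo.gle" and "accounts-google.example" style look-alikes).
    brand = expected_brand.split(".")[0]
    squashed = href_host.replace(".", "").replace("-", "")
    if brand in squashed and href_domain != expected_brand:
        findings.append(f"host {href_host} imitates {expected_brand} but is really {href_domain}")
    return findings


def scan_message(html, expected_brand="google.com"):
    """Map each suspicious href in an HTML message to its list of findings."""
    collector = _AnchorCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_link(href, text, expected_brand)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Only the genuine photos.google.com link comes back clean; the other three are each flagged with the specific reason, which is the same reasoning a person applies when hovering over a link before clicking.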

If you believe you are a victim of a Google Photo sharing scam or would like to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • As more people get the coronavirus vaccine, the level of COVID vaccine fraud could rise, particularly around vaccine passport and scheduling apps and vaccination cards.
  • Right now, there are no programs in the U.S. that use or require a vaccine passport app. If anyone receives a message about one, it is a scam trying to steal people’s credentials or get them to pay for a fake app or service.
  • There are apps to schedule a vaccine. However, an app that asks for money or personal health information (PHI) should raise a red flag.
  • Many people are posting pictures online of their vaccination cards once they’ve gotten the COVID shot. The Identity Theft Resource Center (ITRC) does not recommend people post these photos unless they blur out their personal information to reduce identity risks.
  • If anyone wants to learn more about COVID vaccine fraud concerns or believes they have been the victim of a COVID vaccine scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

The number of Americans receiving the COVID vaccine is on the rise. According to the Centers for Disease Control and Prevention (CDC), well over 100 million vaccines have been administered, and more than 12 percent of Americans are fully vaccinated. States across the U.S. are moving beyond limited groups to vaccinate the general public, leading to concerns over COVID vaccine fraud. There are several different ways identity criminals could attack.

Vaccine Passport & Scheduling Apps

There are no current programs in the U.S. that use or require a vaccine passport. While the World Health Organization (WHO) says the race is on to develop a vaccine passport, any phone calls or messages asking you to download a COVID vaccine passport app are a scam. However, there are apps for vaccine scheduling, like the CDC’s Vaccine Schedules app and other healthcare apps. With that said, any app that asks for money or personal health information (PHI) could be suspect. Fake apps often attempt to either steal someone’s credentials, get them to pay for the fraudulent app, or use a fraudulent vaccine scheduling service.

Vaccination Cards

Another COVID vaccine fraud concern involves COVID vaccine cards. By now, most people have probably seen at least one of their friends, family members or co-workers post a picture online of their COVID vaccination card. COVID vaccine cards have personal information (name, birth date and vaccination location) on them that people need to safeguard. Posting vaccine cards could help scammers create and sell phony vaccination cards or even hack accounts. The Identity Theft Resource Center (ITRC) recommends people remove or block sensitive information before they post their cards online.

According to a Better Business Bureau (BBB) alert, there have been no reports of fake vaccination cards sold in the U.S. However, in Great Britain, scammers have already been caught selling phony vaccination cards on eBay and TikTok.

How to Avoid a COVID Vaccine Scam

COVID vaccine scams based around fake websites and vaccines have been around since nearly the beginning of the global pandemic. There is no reason to believe the trend will decline as more COVID vaccines are administered. Consumers should be aware of the COVID vaccine fraud attempts and take the following steps to protect themselves:

  • Do not download any apps that claim to be a vaccine passport.
  • Only schedule vaccination appointments through official websites, a local health authority, or your medical provider. Services requiring payment to schedule an appointment are a sign of fraud.
  • Do not post pictures of your vaccination card online unless the personal information is blocked or removed.
  • Only get vaccinated from a licensed medical provider.
  • Do not respond to any calls, emails or text messages about COVID vaccines that ask for your personal information. Also, don’t click on any links, attachments or files unless you initiated the contact. If in doubt, reach out to the entity directly to verify the validity of a message.

Contact the ITRC

For more information on COVID vaccine fraud concerns, or if someone believes they are the victim of a COVID vaccine scam, contact the ITRC toll-free by phone (888.400.5530) or live-chat. Visit our website for the latest news on COVID scams and other identity-related issues. All people have to do is go to www.idtheftcenter.org to get started.

  • The California Attorney General announced a new California Consumer Privacy Act (CCPA) regulation that bans a business practice that makes it more difficult for consumers to opt out.  
  • The new CCPA regulation means businesses will not be able to direct consumers to different web pages or to sit through explanations of why they should not opt-out. It also means the addition of a new button for companies to use to guide people where they can opt-out of having their data sold. 
  • The American Medical Collection Agency (AMCA) settled with 41 state attorneys general over the 2019 AMCA data breach. If AMCA does not live up to the settlement terms, it could lead to $21 million in fines to be paid to the states. 
  • For more information on the new CCPA regulation, consumer privacy opt-outs, and the AMCA data breach settlement, listen to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

But Wait, There’s More! 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 19, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. 

Back in the early days of infomercials, there would come the point in a television ad selling the latest knife set or blender when the person making the pitch would stop, look earnestly into the camera, and shout, “but wait, there’s more!” That’s the title of this week’s episode, where we look at a new California Consumer Privacy Act (CCPA) regulation and provide an update on a major 2019 data breach.  

New CCPA Regulation and its Effect on Consumer Privacy Opt-Outs 

Even though the CCPA has been in effect for more than a year, there’s an important part of the legislative process that tends to be left out of civics lessons. Most laws require regulations to be adopted to enforce them. 

The new CCPA regulation formally adopted this past week was proposed in response to a practice known as “Dark Patterns.” This practice makes exercising one’s rights so confusing or frustrating that people give up trying.  

Consumers may be directed to another web page, forced to click on multiple pages, or scroll through a series of screens. People may even have to sit through a long explanation of why they shouldn’t opt-out of allowing a company to sell their data. 

That’s not what the California legislature had in mind when it passed the law in 2018. There were promises it would be easy for Golden State residents to exercise their new-found privacy rights. Chief among those rights was a requirement for businesses governed by the CCPA to put a “Do Not Sell My Information” button in a prominent place on their web pages.  

Along with banning practices that impede a consumer privacy opt-out of data sales, the new CCPA regulation also includes a new button that companies can use to help guide consumers to where on their website they can go to exercise their privacy rights.  

Known as the Privacy Options icon, the blue website button was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. It was tested against other icons to determine the best design for communicating consumers’ privacy choices. 

Look for those coming to a website near you. 

But wait, there’s more! 

American Medical Collection Agency Settles with States over 2019 Data Breach 

In 2019, the medical debt collection company American Medical Collection Agency (AMCA) revealed the company had been the target of an eight-month-long cyberattack. It resulted in a data breach of information regarding at least seven million people and possibly as many as 21 million people. Shortly after announcing the security and data breaches, AMCA filed for bankruptcy. 

Forty-one state attorneys general intervened in the bankruptcy proceeding recently and received the court’s permission to enter into a settlement with AMCA. No financial penalties apply because of the financial condition of the company. However, AMCA agreed to a series of cybersecurity upgrades and ongoing audits. If AMCA fails to live up to the terms of the agreement, it will trigger $21 million in fines to be paid to the states. 

As Steve Jobs would say, just one more thing. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.  

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • IT security provider Accellion suffered an attack on their file-sharing product. It resulted in multiple entities being impacted by the Accellion data breach, including the Office of the Washington State Auditor.  
  • A data breach at Astoria Company, LLC. led to a database with 300 million users’ data being offered for sale by cybercriminals. According to Night Lion Security, the database is believed to have 20 million users’ Social Security numbers (SSNs) and bank account information, and 30 million users’ sensitive medical data. 
  • The California Department of Motor Vehicles suffered a security incident after a third party, Automatic Funds Transfer Services, Inc., was the victim of a ransomware attack in early February. The attack may have compromised 38 million records of millions of Californians over the last 20 months. 
  • For more information about February data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website. 

Notable February Data Breaches in 2021 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in February, three stood out: Accellion, Astoria Company, LLC. and the California Department of Motor Vehicles. All three data events are notable for unique reasons. One event happened when a file-sharing product was targeted in a highly sophisticated cyberattack that affected many well-known entities; another event, which occurred after an attack by ShinyHunters, led to a 300 million user database being offered for sale – a database that includes an array of sensitive personally identifiable information (PII); the third event may have compromised as many as 38 million driving records. 

Accellion 

IT security provider Accellion was the target of an attack, first disclosed in late December, that targeted Accellion’s 20-year-old file-sharing product, File Transfer Appliance (FTA). According to TechTarget, the attackers utilized a zero-day vulnerability in FTA in what Accellion called a “highly sophisticated cyberattack.” Threat actor motivations were not immediately clear. However, FireEye recently published research that showed the Accellion data breach was the work of a threat actor the vendor identified as UNC2546, which has connections to Clop ransomware. 

The Accellion data breach has impacted multiple entities in the U.S. They include Flagstar Bank, Jones Day, Qualys, Kroger, University of Colorado and, most notably, the Office of the Washington State Auditor. The breach may have also impacted Goodwin Law, Southern Illinois University School of Medicine, Trillium Community Health Plan and Harvard Business School.  

[Image: the Accellion data breach impacting multiple entities, as tracked in the ITRC’s notified data breach dashboard]

The information exposed varies by entity. However, a notice from the Office of the Washington State Auditor says the data includes personal information from about 1.6 million unemployment claims made in 2020 to the office, as well as other information from some state agencies and local governments. 

Astoria Company, LLC. 

Marketing company Astoria Company, LLC. fell victim to an attack by the ShinyHunters cybercrime group. According to Night Lion Security, the threat intelligence team became aware of several new large data breaches being sold by ShinyHunters, including a 300 million user database from Astoria.  

The Astoria database is believed to contain 40 million users’ Social Security numbers (SSNs), 20 million users’ SSNs and bank account information, and 30 million identities linked to sensitive medical data. Night Lion Security says every lead within the database contained, at a minimum, names, email addresses, dates of birth, mobile phone numbers, physical addresses and IP addresses. 

California Department of Motor Vehicles 

The California Department of Motor Vehicles (DMV) is investigating a security breach that may have compromised as many as 38 million records belonging to millions of Californians over the last 20 months. According to Patch, a company the California DMV contracts with to verify vehicle registration addresses – Automatic Funds Transfer Services, Inc. – was the victim of a ransomware attack in early February. Automatic Funds Transfer Services, Inc. has access to the names, addresses, license plate numbers and vehicle identification numbers of registrants. However, the DMV says the contractor does not have access to SSNs, birthdates, voter registration information, immigration status or driver’s license information. 

In a recent press release, the DMV said its systems have not been compromised, and it is unknown if DMV data shared with Automatic Funds Transfer Services, Inc. has been compromised. The DMV immediately stopped all data transfers to the company and notified law enforcement, including the Federal Bureau of Investigation (FBI).  

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a passphrase of 12 or more characters, changing the passwords of any other accounts that share the same password as the breached account, considering a password manager, and keeping an eye out for phishing attempts claiming to be from the breached company. 
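The two pieces of that advice that can be made mechanical are the new passphrase and the hunt for other accounts that reuse the breached password. The following is an added example written for this page, not ITRC code: it builds a 12+ character passphrase from a word list with the `secrets` CSPRNG, reports the entropy that passphrase carries, and, given a constructed credential inventory (`SAMPLE_ACCOUNTS`) and the name of the breached site, lists the other accounts whose passwords must be rotated next. The word list, the site names and the passwords are all constructed for illustration; a password manager export and a larger diceware-style list would replace them in practice.

```python
"""Added example (not ITRC code): a 12+ character passphrase generator and a
password-reuse check over a constructed credential inventory."""
import hashlib
import hmac
import math
import secrets

# Constructed word list. Assumption: a real deployment would use a list of a few
# thousand words (e.g. a diceware list) to get more entropy per word.
WORDS = (
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saffron", "thistle", "umber", "velvet", "willow", "zephyr",
)

MIN_PASSPHRASE_LEN = 12  # the ITRC's "12+ character" recommendation

# Constructed credential inventory: (site, password). Two accounts deliberately
# reuse the same password so the reuse check has something to find.
SAMPLE_ACCOUNTS = [
    ("bank.example", "Tr0ub4dor&3"),
    ("email.example", "Tr0ub4dor&3"),
    ("shop.example", "correct-horse-battery-staple"),
    ("forum.example", "ember-quartz-willow-dune"),
]


def generate_passphrase(n_words=4, words=WORDS, sep="-"):
    """Return a passphrase of n_words words chosen uniformly with secrets.choice().

    Words are drawn again until the joined result meets MIN_PASSPHRASE_LEN; with
    four words from this list that holds on the first try, but the loop keeps the
    guarantee if a caller passes a list of very short words or a small n_words.
    """
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= MIN_PASSPHRASE_LEN:
            return phrase


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy in bits of n_words words drawn uniformly from wordlist_size words.

    Each word contributes log2(wordlist_size) bits; the separator adds none.
    """
    return n_words * math.log2(wordlist_size)


def _fingerprint(password, key):
    """Keyed hash of a password so the grouping result never carries plaintext.

    The key is random per run, so fingerprints cannot be precomputed or compared
    across runs; this is an equality token, not a storage format.
    """
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reused_passwords(accounts):
    """Group sites by password; return {fingerprint: [sites]} only for passwords
    used on more than one site. Sites keep their input order."""
    key = secrets.token_bytes(32)
    groups = {}
    for site, password in accounts:
        groups.setdefault(_fingerprint(password, key), []).append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def sites_to_rotate(accounts, breached_site):
    """Return the other sites whose password equals the breached site's password,
    i.e. the accounts the ITRC says to change right after the breached one."""
    lookup = dict(accounts)
    if breached_site not in lookup:
        raise KeyError(f"unknown site: {breached_site}")
    breached_pw = lookup[breached_site].encode("utf-8")
    return [site for site, pw in accounts
            if site != breached_site
            and hmac.compare_digest(pw.encode("utf-8"), breached_pw)]


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(f"new passphrase: {phrase} ({len(phrase)} chars, "
          f"{passphrase_entropy_bits(4, len(WORDS)):.1f} bits from this "
          f"{len(WORDS)}-word list)")
    print("reused password groups:",
          list(find_reused_passwords(SAMPLE_ACCOUNTS).values()))
    print("after a breach at bank.example, also rotate:",
          sites_to_rotate(SAMPLE_ACCOUNTS, "bank.example"))
```

Four words from a 24-word list give only about 18 bits of entropy, which is why the comment in the block insists on a list of thousands of words: with a 7,776-word diceware list the same four words give roughly 52 bits, and the "12+ characters" rule is then satisfied as a side effect rather than being the goal.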

The California DMV asks anyone who spots suspicious activity on their account to report it to law enforcement.  

The Office of the Washington State Auditor has set up a website for the latest information on the Accellion data breach and its impacts on the State Auditor’s Office. 

notified 

For more information about February data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started. 

  • While there were only a handful of supply chain attacks in 2020, there have already been three high-profile attacks in 2021 with the Accellion data breach, the SITA data breach and the Microsoft Exchange server attack.  
  • The Identity Theft Resource Center (ITRC) began to see a rise in supply chain cyberattacks in the second half of 2020 with the Blackbaud data breach and the SolarWinds cyberattack.  
  • For more information on these incidents and the recent rise in supply chain attacks, listen to the ITRC’s Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

Don’t Shoot the Messenger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 12, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We’ve focused for the past two episodes on data privacy and how state laws are giving consumers more rights and businesses more obligations to keep personal information safe and secure. This week, we talk about the challenges of doing just that – protecting data – while supply chain attacks are on the rise. 

In Shakespeare’s Antony and Cleopatra, a messenger is sent to inform the Egyptian Queen that her lover has married another, prompting a threat to treat his eyes as the Ptolemaic version of tennis balls. In response, the messenger reminds Cleopatra that “I that do bring the news made not the match.” Today we would put it more simply, which gives us the title of this week’s episode – “Don’t shoot the messenger.” 

Yet, this is where many businesses find themselves now as they send out data breach notices to customers – even though they did not cause the problem. A vendor did. 

A Look Back at the Blackbaud Data Breach 

People might recall that one of the highest-profile cyberattacks in 2020 involved a company known as Blackbaud. The company, an IT provider to nonprofits, healthcare and education institutions, was breached, and the data of more than 500 organizations and 12 million individuals was held for ransom. People might also recall that this kind of attack, in which a cybercriminal can get the information of many companies from a single vendor, is known as a supply chain attack. 

The ITRC’s 2020 Data Breach Report Studies the Blackbaud Data Breach

Supply Chain Attacks on the Rise  

There were only a handful of supply chain attacks in all of 2020. However, so far in 2021, there have been three high-profile attacks – two in the last two weeks. One of the events involves one of the biggest names in technology: Microsoft. 

This cluster of attacks reinforces a trend the ITRC saw take hold toward the second half of 2020 with the Blackbaud breach. It was followed by the blockbuster cyberattack against the IT services company SolarWinds, which impacted cabinet-level agencies in the U.S. government and an undetermined number of private sector companies (believed to be in the thousands). 

Accellion Data Breach 

While the SolarWinds attack appears to be the work of threat actors gathering intelligence for the Russian government (not consumer data to sell), the ransomware group that attacked software provider Accellion wanted information it could hold hostage or sell outright. It did not want information from Accellion itself, but from the customers whose information could be stolen through Accellion’s tech platform. 

The criminals went to the time and expense of reverse-engineering the 20-year-old Accellion platform and found new flaws as well as old, unpatched ones. Those flaws allowed them to extract information from high-profile clients – including law firms, telecommunications companies, universities, grocery store chains and government agencies in the U.S. and other countries. The lesson for defenders is that a 20-year-old internet-facing appliance needs the same patching and monitoring scrutiny as in-house software, and usually a plan to retire it. 

SITA Data Breach 

We don’t know how a supply chain cyberattack against tech provider SITA was executed. However, we know that the company processes the frequent flier information of 90 percent of the world’s airlines. The company describes the cyberattack as “highly sophisticated,” and member airlines have started informing their frequent fliers of the breach.  

Microsoft Exchange Server Attack 

The third supply chain cyberattack in this most recent string is also the most dangerous. A cybercriminal group based in China was able to exploit flaws in on-premises Microsoft Exchange servers, the kind that run the ubiquitous Outlook email service inside organizations. The threat actors planted backdoors, in the form of web shells, on company email servers; those backdoors could be used to take control of the email system from outside the network where the server resides. 

More than 100,000 organizations worldwide could be impacted by the cyberattack, including at least 30,000 in the U.S. Government officials and Microsoft leaders have all encouraged organizations operating Exchange servers to patch their servers immediately. They have also made a series of tools available to help users determine if the attack has impacted them. The distinction matters: patching closes the hole, but it does not remove a backdoor that was planted before the patch was applied, so organizations need to do both. 

Fortunately, these issues do not involve the cloud-based Microsoft 365 services used by individuals and small businesses that include Outlook email. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. That includes small businesses, too. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 


  • According to ID.me Founder and CEO Blake Hall, the ultimate unemployment benefits fraud totals could be between $200-$300 billion for the last year.  
  • Hall also says that over 50 percent of the claims being paid on are fraudulent, individuals are applying with their own identity in multiple states, and that eligibility fraud is at 30 percent.  
  • To learn more, listen to this week’s episode of The Fraudian Slip.  
  • You can learn more about the identity-related crimes discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website www.idtheftcenter.org
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started. 

Below is a transcript of our podcast with special guest Blake Hall, CEO of ID.me 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. 

This month, March, we will explore one of the key issues at the root of the tsunami of fraudulent unemployment benefit claims prompted by the COVID-19 pandemic. The level of benefit fraud has gone from truly unprecedented to staggering. 

In mid-2020, the Inspector General for the U.S. Department of Labor told Congress that stolen unemployment benefits could reach $26 billion. That was before the state of California warned benefit fraud had already exceeded $11 billion in that state alone. As of this past weekend, officials estimate the amount of fraud to be more than $60 billion. 

Our guest on this month’s podcast, ID.me Founder and CEO Blake Hall, predicts the ultimate unemployment benefits fraud totals will be between $200-$300 billion. He also says over 50 percent of the claims being paid on are fraudulent, individuals are applying with their own identity in multiple states, and that eligibility fraud is at 30 percent.  

This is just one piece of a bigger identity-related fraud puzzle. Complaints to the Federal Trade Commission (FTC) about identity-related fraud more than doubled in 2020, with government credential and benefit fraud topping the list. 

What is the common denominator here? Automated and manual processes are used to prove we are who we say we are. I.D. verification and validation is a bedrock principle of our technology-driven world. Professional cybercriminals have largely figured out how to get around common identity proofing techniques.  

In some cases, well-meaning state officials even “pulled the goalie” last year by relaxing verification standards to help speed benefits to people impacted by the pandemic who desperately needed the help.  

There is good news to be found when it comes to identity verification. Private companies and government agencies are rapidly moving away from traditional I.D. proofing and to more modern, secure, and accurate ways of proving you are who you claim to be. 

We talked with ID.me CEO Blake Hall about the following: 

  • Traditional ways to verify identities, and how they failed in 2020 
  • State of the Art in I.D. verification 
  • What is next for I.D. verification in the age of privacy 

We also talked with ITRC CEO Eva Velasquez about the following: 

  • What happened in 2020 with identity-related fraud  
  • What individuals can do to protect themselves against identity-related fraud 
  • Resources available to help consumers protect themselves from identity-related fraud 

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip podcast. 

  • The Virginia Consumer Data Protection Act (VCDPA) will be the second strongest privacy law in the U.S., modeled after California privacy laws. It is scheduled to take effect on January 1, 2023. 
  • The VCDPA is not limited to businesses based in Virginia. It applies to any business that collects the personal data of at least 100,000 Virginia residents during a calendar year, or that collects the personal data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal data. 
  • Under the VCDPA, consumers will have the right to access personal data that businesses collect about them, correct inaccuracies in the data, request that personal data be deleted subject to certain exceptions, opt in to the use of sensitive data, and opt out of the sale of personal data in certain circumstances. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about significant privacy changes being driven by a private company – specifically, Apple through an update in the operating system for iPhones. This week we focus on state laws that are fundamentally changing the legal and regulatory landscape across the country.

Some people of a certain age probably remember the School House Rock cartoons that, among other things, taught us about the functions of conjunctions and, more memorably, how laws are made. The short cartoon from 1975 gives us the title of today’s episode – “I’m just a bill…sitting here on Capitol Hill.”

New Virginia Privacy Law: “Virginia Consumer Data Protection Act (VCDPA)”

By the time people listen to the podcast or read the transcript, Governor Ralph Northam of Virginia is likely to have already signed the second strongest privacy law in the country, the Virginia Consumer Data Protection Act or VCDPA. Modeled after groundbreaking California privacy laws, the Virginia Consumer Data Protection Act adds new rights for Virginia residents and obligations for businesses that collect information about people who live in the Old Dominion.

However, VCDPA is not limited to businesses based in Virginia. Like the California Consumer Privacy Act (CCPA) and the European Union’s privacy law (GDPR) before that, the VCDPA applies to any business anywhere in the world if it:

  1. Collects the personal data of at least 100,000 Virginia residents during a calendar year; or
  2. Collects the personal data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal information.

Non-profits, government agencies, and colleges and universities are exempt, along with a few institutions regulated by certain federal privacy laws.

Under the Virginia Consumer Data Protection Act, consumers will have the right to:

  • Access personal data that a business collects and uses about them;
  • Correct inaccuracies in that data;
  • Request that personal data be deleted subject to certain exceptions;
  • Opt in to the use of sensitive data in certain circumstances, with sensitive data being personal attributes like race or sexual orientation, biometric information, children’s information, and precise location data;
  • Opt out of the sale of personal data to third parties, of “targeted advertising,” and of certain automated decisions based on personal data.

When the Virginia Consumer Data Protection Act Will Take Effect

Businesses will have until January 1, 2023 – when the VCDPA goes into effect – to get ready to comply with the law, the same day California’s updated privacy law, the California Privacy Rights Act (CPRA), becomes effective. Unlike the California law, the enforcement of the Virginia law will be the exclusive jurisdiction of the state attorney general – no individual consumer lawsuits are allowed for now.

Other Privacy Laws in the Works

The January 1, 2023 date could be crowded with new state privacy laws. There are currently ten other states considering similar privacy and cybersecurity laws and two that have established study commissions that will be required to report back to their state lawmakers by 2022.

The Possibility of a Federal Privacy Law

What about a federal privacy law passed by Congress that applies uniformly across the country? Even with a new Congress, many of the same roadblocks remain from past Congresses. One side wants state laws to be overruled, and the other side wants a federal law to be a floor, not a ceiling for the states. There is also the unanswered question about the ability of individuals to file lawsuits over violations of privacy.

Contact the ITRC

If anyone has questions about how to keep their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.