Right now is a very difficult time for a lot of individuals as concerns around the COVID-19 pandemic continue to be at the top of people’s minds. In addition to the inconvenience of social distancing and isolation and the very real fears for personal health and safety, many people are also facing the stress of reduced hours at work, being furloughed or losing their jobs due to quarantine and business closures.

There is another equally upsetting issue at hand: unemployment benefits identity theft. A record-setting 57+ million people in the U.S. filed for unemployment due to COVID-19 between March and September of 2020.

Unemployment benefits identity theft has hit states hard all over the country

While the California Employment Development Department (EDD) reports that employers added 114,400 nonfarm payroll jobs in July 2021, the unemployment rate for the state remains at 7.6 percent. In September 2020, the California EDD put out an alert asking California residents to keep an eye out for fraudulent activity regarding unemployment benefits in the state.

According to the Los Angeles Times, as of January 26, 2021, California officials say unemployment fraud totals more than $11 billion. California has paid out $114 billion in unemployment benefits since March 2020, and the state EDD has processed 19 million claims.

Some residents of West Virginia are receiving unemployment benefit cards they never requested.

The Colorado Department of Labor and Employment says the state has seen nearly 10,000 fake claims. The identity thieves are believed to be just as busy with the filing, too. Many victims have contacted the Identity Theft Resource Center (ITRC) over complaints of unemployment benefits identity theft.

Unemployment benefits identity theft is nothing new

Unemployment benefits identity theft is nothing new. In fact, it is one of many types of government identity theft that can occur when a scammer uses stolen personally identifiable information to apply for benefits through the government. However, with so many consumers filing at the same time, an unfortunate number of people have already reported that a scammer beat them to it. Their claims have been rejected for being duplicate applications while someone else is now set up to receive their benefits.

Like many forms of identity theft, unemployment benefits identity theft is one that victims may not discover until the damage is done. If a claim is turned down for unemployment benefits due to a duplicate application, it is important for people to contact the unemployment agency immediately; the ITRC is another resource to guide victims in this challenge (888.400.5530). In the meantime, there are other ways consumers should take action if their claims are rejected:

Place a freeze on your credit report if it’s feasible

Victims might need to open a new line of credit while they are out of work, but that shouldn’t stop them from placing a freeze. Thawing a credit freeze is extremely simple and quick. A freeze can help block an identity thief who may have the victim’s personally identifiable information (since the thief applied for unemployment benefits in the victim’s name) from using it for other purposes.

Monitor accounts carefully

Once again, if a thief has enough information to apply for benefits, they could have access to other information or accounts. Consumers should keep a careful watch on all of their accounts, including their credit reports, and change any online passwords.

Be aware that applying for unemployment is only one step

An identity thief may also fraudulently apply for nutrition assistance, WIC, medical coverage or other benefits. If there are any issues involving those services and someone’s identity, people should contact those agencies immediately.

It is a stressful time for many, and scammers are looking to add to it in many different ways, including unemployment benefits identity theft. It’s also exceptionally difficult given the volume of calls and reduction in services from organizations that a victim needs to contact.

However, the ITRC is here for anyone who falls victim to government identity theft. Victims can also live-chat with an expert advisor or download the ID Theft Help App that will allow them to track their steps in a case log, and get on-the-go assistance.

The post was originally published on 4/10/2020 and was updated on 9/15/2021

Everything’s Bigger in Texas

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 10, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. For the past two weeks, we’ve concentrated on what happens when you receive a notice that your personal information has been compromised. This week, we’re going to talk about a data breach involving personal information for children and the unique risks created when children’s personal information is exposed.

When you grow up in the southern U.S., you learn very quickly that the saying “Everything’s bigger in Texas” is absolutely true. The Lone Star state is twice the size of Germany. Texans eat 54,000 tons of catfish each year. That’s six times the weight of the Eiffel Tower. There are high school football stadiums in Texas that seat more than 19,000 people, enough to fit the entire population of three average-size U.S. cities.

Dallas I.S.D. Data Breach

This week, the Dallas, Texas Independent School District (Dallas I.S.D.) has earned a different distinction: the target of a significant data breach.

More than 145,000 students attend 230 schools across the district that employs 22,000 people. That doesn’t include independent contractors and vendors who also serve the Dallas schools.

School officials announced late Friday before Labor Day that an “unauthorized third-party” had accessed, downloaded and stored personal information on a cloud data storage site. The stolen data included information on current and former students and their parents as well as current and former employees and contractors dating back to 2010.

The compromised information includes full names, addresses, Social Security numbers (SSNs), phone numbers, dates of birth, and employment and salary information for current and former employees and contractors. The breached data also includes full names, SSNs, dates of birth, parent and guardian information, and grades for current and former students. According to the school district, some students’ custody status and medical conditions may have also been exposed.

What Happened

As is typical in the early days of data breaches, there are many unknowns and a lot of reluctance to share information about what happened. Dallas I.S.D. has hired forensic investigators to determine how the cybercriminals gained access to the student, parent and employee information. However, little is known about how cybercriminals got their hands on the employees’, contractors’ and students’ personal information.

School officials are not calling this a ransomware attack. However, they acknowledge that they have communicated with the data thieves who claim the information has not been sold or shared, but has been removed from the cloud database. Ransomware attacks against schools have dramatically increased as students return for the new school year and identity criminals look for children’s personal information. One cybersecurity firm reports seeing more than 1,700 attacks against schools around the world each week in July.

The Impacts of Children’s Personal Information Being Stolen

Dallas I.S.D. is offering credit monitoring and identity theft recovery services for one year. The ITRC always recommends data breach victims take advantage of those offers. However, the release of student information is especially troubling as criminals who take control of a young person’s identity can cause significant harm over time.

Imagine a high school student applying for college and being denied financial aid or admission because someone had used their SSN to report income or obtain credit. An identity thief can abuse children’s personal information for years before the parents or child learn of the crime.

Freeze Your Child’s Credit

It’s important for parents to not only freeze their own credit, but to freeze their children’s credit, too. That won’t prevent your child’s information from being exposed in a data breach. However, it will keep a cybercriminal from using the children’s personal information to ruin their credit and perhaps their education and work opportunities when they grow up.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Listen next week as we talk about credit freezes with the founder of Frozen Pii on our sister podcast, The Fraudian Slip. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • The Identity Theft Resource Center (ITRC) teams have seen an uptick in subscription renewal scams as a way of stealing your identity. Criminals send emails about auto-renewals for subscriptions in hopes you will click on a malicious link.
  • Identity criminals are after your personal information so they can use it to commit different forms of identity theft and identity fraud.
  • To avoid a subscription renewal scam, ignore any messages about auto-renewals claiming to be from a company where you don’t have a subscription. If it appears to be from a company where you do have a subscription, check the sender’s email address to ensure it’s from the correct company.
  • Don’t click on any links until you confirm the email is legitimate. If the email is a spoof, report it as spam, block the sender and delete the email.
  • To learn more, or if you believe you have received subscription renewal scams, contact the ITRC. Call toll-free by phone (888.400.5530) or live-chat at www.idtheftcenter.org to speak with an expert advisor.

Subscription renewal scams aren’t new. However, ITRC team members have seen a rise in the number of phishing emails claiming it’s time to renew an annual subscription. The phishing attempt pictured below is a subscription renewal scam one ITRC team member received, claiming to be from Geek Squad.

Scammers use emails like these to get you to click on a malicious link and steal your personal information so they can commit identity crimes with it. Many subscription renewal scams look legitimate. It is important you know how to spot one and the steps to stay safe so your sensitive information isn’t compromised.

Who are the Targets?

Text and email users

What is the Scam?

Criminals pose as a recognized company and send texts and emails to people informing them that their annual subscription has been renewed. The phishing emails go on to ask people to click on a link to review the summary details of their renewal. However, the link is malicious and either installs malware on your computer, steals your personal information or takes you to a fake website.

What They Want

Cybercriminals want you to respond to the subscription renewal scams or click on the malicious link in the message so they can steal your personal information. Identity criminals may proceed to use your information to commit an array of identity crimes.

How to Avoid Being Scammed

  • If you receive a text or email about a subscription renewal from a company you do not have a subscription with, ignore it. Don’t click on any links because they could contain malware. If you receive emails you are not expecting, go directly back to the source to see if the message is real.
  • If you get an email about a subscription renewal from a company with which you do have a subscription, check the email sender’s address to make sure it is legitimate. If you are still unsure, reach out to the company directly to confirm the validity of the message.
  • If you know the email is a subscription renewal scam, report it as spam, block the sender and delete the email.

Contact the ITRC toll-free by calling 888.400.5530 or using the live-chat function at www.idtheftcenter.org if you’ve received any subscription renewal scams. ITRC expert advisors will help you create a resolution plan with the steps you need to take.

  • It’s standard, if not legally required, for businesses to issue a notice of data breach letter if they were breached. They usually include what information was accessed and offer some form of identity protection, like in the recent T-Mobile data breach notice.
  • The same standard applies to data breach settlement letters. There is often some free product or service offered, like in the recent Wawa data breach settlement.
  • Don’t ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections (credit monitoring, anti-spam services, best practices, etc.) and the occasional compensation (a settlement payment) for your trouble on the table.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.    

All’s Well that Ends Well

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 3, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about what it takes to file a successful lawsuit after a data breach. This week we look at what to do when your personal information has been exposed and you receive a notice of data breach letter, and later when you get a notice after a data breach lawsuit has been settled.

Shakespeare dispensed a lot of advice in his plays, none more helpful than in Act 1 Scene 1 of All’s Well that Ends Well: “Love all, trust a few, do wrong to none.” Do you know what else is filled with helpful advice? A well-written data breach notice.

Laws Around A Notice of Data Breach Letter

Every U.S. state, territory and the District of Columbia has a law that requires consumers to be notified when their personal information has been compromised. That’s pretty much where the commonality ends. The definition of personal information, the form of a notice, the distribution method, the length of time that can pass before a notice of data breach letter is issued, and the remedies available to impacted consumers are unique to each state.

However, it’s pretty much standard practice, if not legally required by your state, for businesses to disclose in broad terms what information was accessed and to offer some form of identity protection.  There are often other protection tips in the notice, including changing your passwords.

Consumers Ignore Notice of Data Breach Letters

Unfortunately, most people ignore both the notice and the advice. We’ve talked here about recent studies from the University of Michigan and Carnegie Mellon University that show nearly three-quarters of people who receive a notice of data breach letter don’t even know they received it. Only one-third of data breach victims change their passwords (and those who do use a weaker, similar password to the one that was compromised).

Protection Advice & Free Services Offered by Breached Companies is Improving

The recently breached T-Mobile raised the bar by offering not only credit monitoring, but also identity remediation services in the event a customer’s personal information is misused. T-Mobile is also offering free anti-spam services for all impacted customers and account takeover protections for pre-paid customers.

T-Mobile suggests you change your passwords, so you are not using the same password that has been compromised on any other account. Regular listeners to the ITRC podcasts will be familiar with this advice.

Data Breach Lawsuit Settlement Letters Also Offer Free Products

When a notice of data breach letter is issued, it is not the only time breach victims are offered free swag. When breach lawsuits are settled, there is often some free product or service provided. However, victims are usually required to take some action to get the award.

Wawa Data Breach Settlement

That’s the case with the recent settlement of a lawsuit against the east-coast-based convenience store chain Wawa, better known for its deli sandwiches than the 2019 data breach. Of the 22 million people who received settlement letters and are eligible for a settlement payment, those who made a purchase with a debit or credit card during the breach period but did not see evidence of identity fraud will get $5 gift cards. Those who can present proof of actual or attempted fraud will get a $15 gift card. Those who can show evidence they lost money can receive as much as $500 cash.

All claims must be submitted by November 29, 2021. So, the clock’s ticking if you want a free Wawa meatball grinder with extra cheese.

The Key Takeaway

In both of these scenarios, the key takeaway is the same: do not ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections and the occasional compensation for your trouble on the table.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • T-Mobile’s most recent 2021 data breach impacts 50+ million people. The exposed information includes Social Security numbers (SSNs), driver’s licenses, phone numbers, and International Mobile Equipment Identities (IMEIs) and International Mobile Subscriber Identities (IMSIs).
  • According to Threatpost, Microsoft’s Power Apps management portal exposed the data of 47 businesses for months, including 38 million people’s personal records. The information exposed varies by company. However, it ranges from names, COVID-19 vaccination status, email addresses, and phone numbers to SSNs and job titles.
  • Approximately 1.4 million people were impacted by a ransomware attack on St. Joseph’s/Candler Health System in Georgia that shut down the healthcare provider’s systems. Information compromised includes health insurance information, financial information and medical records information.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about August 2021 data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable August Data Breaches

Of the nearly 160 data events the Identity Theft Resource Center (ITRC) tracked in August, three stand out: T-Mobile, Microsoft and Georgia’s St. Joseph’s/Candler Health System (SJ/C). T-Mobile’s latest 2021 data breach highlights the jump in mobile breaches. The Microsoft data event is significant because it’s due to a flaw in a platform’s security. Finally, SJ/C exposed 1.4 million people’s personal information after a ransomware attack on the healthcare system.

T-Mobile

According to T-Mobile, identity criminals compromised T-Mobile’s systems. The company says hackers gained access to their testing environments and then used brute force attacks and other methods to make their way into other IT servers. T-Mobile located and closed the access point they believe was used to gain entry to their servers.

On August 17, T-Mobile confirmed that approximately 47 million people were impacted by their latest data breach in 2021. T-Mobile also said the data stolen from their systems includes personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised in the third T-Mobile data breach since December 2020. T-Mobile identified another 5.3 million current customer accounts with one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed.

Microsoft

According to Threatpost, research from UpGuard revealed Microsoft’s Power Apps management portal accidentally exposed the data of 47 businesses for months, including 38 million people’s personal records. UpGuard reports that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. The article says that Microsoft does not consider the data issue a vulnerability, rather a configuration issue that can be improved.

Information exposed varies per business. However, the personal information ranges from names, COVID-19 vaccination status, email addresses and phone numbers to SSNs and job titles. Some of the notable businesses impacted are American Airlines, Ford, the Maryland Department of Health and the New York City schools. 

UpGuard says since disclosure of the issue, Microsoft released a tool for checking Power Apps portals for leaky data. Microsoft also plans to change the product so that permissions will be enforced by default. Microsoft’s data event is one of the first data breaches in 2021 the ITRC has seen due to a flaw in platform security. It is considered one of the rarest forms of data compromise.

St. Joseph’s/Candler Health System

On August 10, SJ/C, a healthcare system in Savannah, Georgia, released information on a ransomware attack on their systems. According to the news release, SJ/C found suspicious activity in its IT network and launched an investigation. The investigation determined that the incident resulted in an unauthorized party gaining access to its IT networks between December 18, 2020 and June 17, 2021 and launching a ransomware attack, making the systems inaccessible.

Nearly 1.4 million individuals were impacted by the data breach, both patients and employees. At-risk information includes SSNs, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member I.D. numbers, medical record numbers, medical and clinical treatment information and much more.

SJ/C says that, following the incident, they have implemented and will continue to adopt additional safeguards and technical security measures to further protect and monitor its systems. The ITRC has seen similar incidents happen across the U.S., including at Scripps Health in San Diego, California.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/Text) and keep an eye out for phishing attempts that claim to be from the breached organization.

T-Mobile recommends all eligible customers sign up for scam blocking protection through the company’s Scam Shield as protection from the latest data breach in 2021. They are also directing people to a customer support webpage with breach information and access to tools.

SJ/C has a toll-free incident response line to answer people’s questions about the latest data breach in 2021. Anyone can call 855.623.1933 Monday through Friday between 8 a.m. and 5:30 p.m. EST. Additional information is available at www.sjchs.org.

notified 

For more information about August data breaches in 2021, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

When a disaster strikes, there’s often a heart-tugging sadness that comes from feeling powerless to do something useful. As distanced bystanders, we’re left reeling from the news footage of the horrific events, both human-made and natural. Often, we think to ourselves, “If only there were something I could do to help.” Unfortunately, identity criminals use disasters as an opportunity to prey on people while they are vulnerable and commit disaster relief scams.

Technology has empowered us to support people in their time of need. Charitable giving websites, crowdfunding campaigns, and even the ability to text a donation for a specific cause and then pay it on the following month’s bill have enabled us to lend a hand when needed.

Disasters Strike Everywhere

In the instance of the 7.0 magnitude earthquake that struck Haiti in 2010, nearly three million people were killed, injured or left homeless. Relief efforts were mobilized within mere minutes. The Red Cross immediately set up a text-to-donate option, and more than $43 million came in via text.

Severe flooding in Louisiana in 2016 forced tens of thousands of people to take up residence in emergency shelters. Sixty people died, and more than 40,000 people lost their homes. Many were rescued by boat with nothing more than their clothes, and citizens outside the flooded area were ready to respond in a big way. Celebrities also vowed to help in fundraising efforts.

In 2021 Haiti was hit with another earthquake, this one a 7.2 magnitude earthquake. Over 2,000 people died, and nearly 53,000 houses were destroyed. Volunteers and others at the Haitian-American Community Coalition of SW Florida in Fort Myers shipped hundreds of pounds of food, medical supplies and other items for victims.

Hurricane Ida struck Louisiana, leaving many people stranded and over one million people without power. U.S. Coast Guard members and National Guard units from Alabama, Louisiana, Mississippi and Texas conducted search-and-rescue operations. The Red Cross also set up different ways for people to donate to those in need.

Scammers Take Advantage of the Vulnerable

Sadly, the same technology that lets kind-hearted people participate in helping out has also made it possible for scammers to commit disaster relief scams and bilk innocent, well-intentioned people out of their money. They can also steal your personally identifiable information (PII), something that’s far more valuable than a donation of a few dollars.

In 2016, Louisiana authorities warned the public to watch for disaster relief scams that crop up online. Only a matter of hours after the attack on the World Trade Center on 9/11, scammers were already soliciting donations for relief efforts, but pocketing the money. It’s the same with nearly every high-profile incident that affects large numbers of victims. Scammers take advantage of people when they are most vulnerable and commit disaster relief scams.

How to Avoid Disaster Relief Scams

  • Only work with trusted sources and legitimate agencies. Many times, people will hit the streets claiming to be with an agency offering help. However, they take off with your PII or money.
  • Only use trusted and known charities to donate. If you do not recognize the name of a charity soliciting funds, or if it’s a name that’s too “sudden” to be believed, be cautious. Trustworthy charities will have long-standing reputations of meeting the government’s guidelines for a charitable organization. Other new sites should be treated as suspect and possible disaster relief scams.
  • Verify all phone numbers for charities. If you need to contact a charity by phone, check the charity’s official website to see if the number you have is legitimate. If you’re using text-to-donate, check with the charity to ensure the number is legitimate before donating.
  • Verify the information in social media posts. Double-check any solicitation for charitable donations before you donate. Crowdfunding websites may host individual requests for help. However, they are not always vetted by the site or other sources.
  • Ignore suspicious emails and messages. If you receive a suspicious email or message requesting donations or other assistance, ignore it because it is probably a disaster relief scam. Do not click on any links or open any attachments. Scammers regularly use email and messaging platforms for phishing attacks and to spread malware.
  • Report any fraud. To report suspected fraud or disaster relief scams, call the Federal Emergency Management Agency (FEMA) Disaster Fraud Hotline toll-free at 866.720.5721. You can also file a complaint with the Federal Communications Commission (FCC) about phone scams or the Federal Trade Commission (FTC) about fraud.

Contact the ITRC

If you believe you were the victim of any disaster relief scams, or want to learn more, contact the Identity Theft Resource Center (ITRC). You can speak with an expert advisor toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

The post was originally published on 8/16/16 and was updated on 8/31/21.  

  • Mobile telecom providers U.S. Cellular, Mint Mobile and T-Mobile have all been breached in 2021. In fact, T-Mobile has been breached twice in 2021, and once in December 2020.
  • If your mobile phone account is breached, you should freeze your credit, change your passwords and PIN numbers, and use multi-factor authentication (MFA or 2FA) using an app, not text messages, to protect yourself when available.
  • You should also follow the steps in any data breach notification letter you receive or read in a public notice.
  • Keep an eye out for phishing emails, closely monitor your financial accounts and contact your Department of Motor Vehicles (DMV) if your license number is exposed in the breach.
  • If you believe your phone account is breached, or want to learn more, contact the Identity Theft Resource Center. Call toll-free (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

The Rise in Mobile Data Breaches

The Identity Theft Resource Center (ITRC) has seen mobile data breaches rise, particularly in 2021. Customers of mobile phone companies that have not reported a breach also want to know what to do if their phone account information is exposed.

In January, U.S. Cellular suffered a data breach after hackers were able to scam employees to gain access to one retail store’s computer. In July, some Mint Mobile customers had phone numbers ported, leading to data being accessed. One month later, T-Mobile was breached when bad actors compromised their systems, impacting millions of documents. In fact, it is the second T-Mobile data breach in 2021 and the third since December 2020. Right now, Bleeping Computer reports that well-known threat actor ShinyHunters claims to be selling a database containing the personal information of 70 million AT&T customers. However, AT&T says they did not suffer a data breach.

Telecommunications companies continue to be targeted by identity criminals due to the importance of mobile devices in our daily lives. The rise in mobile data breaches means everyone needs to be prepared if they are impacted by a compromise. There are steps you can take to protect your information, and steps to take if your phone account is breached.

What You Should Do to Protect Yourself if Your Phone Account is Breached

  • Freeze your credit. Monitoring your credit is informative because it alerts you to changes on your credit reports that may need further investigation if your phone account is breached. However, it does not offer protection. While it tells you what happened, it does not stop anything from happening. A credit freeze does. Freezing your credit is free, easy and does not impact your credit.
  • Change your mobile phone account password and PIN numbers. Also, change the passwords of other accounts with the same password or PINs as the breached account. You do not want the same passwords or PINs on more than one account. Cybercriminals want you to do that because they can commit credential stuffing attacks. The ITRC recommends you switch to a unique 12+ character passphrase because passphrases are harder for criminals to crack. You can also use a password manager to generate and keep track of your credentials.
  • Use multi-factor authentication (MFA or 2FA) on your accounts. MFA and 2FA provide an added layer of security, making it harder for hackers to gain access if your phone account is breached. Also, if possible, use an authentication app rather than having a code sent by text to your phone because the text messages can be spoofed and intercepted in a SIM swapping scheme. Authentication apps are available for free from Microsoft, Google and other software providers.
  • FOR BUSINESSES: You can’t lose control over the information you don’t have. Don’t collect more information than you need. Don’t keep the sensitive information longer than you need to complete the transaction. Keep the data you do collect and maintain safe and secure by encrypting it. Finally, make sure you offer MFA or 2FA for your customers’ and prospects’ protection when logging into their accounts.

Next Steps to Take if Your Phone Account is Breached

  • Watch for data breach notification letters. It is easy to ignore a breach notification. However, there are usually important steps in the notices, like how to activate free identity protection services. Follow the advice offered by the impacted company.
  • Be on the lookout for phishing emails. Identity criminals may look to exploit the data breach to get you to click on a malicious link or share sensitive information.
  • Closely monitor your financial accounts (credit cards, banking, utilities, etc.). If you see anything out of the ordinary, it may be a sign of fraudulent activity.
  • Contact the Department of Motor Vehicles (DMV) if your license is impacted. Notify the DMV in your state that your information may have been exposed. See if you can place an alert on your license number and check your driving record.

Contact the ITRC

Data breaches are inevitable. Consumers can do everything right and still have their phone account breached. If you believe your phone account is breached or want to learn more, contact the ITRC. You can speak with an expert advisor by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org. Advisors will answer any question you may have and help you through the resolution process.

The ITRC does not want anyone to panic. While it can be frightening if your phone account is breached, you will be able to work through any misuse of your information if you have a plan.

  • Earlier this year, the U.S. Supreme Court issued a major decision that set a new standard. People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm.
  • This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment.
  • A data breach lawsuit is subject to the same rules for filing a claim. They are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue.
  • What can be done to address this? Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of identity theft, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.   

Measure for Measure

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 27, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. Today we dive into a subject we haven’t explored before, and for good reason – filing a data breach lawsuit. It’s a bit complex and a little dry. However, it is very important when it comes to the concept of justice for victims of data breaches. So, bear with us as we talk about the legal idea of standing and what recent court rulings mean when it comes to the ability for data breach victims to sue for damages in federal courts.

Shakespeare mentioned the legal profession more than any other, outside of royalty, devoting several of his plays to various concepts of justice. One of his dark comedies – Measure for Measure – is even named for the very concept of justice: punishment should fit the crime.

That’s a concept that cuts both ways – for and against defendants in criminal courts, and the same is true of plaintiffs in civil trials where money damages are the punishment.

“Standing” Needed to File a Civil Data Breach Lawsuit

To file a civil lawsuit in federal court, you must have what is called “standing.” You must have a valid reason to stand at the bar of justice. For years, U.S. courts have been split over what is a good reason when it comes to the standing of a person whose personal information has been exposed in a data breach. Some courts said the mere threat of harm was enough to justify a data breach lawsuit. Others ruled that no, proof of actual harm was required before a data breach lawsuit could be filed. After a data breach, your ability to sue for damages had more to do with where you lived than what happened to your data.

U.S. Supreme Court Sets A New Standard for Data Breach Lawsuits

Earlier this year, though, the U.S. Supreme Court issued a major decision that set a new standard: People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm. Inconvenience or the threat of harm no longer counts as an acceptable reason in some federal courts. Now, plaintiffs filing lawsuits based on those kinds of claims lack standing. No standing = no lawsuit.

Now, you may have noticed the subtle distinction that the Supreme Court decision was based on data errors, not data breaches. How very observant of you, and you are correct. However, it’s called the Supreme Court for a reason. Lower federal courts are bound to follow the decision of the Supremes and are now applying the new standard to similar but not identical cases.

Ohio Sixth Circuit Court of Appeals Ruling

This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment. The lower credit score was inconvenient but not harmful, according to the Court.

What It Means for Data Breach Lawsuits

What does this have to do with data breaches? A data breach lawsuit is subject to the same rules for filing a claim. That means data breach lawsuits are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue. That’s very difficult to prove in the best of times. When there have already been more than 1,100 data breaches reported this year, how do you prove which data breach caused the harm?

That doesn’t even begin to address the bigger issue that identity criminals don’t always use the data right away, or only once. The risk of harm down the road is high, and the ITRC’s 2021 Consumer Aftermath Report shows nearly three in ten identity crime victims are hit a second or third time, sometimes before the original impacts are resolved.

What Can Be Done?

Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.

However, the reality is that this is the exact situation that Shakespeare wrote about in Measure for Measure: “O just, but severe law.”

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org to get started.

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.

It can happen to anyone, anywhere. You’re going about your business when suddenly you find a lost wallet on the ground. You look around to see if you can spot the person who lost it, but they don’t seem to be nearby. You pick it up, open it carefully and are shocked by what you see inside.

This scenario happens every day, and some of the best, most responsible people can be either the wallet loser or the wallet finder. Unfortunately, picking up someone’s personal—and possibly even valuable—property can come with both risks and benefits.

Steps to Take If You Found a Lost Wallet

The very first benefit of a found wallet is the opportunity to be a Good Samaritan, to be a bright spot in someone’s day. After all, they’ve just lost something essential. The consequences for them can range from aggravating to terrible. Returning the found wallet to them in the condition in which they lost it can make you feel good.

At the same time, if you found a lost wallet, you could be opening yourself up to a few risks. What if the owner claims there was a lot of money in it, money that was long gone before you ever found it? What if the owner later accuses you—either innocently or maliciously—of identity theft or financial account takeover? Maybe this chance to help someone is just too big of a burden after all.

Your next steps in a situation like this can vary depending on where you located the wallet.

If you’re in a store or business, your gym, a doctor’s office, or any other location that has a surveillance camera, you’re probably in the clear from accusations.

  • Remain visible while picking the found wallet up, and turn it in at the front desk immediately. If you feel it’s necessary, you can wait while the attendant tries to locate the owner. The driver’s license, credit cards and any retail rewards cards can help. Just call the number on the credit cards or rewards cards and provide the name or account number. They should have a contact number for the owner and can pass along the location of the wallet.

What if you’re out in the open?

A wallet can easily fall out of someone’s pocket, briefcase or handbag. There might not be security cameras to help you prove that you had every innocent intention.

  • It’s best in this case to dial the local police department’s non-emergency number—don’t tie up the 911 dispatch system for something like this—and tell them that you found a lost wallet and are standing near it. Ask for a patrol vehicle in the area to come and take over, and wait with the found wallet if you can.

What should you do if someone comes up and claims to be the owner?

  • Let it go. Whether or not they are the owner is not in your wheelhouse. You are not responsible for someone who may or may not have criminal intentions. Getting into an argument over the property is not worth it in the end.

Should you post it on social media?

  • It’s very tempting to post about the found wallet on social media sites like Facebook in order to track down the owner, but that is not a good idea. You have no way of identifying the real owner. You could risk compromising that person’s identity if you post a photo containing part of the driver’s license, a credit card, a checking account number or other details.

Contact the ITRC

If you found a lost wallet, it is important to take the proper steps to protect it and what is inside it. If you have additional questions, contact the Identity Theft Resource Center. You can get toll-free, no-cost assistance by phone (888.400) or live-chat on the company website www.idtheftcenter.org.

This post was originally published on 7/9/18 and was updated on 8/24/21

T-Mobile recently suffered its second data breach since February 2021 and its third breach since December 2020. The latest T-Mobile data breach leaves many current, former and prospective customers wondering what happened, how it happened and what they need to do to stay safe.

What Happened?

According to T-Mobile, a bad actor compromised T-Mobile’s systems. The company says they located and closed the access point they believe was used to gain entry to their servers.

On August 17, 2021, T-Mobile confirmed that approximately 47 million people were impacted by the data breach. T-Mobile also said the data stolen from their systems included personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, 2021, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised. T-Mobile identified another 5.3 million current customer accounts that had one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed.

The Verge reports that the Federal Communications Commission (FCC) is investigating the T-Mobile data breach that may have impacted as many as 100 million customers.

What Does It Mean to You?

Identity criminals can use information like your SSN and driver’s license to commit an array of identity crimes like false applications for loans, credit cards or bank accounts in your name. IMEIs and IMSIs could be used to track your mobile device or assist in SIM swapping attacks where someone hijacks your phone number to intercept multi-factor authentication codes or other information.

What Can You Do to Protect Yourself from the T-Mobile Data Breach?

  • Freeze your credit. T-Mobile is offering identity protection services to impacted customers, including credit monitoring. While monitoring your credit is informative, it does not offer protection. It tells you what happened but does not stop anything from happening. A credit freeze does. Freezing your credit is free, easy and does not impact your credit.
  • Change your passwords and PIN numbers. You want to make sure you do not use the same passwords or PINs on more than one account. The Identity Theft Resource Center (ITRC) recommends you switch to a unique passphrase (something you can remember that is at least 12 characters long). You can also use a password manager to generate and keep track of your credentials. Cybercriminals want us to reuse passwords on more than one account because it makes it easier for them to commit identity crimes.
  • Use multi-factor authentication (MFA or 2FA) on your accounts. MFA and 2FA provide an added layer of security. Also, if possible, use an authentication app rather than having a code sent by text to your phone because the text messages can be spoofed and intercepted in a SIM swapping scheme. Authentication apps are available for free from Microsoft, Google and other software providers.
  • Have a plan if your IMEI or IMSI information is used fraudulently. It’s unknown if or how the IMEI or IMSI information stolen in the T-Mobile data breach will be used. However, it is important you have a plan if it is. There is no reason to panic about your phone being disabled. However, in the unlikely event it is, plan how you will contact T-Mobile. You can do this through their website t-mobile.com, an in-person visit to a T-Mobile store or using a landline telephone.  
  • FOR BUSINESSES: You can’t lose control over the information you don’t have. Don’t collect more information than you need. Don’t keep the sensitive information longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Finally, make sure you offer MFA or 2FA for your customers’ and prospects’ protection when logging into their accounts.

What Are the Next Steps to Take?

  • Closely monitor your financial accounts (credit cards, banking, utilities, etc.) for any signs of fraudulent activity.
  • Stay alert for a data breach notification, as well as any potential identity fraud due to the T-Mobile data breach. While it is easy to ignore a breach notification, there are usually important steps in the notices, like how to activate free identity protection services. In T-Mobile’s notification letter, the company offers two years of free identity protection services. They also recommend all eligible T-Mobile customers sign up for scam blocking protection through the company’s Scam Shield, and direct people to a customer support webpage with breach information and access to tools.
  • Be on the lookout for phishing emails exploiting the T-Mobile data breach to get you to click on a malicious link or share sensitive information.
  • Act if your driver’s license is impacted. If your driver’s license information has been compromised, contact the Department of Motor Vehicles (DMV) in your state to notify them your information may have been exposed. See if you can place an alert on your license number and check your driving record.

Contact the ITRC

While this T-Mobile data breach leaves uncertainty for many, the ITRC does not want anyone to panic. As long as you have a plan, you will be able to address any misuse of your information.

The ITRC remains available to help you. If you have questions about the T-Mobile data breach or believe you may be impacted by it, contact the ITRC toll-free by phone (888.400.5530) or live-chat on the company website (www.idtheftcenter.org). ITRC expert advisors will walk you through the steps you need to take and help you create a resolution plan.