In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the data theft methods preferred by cyberthieves.

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the vendor is smaller, with fewer security measures than the companies it serves.

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

By Eva Velasquez, president and CEO, Identity Theft Resource Center 

  • The Identity Theft Resource Center (ITRC) expects to see the number of victims of COVID-19 identity crimes continue to rise in 2021. The ITRC’s new data shows an increase in identity crime victims being targeted multiple times (28 percent in 2019 versus 21 percent in 2018) before pandemic-related identity crimes. The ITRC expects to see victims targeted multiple times continue to rise. 
  • Right now, victim resources are not top of mind for many people. Since 2018, U.S. Department of Justice funds allocated for all crime victim services have fallen from a high of $3.7 billion to $1.9 billion.
  • Focusing on just the dollar losses of identity fraud paints an incomplete picture because it does not consider long-term impacts or each victim’s unique situation. 
  • Additional pandemic-related benefits and stimulus payments due in early 2021 will also result in more identity crime victims linked to new benefit fraud cases.  
  • Join experts from the ITRC and the Federal Trade Commission (FTC) on Monday, February 1, at 10 a.m. PST (1 p.m. EST) for a free webinar, Protecting Yourself Against Identity Theft in the Age of COVID-19. 

The last year has been a difficult one for many people. Some have lost their jobs, others have had to close their businesses and many people have gotten sick or lost loved ones from the coronavirus. Another segment of people affected has not gotten as much attention: victims of COVID-19 identity crimes.  

The Impacts of COVID-19 Identity Crimes in 2020 

Millions of state unemployment benefit-related identity theft cases have been detected across the country since March 2020. On average, the Identity Theft Resource Center (ITRC) receives fewer than 20 inquiries regarding unemployment benefits a year. In 2020, the ITRC had more than 700 unemployment benefits fraud victims reach out for help. 2020 also saw a sharp increase in scams. Criminals had countless opportunities to trick people with phishing scams, charity scams, healthcare scams, disaster scams and work-from-home scams.

What to Expect in 2021 

The ITRC believes COVID-19 identity crimes will impact victims well into 2021. Many victims may not be aware that their identity credentials were misused until they receive an IRS Form 1099 for non-wage income. The ITRC’s research also shows a significant increase in identity crime victims being victimized a second time, even before the rise in fraud, scams and identity crimes in 2020. The post-pandemic analysis should show an even greater spike.  

The Ripple Effects of the Pandemic-Related Identity Crimes 

Resources for identity crimes are not keeping pace with the criminals. Trends identified by the ITRC and many private-sector researchers show that profit-motivated cybercriminals are using consumers’ and employees’ bad security habits, as well as the changing work environment, to attack businesses more often. Yet, resources for cybersecurity training and education, along with identity-related crime victim assistance, are moving in the opposite direction.

Since 2018, U.S. Department of Justice (DOJ) funds allocated for all crime victim services have dropped from a high of $3.7 billion to $1.9 billion. Discretionary DOJ grants awarded to victim services organizations dropped from $311 million in 2019 to $144 million in 2020. Funds to programs that support victims of identity crimes and compromises, cybercrime, scams and fraud have been reduced to $0.

Meanwhile, the average ransomware payment has grown from less than $10,000 per incident in late 2018 to $233,000 as of Q3 2020, with some large enterprises reportedly paying ransoms over $1 million, according to cybersecurity firm Coveware. The most common root cause (55 percent) of ransomware attacks is stolen credentials to access a business system or network remotely. 

Measuring just the dollar amount paints an incomplete picture. A dollar sign does not take into account the trauma, downstream effects and lost opportunity costs for each of the victims whose identity credentials were misused. New ITRC research that will be published in May 2021 reveals an increase in identity crime victims being targeted multiple times. Nearly 28 percent of victims reported a second identity crime in 2019 versus 21 percent in 2018. At the ITRC, we expect to see that number continue to go up, especially after the rise in COVID-19 identity crimes.  

What It Means Moving Forward 

The data shows that COVID-19 identity crimes will continue in 2021, and more victims will suffer from the trauma of a second and even third identity crime. Someone that does not trust an infrastructure that has failed them will continue to disengage. Some victims cannot meet their basic needs or find a job because they cannot pass a background check until they get the fraud resolved. How long does that take? How does someone explain that to an employer? They are simply the victim of a crime that is not acknowledged to have the devastating life impacts that it does.

The statistics show we are not winning the battle to protect ourselves from cybercriminals. Winning will require us to devote more resources toward assisting victims and devote more time and attention to educating consumers and employees of their need to be cyber-aware and vigilant. 

What to Do If You’re a Victim of Identity Theft 

If anyone believes their information may have been compromised, we suggest contacting us toll-free. Consumers can call (888.400.5530) or live-chat with an identity theft advisor to start their remediation process. Our experts will help advise victims on the best next steps for them to take.  

Learn more  

People can learn more about identity theft and COVID-19. Join experts from the ITRC and the FTC on Monday, February 1, at 10 a.m. PST (1 p.m. EST) for a free webinar, Protecting Yourself Against Identity Theft in the Age of COVID-19. We’ll explore topics including identity theft involving unemployment benefits, federal stimulus payments, Small Business Administration loans and more.

The webinar is being held as part of the FTC’s Identity Theft Awareness Week, February 1-5, 2021. To find out more about the week’s events and the FTC’s free identity theft resources, please visit the FTC’s website.

  • According to a survey by Proofpoint, ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers. 
  • Cybersecurity firm Emsisoft found that at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. 
  • The Emsisoft report also states that more than 1,300 companies lost data, including intellectual property and other sensitive information, in 2020.
  • Ransomware attacks cause significant disruption when ambulances carrying emergency patients are redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 28, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 22, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Human beings tend to end a year by looking forward, but begin the new year by looking back. This week, such is the case when researchers, having just finished publishing their 2021 predictions, turn to sharing their annual trend reports. How many of X and the increase or decrease in Y.

Here, we are interested in the trends that impact consumers and businesses regarding data privacy and security. The first significant report on those topics concludes that ransomware attacks are now the single biggest cyber threat to companies based on what happened in 2020. If it’s a threat to businesses, it’s a threat to consumers. 

You may not know the name Phil Dusenberry, but you know his work. If you saw a Pepsi commercial during the ’80s, ’90s and early 2000s, you saw his handiwork. If you ever saw the “Morning in America” film for President Reagan or the baseball movie, “The Natural”, those belonged to Phil Dusenberry, too. Now, he has contributed to today’s episode when he said: “Writing advertisements is the second most profitable form of writing. The first, of course, is…” Hold that thought, and we’ll come back to it.

Ransomware Attacks Considered A Top Cybersecurity Threat 

Cybersecurity firm Proofpoint has found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a recent survey. Even more alarming is research from New Zealand-based cybersecurity firm Emsisoft that concludes at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. The impacted organizations include: 

  • 113 federal, state and municipal governments and agencies 
  • 560 healthcare facilities 
  • 1,681 schools, colleges and universities 

These kinds of attacks cause significant, and sometimes life-threatening, disruption when ambulances carrying emergency patients have to be redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 

The Impact of Ransomware Attacks on Private Businesses 

Ransomware attacks are not limited to the public sector. Private businesses are very much in the crosshairs of the professional cybercriminals who commit these crimes. According to the Emsisoft report, more than 1,300 companies, many based in the U.S., lost data, including intellectual property and other sensitive information in 2020. That’s just the number of companies with data published on websites where thieves post their ransom notes or stolen data for sale. It does not include the unknown number of companies that paid the ransom before anyone noticed.  

Few cyber-criminal groups released the data they stole in 2020. Only two are known to have done so after companies refused to pay a ransom. However, by the end of 2020, more companies were paying ransom figures over $200,000 on average to avoid the release of their compromised information.  

Many times, they paid the demands even if they didn’t have to do so. Emsisoft has documented cases where businesses with the necessary back-ups to restore their information still paid the ransom for fear their data would be released if they didn’t pay. Proving Phil Dusenberry’s theory, the most profitable form of writing…is a ransom note. 

ITRC to Release Annual Data Breach Report 

Next week, the ITRC will publish its annual report on data breaches. The report includes how many breaches occurred, who was impacted, why they occur and much more. There are some very interesting trends that we’ll discuss in our next episode.  

Contact the ITRC 

If you have questions about how to protect your information from data breaches and data exposures, visit idtheftcenter.org, where you will find helpful tips on this and many other topics.  

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours (6 a.m. to 5 p.m. PST). Visit the company website to get started. 

If you want to work ahead and read our 2020 Data Breach Report, our 15th annual edition, it will be posted on our website on Thursday, January 28, as part of Data Privacy Day. Just visit idtheftcenter.org.

  • One of the first changes in 2020 due to COVID-19 was the delay in the regular income tax filing date. Soon after that, millions of out-of-work Americans began to receive enhanced unemployment benefits and special small business loans.
  • Soon after that, cybercriminals began to steal those benefits. The Department of Labor estimates that unemployment fraud could total as much as $26 billion. California alone has seen nearly $2 billion in unemployment benefits fraud.
  • With the 2021 tax filing season quickly approaching, many people will receive a 1099 form alerting them that they must claim income they never received from the benefits they never sought.
  • To learn more, listen to this week’s episode of the Fraudian Slip.
  • People can learn about taking advantage of the Internal Revenue Service (IRS) identity protection programs or reporting identity-related issues to the IRS at IRS.gov and clicking on the Identity Theft Protection link at the bottom of the home page.
  • If anyone believes they are a victim of tax identity theft or unemployment benefits fraud, they should contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

The below is a transcript of our podcast episode with special guest, IRS

Welcome to the Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud, including the impact identity issues have on people and businesses.

In a typical episode, we would focus on something that has happened or is happening that impacts consumers and businesses. Not today. We are going to talk about what’s about to happen, specifically the 2021 tax filing season.

It’s been nearly a year since the COVID-19 pandemic disrupted virtually every aspect of everyday life. One of the first changes in 2020 was the delay in the traditional income tax filing date. Soon thereafter, millions of out-of-work Americans began to receive enhanced unemployment benefits and special small business loans. Shortly after that, cybercriminals began to steal those benefits. The Department of Labor estimates that unemployment fraud could total as much as $26 billion. California alone has seen nearly $2 billion in unemployment fraud.

Fast forward to today, and the spike in benefits fraud is subsiding. However, a second round of victims may soon emerge. Benefits like unemployment payments are considered income and are taxable. Thousands of the unemployment payments made in 2020 were made in the names of people whose identities were misused – and they didn’t know it. With the 2021 tax filing season quickly approaching, many people will receive a 1099 form alerting them that they must claim income they never received from the benefits they never sought. That is on top of the usual identity-related income tax fraud the IRS sees each year.

We talked with Jim Robnett, the Deputy Chief of the IRS – Criminal Investigation Division, about the following:

Overview

  • Before 2020, the number of false income tax returns linked to identity compromises was already falling. What had the IRS done that was working so well to reduce tax-related identity theft?

Pandemic-Related Tax Issues

  • The most obvious change in terms of taxes in 2020 was moving the filing date. From the IRS perspective, what was 2020 like for you?
  • Anytime there is a mass injection of money into the economy, there is fraud. The IRS played a crucial role in delivering the stimulus checks approved by Congress. What kind of response did you expect from criminals, and what did you see? 
  • We know there has been a massive amount of unemployment fraud, and that has had tax implications for victims. Explain why that is and what taxpayers should do if they suspect or know they are the victim of benefit fraud?
  • What should taxpayers do who get a 1099 form they were not expecting?
  • What about small businesses or entrepreneurs who may discover someone took out an SBA loan or other pandemic benefit in their name?

2021 Tax Issues

  • What should taxpayers do to prepare for 2021?
  • The IRS recently announced the expansion of Identity Protection PINs. That’s going to be a great tool for preventing fraud. Explain how that works and what taxpayers need to do to take advantage of the IP PIN program?

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast.

Learn More From the IRS

You can learn more about taking advantage of the IRS identity protection programs or reporting identity-related issues to the IRS at IRS.gov and clicking on the Identity Theft Protection link at the bottom of the home page.

Contact the ITRC

You can learn how to protect yourself from identity fraud, crimes and compromises – including the tax-related issues we discussed today, by visiting idtheftcenter.org, where you can also read more about the latest data breach trends.

If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit the website to get started.

The release of the 2020 ITRC Data Breach Report and launch of the ITRC’s data breach tracking tool supports the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices.

SAN DIEGO, January 13, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, announces its commitment to Data Privacy Day on January 28, 2021. The ITRC recognizes and supports the principle that all organizations share the responsibility of being conscientious stewards of personal information.

The ITRC will unveil the 15th annual edition of the ITRC Data Breach Report on January 28, 2021. One of the most widely quoted reports on data breach trends, the report will also explore the fundamental shifts underway in the root causes of identity-related crimes. The release of the 2020 ITRC Data Breach Report coincides with the launch of the ITRC’s new data breach tracking tool, notified™, to assist consumers and businesses in making informed decisions about with whom they do business. Landmark state privacy and security laws, like the California Privacy Rights Act, require businesses to ensure third-party vendors’ cybersecurity processes protect consumer information.

“The ITRC is honored to take part in Data Privacy Day 2021 and to bring awareness to the importance of people and businesses taking action to protect personal and company information,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “We want individuals to value protecting their own data and for businesses to keep people’s personal information safe. Likewise, our latest trend analysis shows that consumers have a big role to play in protecting their employer’s valuable business data and systems. It is critical that everyone take part in reducing the number of data compromises moving forward.”

Data Privacy Day is a global effort that generates awareness about the importance of privacy, highlights easy ways to protect personal information, and reminds organizations that privacy is good for business. This year, the focus is on encouraging individuals to “Own Your Privacy” by learning more about how to protect the valuable data that is online, and encouraging businesses to “Respect Privacy” by helping organizations keep individuals’ personal information safe while ensuring fair, relevant and legitimate data collection and processing practices.

According to a Pew Research Center study, 79 percent of U.S. adults report being concerned about how companies use their data. As technology evolves and the COVID-19 pandemic continues to influence how consumers interact with businesses online, data collection practices are becoming increasingly unavoidable, making it imperative that companies act responsibly.

“In recent years, we’ve seen the impact of more global awareness surrounding the abuse of consumer data, thanks to sweeping privacy measures like GDPR and CPRA,” said Kelvin Coleman, Executive Director for the National Cyber Security Alliance. “While legislative backing is key to reinforcing accountability for poor data privacy practices, one major goal of Data Privacy Day is to build awareness among businesses about the benefits of an ethical approach to data privacy measures separate from legal boundaries.”

For more information about Data Privacy Day 2021 and how to get involved, visit https://staysafeonline.org/data-privacy-day/.

For more information on the ITRC’s 2020 Data Breach Report, email media@idtheftcenter.org.

About the Identity Theft Resource Center®  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified™.

About Data Privacy Day

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. NCSA, the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness, leads the effort in North America each year. For more information, visit https://staysafeonline.org/data-privacy-day/.

About the National Cyber Security Alliance

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber; U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit https://staysafeonline.org.


  • The IRS and Treasury Department began distributing stimulus payments the last week of 2020. Direct Deposits, paper checks and debit cards will be sent out to some Americans throughout January. No action is required by anyone to receive their stimulus payment.  
  • Some Americans say they are missing their stimulus payment, while others claim their money was deposited into the wrong bank account. 
  • According to a notice shared with the Identity Theft Resource Center, Turbo Tax recently pointed to an Internal Revenue Service (IRS) error that led to millions of stimulus payments sent to the wrong bank accounts. Turbo Tax expects the issue to be resolved within days.  
  • The IRS says people should visit IRS.gov for the most current information on the second round of Economic Impact Payments rather than calling the agency or their financial institutions or tax software providers. 

Many Americans continue to wait for their stimulus payment, approved as part of the second stimulus package passed by Congress in December 2020. Others claim they are missing their stimulus payment because it was deposited into the wrong bank account. The Identity Theft Resource Center (ITRC) continues to receive calls and live-chats regarding missing stimulus payments. One person reported to the ITRC that they received a message from Turbo Tax claiming millions of stimulus payments were sent to the wrong bank accounts. 

The message goes on to say the IRS expects the issue will be resolved soon, and stimulus payments will be deposited into the correct bank accounts within days. The Detroit Free Press also reports some taxpayers believe their money is going into the wrong bank accounts. Others say checks are being mailed to them when they received a direct deposit during the first round of payments in April 2020.  

On January 4, the IRS issued a news release urging people to visit IRS.gov for the most current information on the second round of Economic Impact Payments rather than calling the agency or their financial institutions or tax software providers. The release says the IRS phone advisors do not have additional information beyond what’s available on IRS.gov.

On January 5, the IRS issued a second news release saying they updated the “Get My Payment” tool with information around the second round of stimulus payments. The Service acknowledged issues and errors with the “Get My Payment” tool, and they encouraged people to check back later. 

On January 8, the IRS acknowledged some payments may have gone into a temporary bank account established when people’s 2019 tax returns were filed, and they are taking immediate steps to redirect stimulus payments to the correct account for those affected.

The ITRC asks consumers to visit IRS.gov and to be patient throughout the process. We will update consumers if new information arises. Anyone concerned about a missing stimulus payment can also contact the ITRC toll-free either by phone (888.400.5530) or via live-chat. All people have to do is go to idtheftcenter.org to get started.  


  • A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 
https://soundcloud.com/idtheftcenter/the-weekly-breach-breakdown-podcast-by-itrc-second-verse-same-as-the-first-season-2-episode-1

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data and account passwords or PINs. An investigation is ongoing.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves’ Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice, State and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week, listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud, when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.

*Updated as of 1/5/2021

  • More stimulus payments are on the way. Scammers are aware, too, which means another round of stimulus payment-related scams.  
  • Remember, the Internal Revenue Service (IRS) will not text, email or call anyone about a stimulus payment. If someone receives an unsolicited message from someone claiming to be with the IRS, it is probably a scam. Consumers should contact the IRS directly to verify before they respond. 
  • Offers that require people to pay to receive a stimulus benefit or to use a service to get a payment faster are also signs of a stimulus payment scam. 
  • Consumers can track their new stimulus checks once they are sent. They can visit the IRS “Get My Payment” page to follow their payments.
  •  To learn more about stimulus payment scams, the new stimulus payment or if someone suspects they are the victim of a stimulus scam, they can contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat on the company website.  

New Stimulus Payments Approved by Lawmakers 

Lawmakers have agreed on a new stimulus package, which includes a $600 stimulus payment for anyone who earns $75,000 or less. There is also a reduced payment for anyone who makes $75,000-$99,000. New stimulus checks mean more scams are on the way. With more stimulus payment fraud expected, consumers should know how to spot a scam and what to do if an identity criminal contacts them.  

In the spring of 2020, the first batch of stimulus payments assisted Americans in need of financial relief due to the economic impacts of COVID-19. Criminals took advantage of the situation by offering to help benefit recipients speed access to their stimulus funds. Criminals stole checks from nursing home residents, out of people’s mailboxes, and even from postal trucks. The Identity Theft Resource Center (ITRC) has already seen some of those methods used to steal identity information and stimulus payments the second time around. The ITRC has also had a sharp rise in reported stolen stimulus payments and stimulus payment scam cases.

As of January 3, 2021, the Federal Trade Commission (FTC) had logged more than 298,000 consumer complaints related to COVID-19 and stimulus payments totaling more than $253 million in losses. Two-thirds of the complaints involved fraud or identity theft. The median fraud loss per person is $324.

Possible Stimulus Payment Scams 

Criminals have used different schemes to trick people, and they can be expected to do the same this time, too. Here are a few things for people to watch for that indicate that someone might be the target of a stimulus payment scam: 

  • Text messages and emails about stimulus payments – Criminals use text messages and emails to send malicious links in hopes that people will click on them to divulge personal information or insert malware onto someone’s device. If anyone receives a text message or email about a stimulus check or direct deposit with a link to click or a file to open, they should ignore it. It’s a scam because the IRS will not contact anyone unsolicited by text, email or phone to discuss a stimulus payment. 
  • Asked to verify financial information – The IRS will not call, text or email anyone to verify their information. If information needs to be confirmed, people will be directed to an IRS web page. This includes retirees who might not typically file a tax return.  
  • A fake check in the mail – Anyone who earns $75,000 or less will get $600 per dependent.  People who make between $75,000-$99,000 will receive a reduced amount. Anyone who gets a check and has questions about the amount, or thinks the check seems suspicious, should contact the IRS.  
  • Offers for faster payments – Any claim offering payment faster through a third party is a scam. All new stimulus checks will come from the IRS, and the IRS says there is no way to expedite a payment.
  • Pay to get a check – No one has to pay to receive a stimulus check. New stimulus checks will be deposited directly into the same banking account used for previous stimulus payments or the most recent tax refund. If the IRS does not have someone’s direct deposit information, a check will be mailed to the last known address on file at the IRS.
  • Stolen checks – The ITRC has received numerous complaints from consumers about their stimulus checks being stolen. If anyone believes their payment is stolen, they should visit IDTheft.gov, where they can report, “Someone filed a Federal tax return – or claimed an economic stimulus payment – using my information.”

What to Do If You’re a Victim of Stimulus Payment Scams 

 If anyone believes their information may have been compromised or their stimulus payment was stolen, the IRS suggests people report it to the IRS and FTC simultaneously through IdentityTheft.gov. If anyone wants to learn more about stimulus payment scams or if someone believes they are the victim of a stimulus payment scam, they may also contact the Identity Theft Resource Center toll-free. Consumers can call (888.400.5530) or live-chat on the website. People can go to www.idtheftcenter.org to get started.

  • Last week, FireEye, a cybersecurity provider, revealed their tools to detect and block sophisticated cyberattacks were stolen in a security breach. 
  • This week we learned attackers, believed to be affiliated with Russia’s state security service, infiltrated government agencies and potentially thousands of companies through a software update from IT management company SolarWinds that was issued months ago. 
  • So far, there is no indication that the nation-state attackers were after consumer information. These groups tend to be more interested in information they can use for intelligence or espionage.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast on SoundCloud. This week, on the last breach breakdown podcast of 2020, we look at the FireEye and SolarWinds hacks, which have shaken the cybersecurity community. 

Also available on Apple Podcasts and Spotify.

Data Breaches Down/Security Breaches Up 

2020 has been a difficult year for many. However, there have been some encouraging trends that the ITRC has talked about in previous breach breakdown podcast episodes. One of the most promising trends includes cybercriminals’ lack of interest in consumer information, resulting in a significant drop in data breaches and the number of people impacted by them.

Unfortunately, you can’t say the same of a companion crime, security breaches. One cannot have a mass data breach without also experiencing a cybersecurity failure. With that said, it is possible to have a security breach without impacting consumer data. That is what dominates the news as we wrap up 2020 – a massive security breach involving two leading technology companies: FireEye and SolarWinds. 

What You Need to Know About FireEye 

FireEye, a cybersecurity provider, supports large organizations worldwide with tools that detect and defend against cyberattacks. When there are attacks on companies and governments, FireEye often gets the call to figure out what happened and how it happened. 

What You Need to Know About SolarWinds 

SolarWinds, a software company, claims to help more than 33,000 companies, including virtually all Fortune 500 companies and every major agency in the U.S. government. SolarWinds’ software helps organizations with large, complex computer systems manage their networks and devices.  

FireEye and SolarWinds Hacked 

Last week, FireEye revealed their tools to detect and block sophisticated cyberattacks, the kind launched by governments, had been stolen due to a security breach. A few days later, the U.S. Treasury and Commerce Departments announced they were hacked. It was followed by announcements of hacks at the National Institutes of Health as well as the Departments of Homeland Security and State. 

This week, we learned that the security breaches were the result of threat actors believed to be affiliated with Russia’s state security service. The attackers infiltrated these government agencies and FireEye through a software update from SolarWinds that was issued months ago. SolarWinds believes as many as 18,000 customers may be affected by the malware inserted by the attackers into the SolarWinds update.  

What the FireEye and SolarWinds Hacks Mean for Consumers 

It is too early to tell what the FireEye and SolarWinds hacks mean for consumers. So far, there is no indication that the nation-state attackers were after consumer information. These groups tend to be interested in information that can be used for intelligence or espionage, not making money by stealing and selling consumer data.

There is another reason to believe consumer information may be safe from the FireEye and SolarWinds hacks. SolarWinds software does not access or manage consumer data. As ITRC Chief Operating Officer James Lee says in the podcast, think of SolarWinds as a traffic cop. They can tell people what businesses are on the street and how to get there, but they cannot take people there and open the door for them. 

With enough time and motivation, the attackers could have wandered around a SolarWinds customer’s networks to access some consumer information. However, experts don’t believe that happened on a mass scale. The ITRC will post more details if we find consumer information is involved.  

How We Know About the Attacks 

We know about this and other breaches because of laws and regulations that require organizations, even government agencies, to issue breach notices. Many of those rules do not set a specific timeline for when a notice must be given. That is about to change for banks governed by the Federal Deposit Insurance Corporation (FDIC).  

For the past 15 years, the FDIC rules only required that regulators be notified of a data or security breach within a reasonable period of time. This week, the FDIC approved a new regulation that sets the notification period at 36 hours whenever a security issue or system failure significantly impacts operations. That is stricter than the 72 hours required by the State of New York, the toughest notification law in the U.S. The FDIC rule only requires regulators to receive a notice. State laws still govern public notices.

notified™

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC   

If you believe you are the victim of an identity crime or data breach and need help figuring out what to do next, contact us. You can speak with an expert advisor at no cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started.

Twenty-three episodes from 2020 are in the books. We will be back in January to share more insights into data breaches and identity trends. Join us in 2021 on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.