Criminals have developed DNA test scams targeting victims to retrieve medical and sensitive information. DNA test kits have grown in both popularity and affordability in recent years. While not claiming to be foolproof or accurate, they can provide a glimpse into the genetic makeup of your family tree. There have been stories about these swab-at-home test kits providing more important information as well, such as the likelihood of certain medical issues.

Attorneys general in two states have already issued warnings about DNA test scams that steal the victims’ sensitive information. The caller claims to be from a testing agency and offers the victim a free DNA test kit if they meet specific criteria. In one victim’s case, the criteria was a family history of cancer. You would be hard-pressed to find an individual who does not have a relative who has had cancer, so of course, the victim instantly qualifies.

All they have to do to receive their free kit is answer some general questions and provide their medical coverage information. Some experts believe that DNA test scams may have grown out of the recent announcement that Medicare would cover the cost of genetic screening for cancer patients if the kit is an FDA-approved tool.

In some of the reports of these scams, individuals were actually going door to door and offering victims a free kit plus $20 in exchange for their medical coverage information. The kits are easy and cheap to replicate, as they only require some cotton swabs and a mailer envelope. Victims were easily fooled into thinking they were receiving real testing kits.

The best advice for avoiding DNA test scams is remembering that no one will ever call you and offer you something that is genuinely free. Whether it is medical services or anything else, the only reason to offer you anything is because the other person is getting something in return. In this scam, the victim’s sensitive data or medical identity is compromised. Remember to always speak with your physician about any potentially necessary tests, or contact your health coverage provider directly to see if there are services or treatments you can use that they cover. Otherwise, steer clear of anyone who wants access to your records or data.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Hackers are targeting vendors of companies for third-party data breach efforts. This trend rose in 2018, with over 4 million records exposed due to criminal efforts focused on vendor security.

Data breaches often occur at the hands, or keyboards, of hackers. Criminals can infiltrate insecure systems and steal personal data owned or stored by a company. The size of the company and the amount of personal identifying information (PII) it stores factor into the level of risk the breach presents for consumers. One of the more newsworthy data breaches of 2018 was Marriott International, which exposed the information of hundreds of millions of guests, including passport numbers. Hackers targeted Marriott because of the potential payoff of lots of lucrative PII, versus targeting many companies that might result in more – but smaller – payoffs. Now hackers are reevaluating their strategy and getting smarter about where they exert their efforts.

This new strategy comes in the form of targeting vendors for third-party data breaches. Instead of going after one large company’s data, they go after a vendor who works with multiple large companies and collects even more PII. Third-party vendors – like email servers, payment platforms and web plugins – often work with a multitude of companies ranging in purpose or product offered. Therefore, by compromising a third party’s security measures, a hacker gains access to even more PII from a wide variety of consumers.

This attack on third parties and subcontractors became a trend in 2018. In the third-party data breaches that were reported in 2018, 4,823,234 records were exposed, four times more than in 2017 third-party breaches. In 2019, eSentire (a cybersecurity firm) commissioned a study to determine how concerned companies are regarding vendor risk given the trend in data breaches.

According to the study, 81 percent of respondents said they had an effective third-party risk policy and 74 percent are confident in their vendors’ protections. However, only 35 percent said managing vendor risk was a priority and 20 percent said they trust vendors to uphold privacy standards blindly. The reality is that, of the respondents surveyed, 44 percent of them (or their employer) had experienced a data breach involving a vendor in the last 12 months. To make matters worse, only 15 percent were notified of the breach by the responsible vendor.

There is a clear disconnect between the effort put forth into managing vendor security and the amount of trust companies put in their vendors. Companies need to start evaluating vendor relationships and security practices more thoroughly to ensure the safety of consumers. On the opposite end, consumers need to remember that the safety of their data ultimately resides with them and take the utmost precautions with their personal information.

If you are a victim of a data breach, or have concerns over a recent data breach and your identity, Breach Clarity can help you identify your potential risk and suggest preventative steps. You can also contact ITRC for free assistance regarding your case. Speak with an expert advisor over the phone (888.400.5530) or through LiveChat.



A new report from the Federal Trade Commission found that tax return fraud actually declined recently, and Social Security scams stepped in to take their place. These scams can manifest in a few different ways, but all of them are intended to steal your money, your identity or both.


In one of the Social Security scams circulating, a caller claiming to be from the Social Security Administration informs you that there has been suspicious identity theft activity involving your SSN. You are urged to purchase a prepaid debit card, iTunes gift card or other reloadable funds card and transfer all of your money out of your bank accounts and onto that card. This is supposed to keep those dangerous hackers from getting your money. The agent calls back later to confirm that you have done it, and then tells you the Social Security Administration will record the card’s account number and PIN number in your file, supposedly to protect your money in case something happens to that card. Once you read the card number and the PIN number to the fake agent, they will drain the funds off the card and you will now be completely broke.

The more common of the Social Security scams is to call a potential victim and claim that their SSN has been suspended. This scam has actually been at work for some time, but there has recently been a renewed number of victim reports. In this Social Security scam, a fake agent tells you that your number has been suspended due to possible identity theft, meaning you will no longer receive benefits and it can no longer be used for health care or other benefits. You are required to confirm your SSN and some other sensitive personal information for the agent in order to reinstate your SSN. After you confirm your personal identifying information, the fake agent steals your identity and uses it for a variety of malicious activities, including opening new lines of credit and claiming your benefits.

In order to protect yourself, you must adopt one ridiculously easy habit: never believe what you hear over the phone. It is far too easy to scam people via phone, and thanks to simple tools that anyone can acquire, the scammer can even change their phone number on your caller ID in order to look legitimate. Therefore, it is vital that you ignore any warning or request from anyone who calls you—and the same is true for emails, social media messages or texts. If there is a genuine problem with your account or your information, you can always contact the organization, agency, or business directly to put the matter to rest.



Whenever consumers learn about another data breach, they might envision a team of highly-skilled tech operatives working away at fancy computers in a darkened, windowless shop. That kind of scenario might happen, but the reality is that many data breaches are pulled off by an individual working off a laptop in a coffee shop. It is also a possibility that the breach occurred completely by mistake – like when someone forgets to password-protect a server that stores millions of records.

These kinds of accidental data breaches have made headlines in recent months. Truthfully, some are discovered by the good guys who then report them to the companies at fault. The security flaws are fixed and the notification letters get sent out if necessary, all of which happens hopefully before anyone has had a chance to discover the exposed data and use it maliciously.

Even if so-called good guys discover the problem, your information was out there for the taking. It is not always a matter of your username and password; sometimes much more personal information is available. That was the case in the Meditab Software Inc. breach that happened in the first quarter of 2019, where entire medical histories and prescriptions were exposed.

In this chilling situation, the California-based medical software developer Meditab left a feature unprotected in one of its tools. Meditab claims to be one of the world’s leading providers of medical record-keeping software, and it also provides fax capabilities through its partner company, MedPharm. The company was storing patient records on an unprotected server, which meant that any time MedPharm handled the faxing of a patient’s medical records, anyone with internet access could have seen it if they knew where to look.

Fortunately, those good guys discovered this one. A Dubai-based cybersecurity firm named SpiderSilk found that Meditab’s unsecured database included names, addresses, some Social Security numbers, medical histories, doctors’ notes, prescriptions, health insurance data and more. Patients affected ranged in age from early childhood to mature adults.

This kind of violation is a very serious matter under the laws surrounding HIPAA privacy, and the US government has a solid record of going after entities that store information and do not protect it adequately. If the breach was accidental and even if there is no proof that anyone used the information for harm, there are still very heavy fines and penalties for failing to store it securely.

Unfortunately, there are not a lot of actionable steps that individual patients can take in cases like this one. You can, however, ask the hard questions before the event occurs: how will my information be stored, who can access it, what company hosts your electronic database, what are you prepared to do if there is a data breach? Also, remember that there is often no need to share your most sensitive information when filling out basic medical forms; feel free to ask the person requesting it why it is needed.

Medical identity theft is a serious matter, and of all the types of identity-related crimes, this one can potentially have physical consequences for the patient if a thief uses their medical history. It is important to safeguard your medical records as much as possible, and to make your healthcare provider aware if there are any past medical identity theft issues with your personally identifiable information that could impact your care.



If you have not filed your tax return yet, the deadline is looming. If you have filed already, you are probably still very aware of the date as you anxiously await your return. Whether you have filed or not, there is a good chance you have encountered one or two tax scams this year or in previous years. Many scammers take advantage of the lack of knowledge and fear that comes with the April 15th tax day. While there may be fewer calls from shady people demanding your tax information after the 15th passes, that only means that tax scams will take on a new look and scammers will adapt.

First, remember that not everyone will file by the April 15th deadline. Whether due to late activity or previously-approved extensions, a significant number of consumers will mail or e-send those returns in after the date. Scammers know this, and therefore, have no intention of cutting off their activity. It is important to be on the lookout even after the deadline has passed and after you have filed your return.

Of course, extensions or late filing only apply to some people. If you have already filed but a caller tells you that your return was never received, you can probably have a good laugh and hang up the phone. Why? Because the IRS does NOT call you, but rather sends letters through the postal service instead (if you have not received any confirmation that your postal return was received, you might check in with the IRS to be safe, but they still will not call you).

What if the caller has a different story? What if someone posing as an IRS agent tells you that your return had an error, or that they suspect you have been the victim of identity theft since someone else sent in a return in your name? Those scenarios can be very frightening, and that means these tax scams are a lot harder to ignore.

First of all, the same rule from above still applies: the IRS will not call you, even for something as serious as those situations. You will receive a mailed letter if there is an issue, and this letter will provide you with the information you need to take your next steps. Even if your caller ID says “IRS,” you should be very careful since it is most likely a scam.

Next, it is important to develop a good habit of safeguarding your information, no matter who calls or why they claim to need it. If you are ever asked to verify your identity by providing anything more sensitive than your name or home address, do not comply. Instead, take down the caller’s information and contact their company or agency yourself using a verified contact method.

Also, if you are ever told you failed to pay your taxes correctly or owe a penalty, you will never be required to make an immediate payment over the phone (see previous mentions of phone calls). You will have time to look into the matter and take appropriate action. This is very important: you cannot pay with an iTunes or other gift cards, no matter what the scammer tells you. You will also never be required to use an untraceable method like a prepaid debit card or wire transfer. Your own check, a money order, or a cashier’s check are all valid forms of payment.

Finally, tax scams rely on the fear factor of messing up where the IRS is concerned, but do not fall for this scare tactic. The burden of proof has been on the IRS’ shoulders for quite some time, not on the individual taxpayer. Do not be frightened into handing over your money or your identity to a thief.



As if a devastating natural disaster was not disruptive enough to people’s safety, homes, and finances, a new threat has emerged – one that was caused by the very people tasked with supporting the victims of natural disasters and other emergencies. The Federal Emergency Management Agency (FEMA) shared documents with a third-party contractor that contained highly sensitive information, some of which was a direct violation of current regulations for FEMA to share.

The current industry term for this kind of data breach event is an accidental overexposure, meaning no harmful intent was behind it and there is no indication of damage from the information falling into the wrong hands. Still, the FEMA data breach gave the potential for someone who was not authorized to access the information and use it for identity theft and fraud.

In this case, an internal audit found that FEMA’s documents included things like the victims’ names, addresses, and the names of their financial institutions. Some information also included victims’ electronic transfer numbers for moving funds and their bank transit numbers. Sharing this information seems to have been an oversight on FEMA’s part, and a statement about the incident said that FEMA is taking aggressive action to correct the error.

The name of the contractor in this incident has been redacted, but it is a company with direct ties to victim services. The company helps disaster victims find hotel accommodations that are covered under FEMA funding and therefore did need certain pieces of personally identifiable information on the victims it is helping. Impacted victims from the FEMA data breach include those from Hurricanes Irma, Harvey and Maria, as well as the California wildfires in 2017.

Any time consumers’ personally identifiable information is exposed, compromised or attacked, the likelihood of identity theft-related crimes can go up. The Identity Theft Resource Center has partnered with Futurion to create Breach Clarity, an interactive tool that assigns a risk score to different data breach events. It also outlines in easy-to-understand terms the actionable steps that experts recommend for every breach, from something as simple as changing your password to more involved security measures like a credit freeze.



A recently announced restaurant data breach relied on a fairly old form of attack—retail point of sale systems—but thanks to the interconnected nature of several different companies within the single brand, there could potentially be a lot of victims. Earl Enterprises, which owns numerous restaurants around the US and in locations like Disney Springs, discovered their system had been compromised after malware was detected on their restaurants’ point of sale systems, or payment card “swipers.”

Anyone who dined at any of Earl Enterprises’ six specific brand locations between May 28, 2018 and March 19, 2019 may have had their payment card information stolen. The restaurants include Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. The investigation of the incident does not show that other restaurants owned by the company were affected.

The investigation is still ongoing, and Earl Enterprises has brought in two different cybersecurity firms to uncover what went wrong and how far the restaurant data breach may have spread. They are also working with the state and federal governments on the matter. Just to be safe, though, they recommend that their customers request a free credit check to look for any suspicious activity. You can also request a free credit freeze from each of the three major credit reporting agencies: Experian, TransUnion and Equifax.

There is another very useful tool for consumers that can prove vitally helpful following the announcement of any data breach. Breach Clarity, which recently won the Identity Startup Pitch Competition at the KNOW 2019 Conference, is an interactive database of breach activity. By searching for the name of a company, you can see a threat-score of how serious the event may be, as well as a list of actionable steps you should take if your information may have been compromised as a result.



What is on your agenda for today? Go ahead and pencil in changing your Facebook passwords. This item does not need to be near the very top of the list, but it is certainly a good idea to put it on there and follow through.

According to a report by KrebsOnSecurity and a follow-up announcement from the company, hundreds of millions of Facebook passwords were left accidentally unencrypted. If you are not already aware of what that means for individual users, do not worry; there is no evidence that anyone got your password. It just means that those passwords were “visible” in plain-text to anyone who was able to access the servers, which could include hackers—although there is no evidence of that—but certainly included numerous employees of the company.

In fact, Facebook seems to have traced the security issue back to a project that centered on employee-created tools, apps, and features. Once the employees accessed the usernames and passwords for their work, those passwords were often stored in plain-text. Some of these employee-created copies of the login credentials—especially the passwords—go back as far as 2012.

Facebook has not released information on how many user accounts were visible or how many employees had access to the information, but KrebsOnSecurity has details that put the number of employees at around 2,000—and those employees made approximately 9,000 separate data inquiries into millions of users’ login credentials.

This issue does not fall under data breach notification laws or protections, and Facebook is not recommending or forcing a password reset at this time. However, the social media site will inform users whose information was left potentially exposed, which is why it is important for the users themselves to be proactive about changing their Facebook passwords. There is no way of knowing if anyone other than the authorized employee accessed their information, and also no reason to assume that a company employee could not be the one to maliciously use or sell a large database of credentials.

“Password hygiene” has gotten a lot of attention in recent years, largely due to incidents like this one. If you secure all of your accounts with a strong password that you do not use anywhere else and that you change routinely, announcements like this one probably will not even be a cause for concern. However, if you use an easily guessed password, reuse your passwords on multiple accounts, and keep the same password for years, your risk of harm from a data breach is much greater.

Remember, to keep your online accounts protected:

  • Use a strong password that contains a long string of characters—eight to twelve letters, numbers, and symbols
  • Only use your password on one account
  • Update your passwords routinely, especially on sensitive accounts like email, social media, and financial sites


In fact, of the 1,255 total data breaches recorded by the Identity Theft Resource Center in 2018, 150 were because of the mismanagement of information by employees tasked with protecting it. That means 12% of the data breaches were the direct result of mistakes in handling sensitive information, leading to 1,131,288 records exposed and potentially costly consequences for the companies involved.

April is Records and Information Management Month, and while it might not conjure up holiday-themed festive images the same way Christmas does, it is a great reminder that your information and your identity are only as safe as the people who have their hands on it.

What does it mean to mishandle information? There are numerous ways that information can accidentally fall into the wrong hands. It may be losing a flash drive or laptop with customer records on it, the theft of company hardware like laptops or even servers, reusing a weak password that lets hackers easily break into a system or failing to password protect a database of records in the first place. In other cases, the exposure resulted from improper disposal of sensitive information, such as throwing paper records in an unsecured garbage dumpster instead of shredding. In many cases, employees may fall for phishing attempts or respond to requests that appear to come from someone within the company but are actually sent by malicious imposters.

In order to protect all of the sensitive information that businesses gather and store, it is important to understand how to secure it and what can happen if it is compromised. It often starts with a solid company-wide computer use policy that outlines exactly how things like password security, email responses and data access are supposed to be enforced. Helping every employee understand the ramifications of mishandling information is important, too. Finally, a good “delete” housekeeping from time to time to permanently destroy any outdated stored records can thwart a lot of security problems before they arise.



No matter where your spring break plans have taken you, it is important to remember that the security practices you use while at home are even more important when you are on the road. Also, those same good habits that protect you while traveling are just as crucial when you are relaxing at home.

Booking Your Trip and Hotel

No matter when you plan to go, finding affordable travel arrangements can be a minefield of potential scams and fraud. Do not be swayed by flashy sidebar ads or “act now” special offers, as these are rarely a good deal and can lead to identity theft. Of course, old-fashioned scams like bait-and-switch schemes in which your condo does not actually exist or your reservation is not real are still a major threat.

Check Your Tech

Your technology can leave you very vulnerable during an out-of-town getaway. From connecting over unsecured public Wi-Fi to having your device stolen and infiltrated, there are a lot of ways that malicious actors can get their hands on your sensitive information. Make sure you turn off the Wi-Fi on your mobile devices when you do not need it, only go online over a secured, password protected connection and make sure you have passcode protected your phone or tablet. When you are not using your important apps like email and social media, it is a good idea to log out of those too.

Bring the Receipts

Make sure you hang onto receipts while you are out of town. First, it will help you stay money-aware and avoid overspending if you keep tabs each day on how much you have spent. More importantly, you will have paper proof to compare to your bank or credit card statement when you get home. If anyone has copied your card and used your information, you will know at a glance.

Activate Alerts from Your Bank

By taking advantage of security tools offered by your financial institution, you can be informed the second any unusual activity occurs with your cards or your account. Card Not Present alerts, for example, will text or email you the moment someone uses your card number online. Some banks will even call if a physical card transaction occurs in a location too far outside your billing zip code. These can help you take immediate action against theft and fraud.

Old School Understanding

Remember, depending on where you travel there are a lot of scams that have been around for decades. You do not want to take extreme action to protect your identity, then fall for something as simple as a common pickpocket. Stay on top of the kinds of threats you are likely to encounter so you can avoid them.

The most important security step you can take happens when you get home. That is the time to post any photos and videos online—not while you are still away—but it is also the time to take inventory of your financial accounts and your identity. It cannot hurt to order one of your three free annual credit reports a few weeks after your trip is over, just to look for suspicious activity. If you begin receiving a higher volume of scam calls and emails, that may also be a sign that something has happened to your security. Check out the available tools to monitor your identity and reach out to the Identity Theft Resource Center for help if necessary.  

