A Walgreens data exposure from the company’s mobile app exposed the information of 6,681 customers according to HIPAA Journal. This latest hack is an example of another way your data can be leaked.

Mobile apps are currently one of the retailers’ best tools for engaging customers, developing a loyal following and increasing sales. With these handy smartphone downloads, customers are more likely to return to that place of business and take advantage of special offers that can save them money. Retail apps in certain industries like health and fitness can even make a positive impact on users’ well-being.

The Walgreens pharmacy app, which has had tens of millions of downloads, makes it easy for customers to order their refills, check up on their prescriptions and much more. Unfortunately, a “bug” in the app’s code leaked personal messages that could have contained names, prescription information and some customers’ shipping addresses for app-based orders.

The sample data breach notification letter that Walgreens filed with the state of California stated that the company itself discovered the error in the app. Fortunately, that means the Walgreens data exposure might have been discovered before anyone could use the disclosed information or messages for harm. Walgreens has not issued any examples of what kind of harm could come from the Walgreens data exposure, but they have told patients to monitor their Walgreens accounts and keep tabs on their prescriptions.

It is worth noting that no financial information or permanent identifying information (like Social Security numbers) was exposed as part of the Walgreens data exposure. Also, no health insurance information was compromised. Because of that, no one has to worry about someone ordering prescriptions in a customer’s name.

While this might seem like a minor form of a data breach, it should still serve as a reminder that all of the information we choose to share online or in the cloud could be accessed by someone with the right know-how, or by a faulty piece of code in an app or website. It also highlights the fact that using some of this technology means placing trust in others’ ability to protect that information. If you do not feel confident in how your data will be stored or what information about you will be collected, think twice about downloading or using that technology.


You might also like…

A new PayPal phishing scam is making the rounds that are hard to spot, which emphasizes the importance of using an abundance of caution when you receive a message you are not expecting.

Phishing scams work by tricking people into clicking a link, opening an attachment or redirecting to a website. From there, the scammers might install harmful software on your computer, infect your entire network with a virus, steal your login credentials or other similar tactics. Some phishing scams are much simpler, though, like the infamous Nigerian prince emails that trick people into sending money or paying a fee.

There are two different kinds of phishing scams. Some of them, like the ones that claim the sender needs help getting hundreds of millions of dollars out of the country, can be somewhat unrealistic and filled with grammar errors.

The other kind is more sophisticated. They might contain cut-and-paste corporate logos, copied wording from a real company communication, perhaps a copycat address that could fool savvy consumers. Those phishing attempts are trying to convince the recipient that there is something legitimately wrong with their account, their tax return or some other plausible situation.

A new PayPal phishing scam that pretends to be from PayPal is a good example. This message has a very friendly tone, correct spelling and grammar and even has the company’s image in the message. It informs the recipient that PayPal was unable to process their refund of a high-dollar value amount and to please go to Member Support for assistance. As part of the PayPal phishing scam, the handy link is even provided in the message.

Since the recipient does not remember sending or refunding hundreds of dollars, they might click the link to find out what is going on. That is when the scammers have redirected them to a different site where the consumer will type their login credentials—while the scammers steal that information—and see that it was all a big mistake and nothing is wrong. It is also possible that clicking the link will instead install malicious software like a virus on the user’s computer.

In any event, the same advice as always applies: never click a link, open an attachment, download a file or follow through with any instructions in a message that you were not specifically expecting.

Instead, ignore the message. Simply contact the company yourself using a verified contact method that you looked up, not one that may have been provided in the message (it could lead you right back to the scammers). Once you go to your account or contact customer service, you will discover that everything is fine. On the off chance there really is a problem with your account, you will also be able to fix it right then. The Identity Theft Resource Center is here to help if you believe you are a victim of the new PayPal phishing scam. Call one of our advisors’ toll-free at 888.400.5530. You can also live chat with an advisor. They will walk you through the next steps you need to take.


You might also like…

It seems like there is no end to the ways that hackers can attempt to attack victims. From the loss of funds, lost time from work to handle the matter, even a lost sense of safety and security as reported by victims in the ITRC’s Aftermath report, it can feel like one crisis pops up after another. One victim had to seek help over a whole new kind of identity theft attempt, that being income tax documents from a phone fraud attack that, fortunately, was unsuccessful.

A man in Florida received a phone call that someone had used his identifying information to buy two cell phones at a nationally-known cellular store and racked up a $2,399 debt. He spoke with an agent from the company, explained that he was not the customer—nor did he even have any accounts with that company—and they worked together to resolve the issue. Since identity theft is a widespread and well-documented problem, he thought the phone fraud matter was put to rest.

However, the man then began receiving letters about the two phones and their unpaid bills. He called the company again to explain that this was a case of identity theft. Finally, things came to a head when the man received the most unexpected and unwelcomed surprise: a 1099-C form that he was supposed to include in his income tax filing, claiming the cancelled debt from the fraudulent purchase of the phones as considered income.

How can that be? Easy. Companies can file your unpaid debt with the government as extra income you received. After all, if you owe money to a business but do not pay, you essentially kept that money and therefore it amounts to additional income. The issue is that filing a 1099-C is saying “Yes, this debt is mine and I’m being forgiven” when in reality, this is a case of account fraud and the individual should not have to have the debt reflected on their credit reports for the long-term.

“It’s almost like you’re guilty until you can prove you’re innocent,” said the victim.

What’s so strange in this account fraud case is that it was actually the cellular provider who first contacted the man and said they suspected phone fraud. They were the ones to spot suspicious activity and decided it warranted another look for account fraud. Yet after confirming several times that he was not the one who purchased the phones, they sent him the document for him to claim responsibility.

The identity theft victim eventually reached out to a local news station for help after getting nowhere in resolving the phone fraud case. By shining a larger light on it, a reporter was able to speak with a company representative who said the issue would be corrected by dismissing the case and letting the credit agencies know so that the victim’s credit reports are not impacted.

This event goes to show that there is no such thing as being “safe” from identity theft concerns and that even an old incident can have lasting repercussions. It is also proof that account fraud can happen in many different ways.

Unfortunately, it often falls to the victims to advocate for themselves and make sure that all incidents are handled fully. That is why it is important to keep good records of everyone you have spoken with about an incident, note the dates the conversations took place, keep copies of any documents that you have that can provide a paper trail and even file a police report when you know your identity has been stolen. Try using our free ID Theft Help Case log where you can document the steps you’ve had to take in resolving your account fraud and export to a PDF document.

If you believe you have been a victim of account fraud, or identity theft in general, reach out to the Identity Theft Resource Center for free assistance at 888.400.5530. You can also live chat with us. Our expert advisors will help you create an action plan for your case and point you to who you need to contact and what you need to say.

For on-the-go identity assistance, check out the free ID Theft Help App from ITRC: https://www.idtheftcenter.org/itrcapp/


You might also like…

With graduation just around the corner and college plans already taking shape for a lot of students, this is the time of year when students put in a lot of work in finding sources of financial aid. However, scammers are working just as hard in order to take advantage of students who are trying to spend wisely for higher education with student loan scams. Here are just a few of the ways scammers can put a very expensive damper on your plans.

Scholarship “Finders”

For a hefty fee and access to all of your sensitive information, some notorious sites will claim to seek out scholarships that you are eligible for. The problem is that you still have to do the work of applying for them. So, all this company did was take your money, input your information into a large search database—one that the public can also access for themselves—and send you the results. They literally got paid to do what you could have done for free, only they were hoping you did not know that. This is a classic student loan scam.

“Guaranteed” Acceptance Aid

Any form of financial aid that tells you it is guaranteed is probably a scam. After all, there are a lot of factors at play when it comes to approving requests for financial aid. Your FAFSA form is your first step in filing for financial aid, so start there at FAFSA.gov.

High-Pressure Pitches

Yes, our country is stronger when its young people can access the kinds of educational and work opportunities they desire. However, any company that contacts you relentlessly—whether by email, phone, text or social media ad—has another interest in mind, and that is getting money from you. To avoid a student loan scam, stay away from any website, platform or company that goes with high-pressure, act-now sales pitches.

Loan Erasure Scams

While student loan debt can be a burden for a lot of people, scammers are making it a lot worse. By claiming to offer services that “erase” or forgive your student loans—which are nothing more than government programs that anyone can apply for on their own—scammers take your money in the form of application fees and steal your identifying information. Then they leave you with just as much debt as you had before.

When it comes to student loan scams, a good rule of thumb is to be very wary of anyone who wants your personally identifiable information or who insists on upfront fees. If you do a little bit of homework, you might discover that the company is charging you money for nothing in return. Stay safe this student loan scam season by not falling for the scammer’s tricks.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…

Medical data breaches can be some of the most damaging breaches because of the types of personal information that hospitals collect. Combine that with the sensitivity of a child’s personal information and there is a potential for child identity theft – medical and financial. San Diego’s Rady Children’s Hospital is just the latest hospital to suffer a data breach. While the Rady Children’s Hospital data breach did not include Social Security numbers, credit card numbers, radiology images, radiology reports or diagnosis, it did include patient names, gender, and in some instances, dates of birth, medical record numbers, parent/guardian names, descriptions of imaging studies and the names of referring physicians.

The hospital learned of the potential incident on January 3, 2020. After an investigation, it was determined that patient names, gender and date and type imaging studies were accessed without authorization through an internet port between June 20, 2019 and January 3, 2020.

The hospital is notifying the 2,360 patients whose information may have been exposed in the Rady Children’s Hospital data breach and providing them with the steps they can take to protect their personal information. In a press release, the hospital states that any patient or legal guardian who receives a letter should review the steps that are outlined in the letter to protect their personal information. The hospital has also provided a toll-free number for people to call who might have questions about the incident (844.902.2025.)

The Rady Children’s Hospital data breach is an example of how thieves might get the personal information of children. However, there are things that the parents can do to reduce their child’s likelihood of falling victim to identity theft following this data breach.

Some red flags of medical identity theft could include:

  • Calls from collection agencies regarding bills or credit cards in your child’s name
  • Your child is denied government assistance or medical insurance because income or benefits have already been assigned to the child’s Social Security number
  • Receiving a medical bill in your child’s name for treatments/services they never received

Keep a close eye on any accounts that may come up in your child’s name. It is recommended to check your child’s credit report because children should not have a credit report in the first place. If one is discovered, parents/legal guardians need to consider placing a freeze on their account and disputing any suspicious activity. Additionally, because of the types of data available in the breach, the potential of a longtail impact to minors is a very real threat. With key information like parents’ name and date of birth, there could be potential risks for children well after the incident is resolved.

If you believe your child may have been the victim of identity theft or their/your information was exposed from the Rady Children’s Hospital data breach, you can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with one of our advisors. You can also live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


With the REAL ID deadline approaching in October, it is time to determine if you should replace your current government- issued ID, as well as be aware of any scams that may pop around near the time of the change.

What is a REAL ID?

Fifteen years ago, Congress passed the REAL ID Act, which set a uniform standard for how individual states issue driver’s licenses and state IDs. Prior to the 9/11 attacks, each state determined the requirements on how to prove your identity and address when applying for identity documents. Once the ID was issued, it was automatically valid in all other states. Because the 9/11 hijackers used legal, state-issued IDs in their attacks, the federal government created guidelines to standardize the credentials required to travel by air or enter federal government buildings.

After numerous delays in the 15 years since the law was enacted, U.S. residents must now decide if they need a REAL ID or to keep their current state-government issues ID.

What To Consider

It’s important to consider your circumstances and if you truly need a REAL ID. If you are planning to travel domestically by commercial airline within the United States, you will need the enhanced ID. However, if you are NOT planning to travel within the U.S. by air or enter a federal government building, then your regular state identification card or Driver’s License is still valid. If your license is valid—whether it is a REAL ID or not—you will still be able to use it as a form of identification for activities like writing a check.

Important Steps

There are some important steps in order to obtain a REAL ID in your state, as well as specific documents you must have. Be sure to check with your state’s DMV or state police website in order to find out what you must bring with you. According to the Department of Homeland Security’s Frequently Asked Questions (FAQs), “At a minimum, you must provide documentation showing:  1) Full Legal Name; 2) Date of Birth; 3) Social Security Number; 4) Two Proofs of Address of Principal Residence; and 5) Lawful Status.”

For example, to apply for the REAL ID card in California, you need to present one identity document that includes your date of birth and true full name. That could include:

  • Valid, unexpired U.S. passport or passport card
  • Original or Certified copy of U.S birth certificate (issued by a city, county or state vital statistics office). “Abbreviated” or “Abstract” certificates are NOT accepted
  • U.S. Certificate of Birth Abroad or Consular Report of Birth Abroad of U.S. Citizen
  • Unexpired foreign passport with valid U.S. Visa and approved I-94 form
  • Certified copy of birth certificate from a U.S. Territory
  • Certificate of Naturalization or Certificate of U.S. Citizenship
  • Valid, unexpired Permanent Resident Card
  • Valid, unexpired Employment Authorization Document (EAD) Card (I-766) or valid/expired EAD Card with Notice of Action (I-797 C)
  • Valid/expired Permanent Resident Card with Notice of Action (I-797 C) or Approval Notice (I-797)
  • Unexpired foreign passport stamped “Processed for I-551”
  • Documents reflecting TPS benefit eligibility

Potential Scams

With any change in government processes, scammers will try to take advantage. Be on your guard against fraud and hoaxes with the REAL ID deadline approaching.

For example, you cannot upgrade your license or ID over the phone, you will not be required to pay a fee or fine for not having a REAL ID and you will never be asked for the information on your license.

You will not receive a fine from the police for driving with a license that is not a REAL ID as long as it is valid. Also, you cannot be turned away at a polling place if you are a registered voter.

When in doubt, simply reach out to your local agency that issues REAL IDs for more information.

Data Storage & Protection

Once you are done with the process of applying for your REAL ID, don’t forget about data storage and protection. Important papers like your W-2 form, Social Security Administration card and other documents (even your devices) should never be unattended, even in a locked vehicle. Once you get home, it is also important to lock up your documents in a safe place to keep people—even people you thought you could trust—from accessing it. This could be a locked filing cabinet or firebox.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…

A Department of Defense data breach has exposed the complete identities of potentially multiple high-ranking individuals, emphasizing the importance of businesses increasing their security protocols, and consumers monitoring and freezing their credit reports.

 When hackers break into a computer network, there are varying degrees of harm they can cause depending on what they are able to access. If they are able to install ransomware on the network and lock up the entire system, they might expect a handsome payoff. If they steal a database of customers’ names and emails, they might sell that information to spammers or use it for phishing attacks. However, when hackers manage to get complete identities—meaning names, birthdates, Social Security numbers and more—the possibilities are endless.

Considered a “Holy Grail” of identity theft, a complete record lets the hackers open new lines of credit, submit fraudulent tax returns, apply for government benefits or buy a house. And that is just in the short-term. They can continue using that identity potentially forever, and they can even sell it to other criminals who will do the same thing. The end result can be a never-ending spiral of ongoing identity theft.

Unfortunately, a 2019 Department of Defense data breach has exposed the complete identities of an undisclosed number of people. The real concern is the specific agency in question: the Defense Information Systems Agency, or DISA, which handles IT support and all secure communications for the President, the Vice President and the Secret Service, just to name a few.

The group within the government that is tasked with protecting top-secret communications was infiltrated by hackers, and there is no word yet as to who it was and how much information they accessed. While DISA works on tightening its security protocols and systems, the individuals impacted by the Department of Defense data breach were issued a notification letter of the breach. The usual steps, like free credit monitoring for one year, are in place for those victims. In the meantime, this serves as yet another reminder that we all must be diligent about monitoring our credit reports, placing freezes on our credit reports if we do not need to use our credit soon, keeping our passwords up-to-date and other similar steps.

You might also like…

Last summer, MGM Resorts disclosed an MGM data breach that affected around 10 million guests of the hotel company, including some fairly high-profile clients. The data, which included names, addresses, phone numbers and email addresses appears to have not included sensitive things like payment card information or Social Security numbers. However, that does not mean the information is useless, and it certainly has not stopped hackers from posting the stolen data for sale on the Dark Web.

There are a few different reasons why hackers might target a company or website. They might want to steal information, such as in the case of the MGM data breach, or install malicious software on the company’s servers. They might simply want the “credibility” of breaking into a secure site and bragging about it later, or even the ability to protect the public, as in the case of “white hat hackers” who infiltrate a company in order to show them their own defense weaknesses.

In the case of the MGM data breach, the goal seems to have been profit. The database of information—which included records that claim to belong to Justin Bieber, Twitter CEO Jack Dorsey, U.S. government officials and even a Secret Service agent—has now been discovered for sale online.

What can criminals do with this stolen information once they buy it from the hackers? After all, it does not contain any permanent identifiers or financial account records.

The end goal for this kind of sale is to grab up the email accounts and use them for targeted spam. It could be the annoying kind of spam that floods your inbox with ludicrous consumer offers, but it could also be the dangerous kind. For example, if the hacker wants to infiltrate a government computer, they might send an email with an embedded virus to a former guest with a .gov email address. In order to get the recipient to click the link, the email just has to look like it came from MGM Resorts—or another company the person does business with—and offer some plausible reason why the recipient should open the file.

From there, the malicious software, virus or even ransomware can be installed on the victim’s computer, and then the senders can move forward with whatever plan they intend.

In order to protect yourself from this kind of attack, there are some things you can do to be more proactive. No one can prevent every cyberattack, of course, but you can at least try to slow the bad guys down.

  1. Throwaway email account – Establish an email account that you use specifically for things like booking travel, online shopping or even signing up for gaming apps. There is no reason to use your work email or “official” email for those kinds of activities.
  2. Develop good habits – Never click a link, open an attachment or download a file that you were not specifically expecting. Even if it looks like it comes from someone you know or a company you do business with, it could be spoofed and therefore could be harmful.
  3. Stay up to date on data breaches – Any time there is a data breach and you are informed that your information may have been compromised, that should serve as another reminder that a wave of spam or fake emails is coming your way. Be on the lookout for anything unusual and stay away from those embedded dangers.

For more information on data breaches like the MGM data breach and what they could mean to you, go to idtheftcenter.org and check out the free Breach Clarity tool that helps consumers understand their risks and take the proper steps to protect their identity.

You might also like…

There are more remote workers now than ever, either as telecommuting employees or freelancers. At the same time, more businesses than ever before are relying on these hard-working individuals to keep their companies in operation. The end result is people who don’t work in your building—or even live in your city—and who have never laid eyes on the boss may be the best line of defense when it comes to protecting your business from cybercrimes.

These remote workers can turn out to be the weakest link in the business cybersecurity chain. With their access to company servers, their connection via email to the onsite employees’ network and the fact that they are typically utilizing their own technology—whether it is virus-protected or not—these outsiders could be the avenue that savvy hackers use to deploy their malicious tactics.

Going through an outside source is nothing new for hackers. In fact, the infamous Black Friday breach of Target’s payment card system in 2013 happened because hackers sent a phishing email to a small HVAC repair company. This company had the contract to work on a number of Target locations in its area, and as such, had been connected to Target’s computer network. When hackers tricked an employee of the HVAC company into downloading malicious software on the smaller company’s network, they were able to infiltrate all of the POS systems for Target on the biggest shopping day of the year.

How can a company know that its outside freelancers or remote workers are not falling for phishing attacks? How will they know if those employees’ personally-owned computers and devices are password protected and have antivirus software installed? Without a system of checks in place, businesses are leaving a lot up to chance.

There are a lot of other hidden pitfalls these remote workers and companies face, as shown here, but fortunately, many of the same preventive measures that protect individuals can also protect businesses. Here are some tips on the employee’s end that can reduce the risk of a breach:

  • Locking down your Wi-Fi and your accounts with strong, unique passwords is crucial, and regularly changing your passwords is a good idea
  • Enabling two-factor authentication is a good idea too, as it can keep hackers out of a lost or stolen smartphone or laptop
  • Be sure that antivirus software is installed and up-to-date at all times, and consider using a VPN to hide your information when you are working online

For businesses and employees alike, the most important steps to take involve learning to spot the signs of suspicious activity. Know how to recognize a phishing email, and know what the proper steps are to avoid becoming a victim of a phishing attack. Make it a policy and all-around good habit to never click on a link, open an attachment or download a file that you were not specifically expecting. Create a workspace that rewards employees for verbally confirming even the simplest of commands and requests if there is any doubt that they are legitimate.

Companies have to work together from the top down to create a safe, effective workplace. Avoiding business cybersecurity issues can only happen when everyone works together and knows how to be safe.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…

When you are on the internet in this day in age, you always have to be cautious about whether games and deals are legitimate fun or a social media hoax. There is no shortage of ways to earn money, win prizes or benefit from free goods online. Contests, giveaways and company discounts are all over, and the chance to score some savings can be very enticing. Sometimes it takes nothing more than “liking and sharing” a page. Other times, it requires you to sign up with your identifying information. Unfortunately, scammers know that as well.

From social media hoaxes and fake contests to outright phishing attempts that steal your information, there is no end to the ways that criminals will try to take advantage of you. Adopting a suspicious air of caution is important whenever you sign up for something, enter a game or contest or any other type of activity that exposes your information.

For example, a new contest has made serious waves online, mostly for its originality but also for its red flags. A group known as MSCHF has had a lot of fun—and shared that fun with a vast community of online users—with innovative and inventive offerings. Their newest project, however—Password of the Day—is no exception.

The way it works is you sign up with your phone number to receive text messages from the company. Every day, users can request the “password of the day.” The reply will include the login credentials for some kind of online account. It might be an Amazon account equipped with Prime, a PayPal account with a $1,000 balance in it, a Disney+ account or any other kind of account. Not knowing is part of the game, after all. The trick is the first person to find the online account that those credentials go to gets to keep it.

Fun, right? Except for some media coverage of this “internet treasure hunt” that failed to point out where exactly these login credentials came from. That left people to speculate as to whether these credentials had been stolen or bought from the Dark Web. Is this the latest social media hoax?

Luckily, no. Upon further research about this game, showed that the creators had established all of the accounts themselves to give away. That might not have been clear at the onset to some users since the game was very mysterious. However, it is a legitimate game that does not steal from others.

It is hard to find fault with the people who were concerned about a social media hoax, though. After all, the internet is filled with too-good-to-be-true offers, fake coupons that require you to turn over your personal data and surveys that go on for page after page and result in a flood of spam emails. Furthermore, this game requires you to submit your cellphone number—in order to receive the text messages—and that can make people stop and think, too.

This should serve as a warning to all internet users to be careful of “crazy” deals and offers. More importantly, do your own homework before signing up for or rejecting a company. Simple Google searches can tell you a lot about whether or not it is a social media hoax. If you are still unsure, contact the company directly or err on the side of caution. In the meantime, enjoy the game when a company has proven itself to be trustworthy!

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.

You might also like…