• T-Mobile recently suffered its third data breach since December of 2020. The T-Mobile data compromise has affected over 40 million people and led to information like Social Security numbers (SSNs) and driver’s license information being compromised.
  • Cybersecurity researchers claim the T-Mobile data compromise may impact as many as 100 million current, past and prospective customers. 
  • To protect yourself from the T-Mobile data compromise, consider freezing your credit, changing your passwords and PIN numbers to long and unique passphrases, using multi-factor authentication and not ignoring breach notices.  
  • To learn about recent data breaches, like the T-Mobile data compromise, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information on the T-Mobile data compromise, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Facts Are Stubborn, But Statistics Are Pliable 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 20, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we talk about the T-Mobile data compromise, which is one of the most significant data breaches so far this year. We also talk about what you should do in response, even if you are not impacted by it.

Mark Twain once wrote that “Facts are stubborn things, but statistics are pliable.” Apply that same principle to data breaches and you get the natural pattern that emerges when personal information is suddenly stolen or exposed by a cybercriminal. The typical response goes something like this:  

  • “We don’t have any evidence there has been a breach, but we will investigate.” 
  • Followed by “We have investigated and found that a small number of customers’ information has been compromised, but we do not believe any sensitive or personal data is at risk.”
  • That statement is often followed by an update that sounds like this: “We have now determined that more than X million of our valued customers are directly impacted by unauthorized access by cybercriminals of our systems, and the data involved does include Social Security numbers (SSNs) and other personal information.”  

T-Mobile Suffers its Second Data Breach Since February 2021 

We don’t “name and shame” companies at the ITRC. Cyberattacks and data breaches are an unfortunate consequence of our digital society. It’s only logical that the more you investigate, the more you know, meaning numbers change. We have laws, regulations and courts to handle the blame game. We do, though, use anecdotes to help educate consumers and businesses on how to protect themselves.  

What Happened? 

This week, T-Mobile finds itself in the unenviable position of providing a teaching moment thanks to its third data breach since December 2020 and its second data breach since February 2021. The nation’s third-largest mobile telecom provider did not know it had been breached until a cybercriminal posted customer information stolen from T-Mobile in an identity marketplace used by identity thieves. 

Cybersecurity researchers claim as many as 100 million current, past and prospective customers may be impacted by the T-Mobile data compromise. T-Mobile has confirmed the personal information of 47 million people has been compromised, including customers’ first and last names, dates of birth, SSNs and driver’s license/identity information in some instances. 

T-Mobile customers can visit the carrier’s website t-mobile.com to learn more about the company’s actions to help victims of the breach. 

What Should You Do to Protect Yourself After the T-Mobile Data Compromise? 

What should you do if you are a T-Mobile customer? Actually, it doesn’t matter if you are a T-Mobile customer or not. Here are some actions that everyone should take to help protect their personal information today and after a data breach:  

  1. Do not ignore data breach notices. There are a lot of them. However, there are usually important action steps in the notices, like how to activate free identity protection services.
  2. Freeze your credit. Credit monitoring is helpful, but it offers no protection. It tells you what happened, but it doesn’t stop anything from happening. To protect yourself, freeze your credit. It’s free, easy and doesn’t impact your credit.
  3. Change your passwords and PINs to make sure you do not use the same passwords or PINs on more than one account. Make sure the password is long, at least 12 characters, and is something you can remember. You can also use a password manager to generate and keep track of your credentials. Cybercriminals love it when we reuse passwords on more than one account.
  4. Use multi-factor authentication (MFA or 2FA) on all your accounts that offer it. If possible, use an authentication app rather than have a code sent by text to your phone. Authentication apps are available for free from Microsoft, Google and other software providers.
  5. If you are a business, make sure you don’t collect more personal information than you need. Don’t keep it longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Make sure you offer MFA for your customers’ and prospects’ protection, too.

Contact the ITRC 

You can always call us at the ITRC if you have questions about what you should do if you receive a data breach notice or hear about a breach in the media, like the T-Mobile data compromise. Just visit www.idtheftcenter.org, where you’ll find helpful tips. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).  

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.

  • Criminals claiming to be with the Internal Revenue Service (IRS) are targeting people with emails as taxpayers continue to receive the third round of Economic Impact Payments (EIP) that began in March 2021.
  • Identity criminals send messages claiming you can receive an EIP Payment. They say the IRS is sending payments each week to qualified individuals as they continue to process tax returns.
  • However, messages like these are IRS scams seeking your personal and financial information to commit identity theft and fraud.
  • The IRS will never email, text, call or send a message on social media to anyone. If you receive a message claiming to be from the IRS, ignore it. You are also encouraged to forward it to the IRS at phishing@irs.gov and note that it seems to be a phishing scam seeking your personal information.
  • To learn more, or if you believe you have received IRS scams by email, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at www.idtheftcenter.org to speak with an expert advisor.

The third round of Economic Impact Payments (EIP) from the Internal Revenue Service (IRS) began to go out in March 2021. However, the Identity Theft Resource Center (ITRC) continues to receive messages about IRS scams by email, like the one below.

According to an official IRS notice, the Service is still sending EIP Payments weekly as 2020 tax returns are processed. Criminals have been striking with scams since the first stimulus package was passed in 2020. While many EIP Payments have been received, you should beware of scams asking for payment to receive compensation and remember that the IRS will never call, message or email anyone.

Who are the Targets?

U.S. Taxpayers

What is the Scam?

In the latest IRS scams by email, identity criminals send emails claiming that the recipient is eligible to receive a payment after the last annual calculation of their “fiscal activity.” The email goes on to say that each week the IRS will continue to send the third EIP Payments to eligible individuals as it processes tax returns. The phishing emails also include a button to “claim my payment.”

What They Want

Scammers want you to either respond or click on a malicious link so they can steal your personal and financial information to commit different forms of identity crimes, including financial identity theft.

How to Avoid Being Scammed

  • Ignore emails, texts or social media messages claiming to be from the IRS. Do not respond to the messages or click on any links or attachments because they could be malicious. Acting on the IRS scams by email, text or social media could lead to having your information stolen. The IRS will not email or message anyone. Do not share any personal information, including credit card and bank account numbers, except on the official www.IRS.gov website or with the representative you reached by calling the IRS yourself.
  • Ignore calls claiming to be from the IRS. While IRS scams by email continue to circulate, identity criminals could call you, too. If you receive an unsolicited call claiming to be from the IRS, ignore it. The IRS will not call anyone unsolicited, either.
  • Send phishing emails to the IRS. The IRS asks anyone who receives a phony email to forward it to phishing@irs.gov and note that it seems to be a phishing scam seeking your information.
  • Report the identity crime. You can report any identity fraud to the Federal Trade Commission (FTC) by visiting www.IdentityTheft.gov.

If you have received IRS scams by email, text message, social media or by phone, you can also contact the ITRC toll-free by calling 888.400.5530 or using the live-chat function at www.idtheftcenter.org. ITRC expert advisors will help you create a resolution plan with the steps you need to take.

  • President Joseph R. Biden signed an executive order extending a pause on student loan payments to January 31, 2022. However, some borrowers are already reporting a rise in student loan forgiveness scams where people pose as loan providers that can help pay off student loans.
  • Identity thieves ask for information like Social Security numbers (SSNs), federal student aid I.D.s, bank account information and credit card information to commit different forms of identity theft and fraud.
  • Some loan forgiveness solicitations are not attempts to steal your information. However, they are designed to steer you into high-cost loan repayment programs with high interest rates or fees.
  • Be skeptical of anyone who calls or emails you offering to pay off your student loans. Call your loan provider to see if the message was legitimate, and do research on the loan provider the caller claims to represent.  
  • If you fall victim to an identity scam, call your bank or credit card provider to stop payments or close your accounts. Also, contact your loan servicer so they can monitor your account. Finally, check your credit report for any suspicious activity and strongly consider freezing your credit.
  • To learn more about student loan forgiveness scams, or to create a resolution plan, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

Student loan forgiveness scams have been around for a long time. However, they have spiked during the COVID-19 pandemic. President Joseph R. Biden recently issued an executive order extending student loan relief until January 31, 2022. While the extension is welcome news to many borrowers, it also means student loan forgiveness scams will continue for the foreseeable future. CNBC reports an uptick in student loan forgiveness scams. The Identity Theft Resource Center (ITRC) has also received inquiries about the scams, like the one below:

While the voicemail might not be a scam, people who receive voicemails like these should use caution. The same advice applies to emails received about student loans resuming, especially if the sender claims to be from a loan provider that was not used to take out the loan. COVID-19 has given criminals and unethical loan processors more ways to take advantage of people who have been hurt financially over the last year and a half. It could be a scammer looking to exploit the pause in payments due to COVID-19, and any potential confusion it brings.

Who are the Targets?

Former and current college students who are paying off student loans

What is the Scam?

Identity thieves call or email people with student loans claiming to be a loan provider or the U.S. Department of Education. They offer to reduce and help pay off monthly payments. Scammers ask for all sorts of personally identifiable information (PII) over the phone so that they can commit different forms of identity crimes like account takeover.

However, not all of the unsolicited student loan calls and emails are identity scams. Some are reported to be attempts to steer borrowers into repayment programs with high fees and high interest rates.

What They Want

Criminals ask for PII like Social Security numbers (SSNs), federal student aid I.D.s, credit card information and bank account information to commit identity theft. Unethical loan processors attempt to enroll borrowers in high-cost loan repayment programs.

How to Avoid Being Scammed

  • To avoid student loan forgiveness scams, be skeptical of anyone who calls you to help you pay off your student loans. Google the name of the loan provider the caller claims to be working for and see if there are any complaints. Also, if you have any doubts, contact your loan provider directly about the inquiry.
  • Look for the name of the program that is being offered to you. CNBC says, in some scams, criminals have claimed they are part of “Biden loan forgiveness” or “CARES Act loan forgiveness,” two programs that do not exist.
  • If you receive an email about student loan forgiveness, check the sender’s email address to make sure the email is coming from an address that ends in .gov.
  • If you provide a scammer with bank account or credit card information, call your bank or credit card provider to stop the payments immediately, and close your accounts if needed. It’s also a good idea to contact your student loan servicer, especially if you provided information such as your federal student aid I.D., so they can monitor your account, and check your credit report for suspicious activity. The ITRC strongly recommends you also freeze your credit.
  • Finally, report the student loan forgiveness scams to the Federal Trade Commission (FTC) at www.IdentityTheft.gov.

To learn more about student loan forgiveness scams, or if you believe you were the victim of a scam, contact the ITRC toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

Abine talks with the ITRC in the newest Fraudian Slip podcast about protecting your privacy online and what you can do to keep your information private 

  • The California Attorney General released a new tool to help consumers complain when websites make it difficult to take advantage of the state’s privacy law.  
  • Virginia and Colorado join California on the list of states to give consumers more privacy protections. Also, California’s privacy law will be even stronger in 2023 when voter-approved legislation goes into effect.  
  • The Identity Theft Resource Center (ITRC) sat down with Abine to discuss the changing landscape in online privacy and efforts aimed at protecting your privacy online. 
  • You can learn more about protecting your privacy online and other topics discussed in the podcast, and how to protect yourself from identity crimes, by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voicemail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.   

Below is a transcript of our podcast with special guest Rob Shavell, Co-Founder and CEO of Abine 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast where we talk about all-things identity compromise, crime and fraud that impact people and businesses. Listen on Apple, Google, Spotify, SoundCloud or Podsite now. This month, August, we look at the ever-changing landscape surrounding personal privacy, particularly protecting your privacy online in an economy fueled by personal data.  

The California Attorney General recently released a new tool to help consumers complain when websites fail to make it easy to take advantage of the state’s privacy law. That law requires a business to have a link on the homepage that is clearly marked “Do Not Sell My Personal Information” so California residents can opt out of data sales.

Joining California on the list of states to give consumers more privacy protections are Virginia and Colorado. Also, California’s already strong privacy law will become even stronger in 2023 when legislation approved by voters goes into effect. Ohio, Pennsylvania and New York are also looking to pass similar laws aimed at protecting your privacy. 

Let’s not let this subtle point pass us by: Voter approved. The new California law was approved by a wide margin in 2020, and there is ample research that proves U.S. residents want stronger privacy protections. With that said, who is going to provide them and who will use them?  

Helping us to navigate the troubled waters of online privacy and efforts aimed at protecting your privacy online is the ITRC’s CEO Eva Velasquez and Abine’s Co-Founder and CEO Rob Shavell. Abine is an online privacy company that makes easy-to-use tools for consumers to control what personal information companies, third parties and other people see about them online.  

We talked with Rob Shavell about the following: 

  • What Abine does and its role in protecting your privacy online. 
  • The line between government protections, private sector protections and consumer self-protections. 
  • The concept of data minimization for businesses and consumers. 
  • Actions you should take in protecting your privacy online. 

We talked with Eva Velasquez about the following:  

  • The evolution of consumer attitudes about personal privacy. 
  • The consequences when privacy protections are inadequate or fail. 
  • The concept of data minimization for businesses and consumers. 
  • Actions you should take in protecting your privacy online. 

You can learn more about protecting your privacy online, as well as get help if you have been the victim of an identity crime, by visiting the ITRC’s website at www.idtheftcenter.org. While you are there, sign up for our emails that alert you to the latest scams, monthly data breach updates and tips to protect your identity.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

  • A data breach of telecommunications company Mint Mobile occurred after some phone numbers were ported and data was accessed. The Mint Mobile data breach is one of the latest data events to affect a telecommunications company, highlighting the risk of mobile breaches.
  • Insurance company BackNine suffered a data compromise due to a misconfigured database, impacting 711,000 files with information including Social Security numbers (SSNs) and medical diagnoses. The data event stresses the importance of being careful when using cloud databases. 
  • CNA Financial Corporation fell victim to a ransomware attack, leading to a data breach that impacted 75,349 people. Attacks like this on businesses, which involve SSNs, continue to rise.
  • For more information about July data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.    
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.   

Notable July Data Breaches 

Of the 163 data events the Identity Theft Resource Center (ITRC) tracked in July, three stand out: Mint Mobile, BackNine and CNA Financial Corporation. All three data events are notable for unique reasons. One highlights the risk of mobile breaches. Another is an example of the need to be careful with cloud databases. The third is a ransomware attack that involves Social Security numbers (SSNs).  


Mint Mobile 

A Mint Mobile data breach occurred after phone numbers were ported by cybercriminals and data was accessed. Sometime between June 8-10, a threat actor ported the phone numbers for a handful of Mint Mobile subscribers to another carrier without authorization. According to Bleeping Computer, Mint Mobile disclosed that an unauthorized person also potentially accessed subscribers’ personal information, including call histories, names, addresses, emails and passwords.  


Bleeping Computer reports that Mint Mobile has not said how the threat actor gained access to subscribers’ information. However, based on the data that was accessed, the attacker likely compromised user accounts or a Mint Mobile application used to manage customers.

The Mint Mobile data breach is the latest to shine a light on the risk of mobile data breaches and the need for better security for customer-facing support systems. In January, the ITRC highlighted a similar breach of U.S. Cellular where hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store.  

BackNine 

A data breach of BackNine, an insurance technology startup, led to 711,000 files being impacted. According to TechCrunch, a security lapse exposed insurance applications at BackNine after one of its cloud servers was left unprotected on the internet. The storage server was misconfigured, and anyone with internet access could view the files.  

Personal information exposed includes names, addresses, phone numbers, SSNs, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present. Other files included lab and test results, such as bloodwork and electrocardiograms. Some files also contained driver’s license numbers. The exposed documents date as far back as 2015 to as recent as July 2021.  

The BackNine data event is a prime example of why companies need to be careful when using cloud databases. If a cloud database is not configured correctly, anyone can access it and may commit an array of identity crimes. It is also important organizations do what they can to protect sensitive data to maintain people’s trust.  

CNA Financial Corporation 

Insurance company CNA Financial Corporation suffered a data breach linked to a ransomware attack. According to CNA’s breach notice, an investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021, to March 21, 2021, and copied a limited amount of information before deploying the ransomware.  

The breach notice states that the data event impacted 75,349 people, and information in the stolen files includes names, SSNs and, in some instances, information related to health benefits for certain people. CNA says, right now, there is no reason to believe the data was stolen or misused. However, they are offering free credit monitoring and fraud protection services through Experian. CNA is just one of many ransomware attacks on businesses being seen by the ITRC. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager and keep an eye out for phishing attempts that claim to be from the breached organization.

Mint Mobile warns users affected by the Mint Mobile data breach to protect other accounts that use their phone numbers for validation purposes and reset account passwords since threat actors could have used the ported numbers for additional attacks. 

CNA Financial Corporation asks impacted individuals to review their “Information About Identity Theft Protection” document, which includes information on placing a fraud alert or credit freeze on a credit file.  

notified 

For more information about July data breaches, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

  • According to IBM’s new report on data breach costs, breached businesses in 2020 paid ten percent more than companies in 2019.
  • In the U.S., the country with the highest number of cyberattack-related data breaches, the average data breach costs a company a little more than $9 million.
  • However, there’s also good news in the report. If an organization has deployed modern security tools and automation, the average breach costs drop by about 80 percent.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Cost of Living

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 6, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we talk about the ever-increasing data breach costs, direct costs to businesses that are breached and the indirect expenses to consumers who are the ultimate victims of the breaches.

Mark Twain once wrote that “the cost of living hasn’t affected its popularity.” The same can be said of data breaches. Despite the billions of dollars spent on improving cybersecurity, the number of cyberattacks that lead to data breaches continues at a high pace.

Breached businesses also continue to see the cost of recovery rise. There is nothing in sight that leads experts to believe the costs associated with data breaches will level off or decrease anytime soon.

IBM Releases New Report on Data Breach Costs

The benchmark report of data breach costs is published by IBM Security based on research from the Ponemon Institute. The 2021 report, the 17th annual edition, is based on 537 breaches across 17 countries in 17 different industries – backed by nearly 3,500 interviews.

What’s the bottom line? There are several key findings:

  • Nearly 18 percent of 2020 breaches involved remote workers. Those companies paid $1 million more on average in total data breach costs than organizations where remote work was not a factor.
  • The biggest share of breach costs is attributed to lost business, including customer turnover, lost revenue and the increased costs of new customer acquisition thanks to reputation damage.
  • The average cost per record lost jumped to $161, up from $146 in the previous year. If the record involved Personally Identifiable Information (PII), the average cost was $180 per record.
  • The average number of days to find and fix data breaches grew by one week in 2020 to 287 days. Think of it this way: if a breach started on January 1, it would take until October 14 to stop it.
  • There is some good news in the IBM report. If an organization has deployed modern security tools and automation, the average breach costs drop by about 80 percent.

Average Data Breach Costs in the U.S. Over $9 Million

Remember the bottom line mentioned earlier? In the U.S., the country with the highest number of cyberattack-related data breaches, the average data breach costs a company a little more than $9 million.

These are average figures based on data breaches that range from 1,000 to 100,000 records lost. The costs go up by a factor of 100 when you get above one million records lost, which is not uncommon these days. Other factors that increase data breach costs include ransom payments and the complexity of a company’s IT infrastructure.

Not included in the report is how much of these increased data breach costs are passed along to consumers in the form of higher fees or prices. The report also does not quantify the impact on small businesses that don’t have the technical or financial resources that large enterprises do.

In October, the ITRC plans to publish a report on just that, how identity crimes impact small businesses, and how they recover. Stay tuned for more about our first Business Aftermath Report.

Also, listen next week to our sister podcast, The Fraudian Slip, when the ITRC CEO and the Founder of privacy protection company Abine discuss how consumers can protect themselves and their data while online.

Contact the ITRC

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Experian for supporting the ITRC and this podcast. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • According to a new report from NTT Application Security, the percentage of application software being patched has dropped below 50 percent. It is partly because more applications are being tested in the wake of recent high-profile cyberattacks.
  • The average time to fix the most severe software vulnerabilities in a large enterprise is 203 days. That number is more than twice that figure in some industries. 
  • The report also reveals that most applications in 10 of the 11 leading industries tracked by NTT Application Security have at least one software flaw open to attack every day of the year. 
  • Cybersecurity teams are failing to fix software vulnerabilities on a timely basis, which is one reason why cybercriminals have success attacking businesses.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

A King of Shreds & Patches 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 30, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week, we discuss one of the primary causes of cyberattacks that leads to data compromises – known but unpatched software vulnerabilities and flaws.

In Shakespeare’s Hamlet, the troubled prince refers to his uncle, a usurper of the Danish throne, as a rag-tag monarch: “A king of shreds & patches.” That description also applies to how much modern software is riddled with known flaws that give cybercriminals an easy path into organizations. There’s a report out this week that gives us a clue into just how difficult it is to patch software, even when the bugs are well known. 

Cybersecurity Teams Struggle to Quickly Fix Software Vulnerabilities 

Global cybersecurity provider NTT Application Security claims that cybersecurity teams are struggling to fix issues quickly. So far this year, the percent of application software being patched has dropped below 50 percent, partly because more applications are being tested in the wake of recent high-profile cyberattacks. 

Still, the time to patch has not improved over time. The average time to fix the most severe software vulnerabilities and flaws in a large enterprise is 203 days. In some industries, the number is more than twice that figure. The time needed to fix software used in the agriculture and forestry sector is the highest at 513 days, on average. The education sector, a common target for ransomware attacks, is the second slowest industry and requires an average of 478 days to fix a known flaw. 

How long does it take for a cybercriminal to exploit software vulnerabilities? A 2020 report puts the time to breach a system at as few as two hours once a flaw is publicly announced, usually at the same time a fix is issued. 

The Consequences of Slow Response Times to Patch Flaws 

The universally slow patch cycle, in which companies prioritize which software vulnerabilities they fix and in what order, has an unintended consequence, too. The lower the rated risk of a flaw, the longer it waits for a patch. That gives cybercriminals time to develop new attacks that chain several lower-risk flaws into a single intrusion that is hard to detect and defend against.  
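The effect described above is easy to see in a remediation queue. The following is an added example written for this page, not code from the NTT Application Security report or from the ITRC. It computes mean time to fix and SLA breaches over a constructed backlog, then contrasts a severity-only queue with one that also counts a public exploit and how many SLA periods a finding has already been open, so that a low-rated flaw cannot be deferred forever. The SLA values, scoring weights, finding identifiers and dates are all assumptions chosen to illustrate the point.

```python
"""
Remediation-timing metrics for a vulnerability backlog.
Added example, not code from the NTT Application Security report or the ITRC.
The findings, SLA values and scoring weights below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    fid: str
    severity: str                   # "critical", "high", "medium" or "low"
    opened: date                    # date the flaw was reported to the owning team
    closed: Optional[date] = None   # None means the finding is still open
    exploit_public: bool = False    # a working exploit or PoC is publicly available


# Assumed remediation SLA in days per severity band (not taken from the report).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
SEVERITY_BASE = {"critical": 40, "high": 30, "medium": 20, "low": 10}
EXPLOIT_BONUS = 25   # a public exploit shrinks the attacker's window to hours
AGING_WEIGHT = 10    # points per SLA period the finding has been open
AGING_CAP = 3.0      # stop adding age points after three SLA periods


def days_open(f: Finding, today: date) -> int:
    """Days from report to fix, or to today if the finding is still open."""
    end = f.closed or today
    return (end - f.opened).days


def mean_time_to_fix(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Average days to close, optionally for one severity band; None if nothing closed."""
    closed = [f for f in findings if f.closed and (severity is None or f.severity == severity)]
    if not closed:
        return None
    return mean((f.closed - f.opened).days for f in closed)


def sla_breaches(findings: List[Finding], today: date) -> List[str]:
    """IDs of open findings that have outlived the SLA for their severity."""
    return [f.fid for f in findings
            if f.closed is None and days_open(f, today) > SLA_DAYS[f.severity]]


def priority(f: Finding, today: date) -> float:
    """
    Score used to order the open backlog. Severity sets the base, a public
    exploit adds a fixed bonus, and age is measured in SLA periods so a low
    finding that has sat for several periods keeps climbing instead of being
    perpetually deferred behind newer, higher-rated ones.
    """
    periods = min(days_open(f, today) / SLA_DAYS[f.severity], AGING_CAP)
    bonus = EXPLOIT_BONUS if f.exploit_public else 0
    return SEVERITY_BASE[f.severity] + bonus + AGING_WEIGHT * periods


def severity_only_order(findings: List[Finding], today: date) -> List[str]:
    """The conventional queue: highest severity first, age and exploits ignored."""
    open_ = [f for f in findings if f.closed is None]
    return [f.fid for f in sorted(open_, key=lambda f: SEVERITY_BASE[f.severity], reverse=True)]


def triage_order(findings: List[Finding], today: date) -> List[str]:
    """Queue ordered by the aging-aware priority score."""
    open_ = [f for f in findings if f.closed is None]
    return [f.fid for f in sorted(open_, key=lambda f: priority(f, today), reverse=True)]


# Constructed sample backlog as of an assumed reporting date.
TODAY = date(2021, 7, 30)
SAMPLE = [
    Finding("F-1", "critical", date(2021, 1, 1), closed=date(2021, 7, 23)),  # 203 days to fix
    Finding("F-2", "high", date(2021, 6, 1), closed=date(2021, 6, 21)),      # 20 days to fix
    Finding("F-3", "low", date(2021, 1, 11)),                                # open 200 days
    Finding("F-4", "medium", date(2021, 7, 1), exploit_public=True),         # open 29 days
    Finding("F-5", "critical", date(2021, 7, 20)),                           # open 10 days
]

if __name__ == "__main__":
    print("mean time to fix (all):", mean_time_to_fix(SAMPLE))
    print("mean time to fix (critical):", mean_time_to_fix(SAMPLE, "critical"))
    print("SLA breaches:", sla_breaches(SAMPLE, TODAY))
    print("severity-only queue:", severity_only_order(SAMPLE, TODAY))
    print("aging-aware queue:", triage_order(SAMPLE, TODAY))
```

On the sample backlog the severity-only queue leaves the 200-day-old low finding at the bottom indefinitely, while the aging-aware queue moves the medium finding with a public exploit to the front and keeps the old low finding gaining points until someone closes it. The weights are deliberately simple; the point is that age and exploit availability must feed the ordering, not severity alone.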

NTT Application Security’s research shows that the same kind of software vulnerabilities continue to appear in new and updated applications. Most of the flaws identified in the first six months of 2021 fall into the same five categories month after month. 

What does that tell us? According to the report’s authors, it means that the people who are developing software and the teams that are protecting systems are not talking to one another, at least not enough to learn what bugs are common and how to fix them. 

Most Applications Have At least One Software Flaw Open to Attack 

There’s one last statistic from the NTT Application Security report that should be discussed. A majority of applications in 10 of the 11 leading industries tracked by NTT have at least one software flaw open to attack every day of the year. That goes a long way toward explaining why cybercriminals are successful at attacking businesses.

Next week, we’ll take a look at the ever-growing costs to businesses that suffer a data compromise, as calculated in a new report from IBM.

Contact the ITRC 

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.


With the REAL ID deadline pushed back to May of 2023, you have time to determine whether you should replace your current government-issued ID, and to be aware of any scams that may pop up around the time of the change. However, officials say people should still update their ID when they can.

What is a REAL ID?

Over fifteen years ago, Congress passed the REAL ID Act, which set a uniform standard for how individual states issue driver’s licenses and state IDs. Before the 9/11 attacks, each state determined the requirements on how to prove your identity and address when applying for identity documents. Once the ID was issued, it was automatically valid in all other states. Since the 9/11 hijackers used legal, state-issued IDs in their attacks, the federal government created guidelines to standardize the credentials required to travel by air or enter federal government buildings.

After numerous delays in the 15+ years since the law was enacted, and with the REAL ID deadline approaching, U.S. residents must now decide whether they need a REAL ID or can keep their current state-issued ID.

What to Consider

It’s important to consider your circumstances and whether you truly need a REAL ID, especially with the REAL ID deadline approaching in 2023. If you plan to travel domestically by commercial airline within the United States, you will need a REAL ID-compliant card. However, if you are not planning to travel within the U.S. by air or enter a federal government building, your regular state identification card or driver’s license is still valid. If your license is valid—whether it is a REAL ID or not—you will still be able to use it as a form of identification for activities like writing a check.

At the start of COVID-19, the DMV expanded eligibility to renew licenses by mail or online. To encourage more people to get the REAL ID card, the DMV will waive the fees for customers who got a regular ID between March 2020 and July 2021 (approximately 5.7 million people). The offer stands until the end of 2021. To receive a REAL ID, you need to go to the DMV in person.

Important Steps

There are some important steps to obtain a REAL ID in your state with the REAL ID deadline approaching in 2023 and specific documents you must have. Be sure to check with your state’s DMV or state police website in order to find out what you must bring with you. According to the Department of Homeland Security’s Frequently Asked Questions (FAQs), “At a minimum, you must provide documentation showing: 1) Full Legal Name; 2) Date of Birth; 3) Social Security Number; 4) Two Proofs of Address of Principal Residence; and 5) Lawful Status.”

For example, to apply for the REAL ID card in California, you need to present one identity document that includes your date of birth and full name. That could include:

  • Valid, unexpired U.S. passport or passport card
  • Original or certified copy of U.S. birth certificate (issued by a city, county or state vital statistics office); “Abbreviated” or “Abstract” certificates are not accepted
  • U.S. Certificate of Birth Abroad or Consular Report of Birth Abroad of U.S. Citizen
  • Unexpired foreign passport with valid U.S. Visa and approved I-94 form
  • Certified copy of birth certificate from a U.S. Territory
  • Certificate of Naturalization or Certificate of U.S. Citizenship
  • Valid, unexpired Permanent Resident Card
  • Valid, unexpired Employment Authorization Document (EAD) Card (I-766) or valid/expired EAD Card with Notice of Action (I-797 C)
  • Valid/expired Permanent Resident Card with Notice of Action (I-797 C) or Approval Notice (I-797)
  • Unexpired foreign passport stamped “Processed for I-551”
  • Documents reflecting TPS benefit eligibility

Potential Scams

With any change in government processes, scammers will try to take advantage. Be on your guard against fraud and hoaxes with the REAL ID deadline approaching in 2023.

For example, you cannot upgrade your license or ID over the phone, you will not be required to pay a fee or fine for not having a REAL ID, and no legitimate agency will call, text or email you asking for the information printed on your license.

You will not receive a fine from the police for driving with a license that is not a REAL ID as long as it is valid. Also, you cannot be turned away at a polling place if you are a registered voter.

When in doubt, reach out to your local agency that issues REAL IDs for more information.

Data Storage & Protection

Once you are done applying for your REAL ID, don’t forget about data storage and protection. Important papers like your W-2 form, Social Security Administration card and other documents (even your devices) should never be unattended, even in a locked vehicle.

Once you get home, it is also important to lock up your documents in a safe place to keep people—even people you thought you could trust—from accessing them. This could be a locked filing cabinet or firebox.

Contact the ITRC

For more information on the REAL ID deadline approaching in 2023, or if you believe you have been targeted with a REAL ID scam, contact the Identity Theft Resource Center. You can speak with an expert advisor toll-free by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

This post was originally published on 2/25/20 and was updated on 7/26/21


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.


  • The one-year anniversary of the California Consumer Privacy Act (CCPA) and CCPA enforcement has come. According to the California Attorney General (AG), 75 percent of complaints were resolved within 30 days. The other 25 percent are still within the 30-day grace period or are still under investigation.
  • The California AG’s report also includes 27 examples of complaints and what companies did to fix the potential violations.
  • California also released a tool that will make it easier for consumers to file complaints about businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage.
  • To learn about recent data breaches consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Right Tool

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the California Consumer Privacy Act (CCPA), the state law that gives consumers a way to push back against data breaches, and the one-year anniversary of CCPA enforcement.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA.

News Statistics Released About CCPA Enforcement

California Attorney General (AG) Rob Bonta recently published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. The other 25 percent are still within the 30-day grace period or are still under investigation.

The most interesting part of the AG’s report is the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. Some businesses prompted hundreds of CCPA enforcement complaints, while others generated millions.

Potential violations that have been cured include:

  • A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy. 
  • A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers.
  • A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on. 
  • An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage and did not adequately explain its data-sharing practices.

Tool Released to Make It Easier for California Residents to File Complaints

AG Bonta also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA, and the direct consumer complaints can trigger the process that can lead to CCPA enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions, including damages paid directly to consumers for certain data breaches, may be offered in the future.

Contact the ITRC

If you have questions about CCPA enforcement, or how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST).

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.