There are many unanswered questions about the coronavirus impacts in the United States, some of which center around how schools will reopen for the fall term. K-12 school districts in many areas are scheduled to resume classes in a matter of weeks. However, what the learning environment will look like has yet to be determined in many cases. With that said, there are a lot of concerns about how schools might implement distance learning on a large scale.

One concern that parents, teachers, administrators and technology leaders face is how to protect students’ personally identifiable information (PII) in an online environment. Child identity theft is a serious problem and educational institutions have been a target for hacking due to the vast amount of personal student data their servers store. A child’s identity credentials are seen as extremely valuable to identity thieves, primarily because of the long period of time where their use by the thieves can go undetected.

Parents are considering the option of continuing to keep their students distance learning, but internet safety tips for kids using online platforms will become even more important as more students (especially K-12) utilize digital education for a longer period of time. However, with so many different online platforms being used by schools of different sizes and needs, there could still be an increased risk of student data being exposed or stolen in a data compromise and then used to create synthetic identities or sold for marketing purposes.

In one example from 2019, an online education provider in the U.S. suffered an accidental overexposure when a database of possibly more than 19,000 students’ information was left unsecured. Anyone with an internet connection was able to see the data for more than a week before it was taken down and password protected. It is still not known if anyone accessed the information while it was exposed.

As the new school year takes shape, it will be vital that administrators and IT professionals put safeguards in place to prevent unauthorized access to student records, employee files and other sensitive materials. Understanding the laws that are already in place is important in helping schools avoid costly mistakes. In California, the state’s privacy and cybersecurity law (CCPA) requires businesses and organizations to safeguard consumer data against data breaches and accidental events. Companies are also required to obtain parents’ authorization when collecting data on any child under 13 years of age, as well as have permission from the parents and student if the child is between 13 and 16 years old. The U.S. government’s Children’s Online Privacy Protection Act (COPPA) also gives parents some control over what personal information companies can collect on their children under the age of 13.

The next step may be in limiting the type of information that schools gather, such as Social Security numbers or health insurance and Medicaid identification numbers. Another important child privacy step will be ensuring that all personnel who have access to stored data know how to secure it. As some educators switch to wearing multiple hats this fall, they must be well-trained on how to use the platforms their school systems have adopted.

For parents, there are many internet safety tips for kids they can teach their students when it comes to online security:

  • Parents should be mindful of what websites their kids visit and teach them about what types of information are okay to enter online
  • Parents are encouraged to help their kids be aware of the dangers of clicking links or downloading files, as these can contain viruses and malware
  • Parents should make sure all of their kids’ online interactions occur with a known and trusted individual to lessen the opportunity for social engineering
  • Parents can enact the strictest privacy control settings available on both their child’s computer, mobile devices and browsers they use

Anyone with questions about child identity theft, distance learning security or internet safety tips for kids can live-chat with an Identity Theft Resource Center expert advisor. They can also call toll-free at 888.400.5530.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

It is more important than ever that consumers use strong security questions with strong security answers on their online accounts. With most people home due to the COVID-19 pandemic, more consumers are required to shop online to do their food and household purchasing. That means a lot of online accounts have been and will continue to be created. One common step in creating an online account is picking a security question in case the creator of the account cannot remember their password. It is meant to be another layer of security for the authentication process.

While this alternative way of identifying customers can be very useful, it could also put more personal information at risk of compromise should the company fall victim to a data breach. For example, if someone selected “What are the last four digits of your Social Security number?” as their security question and provided that credential as the answer and the company’s online user database was breached, hackers could have that piece of personal information to use to flesh out more details of the person’s identity credentials.

However, there are things people can do to keep themselves safe while using strong security questions as another form of authentication.

When creating an answer to a security question, the response doesn’t have to be the exact answer. In fact, the Identity Theft Resource Center would encourage people that are signing up for online shopping, and other non-sensitive online accounts, to provide alternative answers. Doing so creates a strong security answer because it would be nearly impossible for anyone to research or guess. For example, if “What is my mother’s maiden name?” was selected as a security question, using an alternative like their mother’s nickname or some other name doesn’t give away a very valuable component of your security question. The answer should be stored in a password manager or on a piece of paper that is securely locked away.

With that said, creating alternative answers to security questions should only apply when someone is creating an account for a business or institution that doesn’t require highly sensitive information to verify their identity. If someone was creating security questions and answers for an account with a bank, lending institution or medical provider that uses that information to authenticate the user’s identity, they would want to provide accurate answers because the answers could be used to verify identity.

Some other tips to keep in mind while trying to pick strong security questions include:

  • Select a security question that cannot be guessed or researched over the internet, social media profiles, etc.
  • Select a security question that will not have to be changed over time
  • Select a security question that is easy to answer, but not obvious to others or easily researched
  • Select a security question with a precise answer that does not create confusion

Users should make sure they are selecting strong security questions that will keep them safe. They should not be afraid to use alternatives for the answer if it will protect identity credentials. People should also make sure their answers are as strong as their passwords. People can do their part to protect themselves and shop online for all the things they need to get through the COVID-19 pandemic, and beyond.

For more information about protecting your online accounts, contact the Identity Theft Resource Center to live chat with an expert advisor or call toll-free at 888.400.5530.


You might also like…

 

Schools, businesses and individuals are making drastic changes right now due to concerns surrounding COVID-19. Some of the protective measures, such as social distancing and self-isolation, translate to technology picking up the slack to keep businesses and education moving forward. However, that is leading to privacy issues particularly around kids using technology not originally intended to be utilized in the new manner many have taken to using some platforms.

One platform stepping in to fill the need is Zoom, a videoconferencing tool that allows users to talk, video chat, instant message and even screen-share in real-time. This long-time business tool is now being used for everything from online classes to social get-togethers, but malicious users have already figured out how to crash virtual meetings.

A new practice, known as “zoom-bombing,” happens when an uninvited user works their way into a user’s Zoom session and causes a disruption. Reports so far have included “bombers” dropping in and writing racial slurs across the screen, posting pornographic images for all the viewers to see and more.

Zoom was created to allow businesses to communicate quickly, effectively and on-the-go. Because of that, creating an account was set up to be very simple and does not require much authentication. Now that more people are using the platform, including teachers for grades K-12, and finding creative uses for this tool, the concern about privacy, and especially that of children, is even more real.

In fact, some Zoom conferences hosting children have already been compromised. Recently a Zoom conference with students from the Orange County Public School System in Florida was disrupted after an uninvited guest exploited himself to the class. In Boston, a group of students shared inappropriate content.

Zoom is working on a fix that will help stop intrusions and increase security, particularly child privacy, making it important that users download any updates issued by Zoom. Before using the platform, users can also take precautions by changing the default security settings. That includes updating the use of a password to enter the conference, using the “waiting room” feature to screen participants and only allowing authenticated users to join the meeting.

Users can also be more aware of how they are engaging with other people with their Zoom accounts. Ultimately, the platform relies on each user making smart decisions about how they are sharing their meeting rooms. Some child privacy aspects to consider:

  • Making sure to not share meeting invites with others on public profiles, such as inviting others to attend on social media
  • Teachers hosting Zoom meetings are encouraged to change the platform’s default settings before each session

This is an important reminder that this type of technology, especially platforms that function online and are accessible by other users, can have serious privacy ramifications. As many public schools and activity groups are now using Zoom to interact with children, it is even more important that users understand how to protect themselves. Parents should make it a habit to remain nearby while their children are on Zoom in order to end the session immediately if something unexpected takes place.

To increase child privacy, parents are encouraged to talk to their kids about proper online conduct before any virtual meeting. It is also recommended that if someone’s child is going to interact with other children on Zoom, parents should remind their kids that the same rules that apply in the classroom – or other in-person meetings – apply on Zoom.

If people have questions regarding their privacy on social media or accounts, they can live chat with an expert ITRC advisor at no-cost.


You might also like…

Financial Database Leak Leads to Over 500,000 Documents Exposed Online

Canon Data Breach Leads to General Electric (GE) Employee Information Being Exposed

COVID-19 Romance Scams Begin to Make the Rounds

Unbeknownst to many consumers, the country’s most advanced consumer privacy act just went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) outlines some of the strongest protections for individual consumers and the companies they choose to do business with. However, some early reporting shows that a lot of people are still not aware of the new legislation.

DOWNLOAD OUR NEW CCPA INFOGRAPHIC HERE

CCPA provides new protections in the event of a data breach, new tools for consumers to find out exactly what information a company has collected and sold or shared and more. Under the CCPA, consumers also have the right to delete some personal information and opt-in for children. In the CCPA personal information is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information under the CCPA does not include publicly available information.

 Companies doing business in California — whether they are located there or not, or simply have customers or users who reside in the state — must provide more than just the proof of information they have collected. If an individual consumer does not want their information sold to third parties, the CCPA states they have the right to opt-out and the companies must comply. Failure to comply could result in significant fines, penalties and damage awards of up to $7,500 per consumer.

Image of business with notice of CCPA

That has been a sticking point for a number of businesses, though.

There are questions about how businesses will comply with the do not sell requirements. Some companies are claiming that if they “share” their users’ data with an outside company, they are in compliance. The supporters of the CCPA have said selling or sharing is the same thing, though companies like Facebook, CVS, Indeed and others argue their methods of providing users’ information to outsiders does not violate the CCPA.

Image of Conde Nast disclosure of CCPA

Some of the other responsibilities of businesses include a child opt-in requirement, a website notice requirement, a duty to educate, vendor agreements, third-party transfers and cybersecurity protections to prevent a data breach. In the event of a data breach, consumers can now sue to recover up to $750 in costs per data breach. For more information about consumer rights in the event of a data breach or other CCPA rights, click here.

Image of business disclosure of CCPA

Though the California Consumer Privacy Act went into effect on January 1, businesses have until July 1 to comply before enforcement—and presumably, punitive action—begins. It will be interesting to see both how this plays out for businesses that make a lot of money by selling their customers’ information, and how many other states follow suit with legislation of their own.

Sign Up For Identity Theft and Data Breach News

Sign up for the TMI Weekly to stay in the know about potential threats to your identity/privacy and tips to keep you safe. Our monthly breach alert keeps you posted on the latest trends and activity in the world of breaches.

Free Identity Theft Assistance

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

This news is currently evolving and we will update as announcements are made available.  

You might also like…

Save the date for this year’s Data Privacy Day! In the current always-connected digital age, it can be easy to take privacy for granted. Apps, websites, social media and even games want everything from permission to access our contacts list to invasive amounts of personal information. Even signing up for a new account can mean turning over your name, email address or birth date.

Too often, though, consumers do not stop to think about why an app wants to use your friend’s list or why a game needs access to your device’s photos. We simply click through the terms of use and are wondering later on how hackers stole our data in a data breach or why a company sold our information to third-parties.

StaySafeOnline, which is powered by the National Cyber Security Alliance, will be hosting its annual Data Privacy Day on Tuesday, January 28. This live-streamed event will begin at 1:00 p.m. EST/10:00 a.m. PST and will feature industry experts speaking on a variety of privacy-related topics.

One session of the event will be important to a lot of different stakeholders, that being the discussion of the new California Consumer Privacy Act, which is set to take effect this month. There will also be panels on the effects of the GDPR regulations that have already gone into effect in Europe, as well as discussions on how privacy affects both businesses and individuals in a worldwide-connectivity landscape.

More importantly, one of the goals of Data Privacy Day is to look ahead to what the future of the privacy and cybersecurity landscape might look like. A few years ago we might have never envisioned mobile games that could leak your personal information online or social media apps that buy and sell users’ data as a commodity. Now, with the first days of 2020 already behind us, it is both exciting and a little unnerving to imagine what privacy will really mean in the coming decade. To participate in the online live stream of Data Privacy Day 2020, visit StaySafeOnline.org and click on the Data Privacy Day tab.

You might also like…

2020 Trends for Identity Theft, Data Privacy, and Cybersecurity

Begin Your 2019 Tax Filing to Thwart Tax Return Fraud

Don’t Get Grinched by the Ellen Facebook Scam

As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) regulations went into effect in Europe last year, for example, and they inflict strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be one of the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches were a common 2019 identity crime for major-name companies, which happens when businesses store huge databases of private information – in an online server then fail to password protect it as an example. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in Facebook’s approach at every level of the company in terms of their privacy.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resouce Center also recorded 10,000 publicly-notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

You might also like…

Exercise Car Safety to Avoid Leaving Your Identity Behind

Holiday Phishing Scams Target Small Business

Social Security Phone Scam



If you are a fan of the Facebook ten-year challenge, you are probably excited about its recent comeback. As more people come to terms with the uncertainty surrounding social media use and privacy, many users are starting to take a more cautious approach to how and what they share. From changing their privacy settings to safeguarding the names and images of their children, a lot of users have become more knowledgeable—and therefore more concerned—about what happens to their content once it is posted. If issues like Facebook’s relationship with Cambridge Analytica taught us anything, it is that someone is always willing to pay for information about us.

For example, the Facebook ten-year challenge that swept through Facebook in the early part of 2019 is back, and it has left a lot of people asking what the social media giant is really doing with the images. If you have not seen it yet, users are encouraging one another to post a photo from 2009 and another one from 2019, presumably in recognition of the end of this decade. What is really behind the Facebook ten-year challenge?

A growing number of people have speculated that it is an attempt by Facebook to educate its facial recognition algorithms in the area of age-progression by looking at a ten-year age difference among users. That does not sit well with some privacy-minded people. There has been a lot of outcry over companies like Facebook, Amazon and others who have produced software that has stronger-than-ever capabilities for recognizing faces in a crowd. Amazon has even sold its software, Rekognition, to law enforcement agencies and has just announced brand-new features.

Even some tech industry insiders have been alarmed by the potential for grabbing up social media posts and using them to develop software that some see as an invasion of privacy. However, the Facebook ten-year challenge has led others to try to put a damper on the runaway conspiracy. After all, doesn’t Facebook already own countless photos of its users? What would be the benefit of having users simply post those same images again? Plenty, according to Wired magazine writer Kate O’Neill. Facebook can much more easily “mine” data when they have a fresh set of content that was taken a precise number of years apart.

In this case, it is not about what social media platforms already have access to or doing their legwork for them. Instead, the cause for alarm is more about what users are willing to post without really thinking through the potential for harm. Whether it is an endless stream of food pictures or the GPS coordinates to our children’s schools, we all need to be more aware of what it is that we are posting and how someone else could use it for their own purposes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Hacked Disney+ Accounts Are Being Sold Online

Our Holiday Shopping Tips to Keep You Cybersafe

E-Skimming is a New Cybercrime That is Just in Time for the Holidays

If you had told someone even ten years ago that a criminal sitting on the other side of the world could steal their credit card information with a simple email, they might have written you off as a conspiracy theorist. Only a few decades ago, identity theft was not even recognized as a crime, let alone something that the police could actually investigate and prosecute. However, as new technology emerges that makes our lives more convenient and more connected, new virtual reality privacy concerns can also appear.

New Tech, New Concerns

That is the current understanding of innovations like virtual reality and augmented reality. These high-tech, digital forms of media—used for everything from education and business to entertainment—create new virtual reality privacy dangers by placing the user in entirely fabricated situations and locations, usually thanks to special software that interacts with their visual hardware.

Popular games like Pokémon Go, for example, allow the player to walk around in the real world while finding virtual characters in their actual surroundings.

Misuse of Your Personal Information

By giving access to your phone, tablet or computer to another platform in order to participate in these kinds of activities, you are opening yourself up to potential new virtual reality privacy concerns. Any time someone else can access your stored photos, camera and Facebook account or friends list, there is a possibility of them misusing that access.

Even worse, any time a platform is free to use, it is a sure sign that your information is being sold to third-parties. You have no way of knowing who those other companies are or what they plan to do with your information.

Virtual Reality User Permissions 

It is important that companies who utilize these technologies understand the new virtual reality privacy concerns of interacting with consumers in this way. However, it is equally important that users know how their information could be compromised. It is a reminder that we all must be cautious about the latest gadgets and games, and to understand what permissions we are granting when we create an account or allow access to our information. If you cannot verify what a company can do with your connection, it is better to play it safe and avoid interacting.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Adobe Account Information Leaked After Server Left Unsecured

E-Skimming is a New Cybercrime That is Just in Time for the Holidays

Be on the Lookout for 2020 Census Scams

One of the most dangerous forms of cyberattack might be phishing attacks, mostly because they are easy to pull off with any kind of high-tech skill and because too often, they work. In a phishing attack, the criminal sends you some kind of message and pretends to be someone they are not. It might be your boss, a Nigerian prince fleeing the country, your favorite retailer or even a friend. The message might look and sound authentic, but the sender is not.

Instagram has launched a new feature that will try to curb phishing attacks via its platform. One of the more common versions of an attack, at least when it masquerades as an online platform or website, is the claim that you must verify your login credentials in order to secure your account. Another popular twist is to claim that someone has logged into your account from another device, and you need to “click this link” if you were not the one who did it.

Picture of Instagram's new privacy setting on a mobile device

Image courtesy of Instagram

Image courtesy of Instagram

Now, users will be able to press the settings button on their Instagram screens and find a list of emails with what company sent them, along with the date and the reason. If you receive an email in your inbox and it is not in your Instagram app’s settings, then you will know it did not come from the company.

Image courtesy of Instagram

This small step can make a big difference in preventing identity theft and account takeover from phishing attacks. However, it will only work if users think to take a peek and compare the lists of emails. Until other platforms take similar precautionary measures, there are a few helpful hints you can remember to block cybercriminals:

1. Never click a link, open an attachment or download any content from an email unless you are expecting it or have verified it with the sender. Even if it appears to come from someone you know, that person’s email account could have been hacked or copied. Check with the sender before taking any action.

2. Never verify your identity, login credentials, account numbers or any other sensitive data for someone who calls, texts, emails or sends a private message. Many companies have come out and stated they will never ask you for this information.

3. Never comply with strange requests, even if you think you know the sender, without verifying the request verbally. It might be changing account numbers, changing a password on an account, sending funds to a different account or even buying gift cards. If you receive a request that in any way involves money or sensitive information, dial the phone and call the sender first using a phone number you looked up for yourself.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Identity Theft Resource Center Sees Organizational Growth

TikTok Platform Found to Be Full of Scams and Fake Accounts

Advertisement Scams