Home Page Featured 1

Your Passport and Your Identity

A recently-discovered data breach of the Starwood brands of Marriott International’s hotels has left consumers and security advocates alike scratching their heads. At the heart of this confusion surrounding the theft of data for around 500 million guests is passport security, or more accurately, the need to safeguard both your physical document and its number. So assuming that your passport was affected, what do you do?

According to numerous sources including the US State Department, your passport number on its own is not a highly valuable piece of information for a hacker. However, when combined with some of the other data points that were compromised in this breach, your number could possibly be used to craft a more complete profile for identity theft – or allow for an identity thief to generate a synthetic identity with more validity.

First, if the physical document is lost or stolen, that is absolutely an urgent matter. You should report it to the proper authorities—namely the State Department who issues them—so that there is a record of the missing document. If it is used for identity theft or fraud, you will have already filed it as missing.

Read: What To Do If Your Passport is Lost or Stolen

But in the case of this data breach where only the number was compromised, your recourse is a little different:

1. If only the number and not the actual document is stolen, don’t be too quick to replace it. Since the number by itself does not directly result in identity theft, you may not be given a new passport free of charge. That means you’ll pay for the new document out-of-pocket.

In the case of the Marriott breach, if you can show proof that your passport was the cause of fraud or identity theft, they are offering to replace it. Read the specifics very carefully to understand what your recourse is in this particular case.

2. If the document was set to expire in the near future AND you were planning to replace it, there’s no need to wait if you can demonstrate that it was compromised. However, you may need to provide the notification letter or email from Marriott International to show why you’re requesting a new passport early.

3. When you decide to replace your passport, it will contain a new number (unlike driver’s licenses that retain their issue number, for example), but that doesn’t mean someone couldn’t still use your old number to piece together your identifying information. You will still need to monitor your accounts—especially travel-related accounts—carefully.

Read: What Can a Thief Do With Your Driver’s License?

This breach also serves as a cautionary tale about oversharing: unless you are required to turn over a piece of identifying information, think twice about submitting it. Many consumers take domestic flights and stay in hotels without even owning a passport; just because you have one doesn’t mean you have to provide the number every time it’s an option.

Finally, as if this wasn’t worrisome enough, there’s another potential threat that could be looming: scams associated with passports. With any high-profile event, scammers crawl out from under their rocks to take advantage of the public. Be wary of any email, text, social media post or other communication that plays off of fears surrounding compromised passport numbers.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read: The Real People Behind Identity Theft Statistics

For years, security experts and advocates have warned consumers about suspicious websites, specifically ones that take your sensitive information or payments. The best course of action? To look for the HTTPS designation in the web address at the top of the screen and the little padlock icon, both of which indicate a site can be trusted.

Unfortunately, scammers continue to evolve their ways to continue victimizing the public through technology. A new report has found that about 49% of known phishing websites—websites that steal your information after tricking you into submitting it—contain a secure designation and a little green padlock. The “look for the lock” advice that was once a sound way to protect yourself is a little less reliable than before.

Just as scammers have evolved, now it’s up to consumers to make some changes in order to protect themselves from the latest threats:

1. Install a security suite that offers anti-phishing and website security

A basic antivirus isn’t enough to keep you safe anymore, and a number of well-known security software developers have incorporated a lot of extra features. Some can alert you to a fake website or known scammer before you compromise your information. Even better, many security programs offer a wide range of subscription prices—even free plans—so there’s something to meet every budget.

2. Establish a throwaway email address

Some sites want nothing more than your email address so they can sell it to spammers. Generate a free email address that is separate from your everyday, commonly used one. Then, whenever you’re visiting websites that want your email address, you have the option to trust the site with your contact information or use your backup email address.

3. Designate a payment card for internet purchases

The last thing you need is for a phishing website to steal your money, but it happens. By intentionally having an “internet only” credit card that is not connected to your bank account and that has a very low credit limit, you may have an easier time protecting yourself from someone who steals your information.

The most important thing you can do is to remember that what was once considered top-notch security advice can change as new technology and new developments occur. It’s not enough to develop a good habit and never deviate from it. Instead, you need to stay informed by following ongoing coverage of the latest scams and frauds.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

If you follow tech news, you may still get shivers up your spine from the buzz surrounding one of the most dangerous ransomware attacks in recent history. The May 2017 WannaCry attack made headlines for months due to the high volume of victims and the high-profile companies who were targeted. Within a short time, this self-replicating cryptoworm had infected more than 300,000 computers, locking up their systems and demanding payment from the victims in the form of Bitcoin.

As with all headlines, though, the story can fade fast when other news takes its place. And just like most other news stories, that doesn’t mean this one is gone just because people aren’t talking about it.

In fact, antivirus and security suite developer Kaspersky Lab issued recent findings that more than 75,000 new cases of WannaCry infections were discovered between July and September of 2018. Yes, only a couple of months ago, new victims were suffering from a well-known form of ransomware and having to decide whether or not to pay the criminals in order to regain access to their computers.

One of the major issues surrounding WannaCry is that a patch was available for it even before the initial attack. Consumers and businesses who were using older computers or older operating systems may have been more vulnerable, along with individuals who haven’t been installing recommended updates regularly.

Another issue some victims faced was not having a strong, up-to-date security suite with antivirus and anti-malware protection. A number of large-scale data breaches have been traced back to inadequate protection for a computer or network, and in some cases, the original victim was not the major corporation who was ultimately the target.

One of the best courses of action against WannaCry or any other form of ransomware is to create scheduled, automatic backups of all your files. These backups can be stored in a cloud-based subscription or an external storage device, and they’ll mean you can still access all of your files if someone targets your system. Paying the ransom might be cheaper than a new computer—the typical WannaCry ransom was $300, but other ransomware attacks have demanded more—but there’s no guarantee the hackers will release your files upon payment. That money can be put towards newer equipment instead of lining a cyberthief’s pockets.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

The term “data breach” serves as a catch-all word for any kind of event in which someone entrusted with information—usually for large groups of people, like one’s customers or patients—allows that information to be exposed. While some data breaches are the work of highly-skilled hackers who can access a billion email accounts at once, others could be something as simple as an electrician leaving his work phone behind on a job site, possibly exposing customers’ info.

However, no matter how it happened, who was at fault, or what information was exposed, all data breaches are serious. They carry the potential for someone to misuse information or harm others.

A recently reported data breach of the United States Postal System’s website appears to be accidental, but since about 60 million users’ information were exposed for at least a year, there’s no telling what damage could have occurred…or has already occurred.

This breach involves the website’s API, or “application program interface.” API is computer lingo for the set of parameters that help legitimate users interact with a website. The API was connected to the USPS “Informed Visibility Mail Tracking & Reporting” service, a mail tracking preview program, where the weakness was found. Unfortunately, by exploiting any security holes found in the tracking service, hackers can interact with the API, too.

Here’s what security researchers found: the USPS website was accidentally left “unlocked,” meaning anyone with an account could change the search parameters and find other users’ accounts and information. They could even make changes to those accounts in some cases.

Think of it like this example: pretend you went to a major retailer’s website to look up a pair of socks you ordered two years ago. You go to your order history, type in your name and zip code, and then your order history appears. Now pretend that you could simply change the zip code or the last name, or your city or street address. What would you do if all of the information for every person in your zip code, last name, city, or street address appeared? What if it showed you every single item those people had ever ordered?

That’s similar to what happened here, and there are a few unfortunate issues with this breach. First, the information was never secured in the first place. It was only a matter of time before someone decided to test out different data points. Also, the USPS was supposedly informed of this website problem a year ago. Recently, the person who informed them then contacted Krebs on Security to report that the matter had still not been resolved, and Brian Krebs reached out to the postal service. After he contacted them, the USPS patched the problem and made it stop.

This certainly isn’t the first time a government agency has suffered a data breach. The Office of Personnel Management, reported in June 2015, and the US State Department, reported in September 2018, for example, have both endured exposures of users’ sensitive information. However, that doesn’t make the issue any easier for the consumers who now need to monitor their USPS accounts and make sure that nothing out of the ordinary has taken place.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

In the coming weeks, students across the country are going to experience a major shift in their lives, probably one that is unlike any other developmental milestone they’ve ever faced.

Come June, young people who’ve still had to follow curfews, dress codes, and rules about raising their hand for permission to use the bathroom will suddenly be considered adults.

Whether you’re heading to college or entering the workforce, your life may take a very sharp turn once you hit this milestone. It’s important to be prepared for some of the changes that may be coming your way, especially regarding your financial, medical, and personal identity.

Financial identity

You may have already had a job and a bank account, perhaps even a car loan, but once you finish high school, the dynamic can still shift a little. Your parents might have been joint account holders or co-signers; they may remain on your accounts or you may find yourself with your accounts to be responsible for. Understanding how your financial identity can be put at risk is crucial, especially if you’re going it alone.

Talk to your financial institution about building credit responsibly, but also about protecting your accounts. Your bank account, credit card, loans or any other financial dealings can be susceptible to takeover, and your identity can be used fraudulently to open new lines of credit or accounts. You need to know how to spot the signs of a problem and how to take action to correct it.

Medical identity

Again, this is a time when you may still be on your parents’ health insurance or when you’ll be relying on your own coverage to receive care. But your identifying information can also be used by a thief. If you suddenly receive medical bills or health insurance statements for treatments you never received, prescriptions that aren’t yours or any other related services—whether through your hometown doctor, your student health center or another healthcare provider—contact those offices immediately to report the problem.

Remember, it can be difficult to handle medical identity theft cases because HIPAA privacy laws still cover the person who used your identity. You may need to demonstrate that you were not the person who sought the care and that you are not responsible for any charges or legal fallout from the issue.

Personal Identity Theft

There are many different ways someone can steal and use your identity. New situations like moving into a dorm or apartment, filling out background checks to sign a lease or activate utilities, applying for colleges or jobs and other related scenarios can mean that your identifying information is now in a lot more places than it was when you were a kid. It’s time to understand how your information can be stolen, how to recognize if you might be a victim and what steps to take next. The Identity Theft Resource Center is a great place to start gathering information before a problem comes up, as well as an excellent resource to turn to if something goes wrong.

There’s one more thing to keep in mind as June approaches: if you’re filing a FAFSA application for financial aid to college or technical school, the deadline is June 30. Don’t wait until the last minute, though; if you discover that someone has already filed one in your name, you’ll need time to report the matter and file your legitimate FAFSA in order to avoid missing the opportunity for financial aid consideration. Get your application in quickly so you can have time to address any identity theft problems that possibly arise.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

New large-scale data breaches have impacted consumers, and new regulations about how we conduct our daily connected lives are on the horizon. A better understanding of

our connected devices has been revealed, as well as official concerns about foreign hacking.

These last few days of the year are a good time to make resolutions for the new year, and that includes security and privacy regulations. While you resolve to eat healthier or walk a few days a week after work, take the time to visit your personal identifiable information and launch some good habits for 2018, such as:

1. “I will secure my accounts.”

This one couldn’t be easier. All it takes it setting up a strong password that includes a combination of uppercase and lowercase letters, a number or two, and a symbol, then making sure you only use that password on one account. Change it up—a little or a lot—on your other accounts to keep hackers out.

2. “I will update my accounts.”

Again, it doesn’t get easier than this. The first time you access a commonly used account next year, such as your email or your social media accounts, click “forgot my password.” Change that password to your new strong, unique password. Then, each time you use a not-so-common account during 2018, click that same “forgot my password” link and change it again. This way, you’ll be blocking hackers from using old login credentials that they purchased online or stole.

3. “I will protect my accounts with 2FA.”

This one is a little harder, but the payoff can be big. Setting up two-factor authentication on sensitive accounts like your online banking, mobile wallet, and email means you’ll have to provide two different forms of login information. It’s an extra layer of security that can keep a hacker or identity thief out of your accounts.

4. “I will monitor my accounts all year long.”

Keeping tabs with on your credit card and bank accounts takes only a few minutes of your time, but can help you stop suspicious activity in its tracks.Checking your credit reports is a little more involved, but worth it in the long run. Request your free copy of your credit report from each of the three major credit reporting agencies once a year to watch out for anything that shouldn’t be there, then report it immediately.

5. “I will ask the hard questions.”

When it comes to handing over your information, it can be unnerving to ask the recipient how they plan to store the information, who will be able to access it, or why they even need it in the first place. Make 2018 the year that you stop and think before filling out that form or submitting that information online, and make smart choices about why the entities you do business with need it.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.