Home Page Featured 1

Capital One, Who’s in Your Wallet?

Announced Monday, July 29, 2019, a Capital One Data Breach puts 106 million consumers at risk. The credit card company released a statement citing “unauthorized access by an outside individual” that occurred in March of 2019, as the cause of data breach. The breach puts consumers at risk who applied for a credit card with Capital One and their existing customers. The company approximates that 100 million Americans and 6 million Canadians’ information was exposed.

Small businesses and individuals were victims in the Capital One data breach with information disclosed including name, address, date of birth, email address, credit scores, credit limits, payment history, and balances. Roughly 80 thousand linked bank account numbers of credit card customers were also exposed. Capital One reports that no credit card information was compromised. They also say 99 percent of Social Security numbers (Social Insurance numbers for Canadians) were not exposed, although 1 percent of 106 million is still 1.06 million affected consumers between the U.S. and Canada.

Take Action Now

If you are a victim of the Capital One data breach, the company has announced it will “notify you through multiple channels.” Lacking specifics, Identity Theft Resource Center suggests taking a proactive approach if you think you could be a victim of the breach.

Freeze Your Credit

This includes steps like freezing your credit report and checking financial statements. Try logging onto your account to see if there are notifications regarding the breach waiting for you.

Be Aware of Scams

Also, be wary of anyone calling in regards to the breach and asking to collect personal information. Capital One is not notifying victims via phone and asking for Social Security numbers or financial information, if someone contacts you in this regard it is a scam.

Document Your Steps

Also, start documenting your activities utilizing the ITRC’s ID Theft Help App – that way if you need to provide the documentation on what you’ve done in the future, you have recorded the time and effort you’ve spent.

While there is no proof that the compromised information has been used to commit identity theft or fraud, there is no time limit on identity crime. Millions of user information has been exposed, and there is no taking it back from the hacker or the places she chose to distribute it. The victims of the Capital One data breach will be offered credit monitoring and “identity protection” at no-cost, but the company does not offer details on the length or terms of these services.

The credit card company says the data breach was allowed by a configuration vulnerability and they have since fixed the issue. Capital One also worked with the Federal Bureau of Investigation (FBI) and the alleged hacker has been arrested, an unusual event compared to most data breach cases.

Sign Up For Identity Theft and Data Breach News

Sign up for the TMI Weekly to stay in the know about potential threats to your identity/privacy and tips to keep you safe. Our monthly breach alert keeps you posted on the latest trends and activity in the world of breaches.

Free Identity Theft Assistance

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

This news is currently evolving and we will update as announcements are made available.  


You might also like…

How to File an Equifax Claim for Data Breach Settlement

How To: Place a Free Credit Freeze

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

 

In 2017, criminals accessed Equifax’s database of consumers exposing the personal identifying information of over 148 million Americans. Equifax, one of the three main credit reporting agencies (CRAs), noted that Social Security numbers, addresses, birth dates and credit card information were all apart of the information exposed. This data breach created an increased risk of identity theft for millions of Americans. Now over two years after the breach was reported, a settlement has been reached. Details are still emerging but it’s important to understand the basics of what we know today.

The Equifax settlement agreed to pay up to $700 million dollars for harms caused by the data breach – the largest monetary settlement in data breach history. In the settlement, filed on July 22, 2019, Equifax agreed to spend up to $425 million to help the victims of its 2017 data breach. An additional $275 million will be spent to pay civil penalties. Also included in the Equifax settlement is the requirement to update security protocol and increase measures to protect consumer information.

If your information was exposed in the data breach, Equifax should have notified you directly via mail. A part of the settlement, a new breach claim site will also have a tool for consumers to check if their information was exposed. If you were affected by the breach, the Equifax settlement is offering certain benefits to minimize your risk of identity theft.

Settlement Benefits for Victims

First, Equifax will provide a total of up to 10 years in free credit monitoring services. The first 4 years will be provided for all three major CRAs – Equifax, TransUnion and Experian. Then Equifax will provide the services for monitoring their report for an additional 6 years. If you were a victim of the breach and a minor, even more services are available at no cost. If victims choose to opt-out of the free credit monitoring option, they may be eligible for a $125 cash payment.

Second, victims who have already dedicated resources to protecting their identity because of the Equifax breach could be reimbursed up to $20,000. This includes time spent protecting your identity or efforts to recover it. It also includes any money spent like the cost of lawyers or fraudulent financial charges. It’s unclear what the specifics behind how to obtain this reimbursement, but consumers will most likely bear the burden to prove the impact in order to receive compensation.

Finally, if you did fall victim to identity theft because of the breach Equifax is providing free restoration services. These services are offered for up to seven years and can be used if someone steals your identity or if you are a victim of fraud. Again, it’s unclear how consumers will have to prove that they were directly victimized as a result of the breach, but as details emerge we will share information.

As of July 24, 2019, the settlement administrator is now accepting claims. The deadline to file a claim is January 22, 2020. Find the full details here: https://www.equifaxbreachsettlement.com/

Read our guide on How to File an Equifax Claim for Data Breach Settlement

Beyond the financial impacts of the breach, nearly 90 percent of respondents said they experienced adverse feelings or emotions within one year of the initial event as reported in The Aftermath: Equifax One Year Later study by Identity Theft Resource Center.

Stay Updated with Alerts

The Federal Trade Commission (FTC) says the settlement is still in process and claims can be made after court approval. The FTC is regularly updating information as it becomes available at ftc.gov/Equifax.

Steps to Reduce Your Risk

Being a victim of the data breach does not automatically make you a victim of identity theft; however, it does greatly increase your risk. There are some steps ITRC recommends that can reduce your risk of identity theft. You can also call to speak with one of our expert advisors at no-cost at 888.400.5530 or livechat to learn more about your risk and preventative measures.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

How to File an Equifax Claim for Data Breach Settlement

How To: Place a Free Credit Freeze

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

 

United States Customs and Border Protection (CBP) announced that it was victim of a data breach at the hands of a third-party partner. The information exposed included photos of license plates and travelers. CBP released a statement about the breach saying,

“In violation of CBP policies and without CBP’s authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” CBP added. “The subcontractor’s network was subsequently compromised by a malicious cyberattack.”

The hack happened by accessing a database on the third-party’s server that was unauthorized by CBP to exist. Although the third-party who caused the breach was not directly named, The Washington Post reported that the subject line of the emailed statement included “Perceptics.” Perceptics is a company based in Tennessee whose website boast they have been “securing our nation’s boarders for more than 30 years.” They design technology for identifying vehicles and license plates for federal and commercial use.

CBP claims they have conducted a thorough search and have not found any of the stolen information on the dark web. This does not however mean the data is impossible to use for malicious acts. President and CEO of ITRC, Eva Velazquez, sums it up in her NBC7 interview saying, “These things, they stay in perpetuity. It is not going to disintegrate. So even in this moment, if there is not a way to monetize, that does not mean 10 years from now that (stolen information) might not be more valuable.”

While CBP noted their own databases were not affected by this attack, this is not the first data breach under the Department of Homeland Security. Early last year it was reported more than 240 thousand employee records were exposed by a former employee.

ITRC continues to monitor the trend of cybercriminals targeting large third-party versus smaller first party databases. Four million records were exposed in 2018 because of focused cybercrime efforts on vendor security. By targeting popular third-party vendors that work with multiple companies, criminals can collect even more personal identifying information in one attack.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

When news of yet another data breach comes out, the reaction can range from panic to “blah.” At the one of end of the spectrum, consumers can be left with documented feelings of stress, fear and even paranoia about further attacks to their identity. At the same time, a very real phenomenon known as “data breach fatigue” occurs when there are so many attacks that consumers stop taking them seriously.

Fortunately, a new tool can help consumers make sense of a data breach; while neither overreaction nor inaction is an appropriate response, this tool can help people who are affected by the breach understand their options and take corrective action.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and that actionable steps for consumers.

Watch Our New Free Webinar: Deciphering the Code of Data Breach Notifications

Unfortunately, far too many consumers do not check up on these kinds of attacks until it is too late. Even then, many victims of data breaches do not follow up on the support that notification letters offer, including things like identity theft protection or credit monitoring.

Breach Clarity lets users type in a general search term for a known breach and see a graphic representation of the threat level based on a number of factors. These include things like understanding whether or not financial information was exposed or if Social Security numbers (or other sensitive PII) were accessed. From there, a one-to-ten risk score is provided so consumers understand just how seriously this could affect them. The Home Depot breach in 2014 only receives a 3 out of 10 because of the nature of the information that was stolen; the 2015 attack on the US government’s Office of Personnel Management was far more serious and received a 10 out of 10 risk score as a result.

Breach Clarity was unveiled at the 2019 KNOW Conference in Las Vegas where it won first place in the third annual Identity Startup Pitch Competition. The criteria for selecting a grand prize winner included factors like the degree to which the entrant meets the customer’s needs and expectations, innovation, originality, and more.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

The Force Has Awakened this #StarWarsDay! May the Fourth Be With You as you break out your lightsabers and prepare to do battle against the Dark Side of our cyber world with tips from the Identity Theft Resource Center and National Cyber Security Alliance.

To celebrate this #MayTheFourthBeWithYou, use the messages below on Twitter, Facebook and LinkedIn to join the cyber force on May 4th, 2019. Don’t forget to use the #MayTheFourthBeWithYou hashtag!

Download all images and messages here.

 

Tweet: It’s #StarWars Day and the cyber force has awakened! Use our tips for protecting your identity from the dark side. #MayTheFourthBeWithYou @ITRCSD @StaySafeOnline https://idtheft.center/MayTheFourth

More resources: Identity theft impacts 17 million individuals every year and unfortunately, can impact you at anytime. Learn about the different types of identity theft and how you can protect yourself with help from ITRC.


Tweet: “Do. Or do not. There is no try.” Taking steps to protect your digital identity & privacy every day is a must. #MayTheFourthBeWithYou @ITRCSD @StaySafeOnline https://idtheft.center/MayTheFourth

 

More resources: The National Cyber Security Alliance’s (NCSA’s) CyberSecure My Business™ is a national program helping small and medium-sized businesses (SMBs) learn to be safer and more secure online.

 

Tweet: You don’t have to go Solo. Get help from the cyber force with tips from @ITRCSD & @StaySafeOnline #MayTheFourthBeWithYou https://idtheft.center/MayTheFourth

More resources: Learn how to protect yourself, your family and devices with these Online Safety Basics

 

Tweet: A new hope for your digital identity is here. We have a plan to help you recover from identity theft. @ITRCSD & @StaySafeOnline #MayTheFourthBeWithYou https://idtheft.center/MayTheFourth

 

More resources: For free one-on-one assistance with identity theft, scams, fraud, cybersecurity, privacy and more, contact the Identity Theft Resource Center toll-free 888-400-5530 or LiveChat

 

Tweet: Think you have what it takes to be a digital jedi? Train with steps to empower your privacy & identity. #MayTheFourthBeWithYou #RiseOfSkywalker @ITRCSD & @StaySafeOnline https://idtheft.center/MayTheFourth

More resources: Take privacy into your own hands with a privacy quiz. Then learn how to update your privacy settings on popular devices and online services.

 

Even after May The Fourth, you can safeguard your information from the Empire all year-long by staying up to date with the latest threats to your identity and tips by signing up for our newsletters:

Stay Safe Online Email Sign-up: https://staysafeonline.org/email-signup 

Identity Theft Resource Center Email Sign-up: https://www.idtheftcenter.org/newsletter-signup/ 


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Your Passport and Your Identity

A recently-discovered data breach of the Starwood brands of Marriott International’s hotels has left consumers and security advocates alike scratching their heads. At the heart of this confusion surrounding the theft of data for around 25 million guests is passport security, or more accurately, the need to safeguard both your physical document and its number. So assuming that your passport was affected, what do you do?

As noted in the newest release published on January 4th, 2019, “Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers.” According to numerous sources including the US State Department, your passport number on its own is not a highly valuable piece of information for a hacker. However, when combined with some of the other data points that were compromised in this breach, your number could possibly be used to craft a more complete profile for identity theft – or allow for an identity thief to generate a synthetic identity with more validity.

First, if the physical document is lost or stolen, that is absolutely an urgent matter. You should report it to the proper authorities—namely the State Department who issues them—so that there is a record of the missing document. If it is used for identity theft or fraud, you will have already filed it as missing.

Read: What To Do If Your Passport is Lost or Stolen

But in the case of this data breach where only the number was compromised, your recourse is a little different:

1. If only the number and not the actual document is stolen, don’t be too quick to replace it. Since the number by itself does not directly result in identity theft, you may not be given a new passport free of charge. That means you’ll pay for the new document out-of-pocket.

In the case of the Marriott breach, if you can show proof that your passport was the cause of fraud or identity theft, they are offering to replace it. Read the specifics very carefully to understand what your recourse is in this particular case.

2. If the document was set to expire in the near future AND you were planning to replace it, there’s no need to wait if you can demonstrate that it was compromised. However, you may need to provide the notification letter or email from Marriott International to show why you’re requesting a new passport early.

3. When you decide to replace your passport, it will contain a new number (unlike driver’s licenses that retain their issue number, for example), but that doesn’t mean someone couldn’t still use your old number to piece together your identifying information. You will still need to monitor your accounts—especially travel-related accounts—carefully.

Read: What Can a Thief Do With Your Driver’s License?

This breach also serves as a cautionary tale about oversharing: unless you are required to turn over a piece of identifying information, think twice about submitting it. Many consumers take domestic flights and stay in hotels without even owning a passport; just because you have one doesn’t mean you have to provide the number every time it’s an option.

Finally, as if this wasn’t worrisome enough, there’s another potential threat that could be looming: scams associated with passports. With any high-profile event, scammers crawl out from under their rocks to take advantage of the public. Be wary of any email, text, social media post or other communication that plays off of fears surrounding compromised passport numbers.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read: The Real People Behind Identity Theft Statistics

For years, security experts and advocates have warned consumers about suspicious websites, specifically ones that take your sensitive information or payments. The best course of action? To look for the HTTPS designation in the web address at the top of the screen and the little padlock icon, both of which indicate a site can be trusted.

Unfortunately, scammers continue to evolve their ways to continue victimizing the public through technology. A new report has found that about 49% of known phishing websites—websites that steal your information after tricking you into submitting it—contain a secure designation and a little green padlock. The “look for the lock” advice that was once a sound way to protect yourself is a little less reliable than before.

Just as scammers have evolved, now it’s up to consumers to make some changes in order to protect themselves from the latest threats:

1. Install a security suite that offers anti-phishing and website security

A basic antivirus isn’t enough to keep you safe anymore, and a number of well-known security software developers have incorporated a lot of extra features. Some can alert you to a fake website or known scammer before you compromise your information. Even better, many security programs offer a wide range of subscription prices—even free plans—so there’s something to meet every budget.

2. Establish a throwaway email address

Some sites want nothing more than your email address so they can sell it to spammers. Generate a free email address that is separate from your everyday, commonly used one. Then, whenever you’re visiting websites that want your email address, you have the option to trust the site with your contact information or use your backup email address.

3. Designate a payment card for internet purchases

The last thing you need is for a phishing website to steal your money, but it happens. By intentionally having an “internet only” credit card that is not connected to your bank account and that has a very low credit limit, you may have an easier time protecting yourself from someone who steals your information.

The most important thing you can do is to remember that what was once considered top-notch security advice can change as new technology and new developments occur. It’s not enough to develop a good habit and never deviate from it. Instead, you need to stay informed by following ongoing coverage of the latest scams and frauds.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

If you follow tech news, you may still get shivers up your spine from the buzz surrounding one of the most dangerous ransomware attacks in recent history. The May 2017 WannaCry attack made headlines for months due to the high volume of victims and the high-profile companies who were targeted. Within a short time, this self-replicating cryptoworm had infected more than 300,000 computers, locking up their systems and demanding payment from the victims in the form of Bitcoin.

As with all headlines, though, the story can fade fast when other news takes its place. And just like most other news stories, that doesn’t mean this one is gone just because people aren’t talking about it.

In fact, antivirus and security suite developer Kaspersky Lab issued recent findings that more than 75,000 new cases of WannaCry infections were discovered between July and September of 2018. Yes, only a couple of months ago, new victims were suffering from a well-known form of ransomware and having to decide whether or not to pay the criminals in order to regain access to their computers.

One of the major issues surrounding WannaCry is that a patch was available for it even before the initial attack. Consumers and businesses who were using older computers or older operating systems may have been more vulnerable, along with individuals who haven’t been installing recommended updates regularly.

Another issue some victims faced was not having a strong, up-to-date security suite with antivirus and anti-malware protection. A number of large-scale data breaches have been traced back to inadequate protection for a computer or network, and in some cases, the original victim was not the major corporation who was ultimately the target.

One of the best courses of action against WannaCry or any other form of ransomware is to create scheduled, automatic backups of all your files. These backups can be stored in a cloud-based subscription or an external storage device, and they’ll mean you can still access all of your files if someone targets your system. Paying the ransom might be cheaper than a new computer—the typical WannaCry ransom was $300, but other ransomware attacks have demanded more—but there’s no guarantee the hackers will release your files upon payment. That money can be put towards newer equipment instead of lining a cyberthief’s pockets.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

The term “data breach” serves as a catch-all word for any kind of event in which someone entrusted with information—usually for large groups of people, like one’s customers or patients—allows that information to be exposed. While some data breaches are the work of highly-skilled hackers who can access a billion email accounts at once, others could be something as simple as an electrician leaving his work phone behind on a job site, possibly exposing customers’ info.

However, no matter how it happened, who was at fault, or what information was exposed, all data breaches are serious. They carry the potential for someone to misuse information or harm others.

A recently reported data breach of the United States Postal System’s website appears to be accidental, but since about 60 million users’ information were exposed for at least a year, there’s no telling what damage could have occurred…or has already occurred.

This breach involves the website’s API, or “application program interface.” API is computer lingo for the set of parameters that help legitimate users interact with a website. The API was connected to the USPS “Informed Visibility Mail Tracking & Reporting” service, a mail tracking preview program, where the weakness was found. Unfortunately, by exploiting any security holes found in the tracking service, hackers can interact with the API, too.

Here’s what security researchers found: the USPS website was accidentally left “unlocked,” meaning anyone with an account could change the search parameters and find other users’ accounts and information. They could even make changes to those accounts in some cases.

Think of it like this example: pretend you went to a major retailer’s website to look up a pair of socks you ordered two years ago. You go to your order history, type in your name and zip code, and then your order history appears. Now pretend that you could simply change the zip code or the last name, or your city or street address. What would you do if all of the information for every person in your zip code, last name, city, or street address appeared? What if it showed you every single item those people had ever ordered?

That’s similar to what happened here, and there are a few unfortunate issues with this breach. First, the information was never secured in the first place. It was only a matter of time before someone decided to test out different data points. Also, the USPS was supposedly informed of this website problem a year ago. Recently, the person who informed them then contacted Krebs on Security to report that the matter had still not been resolved, and Brian Krebs reached out to the postal service. After he contacted them, the USPS patched the problem and made it stop.

This certainly isn’t the first time a government agency has suffered a data breach. The Office of Personnel Management, reported in June 2015, and the US State Department, reported in September 2018, for example, have both endured exposures of users’ sensitive information. However, that doesn’t make the issue any easier for the consumers who now need to monitor their USPS accounts and make sure that nothing out of the ordinary has taken place.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Secret Sisterhood” Online Gift Exchange Scam Alert

In the coming weeks, students across the country are going to experience a major shift in their lives, probably one that is unlike any other developmental milestone they’ve ever faced.

Come June, young people who’ve still had to follow curfews, dress codes, and rules about raising their hand for permission to use the bathroom will suddenly be considered adults.

Whether you’re heading to college or entering the workforce, your life may take a very sharp turn once you hit this milestone. It’s important to be prepared for some of the changes that may be coming your way, especially regarding your financial, medical, and personal identity.

Financial identity

You may have already had a job and a bank account, perhaps even a car loan, but once you finish high school, the dynamic can still shift a little. Your parents might have been joint account holders or co-signers; they may remain on your accounts or you may find yourself with your accounts to be responsible for. Understanding how your financial identity can be put at risk is crucial, especially if you’re going it alone.

Talk to your financial institution about building credit responsibly, but also about protecting your accounts. Your bank account, credit card, loans or any other financial dealings can be susceptible to takeover, and your identity can be used fraudulently to open new lines of credit or accounts. You need to know how to spot the signs of a problem and how to take action to correct it.

Medical identity

Again, this is a time when you may still be on your parents’ health insurance or when you’ll be relying on your own coverage to receive care. But your identifying information can also be used by a thief. If you suddenly receive medical bills or health insurance statements for treatments you never received, prescriptions that aren’t yours or any other related services—whether through your hometown doctor, your student health center or another healthcare provider—contact those offices immediately to report the problem.

Remember, it can be difficult to handle medical identity theft cases because HIPAA privacy laws still cover the person who used your identity. You may need to demonstrate that you were not the person who sought the care and that you are not responsible for any charges or legal fallout from the issue.

Personal Identity Theft

There are many different ways someone can steal and use your identity. New situations like moving into a dorm or apartment, filling out background checks to sign a lease or activate utilities, applying for colleges or jobs and other related scenarios can mean that your identifying information is now in a lot more places than it was when you were a kid. It’s time to understand how your information can be stolen, how to recognize if you might be a victim and what steps to take next. The Identity Theft Resource Center is a great place to start gathering information before a problem comes up, as well as an excellent resource to turn to if something goes wrong.

There’s one more thing to keep in mind as June approaches: if you’re filing a FAFSA application for financial aid to college or technical school, the deadline is June 30. Don’t wait until the last minute, though; if you discover that someone has already filed one in your name, you’ll need time to report the matter and file your legitimate FAFSA in order to avoid missing the opportunity for financial aid consideration. Get your application in quickly so you can have time to address any identity theft problems that possibly arise.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.