Posts

According to the National Center for Education Statistics (NCES), about 56.6 million students are attending school this fall. The NCES also reports that there are 3.7 million teachers currently in the United States. That is over 60 million students and teachers spending their time inside of schools, on their Wi-Fi, online programs and much more.

Data breaches that affect students and teachers are not uncommon, although education ranked lowest of the five industry sectors that the Identity Theft Resource Center (ITRC) records in 2018 with 76 education data breaches exposing 1,408,670 records. However, 2017 was a different story. According to the ITRC’s 2018 End-of-Year Data Breach Report, in 2017 there were 128 education data breaches exposing 1,418,455 records. So far in 2019, there have been 104 breaches exposing 2,248,578 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the education sector is not seeing as many breaches as some of the other industry categories, the ITRC believes that one breach is one too many. That is why we continue to empower identity theft victims – particularly those that are victims of education data breaches – with the resources to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we looked at the top banking, credit and financial data breaches. This week we conclude our blog series with a look at the top five education data breaches that impacted U.S. teachers, students and families and their personal information that was compromised.

Maricopa County Community College District

Following a data breach incident in January 2011, Maricopa County Community College District experienced another education data breach in 2013 that led to personal information like names, addresses, Social Security numbers, dates of birth and financial aid information being exposed. The breach affected 2.5 million current and former students, employees and vendors. In January 2011, the district was first notified by the FBI of a small data breach affecting 400 people. Information from its database was found online for sale, and the FBI warned the district that it needed to properly secure its systems. Ten months later the district was warned, once again, this time after the Arizona Auditor General found that terminated employees still had active user accounts on the district’s network. One year later an audit found that the district had still not tightened up its security procedures. This led to the breach in 2013 which discovered, once again, sensitive information had been found for sale online. The impact on those teachers and students was potentially catastrophic given the amount of sensitive information and data compromised. This education data breach also highlights the importance of businesses and schools to take their security measures seriously.

Georgia Tech

In April 2019, Georgia Tech announced that nearly 1.3 million current and former faculty members, students, staff and student applicants had been affected by an education data breach that was caused by unauthorized access to a web application. Information compromised included names, addresses, dates of birth and Social Security numbers. The university has taken steps since to help people who were affected by offering credit monitoring and identity theft protection services to individuals who had their Social Security number exposed. Faculty members and students should be aware of the sensitive nature of their data and the potential unique identity theft aspects that could come from its exposure.

Washington State University – Social & Economic Science Research Center

Two years prior to the Georgia Tech education data breach, Washington State University learned that a locked safe containing a hard drive used by the Social & Economic Science Research Center to store backed-up files had been stolen. The hard drive contained a wide range of sensitive information on 1.1 million individuals including demographic information, Social Security numbers and personal health information. In April of 2019, the university reached a $4.7 million settlement where victims were entitled to receive up to $5,000 in cash reimbursements for any out-of-pocket expenses incurred, credit monitoring services or credit reports. This breach stresses the importance of making sure schools and universities have guidelines and measures in place to make sure that all student and faculty information is securely protected and that there is no risk of it being stolen, whether online or from a safe.

University of California Los Angeles (UCLA)

In October 2006, UCLA was hit by a cyber-attack allowing a hacker to gain access to a restricted database containing sensitive information of 800,000 current and former students, faculty and staff. The database included names, addresses, dates of birth and Social Security numbers. While this breach affected less than five percent of the records in the database, it was still one of the largest education data breaches at that time. While the university said there was no evidence of any personal information being misused, they suggested those possibly affected contact credit reporting agencies and take steps to minimize the risk of potential identity theft.

Pearson

Initially reported in July 2019, educational software maker, Pearson, experienced a data breach affecting its AIMSWeb 1.0 platform. Roughly 13,000 school and university accounts were affected by this breach. However, this number does not include the individual students and staff members whose information was contained in each account. Although the information exposed varies per account, information like student names, student dates of birth, student email addresses, student ID numbers, staff names, staff email addresses, job titles and more was exposed. In an interview with the Las Vegas Review-Journal, ITRC president and CEO, Eva Velasquez said, fortunately, the information exposed was limited: “Just a name is not going to necessarily lead to an increase in the risk of identity theft. A name and date of birth could potentially lead to a slight increase. But as far as very serious personal identifying information, it does not appear that this breach contains that level of data.” School districts are continuing to come forward to report being affected by the Pearson breach.

As we recap education data breaches, the ITRC hopes to help those impacted – both as faculty members, students, schools and universities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just set it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a school or university that has been impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

For a complete look at all the blogs from the 10,000 Breaches Later blog series, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Financial, Credit and Banking Data Breaches

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

According to our 2018 End-of-Year Breach Report, there were a total of 135 financial, credit and banking data breaches, exposing 1,709,013 records last year. In the report, banking/credit/financial had the third-highest amount of data breaches of the five industry categories the Identity Theft Resource Center tracks. Of all the data breaches recorded in 2018, hacking was the most common form of data breaches. That trend has been noticeable throughout our 10,000 Breaches Later blog series and continues to play a role when it comes to financial, credit and banking data breaches.

Sign up for our ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one of many reasons why the ITRC  has been working to empower financial, credit and banking identity theft victims with the resources they need to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last month, we looked at some of the largest government and military data breaches. Now we shift our focus to the top five most impactful financial, credit and banking data breaches (as well as a bonus breach) for consumers.

Capital One

Just three months ago on July 29, 2019, Capital One announced that a hacker had gained access to 100 million U.S. and six million Canadian Capital One customers’ accounts and credit card applications in March of 2019. Individuals and small businesses were affected by this data breach that disclosed names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances. Roughly 140,000 Social Security numbers (SSNs) and 80,000 linked bank account numbers were also exposed. At the time of the breach, the ITRC urged consumers to take action, freeze their credit, be aware of scams and to document all of their steps they were taking if they were impacted (utilizing our ID Theft Help App as one tool). This breach was particularly impactful due to the high amount of SSNs and bank account numbers exposed and the gigantic amount of accounts accessed. A stolen Social Security number can lead to multiple types of identity theft, including financial identity theft, government identity theft, criminal identity theft, medical identity theft and utility fraud.

JPMorgan Chase & Co.

First reported in August of 2014, JPMorgan Chase & Co. experienced a cyberattack that allowed hackers to access the personal information of 76 million households and seven million small businesses. The information accessed included names, addresses, phone numbers, email addresses and internal JPMorgan Chase & Co. information of those users. Customers affected by this breach were those who used Chase.com, JP Morgan online, Chase Mobile and JP Morgan Mobile. Many JPMorgan Chase & Co. customers were impacted because JPMorgan Chase & Co. did not have to send out notification letters to affected consumers in many states because the breach did not expose sensitive information like account numbers, passwords, dates of birth and Social Security numbers. Instead, Chase posted a blanket statement on the homepage of their website. That left some individuals affected on their own to figure out what to do.

CardSystems

Credit card processing company, CardSystems Solutions, Inc., discovered in May 2005 and reported one month later that they had experienced a  data breach in which a hacker was able to insert a virus into the computer system that captured customer data. Around 40 million Visa and MasterCard credit and debit card accounts were affected. Following the breach, Visa said it would continue to work with CardSystems when the case was resolved. MasterCard said that it would give CardSystems a limited amount of time to demonstrate compliance with MasterCard’s security requirements. The data breach led to Visa and MasterCard dropping CardSystems as their credit card processor. An important point for consumers to understand in this instance, in particular, is that many institutions utilize third-party vendors that can have a detrimental impact on their data even if the consumer is as vigilant as possible.

BNY Mellon Shareowner Services

On February 27, 2008, Bank of New York Mellon (BNY Mellon) lost a box of backup tapes in transit to a storage facility that contained the names, addresses, dates of birth and Social Security numbers of 12.5 million customers. Connecticut Attorney General Richard Blumenthal said he was alarmed and deeply concerned at the time of the breach. Notification letters were sent to those affected in May and the breach had such a large impact the bank went on to hire more customer service representatives to handle the influx of calls from concerned customers. This is a reminder that if you are impacted by a breach, it is important to take the necessary steps to protect yourself.

Scottrade

In October 2015, retail stock brokerage firm, Scottrade, INC., disclosed that hackers had stolen client contact information and SSNs for 4.6 million customers. In an email notice sent to customers, Scottrade said that although SSNs, email addresses and other sensitive data were contained in the accessed system, they believed that only client names and street addresses were the focus of the hack. However, the company said it would offer those affected identity theft protection services “as a precaution.” At the time of the breach, federal authorities were also investigating similar thefts at other financial services companies. It is important for consumers to realize that even if a company believes that only certain records where the targets, any data that may have been compromised opens those impacted to much more risk than an organization may communicate in its notification.

Bonus Breach: First American Financial Corp.

In May 2019, it was reported that financial services corporation, First American Financial Corp., had been exposing a massive 885 million real estate and mortgage-related documents through its website. By simply altering a nine-digit record number attached to a transaction link, users were able to potentially pull up other transaction documents containing information such as names, phone numbers, addresses, driver’s licenses, Social Security numbers, bank account numbers and statements, mortgage and tax records and wire transactions receipts. In an update posted by First American regarding the financial, credit and banking data breach, the investigation only identified 32 consumers whose non-public personal information was likely accessed without authorization. This breach could have led to mortgage fraud where a hacker tries to take out a loan in the victim’s name as well as other types of fraud like title fraud.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted understand how to minimize their risk and mitigate their data compromises. If you have received a data breach notification letter, call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do.

In our final 10,000 Breaches Later blog, we will take a look at some of the biggest education data breaches since 2005 and the effect they have had on children, parents and teachers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

10,000 Breaches Later: Top Five Business Data Breaches

According to the Bureau of Labor Statistics, there are nearly 22 million government employees in the United States; according to the New York Times the U.S. has 1.3 million active-duty troops and 865,000 military members in the reserves. That is over 24 million Americans combined in the U.S. government and military.

The Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report showed 79 data breaches impacting military and government entities, exposing 5,302,846 records. In 2017 those numbers were even higher with 99 breaches that exposed 9,927,798 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the government/military industry category had fewer breaches in 2018, the ITRC continues to empower identity theft victims – particularly those that are victims of both government agencies and the military breaches – with the resources and tools to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we took a look at the most impactful medical and healthcare data breaches. This week we continue with our latest installment looking at the top five military and government data breaches that impacted U.S. consumers and personal information that was compromised.

Office of Personnel Management (OPM)

For the third time in our 10,000 Breaches Later blog series, OPM makes the list. In June 2015, The U.S. Office of Personnel Management (OPM) suffered two separate hacking events that exposed background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint/biometric data and security clearance information. It also exposed personally identifiable information (PII) of dependents including SSNs, birth dates and other information. It was a sophisticated, large-scale hacking event that led to the creation of the National Background Investigations Bureau (NBIB). The impact to those Federal employees and their dependents was potentially catastrophic given the amount and sensitivity of the data compromised.

U.S. Military – National Archives and Records Administration

In October 2009, the Inspector General of the National Archives and Records Administration announced a military and government data breach that impacted 76 million U.S. military veterans. The incident involved a defective hard drive that was sent back to its vendor for repair, determined unrepairable and sent to another firm to be recycled. While sent to be recycled, it still contained PII and sensitive PII of veterans. The hard drive helped power eVetRecs, a system used by veterans to request copies of health records and discharge papers. With that type of information available to a fraudster, the potential for government identity theft and benefits fraud could create havoc for a veteran seeking services.

United States Postal Service (USPS)

Right before the holiday season in November of 2018, and weeks after the Secret Service issued an alert that cybercriminals were using the United States Postal Service’s Informed Delivery feature to commit fraud and identity theft, the USPS announced that they had fixed a flaw in their system that exposed the personal information of 60 million users. Any user could login to an usps.com account to query the system for details belonging to other users due to the flaw. Some of the details users could have had access to included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data. All of that information meant that not only could a thief potentially know what was coming to your mailbox, but they could also pose as the address-owner and have the mail rerouted, creating a huge issue for folks with sensitive mail on the way to them.

Government Payment Service, Inc. (GovPayNow.com)

In September 2018, Government Payment Service, Inc., who is contracted by thousands of government agencies – including Federal, state, regional and local/city/town governments – to process payments related to government fees and fines, announced that their payment portal had exposed 14 million customer records. The online system allowed registered users to access copies of their receipts. However, access was not properly restricted and unauthorized recipients were able to view other user’s receipts by simply changing the digits displayed in the web address. Information that could be viewed on the receipts included names, addresses, phone numbers and the last four digits of payment card numbers. This breach also covered data stretching all the way back to 2012. The payment service released a statement saying they updated their system to ensure that only authorized users could view their individual receipts.

California Secretary of State

The California Secretary of State announced in December 2017 that they were investigating a cyberattack in which hackers stole the data of California voters and held it for ransom payable in Bitcoin. The information accessed included the names, addresses, phone numbers, email addresses, places of birth and gender of 19.2 million voters. According to DarkReading, the Kromtech researchers stated they had not been able to identify the owner of the database and believe it could have been a political action committee or a specific campaign based on the unofficial title of the repository. However, they reiterated that was only a suspicion. Access to voter records can create a treasure trove of information for a fraudster, but it can also provide a wealth of information from state-actors attempting to influence election outcomes. Consumers should be aware of the sensitive nature of voter data and the potential unique identity theft aspects that could come from its exposure.

Coming Up In 10,000 Breaches Later

As we recap military and government data breaches, the ITRC hopes to help those impacted – both as consumers, businesses and government entities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just toss it aside or file it away. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a government or military entity impacted by a data breach incident, please reach out to the ITRC at itrc@idtheftcenter.org to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

As part of this series, in our next 10,000 Breaches Later blog, we will take a look at some of the top banking, credit and financial breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.


You might also like…

“Federal Government Empowerment Money Program” Scam Circulates on Social Media

In New Scam, Criminals Pose as Government Officials Pretending to Help with Identity Theft

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.

Sign up for the ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft – especially of their highly sensitive personally health information (PHI). Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem

In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach and the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the United States. Nearly 80 million consumers were impacted with information like names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parent’s healthcare plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. Anthem agreed to take corrective actions in 2018 by paying the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of HIPAA Privacy and Security rules. This created awareness among consumers that while their health information was regulated under HIPAA, that didn’t mean that it wasn’t at risk for exposure – and not just their health information but a host of other components to their identity.

American Medical Collection Agency

Third-party billing and collections agency, American Medical Collections Agency, experienced a medical and healthcare data breach with an intrusion in its payment system in March of 2019. That intrusion exposed personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics who reported approximately 11.9 million of their patients were impacted. Some of the data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information like patient account numbers and health insurance numbers. The information exposed varied entity to entity since the same information was not provided to AMCA for their patients. As of this blog’s publish date, we’re still receiving notifications of medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers pretending to be Premera IT, sending employees phishing emails with links containing malware. This data breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information that could have been included in clinical information were some of the information exposed. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 if class members can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time including health insurer Excellus Blue Cross Blue Shield. This medial and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP discovered the breach one month prior after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. In fact, the message included a ransom note demanding $10 million in seven days or the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As we can see by these examples, static information like Social Security numbers, date of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

12 Million Quest Diagnostic Patients Exposed in Third-Party Breach

Medicaresupplement.com Data Breach Caused by Accidental Exposure

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

 

In our 2018 End-of-the-Year Data Breach Report, the Identity Theft Resource Center reported 907 data breaches that impacted the business sector; these breaches equaled more than the amount reported for the banking, education, government and medical sectors combined. Of the five industry categories ITRC tracks for data breaches (banking/credit/financial; business; education; government/military; and medical/healthcare), business-related data breaches are the most common.

You can learn more by signing up for the ITRC Monthly Breach Newsletter.

That is just one reason why the ITRC has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999. Our mission is to help people proactively reduce their risk of becoming a victim of identity theft and to empower them if they become a victim. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. We’re continuing our 10,000 breaches blog series with a look at the top five business data breaches that impacted U.S. consumers and personal information compromised.

Starwood Hotels & Resorts Worldwide, LLC. (Marriott International)

In November 2018, Marriott announced that its Starwood guest reservation database had been accessed by an unauthorized user. Nearly 383 million records were accessed in this business data breach, which included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates and encrypted payment card numbers. Hotels are typically hot targets for data thieves due to the sheer volume of people’s data available.

Heartland Payment Systems

Payment processor Heartland Payment Systems announced in January 2009 that its processing systems had been breached one year prior, affecting thousands of businesses and banking institutions. Around 130 million consumers’ credit and debit card information had been stolen including cardholder names, card numbers and card expiration dates, putting all consumers at risk for fraud. An investigation into the business data breach began once Heartland received notifications from Visa and MasterCard about suspicious activity surrounding the payment systems processed card transactions.

Equifax

Once again, Equifax makes the list. As many people know, in 2017 Equifax experienced a hack that exposed 148 million U.S. consumer’s personal information including names, dates of birth, Social Security numbers, addresses, phone numbers, Driver’s License numbers, email addresses, payment card information and Tax ID numbers. In July 2019, Equifax reached a $700 million settlement due to their business data breach and agreed to spend up to $425 million to help the victims of the breach. If you were affected, you can file a claim for cash or free credit monitoring services. You can also file a claim for a minor that has been impacted as well. If you have questions about the settlement and what it means, read more here.

Experian/T-Mobile

In September 2015, Experian North America disclosed a breach of their computer systems that affected 15 million applicants for device financing from wireless provider T-Mobile. Names, birthdays, addresses, Social Security numbers, alternate forms of identification (such as Driver’s License numbers, passport numbers or military ID numbers) were some of the information exposed. While the business data breach impacted Experian’s services, it did not affect their consumer credit database. According to T-Mobile, Experian took full responsibility for the theft of data from its server and offered free credit monitoring services to all the consumers who were potentially at risk.

MyFitnessPal (Under Armour)

It was discovered that an unauthorized party acquired data associated with Under Armour’s MyFitnessPal user accounts in March of 2018. Approximately 150 million user accounts were compromised in the business data breach exposing usernames, email addresses and hashed passwords. MyFitnessPal released a notice of data breach stating they quickly took steps to determine the nature and scope of the issue and were working with data security firms and law enforcement authorities in an investigation. In the same statement, MyFitnessPal recommended users change their passwords for all their MyFitnessPal accounts, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for your personal data and to avoid clicking on links or downloading attachments from suspicious emails. (These are practices the ITRC encourages consumers to take with all of their accounts to reduce their risk of identity theft.)

Coming Up In 10,000 Breaches…

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and business – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

 As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top medical and healthcare breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

 

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About

 

By 2021, over 2.14 billion people worldwide are expected to buy goods and services online, up from 1.66 billion global digital buyers in 2016. That means retail data breaches will also be on the rise as point-of-sale (POS) systems, e-commerce sites and other store servers are major targets for hackers looking for large volumes of personally identifiable information (PII) and behavioral data.

Sign up for the ITRC Monthly Breach Newsletter

That is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999., including helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year report published.

Read next: 2018 End-of-Year Data Breach Report

ITRC currently tracks five industry categories: banking/credit/financial; business; education; government/military and medical/healthcare. ITRC is a leader in reporting new data breach trends. We’re continuing our 10,000 breaches blog series with a look at the five most impactful retail data breaches for consumers.

Target

Retail giant Target makes the list for their 2013 data breach that exposed the payment card information of 40 million people and the personal information of 70 million. Hackers were able to infect Target’s POS systems with malware, disrupting holiday shopping for millions of consumers. Between Black Friday and Christmas shopping, anyone who shopped at Target from November 27 to December 15, 2013 was at risk for fraud. In a public statement to customers, Target said they moved swiftly to address the issue and that they regret any inconvenience it might have caused.

TJX Companies

In January 2007, TJX Companies Inc., operator of stores like T.J. Maxx, Marshalls and HomeGoods, experienced a retail data breach that affected 94 million customers. Payment card information and customer return records, which included driver’s license numbers, military I.D. numbers or Social Security numbers, were stolen by hackers who were able to gain access to TJX’s computer systems that process and store transaction information. TJX reached settlements with a majority of entities in 2007 and 2008.

Home Depot

Target is not the only retailer that experienced a breach of their POS systems. In 2014, Home Depot announced that they had experienced a retail data breach affecting their payment card processing systems. The hackers were able to steal the payment card information of 40 million customers and emails of 54 million. Since the incident, there have been 57 lawsuits filed against the large retailer. While the company did not admit any wrongdoing, they say they settled so they could move forward and put the incident behind them without incurring further costs.

Hudson Bay

Hudson Bay, parent company of Saks Fifth Avenue and Lord & Taylor, experienced a retail data breach that affected the payment card information of five million customers in 2018. Most of the stores affected were located in New York and New Jersey. It is reported that the retail data breach only affected in-store purchases and did not affect its e-commerce sites. In a statement, Hudson Bay said they deeply regretted any inconvenience or concern the breach may have caused. They also said there was no indication that Social Security or driver’s license numbers were stolen.

Hannaford Brothers

In 2008, supermarket company Hannaford Brothers was breached. It affected just over four million customers. Malware was placed on 300 Hannaford servers as part of the retail data breach which allowed hackers to steal customers’ payment card details as they were used at the check-out. Of the just over four million customers who were affected, more than 1,800 reported their credit cards had been used.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and business fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to us to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog  we will take a look at some of the biggest business breaches since 2005 and what they meant for consumers. For a look at all of the ITRC’s 10,000 breaches blogs, visit idtheftcenter.org.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

 

The Identity Theft Resource Center has been working to empower breach victims with the resources and tools to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft, especially after they were impacted by a data breach. Since 2005, the ITRC has recorded over 10,000 publicly notified breaches. Here is a look at five watershed moments that created systemic change for consumers.

Equifax

In 2017, 148.8 million people were affected by this impactful data breach that through the Freedom from Equifax Exploitation Act led to credit freezes being free and regulation changes as noted in ITRC’s “Equifax One Year Later Aftermath Report.” On July 22, 2019, Equifax reached a $700 million settlement with the Federal Trade Commission (FTC) where Equifax agreed to spend up to $425 million to help victims of the breach. And it’s changing the standard of proof for settlements – shifting the onus from the entity that was breached to the consumer having to prove that they were impacted. Because of Equifax, we’re still seeing people push for data breach law reform.

Target

During the busy holiday season in 2013, Target was hit by a data breach that exposed the credit card data of 40 million people and the personal information of 70 million, upsetting lawmakers. This breach made customers uneasy about using payment cards and was a catalyst for pushing forward the adoption of chip card technology. It also created a greater understanding of the need for authentication options. Consumers are now more acutely aware of their transactional engagements with retailers and how their financial information could be a gateway to other types of compromise.

Anthem

In 2015, Anthem suffered a large consumer data breach that impacted nearly 80 million people. The information compromised included names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data that could have included income information. Minors who were on their parent’s health plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. In 2018, Anthem agreed to take corrective actions and pay the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In order to place a claim for the settlement, victims needed to provide proper documentation for out-of-pocket costs. The Anthem breach is considered to be the largest health data breach and the largest HIPAA settlement in the United States.

OPM

Over 21 million people were affected by the second Office of Personal Management (OPM) impactful data breach, which occurred in 2016. Investigators determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen – including biometric and protected health information. Not only did it impact those that were under OPM’s jurisdiction, but it also impacted those that were dependents as well. It was a sophisticated, large-scale hacking event that resulted in the creation of the National Background Investigations Bureau (NBIB).

ChoicePoint

ChoicePoint was part of a large impactful data breach in 2005 that led to the personal information of at least 163,000 Americans being sold to a crime ring. Fraudsters, posing as customers of the company, gained access to the company’s background check database – giving them the ability to mine sensitive personal information for nefarious purposes. In 2008, ChoicePoint agreed to pay $10 million to settle a class-action lawsuit. Since the breach, Senators have proposed a law to regulate the data broker industry called the “Data Broker Accountability and Transparency Act.”

Bonus Breach: U.S. Department of Veteran Affairs

This 2006 data breach affected 26.5 million veterans, spouses, active-duty military personnel and reserve military personnel. It led to the acknowledgment of many vulnerabilities in the VA. It also heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding to effectively to a breach that poses privacy risks. Lessons learned included rapid notification of key government officials being critical, a core group of senior officials being designated to make all decisions regarding an agency’s response and determining when to offer credit monitoring to affected individuals requires risk-based management solutions.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and business – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign-up for our newsletters.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Three Major Data Breaches Consumers Should Know About

Should You Consider Credit Monitoring Services as Part of a Breach? 

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

 

and two that changed how we should perceive our data…

Since 1999, the Identity Theft Resource Center has been hard at work empowering identity theft victims with the resources and tools to resolve their cases, as well as helping people proactively reduce their risk of becoming a victim of identity theft. One of the most common ways consumers have their information misappropriated is through data breaches. Since 2005, we have recorded over 10,000 publicly notified breaches. Let’s look at the top three major data breaches with the biggest impact to consumers based on our new risk assessment tool, Breach Clarity, developed in partnership with Futurion and its creator Jim Van Dyke.

Based on ITRC’s database of data breach notifications and Breach Clarity’s proprietary processing, Van Dyke says consumers can be better educated on the significance of which breaches rank as the all-time riskiest to the individual consumer in terms of both size and scope.   The new tool includes the potential impact on the affected individual identity-holder, what types of identity theft could occur based on the records exposed and what steps that person needs to take to minimize his/her risk. Here is a look at the top five major data breaches that impacted individuals in the United States:

The U.S. Office of Personal Management

In June 2015, The U.S. Office of Personal Management (OPM) was the target of two separate hacking events exposing background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint data and security clearance information. Additionally, it also exposed PII of dependents including SSNs, date of birth and other information.

OPM was one of most significant major data breaches in memory, with it ranking a ten in severity on Breach Clarity. Van Dyke says it created a risk through the exposure of security clearance and biometric data for those working in service of our country.

Equifax

Credit reporting agency, Equifax, experienced a hack in 2017 that exposed 146.6 million U.S. consumer’s personal information. “Equifax has been regarded by many to be the worst of all data breaches because this hack generally exposed Social Security numbers for a massive amount of individuals,” Van Dyke said. The information exposed included names, birthdays, SSNs, addresses, phone numbers, Driver’s License numbers, email addresses, payment card information and Tax ID numbers.

While this major data breach ranked ten in severity and exposed so much information, it is not among the worst in terms of per-victim impact. As we learn more about the settlement process <link> for this breach, each individual consumer will need to assess the impact based on their circumstances.

Anthem, Inc.

In 2015 Anthem, Inc. had a major data breach, exposing nearly 79 million sensitive records. Van Dyke says it created a dangerous risk, receiving an overall risk level of eight. Breach Clarity shows that it created a unique pattern of risk that included new financial account creation and tax refund fraud.

There were two other breaches that really changed how consumers viewed their data and how companies should secure it. No two breaches have the same impact, but Facebook and Yahoo brought the spotlight on how companies could manage their users’ data security better. It also reminded users that they are ultimately responsible for the information that is being housed in any particular platform. When all else fails, don’t share it if you don’t want it to be potentially exposed publicly.

Facebook

In 2018, hackers were able to tap into the ever-popular social media landscape stealing account access tokens from Facebook and then using them to access user names, contact details and profile information like usernames, birthdays and device types used to access to access additional information.

“The Facebook breach represents a particularly unique type of breach,” Van Dyke said. “It represents behavioral data that victims may not be prepared to respond to. It is unlikely that even a social media behemoth like Facebook will earn a top risk score in Breach Clarity, yet again we need to continue understanding how personal relationships and behavioral data increase risk of a variety of crimes.”

The security hack affected 50 million accounts and led to tokens being stolen from 30 million of them, resulting in the major data breach getting a risk score of five on Breach Clarity.

Yahoo

After experiencing a major data breach affecting 500 million users in September 2016, Yahoo announced a second breach just months later in December that affected more than one billion user accounts. “Yahoo was one of the biggest data breaches ever,” Van Dyke said. “Both in sheer number of victims and the duration of exposure during which criminals had access to private data.”

An unauthorized third party stole information like names, email addresses, phone numbers, birthdays, passwords and security questions and answers from users. Van Dyke says users who emailed private documents like tax returns may be at particular risk because criminals may have also had access to personal email records. He says Breach Clarity cannot predict all of the possible identity theft and fraud risks because of the varying nature of private data exposed while the criminals had access. This particular major data breach received a risk score of four.

Also, you can use Breach Clarity to see the actionable steps you can take after a data breach. If you think you might have identity theft, speak to one of our advisors for free assistance at 888.400.5530.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and business – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign-up for our newsletters.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change

Should You Consider Credit Monitoring Services as Part of a Breach? 

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches