
This is an emerging data breach incident – this information will be updated as ITRC receives more information. Last update: 06/07/19 10:30 am

Quest Diagnostics is one of the United States’ premier providers of medical testing. They are notifying customers who may be at risk because a third-party vendor, American Medical Collection Agency (AMCA), was breached. AMCA reported to Quest that unauthorized users gained access to internal systems. Around 11.9 million Quest patients have potentially been affected, although the company is working to verify that number and patient risk. 200,000 payment cards had previously been found for sale on a well-known dark web market (by Gemini Advisory), and GA linked the cards to AMCA. 15% of the records included additional PII such as DOB, SSN, and physical addresses.

The information exposed includes Social Security numbers, financial information and medical information. Quest reported that the information breached did not include laboratory test results. 

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Quest also noted that since being notified of the breach, the company has stopped new requests to AMCA and is working to notify affected patients in accordance with the law. AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card data or bank account information may have been accessed. These individuals have been offered 2 years of credit monitoring and identity theft protection services.

AMCA provides billing collections services to a company called Optum360, which is a contractor with Quest Diagnostics. Quest Diagnostics is the only company to make a public notification of being affected by the breach, but there is a chance other companies who work with AMCA could also be associated. The trend of third-party breaches is on the rise as hackers target large databases of vendors who work with sensitive information.

Breach Clarity – the new tool developed to help consumers make sense of their risk when it comes to data breach – can help victims of this breach understand their risk of additional exposure. The tool updates its risk score as new, more detailed information is made publicly available. Breach Clarity will guide consumers on their best course of action given the current information – please check it regularly to understand the updated risk assessment and minimization plans.

While patients are waiting to be notified that they were affected, those who think they might be victims can start taking steps to minimize their risk. Financial identity theft and medical identity theft could both result from the breach. You can find resources for financial and medical identity theft in our knowledge center. If you have additional questions regarding data breach, our expert advisors are available to help. Call us toll-free at 888.400.5530 or LiveChat with us.

For Media Inquiries

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Contact: Charity Lacey, VP of Communications

Email: media@idtheftcenter.org



Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


In yet another example of technology outpacing its users, an unsecured database of First American Financial has exposed hundreds of millions of records, including complete identities—names, account numbers, Social Security numbers, and much more—of American consumers. The information was compiled in a database that was left unsecured on a web-based server, meaning anyone with internet access could have potentially stumbled across it.

The ITRC currently tracks seven categories of data loss methods and is categorizing the First American Financial breach under “accidental web exposure.” This kind of data exposure is becoming all too common. Web servers like this one are intended to let authorized individuals access documents online. All they need is the URL, or web address, for a single document; that URL is usually shared with the intended recipient by the owner, in this case, First American Financial. But if the web server isn’t password protected or doesn’t require authentication, all you’d have to do to see any other document in the database is change a digit in the URL. That single digit would provide you access to an entirely different customer’s personal information, history, bank account numbers, SSN, tax and mortgage records, and more.
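The access pattern described above, set beside a lookup that checks who is asking, as an added example that is not First American Financial's code. The document store, user names, and the `fetch_unprotected`, `fetch_protected` and `make_share_token` helpers are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: document number -> (owner, contents).
DOCUMENTS = {
    1001: ("alice", "closing statement for alice"),
    1002: ("bob", "wire instructions for bob"),
}

# Per-deployment secret used to sign share links (assumption for this example).
SERVER_KEY = secrets.token_bytes(32)


def fetch_unprotected(doc_id):
    """The exposed pattern: the number in the URL is the only thing consulted,
    so any neighbouring number returns another customer's document."""
    record = DOCUMENTS.get(doc_id)
    return record[1] if record else None


def make_share_token(doc_id, recipient):
    """Sign a share link that is valid for one document and one named recipient."""
    msg = f"{doc_id}:{recipient}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def fetch_protected(doc_id, session_user, token=None):
    """Return the document only to its owner, or to a logged-in recipient
    holding a token signed for this exact document and recipient.
    Missing and forbidden documents both yield None, so the response
    does not confirm which document numbers exist."""
    record = DOCUMENTS.get(doc_id)
    if record is None or session_user is None:
        return None
    owner, body = record
    if session_user == owner:
        return body
    if token is not None:
        expected = make_share_token(doc_id, session_user)
        # Constant-time comparison of the signed values.
        if hmac.compare_digest(expected.encode(), token.encode()):
            return body
    return None


if __name__ == "__main__":
    print(fetch_unprotected(1002))         # anyone can read bob's document
    print(fetch_protected(1002, "alice"))  # None: alice is not the owner
    link = make_share_token(1001, "carol")
    print(fetch_protected(1001, "carol", link))  # shared with carol
    print(fetch_protected(1002, "carol", link))  # None: token is bound to 1001
```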

Even worse, in these kinds of breaches, there’s no way of knowing if anyone accessed them or not. In the case of First American Financial, a real estate professional discovered this flaw by mistake. When he reported it to the company and received no response, he reported the security incident to Krebs on Security, who then confirmed it.

First American Financial is one of the country’s largest title insurance providers—meaning they’ve handled hundreds of millions of consumer records. Fortunately, a new tool can help consumers make sense of a data breach; Breach Clarity helps people who are affected by the breach understand their options and take corrective action. If any of the estimated 885 million records were actually accessed by a malicious individual and you think you may be a victim, securing your credit report with a freeze and monitoring your accounts are some of the few useful steps you can take. For its part, the company has taken steps to close off further access to these records, but isn’t offering any further information until its own internal review is completed.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and actionable steps for consumers. 



Data breach laws can vary from state to state in terms of notification. For years some states did not even have laws in place that required companies to inform victims if their data had been compromised in a breach. Laws vary depending on not only the location of the company that was breached, but also the location of the victims.

Washington state has had data breach laws in place for years, but those laws had a somewhat limited scope. Currently in Washington, if certain pieces of data – like your Social Security number – are not impacted in a breach, the company does not have to offer protection service or notify victims of the incident.

A new bill in Washington would expand the definition for sensitive data to include things like your birthdate, health insurance number, student ID or military ID number and more. This essentially broadens the terms of what can trigger a required notification.

The need for this change grew out of the increase in data breaches and the growing numbers of residents whose identifying information was compromised in data breaches. More than 3 million residents of that state had their data compromised, accidentally or intentionally, in a one-year period from July 2017 to June 2018. With breaches on the rise, Washington is taking action with its data breach laws.

This new bill would not only broaden the types of personal data that are covered, but also reduce the length of time that a company has to report the breach. The current notification law gives affected businesses 45 days to notify the state’s attorney general of a data breach, and this new bill would reduce that to 30 days. The difference of those two weeks can make an enormous impact in minimizing the damage to victims.

Of course, laws such as this one can be seen as a double-edged sword. Supporters, security experts and consumer advocates understand that there are many different kinds of identity theft, and that serious harm can result even without stealing someone’s Social Security number. However, critics view it through the eyes of the organizations and businesses, and how it may hurt them in the event of a data breach. It is important to remember that businesses that collect and store consumers’ personally identifiable information have an obligation to protect it. If they fail in that regard, then they should have to offer information and support to the customers who were affected.


Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.


Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.

