This year’s Cybersecurity Awareness Month initiative highlights the importance of cybersecurity by encouraging individuals & organizations to take measures to ensure they stay safe online  

SAN DIEGO, September 22, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, announced its commitment to Cybersecurity Awareness Month (CSAM), held annually in October. The ITRC joins the growing global effort to promote the awareness of staying safe online. CSAM 2021 is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals committed to the CSAM theme of ‘Do Your Part. #BeCyberSmart.’ 

“The importance of good cybersecurity and its link to identity protection is reinforced every day,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “Cybersecurity is a critical issue that affects everyone, whether you are a business owner, company employee, or a consumer. Online safety, identity protection and data privacy are important for everyone. The ITRC continues to stay committed to our mission, to help consumers and businesses with best practices, and to help everyone #BeCyberSmart.”

The ITRC will lead or participate in the following activities during CSAM 2021: 

  • Sept 29, 2021 – “How to Secure Your Online Life” Webinar 

On September 29, the ITRC will take part in a webinar with Verity-IT, National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security on how to secure your online life. The one-hour session will give an overview of the cyber basics. 

  • Oct 6, 2021 – Release of Q3 2021 Data Breach Trend Analysis 

On October 6, the ITRC will release its data breach information for the third quarter of 2021. In the ITRC’s H1 2021 Data Breach Trend Analysis, the ITRC reported a 38 percent increase in data breaches quarter-over-quarter and predicted an all-time high number of data breaches by year’s end if breaches continued at the first half of the year’s pace. Sign up for the Monthly Data Breach Newsletter to get alerts and this report directly to your inbox. 

  • Oct 27, 2021 – Release of Inaugural Business Aftermath Report 

On October 27, the ITRC will release its first-ever report on the impacts of identity crimes and cyberattacks on small businesses. Cyberattacks and the resulting security and data breaches can have a devastating effect on any business. However, small organizations and solopreneurs often lack the resources to prevent or defend against cybercrimes. The 2021 Business Aftermath Report is the first major independent, publicly-reported research into what happens specifically to small businesses following a data or security breach. Sign up to get this report directly to your inbox and more highlights from the ITRC. 

  • Oct 27, 2021 – Nasdaq Cybersecurity Summit 

On October 27 at 10 a.m. EST/7 a.m. PST, the National Cyber Security Alliance (NCSA) will host its annual Nasdaq Cybersecurity Summit virtually and at the Nasdaq MarketSite in Times Square, New York. The ITRC will participate as a partner in this event that looks at research and best practices for designing security products and processes that are usable by those who need them. 

  • The ITRC’s Weekly Breach Breakdown and Fraudian Slip Podcast Episodes  

Check out the ITRC’s latest podcasts, “The Fraudian Slip” (monthly), where we talk about all-things identity compromise, crime and fraud that impact people and businesses, as well as “The Weekly Breach Breakdown” (weekly), covering the most recent events and trends related to data security and privacy.  

More on CSAM 2021 

Technology plays a part in almost everything we do in life. Mobile and connected smart devices are woven into society as an integral part of how people communicate and access services essential to their well-being. Despite these great advances in technology and the conveniences this provides, recent events have shown us how quickly our lives and businesses can be disrupted when cybercriminals and adversaries use technology to do harm. Now in its 18th year, CSAM continues to build momentum and impact with the ultimate goal of providing everyone with the information they need to stay safe online.  

The ITRC is proud to support this far-reaching online safety awareness and education initiative co-led by CISA and the NCSA.

For more information about CSAM 2021, staying safe online and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.  

About the Identity Theft Resource Center 

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through live-chat on its website, idtheftcenter.org, and its toll-free phone number, 888.400.5530. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified. The ITRC offers help to specific populations, including the deaf/hard of hearing and blind/low vision communities.

About Cybersecurity Awareness Month 

Cybersecurity Awareness Month is designed to engage and educate public and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/.  

About National Cyber Security Alliance  

The National Cyber Security Alliance is a nonprofit alliance on a mission to create a more secure connected world. We enable powerful, public-private partnerships in our mission to educate and inspire individuals to protect themselves, their families and their organizations for the collective good. For more information on the National Cyber Security Alliance, please visit https://staysafeonline.org

Media Contact     

Identity Theft Resource Center     
Alex Achten     
Head of Earned & Owned Media Relations      
888.400.5530 Ext. 3611     
media@idtheftcenter.org 

  • A new cybersecurity executive order will lead to the creation of a Cyber Safety Review Board, removing barriers to sharing threat information and much more.
  • The Cyber Safety Review Board will determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company, and will meet anytime there is a significant event. Also, federal agencies will eliminate legal barriers that prevent the sharing of information about data and security breaches.
  • Since the same companies that sell technology to the government also sell products to consumers and businesses, the level of quality and security will rise for every use and everyone.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming in June, you can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Come What May

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 28, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will focus on something unusual – a new cybersecurity executive order and solutions to the seemingly endless race against cybercriminals.

In Macbeth, Shakespeare wrote: “Come what come may, time and the hour runs through the roughest day.” Without question, the last six months have been rough on companies, governments and individuals as identity scams and cyberattacks have captured headlines and disrupted lives.

Changes to How the Federal Government Approaches Cybersecurity

From companies most people have never heard of like SolarWinds and Accellion to household names like Microsoft and Peloton, along with critical infrastructure organizations like Colonial Pipeline and the respected Scripps Health system, organizations and institutions alike have been on the wrong side of data and security breaches.

However, federal officials have announced a series of actions that privacy and cybersecurity experts are praising as both needed and welcome changes to how the federal government approaches cybersecurity. Because the U.S. government purchases billions of dollars in IT products and services each year, the private sector, including individual consumers, will also benefit.

Top Provisions in New Cybersecurity Executive Order

There are seven key actions in the new Executive Order on Improving the Nation’s Cybersecurity. We don’t have time to go into all seven, so let’s focus on two of the most important provisions:

  1. Establishing a Cyber Safety Review Board; and,
  2. Removing barriers to sharing threat information.

The best news is, we already have a model in other areas that we know works. Here’s what we mean. Southwest Airlines flight 1380 was climbing through 32,000 feet on the morning of April 17, 2018. At approximately 11:03 a.m., fan blade No. 13 in the left engine shattered due to a previously undetected stress fracture. A 12-inch section weighing 6.825 pounds and a two-inch section of a fan blade weighing .650 pounds separated from the rest of the fan blade assembly. The result was an uncontained failure of the jet engine.

We know all of this because the National Transportation Safety Board (NTSB) publishes its findings so the public and industry can benefit from the knowledge gained in accident investigations. This decades-old information-sharing model has resulted in the safest form of transportation on the planet. According to the National Safety Council, the odds in 2019 of you dying while walking were one in 543. Dying in a plane crash? So low as to not be measurable.

What are the odds of a company suffering a cyberattack? It’s not a matter of “if,” but how many times, how frequently and if the attack succeeds. A 2017 study by the University of Maryland claims an attack occurs every 39 seconds. Yet, despite the near-constant level of cyber threats, there is no NTSB-style body to find and share the root causes of cyber incursions and the ways to prevent future attacks.

What the New Cybersecurity Executive Order Means

Due to the new cybersecurity executive order, federal agencies have been instructed to find the legal barriers that prevent the sharing of information about data and security breaches and get rid of them. The Homeland Security Secretary is to form a panel of public and private sector experts to determine how cybercriminals were able to infiltrate the SolarWinds software used by key government agencies and nearly every Fortune 500 company. The group is to convene anytime there is a significant cyber event, just like the NTSB.

Later in the year, federal agencies and the companies that sell them hardware and software will have to adopt strict new quality control standards. Because the same companies that sell technology to Uncle Sam also sell products to consumers and businesses, the overall level of quality and security will rise for every use and everyone.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). And coming in June, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

The IDSA shares with the ITRC in the newest Fraudian Slip podcast exploring identity management & the future of identity

  • This week, the Identity Theft Resource Center (ITRC) celebrated Identity Management Day, hosted by the Identity Defined Security Alliance (IDSA). The day raised awareness on the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers.
  • The ITRC sat down with the IDSA to discuss how identity management has changed, the future of identity, how identity crimes are changing and much more.
  • To learn more, listen to this week’s episode of The Fraudian Slip
  • You can also learn more about the identity-related crimes discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.

Below is a transcript of our podcast with special guest Julie Smith, Executive Director of the Identity Defined Security Alliance

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. 

This month, April, we’re going to talk about one of the hottest topics in the world of cybersecurity, privacy and identity. Namely, the shift from what we think of as traditional identity theft to what is increasingly more common today – identity-based fraud.

As more organizations analyze their 2020 data and information from the first three months of 2021, there is a common theme. Cybercriminals are less interested in mass attacks seeking to scoop up as much information as possible about consumers. Instead, data thieves are focusing on attacking organizations where they can hold data for ransom, or where an attack against a single company can yield information from all the customers who rely on the breached business.

At the core of many of these attacks are identity credentials, little pieces of information that once upon a time were pretty much limited to your driver’s license, Social Security number and occasionally your mother’s maiden name. Today, identity credentials are everything from your login and password, which is more valuable than your credit card information to a cybercriminal, to the location where you use your smartphone.

The complexity of identity today makes it simultaneously more difficult to protect your identity while also making it easier to prove you are who you say you are.

This week we celebrated Identity Management Day to raise awareness of the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers. Be Identity Smart. 

Identity Defined Security Alliance (IDSA) hosted the day.

We talked with Executive Director of IDSA Julie Smith about the following:

  • The IDSA, its members, and issues
  • How identity management has changed
  • A business’s role in managing and protecting consumer identities; the most important actions to take
  • The future of identity

We also talked with ITRC CEO Eva Velasquez about the following: 

  • How identity crimes are changing
  • Consumer self-management and protection; the most important actions to take
  • The future of identity

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast

Contact the ITRC or IDSA

You can learn more about data privacy, cybersecurity, the future of identity and other identity-related issues by visiting the ITRC’s website www.idtheftcenter.org. If you want to learn more about the IDSA and its work, you can visit www.idsalliance.org.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone (888.400.5530), by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

Sparking joy has taken on a whole new meaning thanks to the KonMari method of tidying up. Cleaning up your physical and digital life are some ways to prevent identity theft.

Marie Kondo took the world by storm in 2019 with the premise of decluttering your life, tidying up your home and workspaces and living by a simple principle: if it doesn’t “spark joy,” you don’t need it. The mindset behind the so-called KonMari method proved to be so effective that second-hand stores and thrift shops saw record-setting levels of donations.

This decluttering concept can be applied to physical possessions, but you should also consider its ability to benefit other areas of life. For example, you might clean up your email inbox or desktop. There’s another level of protection that consumers can take from this “spark joy” concept, and that’s keeping their identities out of a criminal’s hands.

Before You Begin

Several steps can help you organize your identity before you ever have to deal with cluttering consequences. These would include things like halting subscriptions to magazines and newspapers you don’t read, blocking credit card offers with your financial institutions and going “paperless” on bills and bank statements. By ensuring these things don’t arrive at your home, you’ll have less clutter to deal with and fewer security pitfalls that a thief could exploit.

Another possible vulnerability is your email inbox. Adopt the good habit of not just deleting unwanted emails but actively unsubscribing from them. You will have to open them, scroll down and click unsubscribe. Do not follow this procedure for emails that appear to be scam attempts. Clicking a link can redirect you to a harmful website or install malicious software on your computer. Instead, you should avoid links or attachments in unsolicited messages and block the sender.

One other thing you can do is update your contact information. Review all of your contact information to ensure it is up-to-date and you are not missing any essential information. There are other ways to prevent identity theft.

Physical Mail

As for identity tidying in your home or workplace, that can seem very daunting. Don’t worry; it’s not. By following commonly shared methods from organizational experts like Marie Kondo and others, you can start by creating “piles.” Establish a temporary spot for everything that could be linked back to your identity: a pile for bills, a pile for junk mail and a pile for important papers.

  • The bills: Your monthly statements must be accessible but protected. Find out where you are most likely to see them but keep others from coming across them. As you pay a bill, shred the remaining mailer portion so that you don’t end up with random piles of paper that will need to be addressed later.
  • Junk mail: It’s too easy to toss some junk mail on the counter and think you’ll deal with it later. It’s even easier to throw it in the trash unopened. However, that could lead a dumpster-diving identity thief to pieces of your overall data puzzle. Keep a basket near your cross-cut shredder to stash these items until you’re ready to shred.
  • Important papers: Many people would agree that tax documents, health insurance statements and other key forms don’t “spark joy” and therefore should be done away with immediately. However, that’s not wise. What is helpful is investing in a small file cabinet or file box where important papers can be stored when they are not needed. The file must be accessible in an emergency but not left out in the open where anyone could rifle through it.

Digital Clutter

Your digital identity becomes more important every day as the world evolves to a digital-first model. However, the same principles behind decluttering can help you in the virtual space. Investing in an external hard drive or cloud-based storage subscription can protect the things you want to keep while getting them out of your physical space. Even better, if there’s a paper you might need at a later date, you can photograph it or scan it, then store it in these outside spaces. That way, you can discard the original but retain a protected printable copy if you need it. It is also a good idea to organize your digital files. While it is time-consuming, it will make more space available for the most important things that need to be stored on these devices.

Mobile Apps & Privacy Settings:

  1. Take a look at all of the apps on your device – are there any you’re not using anymore? Delete those.
  2. Visit your mobile device settings to see what information your applications collect from you and update them for increased privacy. For example, you might need to let a map app see your location, but does it need to be active all the time or just when in use? The same thing for photos, do all of your apps need access to your media library? It’s also a good time to run any updates for your phone software or apps.

You should also pay attention to the permissions you allow the mobile apps on your device. Through these apps, third parties might be tracking information about you that you might not realize, like your location, search history and even your photos. Even if they aren’t actively using this collected data, they’re still storing it, leaving your personal information vulnerable to cyberattacks should the third party fall victim to a breach. Also, think twice before discarding an old device and be sure to reset it to its factory settings first.

Finally, make sure all of the passwords are different for each of your accounts and use a 12+ character passphrase. Right now, threat actors are after credentials more than in years past. You should have a different password for each account and use multifactor authentication if possible for an added layer of security. If you follow these steps, you will be enacting different ways to prevent identity theft. 

Contact the ITRC

If you have questions about tidying up your identity and ways to prevent identity theft, or if you believe you are a victim, contact the Identity Theft Resource Center. You can reach an expert advisor toll-free by phone (888.400.5530) or live-chat. You can also find resources on an array of identity-related topics. Just go to www.idtheftcenter.org to get started.

The post was originally published on 2/15/19 and was updated on 4/6/21

  • According to a survey by Proofpoint, ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers. 
  • Cybersecurity firm Emsisoft found that at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. 
  • The Emsisoft report also reports that more than 1,300 companies lost data, including intellectual property and other sensitive information in 2020. 
  • Ransomware attacks cause significant disruption when ambulances carrying emergency patients are redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 28, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 22, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy.  Human beings tend to end a year by looking forward, but begin the new year by looking back. This week, such is the case when researchers, having just finished publishing their 2021 predictions, turn to sharing their annual trend reports. How many of X and the increase or decrease in Y. 

Here, we are interested in the trends that impact consumers and businesses regarding data privacy and security. The first significant report on those topics concludes that ransomware attacks are now the single biggest cyber threat to companies based on what happened in 2020. If it’s a threat to businesses, it’s a threat to consumers. 

You may not know the name Phil Dusenberry, but you know his work. If you saw a Pepsi commercial during the ’80s, ’90s and early 2000s, you saw his handiwork. If you ever saw the “Morning in America” film for President Reagan or the baseball movie, “The Natural”, those belonged to Phil Dusenberry, too. Now, he has contributed to today’s episode when he said: “Writing advertisements is the second most profitable form of writing. The first, of course, is…” Hold that thought, and we’ll come back to it.

Ransomware Attacks Considered A Top Cybersecurity Threat 

Cybersecurity firm Proofpoint has found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a recent survey. Even more alarming is research from New Zealand-based cybersecurity firm Emsisoft that concludes at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. The impacted organizations include: 

  • 113 federal, state and municipal governments and agencies 
  • 560 healthcare facilities 
  • 1,681 schools, colleges and universities 

These kinds of attacks cause significant, and sometimes life-threatening, disruption when ambulances carrying emergency patients have to be redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 

The Impact of Ransomware Attacks on Private Businesses 

Ransomware attacks are not limited to the public sector. Private businesses are very much in the crosshairs of the professional cybercriminals who commit these crimes. According to the Emsisoft report, more than 1,300 companies, many based in the U.S., lost data, including intellectual property and other sensitive information in 2020. That’s just the number of companies with data published on websites where thieves post their ransom notes or stolen data for sale. It does not include the unknown number of companies that paid the ransom before anyone noticed.  

Few cyber-criminal groups released the data they stole in 2020. Only two are known to have done so after companies refused to pay a ransom. However, by the end of 2020, more companies were paying ransom figures over $200,000 on average to avoid the release of their compromised information.  

Many times, they paid the demands even if they didn’t have to do so. Emsisoft has documented cases where businesses with the necessary back-ups to restore their information still paid the ransom for fear their data would be released if they didn’t pay. Proving Phil Dusenberry’s theory, the most profitable form of writing…is a ransom note. 

ITRC to Release Annual Data Breach Report 

Next week, the ITRC will publish its annual report on data breaches. The report includes how many breaches occurred, who was impacted, why they occur and much more. There are some very interesting trends that we’ll discuss in our next episode.  

Contact the ITRC 

If you have questions about how to protect your information from data breaches and data exposures, visit idtheftcenter.org, where you will find helpful tips on this and many other topics.  

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours (6 a.m. to 5 p.m. PST). Visit the company website to get started. 

If you want to work ahead and read our 2020 Data Breach Report, our 15th annual edition, it will be posted on our website on Thursday, January 28, as part of Data Privacy Day. Just visit idtheftcenter.org

  • The software provider behind some of the largest travel websites, Prestige Software, maintained a cloud database without a password. The unsecured database led to approximately 10 million accounts being available to view online to anyone who knew where to look.  
  • Prestige Software provides technology services to Booking.com, Expedia, Hotels.com, Sabre and other hotel reservation websites around the world. Information included credit card details, payment details and reservation details dating back to 2013.  
  • While there is no evidence the exposed information is being misused, travel website users should change their passwords on their accounts (our experts suggest enacting a passphrase), add two-factor authentication, freeze their credit, monitor their bank statements for any unusual activity and keep an eye out for phishing attempts.  
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website. 
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool, notified™.

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at the all too frequent event in the world of data – unsecured databases. 

A Lack of Secure Online Databases 

In the context of data protection, repeating the same mistake can have significant consequences. It is why cybersecurity professionals tend to focus on preventing data breaches. That requires them to continually adapt their strategies and tactics to match those of the threat actors who are frequently attacking company systems.

Securing online databases continues to slip away from cybersecurity teams. The software provider behind some of the world’s largest travel websites maintained a cloud database without a password, leading to 10 million accounts being available online for access by anyone who knew where to look.

Forensic researchers believe the available information dates back to 2013 and only relates to hotel reservations. While the information contained in the unsecured database could be used to commit several identity crimes and fraud, right now, there is no evidence the information has been copied and removed from the database. Also, right now, there are no reports of the data being used. 

Software Provider Behind Large Travel Websites Leaves Database Unsecured 

Prestige Software provides technology services to websites that many consumers may have used, including: 

  • Booking.com 
  • Expedia 
  • Hotels.com 
  • Sabre (The reservation system used by American Airlines) 
  • Other hotel reservation websites & mobile apps 

The cloud database was hosted in an Amazon Web Services (AWS) environment that included basic security protections. However, they were not configured. Prestige Software confirmed the database was open to the internet and is now secured.  

Information Exposed Due to Unsecure Prestige Software Database 

The information stored in the unsecured database included large amounts of personal information like full names, email addresses, national I.D. numbers and phone numbers of hotel guests. Additional information stored includes: 

Credit card details: card number, cardholder’s name, CVV and expiration date 

Payment details: total cost of hotel reservations 

Reservation details: reservation number, dates of a stay, the price paid per night, additional requests made by guests, number of people, guest names and much more 

What Impacted Consumers Need To Do 

Consumers who have used these travel websites should assume that any information they shared since 2013 is in the wild and available to be misused in identity crimes, fraud and phishing schemes. Consumers should act as if they have already received a breach notice due to the unsecured database and take the necessary steps to protect their personal information:

  • Change your passwords on the travel accounts to a longer, memorable passphrase. Make sure it is unique to the account. Do not use the same passphrase on more than one account because it helps the bad guys.
  • Add two-factor authentication. 
  • Freeze your credit if you haven’t already, and monitor your credit card statements for unusual activity over the next few months.
  • Keep an eye out for phishing attempts, especially related to any websites affected by this breach or other travel-related websites. Remember, the best protection is to never click on unsolicited links. If you are unsure, contact the company directly.

How It Impacts Prestige Software 

For the company, the impacts of the lapse in cybersecurity could be significant. Prestige Software is based in Spain and subject to the European Union’s strict privacy and cybersecurity law, known as the General Data Protection Regulation (GDPR). Companies found to have failed to protect consumer information are subject to significant fines up to four percent of their annual revenue.  

Also, companies that process credit cards are subject to self-regulations. The penalties for failing to comply with the Payment Card Industry (PCI) standards include, in some cases, a company losing the right to process debit and credit cards. It is surprising that we have to continue to remind companies of a simple fact: Companies are responsible for securing their cloud environments, not cloud platform providers like Amazon, IBM, Microsoft or any other cloud services companies. Cloud hosts will make basic tools available, but companies have to use them. Also, companies are still responsible for patching their applications and maintaining their advanced cybersecurity tools.

notified™

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC 

If you believe you have been affected by the Prestige Software database exposure and want to learn more or think you’re the victim of an identity crime, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Reports Show Consumer Privacy and Cybersecurity Views Have Evolved

  • Two new research papers from OpSec Security and Consumer Reports show how consumer privacy and cybersecurity views are evolving across the U.S.
  • Findings in the OpSec Security report show that cyberattacks and data breaches are pervasive, and consumers are concerned and desensitized by the volume of information compromises. 
  • The Consumer Reports report concludes that consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. 
  • For more information on the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified™. It is updated daily and free to consumers.
  • For cybersecurity, privacy or data breach advice, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website. 

Privacy and cybersecurity impact consumers. Two new research papers show how consumer privacy and cybersecurity views are evolving across the U.S. The reports validate a central concern among consumers that there is not enough done to protect their most precious possession: their name.

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at two new research reports. The first focuses on recent changes in consumer attitudes. The second takes a longer-term look at how consumer privacy and cybersecurity views are different now compared to 25 years ago when the modern commercial internet was born.

The Importance of Reputation 

Reputations are important to individuals, companies and organizations. That’s why OpSec Security, a global cybersecurity firm, recently surveyed 2,600 consumers throughout the U.S. and four European countries. Researchers asked consumers whether they have been affected by cybercrime, their perceptions of brands, and if their role – or the role they should play – in keeping consumers safe has changed over time. 

The findings show that cyberattacks and data breaches are pervasive and consumers are both concerned and desensitized by the volume of information compromises. Some of the key findings in the last year include the following: 

  • 40 percent of respondents were a victim of an email or phishing scam.
  • 51 percent of respondents say they receive more phishing attempts now than before the COVID-19 pandemic. 
  • 35 percent of respondents experienced credit or debit card fraud. 
  • 21 percent of respondents were a victim of identity theft at some point.  

Meanwhile, 30 percent of respondents were impacted by a data compromise, which did not surprise nearly one-third of the people who received a data breach notice. Of those who had their data compromised, 46 percent were contacted more than five times. Almost half of those who haven’t received a data breach notice, 48 percent, are worried they will soon.  

Those 30 percent of consumers in the OpSec survey who say they had their data compromised in a data breach equal the same percentage of people who responded to a similar question from Consumer Reports.  

Consumers Think Businesses are Responsible for Protecting Personal Information 

Both surveys came to a similar conclusion: consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. Consumer Reports surveyed more than 5,000 U.S. residents about privacy and security. They also reviewed past research to show how consumer attitudes changed over time. 

  • In 1995, 44 percent of consumers were worried “a lot” or “some” about losing privacy due to the internet. 
  • By 2002, 76 percent of survey respondents were uncomfortable about companies collecting data about them. However, 94 percent thought they had a legal right to see what data the company collected about them from a website. 
  • Fast forward to 2019; 65 percent of consumers said they do not believe their personal information is kept private. 

In the Consumer Reports research published in October, 96 percent of consumers surveyed agreed that more could be done to ensure companies protect consumer information. Other findings include the following: 

  • 68 percent of consumers surveyed believe companies should be required to delete the data they have about someone upon the consumer’s request. 
  • 67 percent of respondents think there should be tougher penalties, like high fines, for companies that don’t protect someone’s privacy. 
  • 63 percent say companies should be required to give consumers access to the data companies have about them. 
  • 63 percent also believe there should be a national law that says companies must get a person’s permission before sharing their information. 

There are now laws, passed in multiple states, that include one or more of the items from the consumers’ privacy wish list above, but a national privacy law remains elusive. 

Built-In Privacy Features 

One finding that did not emerge from either survey on consumer privacy and cybersecurity views was a consensus around what consumers want to happen next to protect their information. Consumer Reports notes that companies are beginning to build products with built-in privacy features. More than 40 percent of consumers say they may be willing to pay companies to stop collecting, sharing and selling their personal information. Right now, that practice is prohibited in California, the state with the toughest privacy law in the U.S.  

notified™

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC 

If you receive a breach notice and would like to know how to protect yourself, contact the ITRC at no-cost by calling 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website. Also, download the free ID Theft Help App to access advisors, data breach resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Phishing Attack Report Reveals Microsoft is the Top Spoofed Brand and Other Data Breach News

  • A recent report by Comparitech says that six percent of all Google Cloud environments are misconfigured and left open to the web for anyone to see.  
  • Dunkin Donuts settled in a lawsuit with the State of New York after being accused of not taking appropriate action in response to two cyberattacks dating back to 2015.
  • 217 Blackbaud users have announced they are impacted by the technology services provider data breach. The breach has affected at least 5.7 million individuals.
  • To learn about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified™. Consumers impacted by a data breach can call the ITRC at 888.400.5530 or live-chat with an expert advisor on the company website.

It’s a busy week in the world of data breaches. A newly released report says six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view them; Dunkin Donuts paid a settlement over a series of cyberattacks that resulted in multiple Dunkin Donuts data breaches; and there is an update on the data breach of Blackbaud.

Subscribe to the Weekly Breach Breakdown Podcast

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, Dunkin, Blackbaud and Google Cloud highlight the list.

Misconfigured Google Cloud Environments

2020 has had its share of high-profile data events. So far in September, an estimated 100,000 customers of a high-end gaming gear company had their private information exposed from a misconfigured server. Another misconfigured server impacted 70 dating and e-commerce sites, leaking personal information and dating preferences. In Wales, personally identifiable information (PII) of Welsh residents who tested positive for COVID-19 was exposed when it was uploaded to a public server.

According to a recent research report published by Comparitech, six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view their contents. Amazon, the largest cloud provider, has also had issues with clients failing to secure their databases. There is no evidence that any of the data was stolen or misused by threat actors. However, the kinds of data Comparitech uncovered include thousands of scanned documents such as passports, birth certificates and personal profiles from children. This is not considered a data breach. Rather, it is categorized as a data exposure because the information was not taken; it was just exposed on the internet. With that said, it is a poor cybersecurity practice that puts consumers at risk.

If anyone uses a cloud database in their business, they should make sure their information is secure, starting with a password.

Dunkin Donuts Data Breach Settlement

Dunkin, the company many know as Dunkin Donuts, experienced multiple data breaches where at least 300,000 customers’ information was stolen. A settlement from a lawsuit with the State of New York was reached due to the Dunkin Donuts data breaches. The lawsuit alleged that Dunkin Donuts failed to take appropriate action in response to two cyberattacks dating back to 2015.

The New York Attorney General says Dunkin Donuts failed to notify its customers of a 2015 breach, reset account passwords to prevent further unauthorized access, or freeze the store customer cards registered with their accounts. The State also claimed Dunkin Donuts failed to implement appropriate safeguards to limit future attacks.

The company was notified by a third-party vendor in 2018 that customer accounts had, again, been attacked. Although the company contacted customers after the 2018 Dunkin Donuts data breach, the State claimed the notification was incomplete and misleading.

Dunkin Donuts will pay the State $650,000, refund New York customers impacted by the data breach, and will be required to take additional steps to prevent further Dunkin Donuts data breaches.

Businesses with customers in New York should check to see if the State’s new privacy and cybersecurity law, known as New York SHIELD, applies to them. It has very specific notice requirements in the event personal information is exposed in a data breach.

Blackbaud Data Breach Update

The ITRC notified consumers of a data breach of Blackbaud in August. The technology services provider announced in July that data thieves stole information belonging to the non-profit and education organizations that use Blackbaud to process client information. The cybercriminals demanded a ransom, and Blackbaud paid it in exchange for proof the client information was destroyed.

Since the data breach of Blackbaud was announced, 217 different Blackbaud users of all shapes and sizes have reported their clients’ information was impacted in the ransomware attack. Not every organization has listed how many people have been affected. However, the latest count from the organizations that have is 5.7 million individuals.

Blackbaud has not shared the number of customers with compromised information. Instead, they have relied on the customers to self-report it. Breach notices continue to be filed each day, and the ITRC will keep consumers updated on any future developments. 

notified™

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, like the data breach of Blackbaud, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Victims of a data breach can also download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

Staying logged in is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

For anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.


Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund dispersal option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
