Posts

Data Privacy Day is an international effort to empower individuals and businesses to respect privacy, safeguard data and enable trust.

Many of today’s tech users have never navigated an online world where they weren’t constantly asked to provide personal details about themselves for everything from booking a doctor’s appointment to buying a new shirt. Too many tech users don’t do enough to protect their online privacy and secure their data, while also thinking that it’s “other people” who don’t protect themselves.

This is a trend that Data Privacy Day works to address. The Identity Theft Resource Center is the non-profit partner for this event, hosted on January 28th, 2019, by StaySafeOnline. Powered by the National Cyber Security Alliance, the upcoming event will focus on the changing privacy landscape and what that means for consumers, businesses, policymakers, and more.

The change is so rapid, in fact, that StaySafeOnline is referring to this age as a new era in privacy, and as such, the event will feature a wide variety of instructional sessions led by some of the top names in the field. With events available for both in-person attendees and live stream participants, Data Privacy Day stands to be a source of vital information to kick off the new year with a focus on security.

Of course, there are actionable steps that every tech user can implement right now to help secure their personally identifiable information and protect their privacy:

1. Understand—and put in place—good password hygiene.

2. Establish a family or company policy on how to respond to suspicious messages and what steps to take in the event of a possible privacy incident.

3. Install strong, trustworthy security software that helps block or delete attempted privacy threats.

4. Think twice about oversharing, whether it’s posting too much information on social media, responding to emails asking for identifying details, or handing over your data to third parties.

5. Seek out the vulnerabilities that may already be a threat, like third-party apps, insecure privacy settings in your social media accounts, software and operating systems that haven’t been updated regularly, and more.

Can’t be there in person? Watch live from LinkedIn, SF! ITRC CEO Eva Velasquez will be joining privacy experts on the panel “The Future of Privacy and Breakthrough Technologies” to discuss how, with advances in technology ranging from artificial intelligence to the human body acting as the computer interface, privacy will take on even greater significance. Panelists will highlight why our actions now will drive tomorrow’s outcomes.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


It’s the ultimate payoff for a scammer: raking in a high-dollar payday with little effort or cybersecurity expertise. Unfortunately, that’s exactly what makes business email compromise scams, or BEC scams for short, so popular among criminals. By gaining access to an email account within a company, the potential for lucrative phishing scams is limitless.

One recent victim? Save the Children Foundation, a well-known non-profit organization that supports relief efforts for children all around the world. After scammers gained access to a staff member’s email address in 2017 and began sending invoices for solar panels to the proper department, the organization was cheated out of around $1 million.

BEC scams aren’t new. They used to be called “boss phishing” and “CEO phishing,” among other names. Now that criminals have figured out there are more people within a company with high-security access, the scam email can come from a variety of positions within the company.

The fact that BEC scams continue to work is alarming, though. In fact, the FBI reported that there were more than 300,000 cases of cybercrime in 2017, totaling over $1.42 billion in losses. BEC scams accounted for nearly half of those losses at $676 million. These scams saw a 137 percent increase in an eighteen-month period, and a report by WeLiveSecurity stated that social engineering scams like BEC and phishing emails were the third most commonly reported scam last year.

Unfortunately, social engineering scams still work, especially as scammers become more and more involved in the storyline. Those ludicrous old “Nigerian prince” email scams relied on social engineering, or getting the victim to hand over money in order to help someone in need and see a return on that money later. In the case of a BEC scam, the engineering is even simpler: “Bob from accounting” emailed an invoice—or so it appeared—and the recipient cut a check or transferred the funds, just like they do every single day. In other cases, the boss seems to have emailed a request for payroll records or W2 forms for everyone within the company; the assistant who received the email never thinks twice about following a logical request, and hands over the complete identities of everyone who works there.

In the case of business email compromise, the age-old advice isn’t easy to follow. Email scam recipients have always been told to ignore them. But how do you ignore a request from the CEO? How is a charity supposed to ignore an invoice for solar panels in a remote village when the organization’s job is literally to provide these things?

The first way for organizations to fight back against BEC scams is to institute iron-clad policies on submitting sensitive information, issuing payments and funds, changing account numbers or passwords, and other eyebrow-raising activities. The policy has to outline exactly which requests are to be questioned, as well as offer a layer of protection for an employee who requests verbal confirmation. Of course, preventing this kind of crime also starts with ensuring outsiders cannot gain access to a company’s email accounts, namely through strong, unique passwords that are force-changed on a regular basis and multi-factor authentication.


A phishing scam has led to the unauthorized access of more than 500,000 students’ identifying information in the San Diego Unified School District. Through emails sent to staff members of the school district, an outsider was able to gain staff members’ login credentials and view students’ profiles.

Phishing scams like this one are all too common. By masquerading as an official email from a verified source, outsiders can trick recipients into all manner of sensitive activities, from changing passwords and account numbers to transferring funds to paying phony invoices. In this case, the emails likely required staff members to verify their usernames and passwords.

The phishing attack is believed to have been carried out between January and November of this year, but school system officials first became aware of it in October. However, the credentials gave the unauthorized person access to student records dating all the way back to the 2008-2009 school year.

Impacted individuals are being notified by letter from the school system, and the current investigation has already identified someone believed to be responsible. Officials have not determined whether or not any of the data was actually stolen or used, but it was certainly possible to steal complete identities from the activity that occurred; therefore, they are treating this incident as a data breach.

There are some important takeaways from this news. The first is that sharing your information with outsiders can result in the loss of that data. If you are not absolutely legally required to turn over your complete identity or that of your children, don’t. If you are required to provide it, ask who will be able to access it and how it will be protected. In the case of the school system, even base-level staff members were able to view details like birthdates and Social Security numbers, something that they didn’t need.

Also, if you receive a notification letter that your information has been breached, it’s vitally important that you take note of what data was compromised and what steps the company is taking to make it right. If the company is offering credit monitoring or identity monitoring, don’t delay. Sign up for that support immediately to take advantage of the protection.

Finally, since this incident involves children’s personally identifiable information, parents and guardians must be cautious about their children’s identities. Too many young people only discover they’ve been victimized this way when they become adults and attempt to get a job, enlist in the military, apply for financial aid, or other similar actions. Parents can freeze their children’s credit reports to reduce the chances that someone will use their information maliciously.


When it comes to a credit freeze, consumers have to ask themselves when they should take this step, and why. The “when” is easy… the answer is NOW. There are very few reasons to leave your credit report unfrozen, all of them stemming from your life circumstances that involve high-volume spending, the need for new accounts or other similar, limited situations.

But “why” is a little more difficult to explain. Your credit report is the document that gives lenders an idea of what kind of borrower you are. It contains lengthy information on your previous spending and payoffs, your open lines of credit, the amount of debt you carry, and more. However, this report is also the tool that lenders need in order to issue you a new account or line of credit; no report, no new credit card or car purchase.

It’s easy to see how blocking access to that report can prevent new lines of credit from being issued, and that goes a long way towards protecting you from fraud if someone steals or fabricates your identity. When the criminal applies for a new credit card, home utilities, a car or other similar account, the credit report will come back to the lender as “frozen,” essentially blocking the account.

This is one of the strongest measures consumers can take to help reduce their risk of financial identity theft. There are other ways that your personally identifiable information falling into the wrong hands can harm you, but new account fraud is one of the easiest but most devastating scenarios. At the same time, there are not many other actionable steps consumers can take that can have this much of an impact on identity theft and fraud.

Remember when we said you should do it right now? There’s never been a better time. New legislation goes into effect this week that will remove the fees associated with freezing and thawing your credit report. Even though it takes time to “thaw” should you need it (a few business days, typically), you will no longer have to pay a fee for protecting your credit report this way. All three of the reporting agencies—Experian, Equifax, and TransUnion—will no longer charge this fee thanks to legislation that was passed after the Equifax data breach.

In order to freeze your credit, here are a few steps to take. While you handle that, remember that you’re also entitled to one free copy of your credit report from each of the three major reporting agencies every year. You don’t have to request them all at once, though, so you can stagger your requests a few months apart and get a look at your credit report all throughout the year.



A recent discovery on an internal message board may be a little unsettling: according to Politico, which discovered the internal memo and first wrote about the incident, the U.S. State Department’s unclassified email system suffered a data breach. This event affected only one percent of the organization’s 69,000 employees, but while the classified email system was not affected, the State Dept acknowledges that the impacted employees’ personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business or agency, leading to record-setting year-over-year numbers of data breaches and compromised consumer records. While the State Department’s investigation of the incident is still underway, the internal memo did cite the need for better password security among employees.

Password security is an issue that plagues users at every level and in every industry. There are even websites that track the most commonly used passwords—discovered as a result of data breaches and stolen account credentials—and unsurprisingly, things like “password,” “qwerty,” and “12345678” still top the lists. Of course, a weak and easily guessed password isn’t the only issue; reusing passwords on multiple accounts leads to fraudulent access too. If a hacker uncovers a database of stolen logins for social media accounts, they can access any other accounts that reused those same usernames and passwords.

The U.S. government has been urged to take extra precautions when it comes to cybersecurity, largely due to the fallout and the resulting legislation from the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees’ complete identities were stolen, along with identifying information for other people connected to those employees (i.e., family members, former employers).

The event sparked the Federal Cybersecurity Enhancement Act, which was signed into law in 2015. It required federal agencies to take more preventive action to reduce the threat of cybercrimes, and to report on their actionable steps. Unfortunately, those security steps have not been implemented across the board. Several U.S. Senators issued a letter to Secretary of State Mike Pompeo earlier this month, expressing their disappointment that the organization has not followed through on enough of the recommended security measures.



Securing Our Nation’s Critical Infrastructure Is Everyone’s Responsibility

In Week 4 of #CyberAware Month we’re emphasizing the importance of securing our critical infrastructure and highlighting the roles the public can play in keeping it safe.

A nation-wide pizza chain made news in 2018 by announcing a new contest: nominate your town for pothole repair. The very endearing marketing tactic asked customers around the country to explain why their town deserves a little roadway TLC in order to keep pizzas from bouncing around the car on the way to their tables. One winner would be chosen, and the chain would fund pothole repair for that city.

As fun as that sounds, maintaining and protecting our infrastructure isn’t a game, especially when it comes to the real threat of cyber attacks. These coordinated attacks can disable anything from our power grid, telecommunications and E-911 systems to our water supply, sewage and more. Taking down even one of these vital utilities with a cyber attack would have devastating consequences, while targeting more than one system could cripple entire sections of the country.

October is National Cyber Security Awareness Month, a project hosted by StaySafeOnline. This year’s theme is “Our Shared Responsibility,” and each weekly theme focuses on how consumers, businesses, and stakeholders can play key roles in protecting against hacking, data breaches, and other related crimes.

But how are members of the public supposed to prevent a large-scale hacking event that targets infrastructure? It’s one thing to update your home computer’s antivirus or log out of your sensitive accounts when you’re not using them, but those behaviors will hardly stop highly-skilled operatives from threatening a country’s water supply.

Or can they? Can the security behaviors you adopt prevent the next widespread cybercrime? StaySafeOnline certainly thinks so, and will offer crucial information to the public on ways that they can take an active role in securing our country’s infrastructure: “Our day-to-day life depends on the country’s 16 sectors of critical infrastructure, which supply food, water, financial services, public health, communications and power along with other networks and systems. A disruption to this system, which is operated via the internet, can have significant and even catastrophic consequences for our nation.”

One of the most obvious ways that consumers can protect these necessary resources starts with protecting their own networks. Your home computer, your smartphone, and your Internet-of-Things connected devices are all sources of potential vulnerabilities. If you’re in any way connected to the public utilities—even theoretically something as mundane as paying your electric or water bill online—it could result in fraudulent access to the utilities if hackers gain access through your computer.

By securing your own devices and networks first, you’re possibly preventing a cybercriminal from compromising your device and using that connection to gain access to a “bigger fish.” Third-party attacks, commonly associated with small businesses who have connections to larger corporations, are a recognized avenue of attack. The Black Friday data breach that affected Target in 2013, for example, was eventually traced back to a third-party vendor who worked on the refrigeration units for a small number of Target locations.

Safeguarding your own network and devices is always a smart thing to do, and it can prevent a lot of headaches for you down the road. In today’s connected digital climate, however, your own security steps just might protect us all.



October is National Cybersecurity Awareness Month, and there’s no bigger “holiday” for those who work in information technology, digital safety and tech security. Okay, that might be a tiny exaggeration; however, it is safe to say this: cybersecurity professionals keep our internet and networks safe from hacking, data breaches, scams and fraud, and there simply aren’t enough cyberheroes doing the job.

Just in 2017, data breaches hit a new record high of 1,579 breaches, a drastic 44.7 percent increase over the record high figures the year before. Fortunately, there’s never been a better time to pursue a career in computer security or data protection. The theme for week two of NCSAM is to highlight the intense need for highly-skilled, dedicated professionals who are interested in the landscape of modern crime and warfare known as our computers and the internet.

But who has the chance to become a superhero? Anyone! Only two years ago, there were an estimated one million unfilled jobs in the U.S. in the cybersecurity field, and that number is expected to be 3.5 million by 2021. There has never been a better time to consider this field, and there may have never been a more critical need than right now.

1. Middle school and high school – It’s never too early to begin learning about data breaches, information technology, cybersecurity and other tech-related subjects. Unfortunately, you’d be hard-pressed to find more than a few high schools even offering this type of course. There are some really dynamic online sources for teens, though, and the first step is simply to get students interested in the field and talking about the subject.

2. College and career – More and more colleges are offering cybersecurity degrees, and many of those schools even offer a fully online bachelor’s degree in the field (after all, you’re going to be working online a lot, you might as well earn your degree that way!). The programs have grown in number to the point that multiple sources have already ranked colleges’ and universities’ cybersecurity degree programs according to best value, best education, highest number of graduates working in their field and more.

3. Returning learners – For one reason or another, the average person changes careers between five and seven times during the span of their work life. Some of the reasons include better pay or benefits, more flexibility, a lack of opportunity in their previous field, or simply the chance to reinvent themselves after years in a fulfilling career. Cybersecurity is relatively new, it’s constantly evolving, it’s in incredibly high demand, and for some, it’s a job that a professional could do as a freelancer or from home. All of those factors make cybersecurity and information technology exciting possibilities for older, non-traditional or returning students.

No matter why you consider the cybersecurity field, there’s never been a better time to take on the challenge. It’s a widely recognized and highly sought after area of study while also serving the greater good and protecting the public. (The $100,000+ average annual salary doesn’t hurt, either.) If you’re looking for an exciting opportunity that can offer you variety mixed with longevity, talk to a college, university or career counselor about cybersecurity.



National CyberSecurity Awareness Month, an annual cybersecurity experience hosted by Stay Safe Online, has officially kicked off its 15th year. This October event, which brings together stakeholders from every level of online security, is geared towards everyone from top-tier cybercrime analysts to the most vulnerable everyday internet users. The goal remains the same each year: to ensure that the most up-to-date information on cybersecurity is accessible to all users and is at the forefront of their tech decision-making.

This year’s month-long theme is “Our Shared Responsibility,” but the focus of week one is how cybersecurity begins at home. Lessons on every aspect of our physical and emotional safety begin with those who care about us the most, and internet safety is no different. Creating an environment of secure internet access and understanding leads to life-long Cyber Aware users.

To know what lessons to impart, parents and other caregivers need to understand the changing needs for all users within the home. Young children might only enjoy a few minutes of screen time on a tablet with specifically chosen apps, while older teens gain more and more responsibility—and exposure—through social media, browsing, the “latest” app that everyone’s talking about, and more.

At every age and for every user in a household, the privacy and security pitfalls can change. That’s why it’s essential to remain in the know about the kinds of cybersecurity issues that different people may face:

1. Young children – For most youngsters, it may be up to Mom and Dad to enter their information into an age-appropriate account, so it’s also up to the parents to understand what information they’re sharing, what permissions they’re granting, and where that information can end up. Understanding what kinds of data breaches have taken place in the past can also help, such as the VTech breach or ones involving public schools and doctors’ offices.

2. Preteens and Tweens – Every generation has thought that kids were growing up too fast these days, but when it comes to technology—especially unsupervised access to it—that may be truer now than ever before. The average age for US kids to get their first smartphone is now ten years old, and that can mean unprecedented access to the internet, downloadable apps, social media, and more.

3. Teens and Young Adults – One of the most commonly associated cybersecurity issues for young adults is probably cyberbullying, especially on social media, but that’s just one of the many dangers this age group can face. While it’s important to discuss proper behavior online as well as what to do if they’re targeted, it’s also vital that parents discuss scams, fraud, identity theft, hoaxes, and more. One staggering statistic, for example, has shown that senior citizens may be more likely to be targeted by a scammer, but Millennials are the ones who lose more money to online scams and fraud.

No matter what age your family members may be, NCSAM is an excellent time to explore your privacy, security, and overall digital safety.



Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.



Researchers with mobile security firm Appthority have disturbing news for iOS and Android mobile users: a vulnerability on the developers’ end exposed sensitive data collected via more than 1,000 common enterprise device apps. This exposed information, which included personally identifiable information, plain text passwords, and more, was compromised due to what experts are calling the Firebase vulnerability.

Similar to other previously discovered app vulnerabilities, this one occurred in relation to how the app “speaks” to the Google Firebase cloud database. Specifically, when authentication wasn’t required, any attacker could access information through the unsecured Firebase. Developers needed to initiate an additional step to require that authentication, but for too many apps, that step wasn’t put in place.

As a result, this vulnerability leaked around 100 million records from unsecured Firebase databases.

Appthority’s team isolated 28,502 mobile apps—more than 27,000 on the Android platform and another 1200-plus on iOS—that connected to a Firebase database. More than 3,000 were vulnerable because of this lack of authentication. Unfortunately, these numbers meant one out of every ten Firebase databases was left unsecured.

There is a wide variety of app categories involved in this finding, especially business-oriented apps like productivity tools, financial and business apps, and even dating apps. The business users of these impacted apps include companies in banking, telecom, ride hailing, travel, and schools scattered through the US, Europe, South America, and Asia.

So what was exposed? Researchers found millions of plain text usernames and passwords, private health records, stored GPS coordinates to past locations, online payment and cryptocurrency activity records, and access to millions of users’ social media platforms.

It’s important for business device users to understand that this kind of vulnerability not only exists, but may even become more widespread based on the increasing numbers of Firebase users since it was launched. It’s worth noting that any vulnerability that exposes sensitive data from an enterprise account can mean the risk of violating regulatory compliance, regardless of how the information was leaked or who was responsible.
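For development teams, the missing authentication step described above can be caught by auditing the database rules file before it ships. The following is an added example, not code from the article, Appthority or Google; it assumes the Firebase Realtime Database JSON rules format (the article says only “Firebase cloud database”), the sample rules are constructed, and the function names are hypothetical.

```python
"""Audit a Firebase Realtime Database rules file for unauthenticated access.

Added example. Assumes the rules are plain JSON (no comments) in the
Realtime Database format, where ".read"/".write" hold true/false or an
expression string, and a grant at a parent path cascades to every child.
"""
import json
import re

AUTH_REF = re.compile(r"\bauth\b")  # does the expression consult the auth variable?

# Constructed sample: every path readable and writable without signing in.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: per-user data is protected, two other paths are not.
MIXED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_profiles": {
      ".read": "true",
      ".write": "auth != null"
    },
    "reports": {
      ".read": "data.child('published').val() == true"
    }
  }
}
"""


def classify(expr):
    """Label one .read/.write value."""
    if isinstance(expr, bool):
        return "public" if expr else "denied"
    text = str(expr).strip()
    if text == "true":
        return "public"
    if text == "false":
        return "denied"
    return "authenticated" if AUTH_REF.search(text) else "no-auth-check"


def audit_rules(rules_json):
    """Return (path, operation, severity) tuples for risky rules.

    PUBLIC      - anyone can read or write this path and everything below it
    REVIEW      - a condition exists but never checks who is signed in
    INEFFECTIVE - a stricter child rule that an open parent already overrides
    """
    findings = []

    def walk(node, path, open_above):
        open_here = set(open_above)
        for op in (".read", ".write"):
            if op not in node:
                continue
            verdict = classify(node[op])
            if op in open_above and verdict != "public":
                findings.append((path, op, "INEFFECTIVE"))
            elif verdict == "public":
                findings.append((path, op, "PUBLIC"))
                open_here.add(op)
            elif verdict == "no-auth-check":
                findings.append((path, op, "REVIEW"))
        for key, child in node.items():
            # Keys starting with "." are rules; everything else is a child path.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, path.rstrip("/") + "/" + key, open_here)

    walk(json.loads(rules_json).get("rules", {}), "/", frozenset())
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("mixed", MIXED_RULES)):
        print(name)
        for path, op, severity in audit_rules(rules):
            print(f"  {severity:<12} {op:<7} {path}")
```

A check like this can run in a build pipeline and fail the build on any PUBLIC finding that has not been explicitly approved.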

