
A recent discovery on an internal message board may be a little unsettling: according to Politico, which discovered the internal memo and first wrote about the incident, the U.S. State Department’s unclassified email system suffered a data breach. This event affected only one percent of the organization’s 69,000 employees, but while the classified email system was not affected, the State Department acknowledges that the impacted employees’ personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business or agency, leading to record-setting year-over-year numbers of data breaches and compromised consumer records. While the State Department’s investigation of the incident is still underway, the internal memo did cite the need for better password security among employees.

Password security is an issue that plagues users at every level and in every industry. There are even websites that track the most commonly used passwords—discovered as a result of data breaches and stolen account credentials—and unsurprisingly, things like “password,” “qwerty,” and “12345678” still top the lists. Of course, a weak and easily guessed password isn’t the only issue; reusing passwords on multiple accounts leads to fraudulent access too. If a hacker uncovers a database of stolen logins for social media accounts, they can access any other accounts that reused those same usernames and passwords.

The U.S. government has been urged to take extra precautions when it comes to cybersecurity, largely due to the fallout and the resulting legislation from the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees’ complete identities were stolen, along with identifying information for other people connected to those employees (i.e., family members, former employers).

The event sparked the Federal Cybersecurity Enhancement Act, which was signed into law in 2015. It required federal agencies to take more preventive action to reduce the threat of cybercrimes, and to report on their actionable steps. Unfortunately, those security steps have not been implemented across the board. Several U.S. Senators issued a letter to Secretary of State Mike Pompeo earlier this month, expressing their disappointment that the organization has not followed through on enough of the recommended security measures.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


With all of the high-tech hacking, malware attacks that cripple entire networks, and new ways to steal or fabricate someone’s complete identity, it’s easy to forget that some of the things that used to be problems in the past are still a problem.

On Aug. 16, a data breach was discovered that affected multiple Cheddar’s Scratch Kitchen restaurants in numerous states. Investigators believe the operative first launched the breach in early November of 2017 and continued through Jan. 2. More than 500,000 payment cards were compromised in the breach.

The company has sent out notification letters to the victims and offered identity monitoring for the affected customers. They also revamped the payment card system in April of this year, but still advise all of their customers to monitor their account information very closely for any signs of suspicious activity.

This incident clearly demonstrates that “old-fashioned” methods of stealing identifying and financial information are still out there, even if they’re sometimes overshadowed by larger events like the or the cyber attack that hit last year. Even old tactics like dumpster diving for your junk mail or health insurance statements can lead to identity theft crimes, even if they’re on a much smaller scale than a data breach like this one.

To help minimize the risks associated with this kind of incident, there are steps that consumers can take:

1. Enable alerts on your payment cards – If your financial institution offers it, you can set up text or email alerts that tell you any time your card number is used without the physical card being present. If your account info is stolen in a breach like this one, you’ll know if someone uses your card fraudulently. One person who contacted the Identity Theft Resource Center was on her child’s school trip when she received an alert; a quick call to her credit card company showed that someone had used her account number to buy several iPhones at a cellular store. The transaction was promptly canceled and a new card sent to the victim.

2. Monitor your accounts closely – By taking even a quick peek at your account statements on a regular basis (something you can even set up to do online or on your mobile device), you can stay on top of any unusual activity.

3. Place a credit freeze – This event only compromised the customers’ payment card numbers, but in this climate of record-setting data breaches, some consumers are opting for preventive credit freezes. New legislation goes into effect next month that will remove the fee associated with freezing and unfreezing your credit, which helps prevent new accounts from being opened with your identifying information. If more sensitive information is stolen in other data breaches, you’ll be better prepared to fend off identity theft and fraud.



For quite some time, Social Security numbers have been called the “Holy Grail” of personally identifiable information. With access to your SSN and a few other key data points, an identity thief could open new lines of credit and run up bills for large purchases for years to come. If you discovered the fraudulent card and canceled it, they could simply open up another one.

In any data breach, it was almost a relief to find out that the victims’ SSNs had not been compromised… but that may not be the case anymore.

As a newly announced data breach of T-Mobile’s network shows, our phone numbers can be a hot commodity for hackers. Hackers made off with the names, email addresses, some of the accounts’ passwords, account numbers and phone numbers for . The cellular provider discovered the incident on Aug. 20 and shut down the hackers’ access, then began the process of investigating and sending out notification letters to affected customers.

You might think a thief can’t really do much with this information, but that’s not true. With just the data compromised, identity thieves can port the affected customers’ phone numbers to a new SIM card, install it in a new handheld device and access any accounts that the user has connected through that phone number.

For example, a hacker can get into your email account, Amazon account, online banking or PayPal account and more by having the password reset link sent to the phone number associated with the accounts, even if two-factor authentication was in place. The thief can then access the victims’ text messaging, receive the one-time-use verification code and use it to change the victims’ passwords on any accounts where they’ve entered their phone number.

T-Mobile has already begun notifying the victims and offered them some key instructions, namely to change their passwords on their accounts. However, it’s also a good idea to change the passwords on any other sensitive accounts—not just the T-Mobile accounts—and to be on the lookout for any unusual activity. This might include notifications of logins from new devices, contacts from your account providers telling you of suspicious activity, any unusual deductions from your financial accounts and more.



Parents instinctively protect their children from any danger that might come their way, but what do parents tend to overlook? Child identity theft. Given the prevalence of this crime – more than one million cases of child identity theft were reported last year alone – it’s crucial that parents and legal guardians start taking the necessary steps to help minimize their children’s risks. To help encourage this thinking, Experian has designated September 1 as Child Identity Theft Awareness Day to generate more attention around this prolific crime in hopes that it will reduce the number of victims.

Children’s identities are seen as desirable because they are often left unmonitored for many years, giving thieves ample time to wreak havoc. For example, a recent survey conducted by Experian found that 45 percent of respondents didn’t discover they were a victim of identity theft until they were between the ages of 16 and 18. Additionally, more than half of those surveyed didn’t discover they were a victim of child identity theft until they applied for credit as an adult or when they received a bill or credit card in the mail.

The emotional toll this crime takes on its victims is also worth noting. The survey discovered that 35 percent of the child identity theft victims surveyed sought professional help in dealing with stress, anxiety, anger or depression related to the theft; 68 percent said they are fearful it could happen to them again; and 65 percent are angry about the credit roadblocks they have faced. Furthermore, 10 years later, 1 out of 4 victims surveyed are still dealing with the issues and 81 percent of them remain concerned about their ability to get approved for credit in the future.

As illustrated in the survey, the effects of child identity theft can be long-lasting, and although this crime is not completely preventable, parents and legal guardians can take the necessary steps to minimize their children’s risks. For starters, many parents and legal guardians don’t realize that they might be unintentionally putting their child at risk of identity theft by carrying their Social Security card, giving out this number to entities that don’t legally need it (doctor’s office/hospital) and by not being proactive.

Interestingly enough, the survey revealed that when the parents discovered the child identity theft, their children were 14 years old on average, whereas if the child found out about the theft themselves, they were 19 years old on average. What parents don’t often realize is that they might be able to discover this theft even sooner, which could potentially save their children years of headache. First, parents need to be on the lookout for signs of child identity theft, which include the following: protecting their Social Security number, monitoring their children’s personal information, social media and online activity, paying attention to privacy policies and teaching them about identity theft risks. Second, they might consider doing Experian’s free Child ID Scan, which is a one-time service for parents or guardians to check if an Experian credit report exists for their child. If you do find out that your children’s information has been compromised, we recommend contacting the Identity Theft Resource Center’s toll-free number at 888-400-5530 to speak to an experienced advisor who can inform you about the necessary steps to take to resolve the issue. You can also use the live chat feature on their website at www.idtheftcenter.org.

Taking small steps to protect your child’s identity can not only greatly reduce their risk of becoming a victim but it can also help them in the long run.

Experian proudly provides financial support to the Identity Theft Resource Center.



Organizations like the Identity Theft Resource Center track data breaches and identity theft crimes throughout the year in order to establish a clear picture of how these issues affect consumers. Year after year, record-setting numbers of data breaches and compromised consumer records continue to plague every sector of industry, but nothing may have been more surprising than this:

In July, more than 860,000 patients’ medical records were compromised in data breaches.

You read that right: 860,000 patient records. The data breaches that resulted in the loss of records came from a variety of sources and methods, and not all of the affected records led to individual harm. The result, however, is nearly one million people whose information was in some way exposed.

What’s interesting about the events that compromised so many records is the different ways they happened. Improper disposal of records, something that has been happening for decades, may have affected more patients than any other mechanism, even the supposedly high-tech kinds like hacking or ransomware. It’s alarming that more than 300,000 patients’ records were exposed through improper disposal, yet only two reported improper disposal events were uncovered in July.

Hacking or other cybercrimes—arguably the more commonly thought of method of data breaches, at least in the minds of the public—were only responsible for just over 200,000 stolen records. Except for a couple of incidents involving health insurance providers or vendors, most of the 18 separate intentional breaches targeted the networks of healthcare providers themselves.

Accidental exposure of records is an issue that has weighed on nearly every kind of industry in the past few years, and the healthcare sector was no different. Last month, more than 200,000 patient records were exposed when a database of information from one state was left accessible on the internet. Of course, it’s irresponsible to overlook the potential exposure that happens when someone misplaces a USB drive or reports a stolen laptop. That single missing laptop was responsible for the exposure of almost 5,000 patient records in one event.

So what does this mean for patients? It means you could expect a notification letter or email to show up in the near future, providing you with step-by-step instructions on how to take action if your records were exposed. It also means you need to monitor your sensitive accounts carefully and be on the lookout for medical bills or insurance claims that you didn’t file in case an unauthorized person uses your identity.



When new technology comes along, it might take a matter of years or only a matter of days for a highly-skilled hacker to figure out a way to break in. With any luck, the person who breaks into the system is what’s known as a “white hat hacker,” or someone whose expert-level skills are put to use helping stop criminal activity instead of benefitting from it.

When security analyst Ryan Stevenson breached Comcast’s Xfinity website portal, it seemed like a frighteningly easy task. It simply required him to match up readily available IP addresses—basically, your computer’s code name on the internet—with the in-home authentication feature that lets users pay their bills on the telecom provider’s website without having to go through the sign-in process. Another vulnerability allowed Stevenson to match users to their Social Security numbers by inputting part of their home mailing addresses—something that the first vulnerability exposed—and guessing the last four digits of their SSN.

Guessing the last four digits of someone’s SSN might not sound that easy, but it only takes seconds for a computer to do it with the right software. The flaw in the website allowed the computer to make an unlimited number of guesses for a corresponding mailing address, so it took very little time for the code to reveal complete Social Security numbers.

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch a few hours after the report of the flaws. The company responded to requests from news outlets with an official statement to the effect that they have no reason to believe anyone other than Stevenson accessed this information. They also don’t believe that the vulnerabilities are related to anyone with malicious intent. Just to be safe, though, the company is continuing an investigation into how the flaws originated and how they might possibly have been used.

In the meantime, Xfinity customers would do well to monitor their accounts closely. This could potentially affect other accounts, not just their telecom service accounts, as Social Security numbers, names and mailing addresses were visible.
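
The second flaw described above came down to an unlimited guess budget against a four-digit value. As an added example (not Comcast’s code or its patch; the class name, limits and record IDs are assumptions), this Python code budgets failed guesses per target record rather than per client, so a sweep of all 10,000 values stops after five evaluated guesses:

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy value (not from the article)
LOCKOUT_SECONDS = 30 * 60   # assumed policy value (not from the article)


class ThrottledVerifier:
    """Checks a 4-digit answer, budgeting failed guesses per target record.

    Keying on the record (here a hypothetical address ID) rather than the
    client IP means rotating source addresses does not buy more guesses.
    State is kept in memory only to keep the example self-contained.
    """

    def __init__(self, records, clock=time.monotonic):
        self._records = records   # record_id -> expected 4-digit string
        self._clock = clock
        self._state = {}          # record_id -> (failures, locked_until)

    def verify(self, record_id, guess):
        """Return 'ok', 'denied' or 'locked' for one attempt."""
        now = self._clock()
        failures, locked_until = self._state.get(record_id, (0, None))
        if locked_until is not None:
            if now < locked_until:
                return "locked"       # refused without evaluating the guess
            failures = 0              # lockout expired: fresh budget
        expected = self._records.get(record_id)
        # Unknown records are budgeted the same way, so lockout behaviour
        # does not reveal which record IDs exist.
        matched = expected is not None and hmac.compare_digest(
            expected.encode(), str(guess).encode())
        if matched:
            self._state.pop(record_id, None)
            return "ok"
        failures += 1
        locked = now + LOCKOUT_SECONDS if failures >= MAX_FAILURES else None
        self._state[record_id] = (failures, locked)
        return "denied"


def guesses_evaluated_in_sweep(verifier, record_id):
    """Control test: submit 0000-9999 in order, count guesses actually checked."""
    evaluated, found = 0, False
    for n in range(10_000):
        result = verifier.verify(record_id, f"{n:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            found = True
            break
    return evaluated, found


if __name__ == "__main__":
    # Constructed sample data: one record whose answer is 7342.
    v = ThrottledVerifier({"addr-001": "7342"})
    print(guesses_evaluated_in_sweep(v, "addr-001"))   # (5, False)
    print(v.verify("addr-001", "7342"))                # locked
```

With these assumed limits, a guesser gets a 5 in 10,000 chance per 30-minute window against any one record. A real deployment would persist the counters in shared storage and alert on repeated lockouts.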



When news breaks of a data breach, consumers might envision a network of Dark Web hackers infiltrating a major target and stealing their files. However, a large number of data breaches are the work of a company’s employees. Sometimes, those employees have set out to steal information from the business, while other inside job data breaches are purely accidental.

That appears to be the case in yet another data breach that can be traced back to an unsecured Amazon S3 web hosting server. Many breaches have already occurred as a result of user error in password protecting these hosted file storage databases, but this time, the compromised information was voter registration records.

A data breach involving voter records might automatically make the public assume the worst in today’s political climate, so it’s important to point out that the compromised information includes a lot of data that is already publicly available to researchers, journalists and other interested parties.

In this event, an unsecured server allowed anyone who “stumbled” on it online to see information that includes full names, phone numbers, complete mailing addresses, political affiliations, birth dates and genders, demographic information that has been gathered and more. The database included records for more than 26,000 voters, according to a report by Bob Diachenko, head of communications for cybersecurity firm Kromtech Alliance Corp.

Diachenko found the information online after conducting a sweep for unsecured S3 web servers. The information belonged to a political robocalling company named Robocent, which sells individual voter records to anyone who wants them for three cents apiece. The only thing Diachenko had to do to find this exposed database was search for the keyword “voter” in his hunt for unsecured servers.

Unfortunately, another service had already found the information. According to a report on this incident by Cyberscoop, “By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets.”

When Diachenko reached out to Robocent to report the compromised data, the response was less than satisfactory: “We’re a small shop (I’m the only developer) so keeping track of everything can be tough.” The information is now secured, but there is no way of knowing who else has already seen it.

Looking back at the information that was exposed, it might seem like fairly harmless, common knowledge-type data. After all, names and addresses need more protection. However, this type of database exposure is a gold mine for identity thieves who commit synthetic identity fraud; that type of fraud occurs when the criminal pairs existing identifying information with a made up or unissued Social Security number, essentially creating a fake person who has the victim’s name, address, and other data points.

Since members of the public have very little recourse when it comes to knowing if someone compromises their information, it’s more important than ever to monitor your account statements and credit reports, secure all of your accounts with strong, unique passwords and stay on top of anything suspicious that happens with your identifying information.

ith harsh comments, pleas for help, and any other statement to get the money out of you. Don’t fall for it, and don’t let love turn into heartache and loss by giving in.



Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.

