Posts

In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the organization is smaller, with fewer security measures than the companies they serve.  

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

  • According to a survey by Proofpoint, ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers. 
  • Cybersecurity firm Emsisoft found that at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. 
  • The Emsisoft report also reports that more than 1,300 companies lost data, including intellectual property and other sensitive information in 2020. 
  • Ransomware attacks cause significant disruption when ambulances carrying emergency patients are redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 28, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 22, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy.  Human beings tend to end a year by looking forward, but begin the new year by looking back. This week, such is the case when researchers, having just finished publishing their 2021 predictions, turn to sharing their annual trend reports. How many of X and the increase or decrease in Y. 

Here, we are interested in the trends that impact consumers and businesses regarding data privacy and security. The first significant report on those topics concludes that ransomware attacks are now the single biggest cyber threat to companies based on what happened in 2020. If it’s a threat to businesses, it’s a threat to consumers. 

You may not know the name Phil Dusenberry, but you know his work. If you saw a Pepsi commercial during the ’80s, ‘90s and early 2000s, you saw his handy work. If you ever saw the “Morning in America” film for President Reagan or the baseball movie, “The Natural”, those belonged to Phil Dusenberry, too. Now, he has contributed to today’s episode when he said: “Writing advertisements is the second most profitable form of writing. The first, of course, is…” Hold that thought, and we’ll come back to it.  

Ransomware Attacks Considered A Top Cybersecurity Threat 

Cybersecurity firm Proofpoint has found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a recent survey. Even more alarming is research from New Zealand-based cybersecurity firm Emsisoft that concludes at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. The impacted organizations include: 

  • 113 federal, state and municipal governments and agencies 
  • 560 healthcare facilities 
  • 1,681 schools, colleges and universities 

These kinds of attacks cause significant, and sometimes life-threatening, disruption when ambulances carrying emergency patients have to be redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 

The Impact of Ransomware Attacks on Private Businesses 

Ransomware attacks are not limited to the public sector. Private businesses are very much in the crosshairs of the professional cybercriminals who commit these crimes. According to the Emsisoft report, more than 1,300 companies, many based in the U.S., lost data, including intellectual property and other sensitive information in 2020. That’s just the number of companies with data published on websites where thieves post their ransom notes or stolen data for sale. It does not include the unknown number of companies that paid the ransom before anyone noticed.  

Few cyber-criminal groups released the data they stole in 2020. Only two are known to have done so after companies refused to pay a ransom. However, by the end of 2020, more companies were paying ransom figures over $200,000 on average to avoid the release of their compromised information.  

Many times, they paid the demands even if they didn’t have to do so. Emsisoft has documented cases where businesses with the necessary back-ups to restore their information still paid the ransom for fear their data would be released if they didn’t pay. Proving Phil Dusenberry’s theory, the most profitable form of writing…is a ransom note. 

ITRC to Release Annual Data Breach Report 

Next week, the ITRC will publish its annual report on data breaches. The report includes how many breaches occurred, who was impacted, why they occur and much more. There are some very interesting trends that we’ll discuss in our next episode.  

Contact the ITRC 

If you have questions about how to protect your information from data breaches and data exposures, visit idtheftcenter.org, where you will find helpful tips on this and many other topics.  

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours (6 a.m. to 5 p.m. PST). Visit the company website to get started. 

If you want to work ahead and read our 2020 Data Breach Report, our 15th annual edition, it will be posted on our website on Thursday, January 28, as part of Data Privacy Day. Just visit idtheftcenter.org

The release of the 2020 ITRC Data Breach Report and launch of the ITRC’s data breach tracking tool supports the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices.

SAN DIEGO, January 13, 2021- Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, announces its commitment to Data Privacy Day on January 28, 2021. The ITRC recognizes and supports the principle that all organizations share the responsibility of being conscientious stewards of personal information.

The ITRC will unveil the 15th annual edition of the ITRC Data Breach Report on January 28, 2021. One of the most widely quoted reports on data breach trends, the report will also explore the fundamental shifts underway in the root causes of identity-related crimes. The release of the 2020 ITRC Data Breach Report coincides with the launch of the ITRC’s new data breach tracking tool, notifiedTM, to assist consumers and businesses in making informed decisions about with whom they do business. Landmark state privacy and security laws, like the California Privacy Rights Act, require businesses to ensure third-party vendors’ cybersecurity processes protect consumer information.

“The ITRC is honored to take part in Data Privacy Day 2021 and to bring awareness to the importance of people and businesses taking action to protect personal and company information,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “We want individuals to value protecting their own data and for businesses to keep people’s personal information safe. Likewise, our latest trend analysis shows that consumers have a big role to play in protecting their employer’s valuable business data and systems. It is critical that everyone take part in reducing the number of data compromises moving forward.”

Data Privacy Day is a global effort that generates awareness about the importance of privacy, highlights easy ways to protect personal information, and reminds organizations that privacy is good for business. This year, the focus is on encouraging individuals to “Own Your Privacy” by learning more about how to protect the valuable data that is online, and encouraging businesses to “Respect Privacy” by helping organizations keep individuals’ personal information safe while ensuring fair, relevant and legitimate data collection and processing practices.

According to a Pew Research Center study, 79 percent of U.S. adults report being concerned about how companies use their data. As technology evolves and the COVID-19 pandemic continues to influence how consumers interact with businesses online, data collection practices are becoming increasingly unavoidable, making it imperative that companies act responsibly.

“In recent years, we’ve seen the impact of more global awareness surrounding the abuse of consumer data, thanks to sweeping privacy measures like GDPR and CPRA,” said Kelvin Coleman, Executive Director for the National Cyber Security Alliance. “While legislative backing is key to reinforcing accountability for poor data privacy practices, one major goal of Data Privacy Day is to build awareness among businesses about the benefits of an ethical approach to data privacy measures separate from legal boundaries.”

For more information about Data Privacy Day 2021 and how to get involved, visit https://staysafeonline.org/data-privacy-day/.

For more information on the ITRC’s 2020 Data Breach Report, email media@idtheftcenter.org.

About the Identity Theft Resource Center®  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notifiedTM.  

About Data Privacy Day

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. NCSA, the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness, leads the effort in North America each year. For more information, visit https://staysafeonline.org/data-privacy-day/.

About the National Cyber Security Alliance

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber: U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit https://staysafeonline.org.

Media Contact  

Identity Theft Resource Center  
Alex Achten   
Earned & Owned Media Specialist  
888.400.5530 Ext. 3611  
media@idtheftcenter.org  

  • A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 
https://soundcloud.com/idtheftcenter/the-weekly-breach-breakdown-podcast-by-itrc-second-verse-same-as-the-first-season-2-episode-1

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data and account passwords or PINs. An investigation is on-going.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice, State and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • The list for the most common passwords in 2020 is out, released by cybersecurity firm NordPass. The three most common passwords of 2020 are 12345, 123456789 and picture1.  
  • Weak passwords continue to be a security issue. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches
  • To strengthen password security, consumers should change their password to a passphrase, never reuse a password (consider a password manager), use two-factor authentication when possible and never use work passwords at home (and vice versa). 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • For more information on how to upgrade your password, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our  Weekly Breach Breakdown Podcast. This week, we will look at one of the behaviors that are increasingly at the foundation of many, if not most, data compromises in 2020: weak passwords

Why Passwords are Important 

As ITRC Chief Operating Officer James Lee mentions in the podcast, like the Porter outside Macbeth’s castle, passwords are designed to allow entry to our personal and work castles. Passwords protect the devices that are home to the applications and data we use and create.  

Passwords in the 1980s and 1990s 

People have been protecting passwords since the 1980s. The first passwords were simple, and most people only needed one. Maybe the password was assigned to someone at work, so they used the same one at home; that is if there was a computer at home. People were told never to write down their password.  

Then came the internet in the mid-1990s, and suddenly there was a need for more passwords. People needed a password for their AOL or Earthlink account. Eventually, people had to add passwords to the handful of other online accounts they created. However, most people probably just used the same word or set of numbers that was their device login password. 

Passwords Today 

Fast forward to today, according to cybersecurity firm NordPass, the average person now has to manage a staggering 100 passwords, up 25 percent from 2019. The rise is due, in part, to the increase in online transactions during 2020 related to COVID-19.  

Most Common Passwords 

NordPass also publishes an annual list of the most common passwords, which also corresponds with the passwords cracked most often by professional data thieves. Here are the top 10 most common passwords of 2020 and how long it takes a cybercriminal to crack the password: 

  1. 12345 (takes less than one second to break) 
  1. 123456789 (takes less than one second to break) 
  1. picture1 (takes up to three hours to crack) 
  1. password ( takes less than one second to break) 
  1. 12345678 (takes less than one second to break) 
  1. 111111 (takes less than one second to break) 
  1. 123123 (takes less than one second to break) 
  1. 12345 (takes less than one second to break) 
  1. 1234567890 (takes less than a second to break) 
  1. Senha (the Portuguese word for password; takes 10 seconds to break) 

The Dangers of Weak Passwords 

Weak passwords allow cybercriminals to access systems and accounts easily. People use weak passwords because there are so many to remember, which also prompts people to use the same weak passwords on multiple accounts and use them at work and home. 

Here are a few statistics from earlier in 2020: 

What You Can Do to Avoid Weak Passwords 

The good news is that people can do many things to make sure they have strong passwords that will keep their accounts secure. Here are some tips: 

  • Change your password to a passphrase. Use a passphrase like a movie quote, a song lyric, or a favorite book title that is easy to remember and at least 12 characters long. It would take a cybercriminal 300 years to crack a 12-character passphrase with upper and lower case letters. If you add a number, the passphrase will last 2,000 years.  
  • Never reuse your passwords, or passphrases since you just upgraded, right? If you have too many passwords to remember, use a password manager. If you want a free solution, many browsers offer a form of a built-in password manager. Safari and Firefox are two examples. 
  • Use two-factor authentication when it’s available. An authentication app like those offered by Microsoft and Google is best. However, even the two-factor authentication version that sends a code to you by text is better than no multi-factor authentication. 
  • Never use your work password at home, or vice versa. Stolen work credentials are one way cybercriminals use to get the access they need to launch ransomware attacks against companies.  

notifiedTM   

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC  

If you have questions about how to upgrade your password to protect your information from data breaches and exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics. If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • Vertafore, a Denver based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise that exposed personal information to the risk of being stolen by a cybercriminal by not installing security on a cloud storage service.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records exposed has millions of people worried about how it could affect them.

Vertafore, a Denver based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, it was moved to a third-party cloud database with no security. The files included data before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records exposed has prompted consumers to ask questions about how their driver’s license and related data ends up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 

  • Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.  
  • A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.  
  • MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests. 
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM
  • For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more. 

There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list. 

Timberline Billing Service 

Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.

However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.  

Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools: 

  • Fort Dodge Community School District 
  • Iowa City Community School District 
  • Cherokee Community School District 
  • Kingsley-Pierson Community School District 
  • Central Decatur Community School District 
  • Clinton Community School District 
  • Muscatine Community School District 
  • Saydel Community School District 
  • Sheldon Community School District 
  • Mid-Prairie Community School District 
  • Hudson Community School District 
  • Dallas Center-Grimes Community School District 
  • Knoxville Community School District 
  • Oskaloosa Community School District 

Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.  

BankSight Software Systems, Inc. 

vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or postpone on loan payments, exposing private family and business information.  

vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their client’s data.  

MAXEX, LLC.  

Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.

The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.  

MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.  

While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. Rather, the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.  

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. 


Read more of our latest information & educational resources below

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers

  • Two new research papers from OpSec Security and Consumer Reports shows how consumer privacy and cybersecurity views are evolving across the U.S. 
  • Findings in the OpSec Security report show that cyberattacks and data breaches are pervasive, and consumers are concerned and desensitized by the volume of information compromises. 
  • The Consumer Reports report concludes that consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. 
  • For more information on the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM. It is updated daily and free to consumers.  
  • For cybersecurity, privacy or data breach advice, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website. 

Privacy and cybersecurity impact consumers. Two new research papers show how consumer privacy and cybersecurity views are evolving across the U.S. The reports validate a central concern among consumers that there is not enough done to protect their most precious possession; their name. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at two new research reports. The first focuses on recent changes in consumer attitudes. The second takes a longer-term look at how consumer privacy and cybersecurity views are different now compared to 25 years ago when the modern commercial internet was born.

The Importance of Reputation 

Reputations are important to individuals, companies and organizations. That’s why OpSec Security, a global cybersecurity firm, recently surveyed 2,600 consumers throughout the U.S. and four European countries. Researchers asked consumers whether they have been affected by cybercrime, their perceptions of brands, and if their role – or the role they should play – in keeping consumers safe has changed over time. 

The findings show that cyberattacks and data breaches are pervasive and consumers are both concerned and desensitized by the volume of information compromises. Some of the key findings in the last year include the following: 

  • 40 percent of respondents were a victim of an email or phishing scam
  • 51 percent of respondents say they receive more phishing attempts now than before the COVID-19 pandemic. 
  • 35 percent of respondents experienced credit or debit card fraud. 
  • 21 percent of respondents were a victim of identity theft at some point.  

Meanwhile, 30 percent of respondents were impacted by a data compromise, which did not surprise nearly one-third of the people who received a data breach notice. Of those who had their data compromised, 46 percent were contacted more than five times. Almost half of those who haven’t received a data breach notice, 48 percent, are worried they will soon.  

Those 30 percent of consumers in the OpSec survey who say they had their data compromised in a data breach equal the same percentage of people who responded to a similar question from Consumer Reports.  

Consumers Think Businesses are Responsible for Protecting Personal Information 

Both surveys came to a similar conclusion: consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. Consumer Reports surveyed more than 5,000 U.S. residents about privacy and security. They also reviewed past research to show how consumer attitudes changed over time. 

  • In 1995, 44 percent of consumers were worried “a lot” or “some” about losing privacy due to the internet. 
  • By 2002, 76 percent of survey respondents were uncomfortable about companies collecting data about them. However, 94 percent thought they had a legal right to see what data the company collected about them from a website. 
  • Fast forward to 2019; 65 percent of consumers said they do not believe their personal information is kept private. 

In the Consumer Reports research published in October, 96 percent of consumers surveyed agreed that more could be done to ensure companies protect consumer information. Other findings include the following: 

  • 68 percent of consumers surveyed believe companies should be required to delete the data they have about someone upon the consumer’s request. 
  • 67 percent of respondents think there should be tougher penalties, like high fines, for companies that don’t protect someone’s privacy. 
  • 63 percent say companies should be required to give consumers access to the data companies have about them. 
  • 63 percent also believe there should be a national law that says companies must get a person’s permission before sharing their information. 

There are now laws, passed in multiple states, that include one or more of the items from the consumers’ privacy wish list above, but a national privacy law remains elusive. 

Built-In Privacy Features 

One finding that did not emerge from either survey on consumer privacy and cybersecurity views was a consensus around what consumers want to happen next to protect their information. Consumer Reports notes that companies are beginning to build products with built-in privacy features. More than 40 percent of consumers say they may be willing to pay companies to stop collecting, sharing and selling their personal information. Right now, that practice is prohibited in California, the state with the toughest privacy law in the U.S.  

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC 

If you receive a breach notice and would like to know how to protect yourself, contact the ITRC at no-cost by calling 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website. Also, download the free ID Theft Help App to access advisors, data breach resources, a case log and much more.  

Join us on our weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.   


Read more of our latest information & educational resources below

Unsubscribe Email Scam Looks to Trick Consumers

Social Media Scams are on the Rise as More People Use the Platforms to Connect

Phishing Attack Report Reveals Microsoft is the Top Spoofed Brand and Other Data Breach News

  • A new CheckPoint report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter. 
  • Barnes & Noble acknowledged what they initially thought was a systems error earlier in October turned out to be a cyberattack on some of its systems. 
  • Cyberthieves posted three million credit cards for sale on the dark web earlier in the month stolen from Dickey’s BBQ restaurant chain throughout 2019 and 2020. 
  • Darkside announced they donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations. 
  • If you are the victim of a phishing attack or data compromise, contact the Identity Theft Resource Center for no-cost assistance at 888.400.5530 or by live-chat on the company website. 

A new report reveals how frequently identity criminals use well-known brands to trick people into sharing their personal information. CheckPoint Security researchers say one company has jumped to the top of the heap when it comes to fake emails and fake websites involved in brand phishing attacks – Microsoft.  

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we take a look at CheckPoint’s latest survey and what it means, as well as two data compromises that recently prompted consumer notices, and a ransomware group donating to charities.  

Brand Phishing Attacks 

There are different types of phishing attacks. What is a brand phishing attack? In this attack style, a cybercriminal imitates a well-known brand’s official website by using a web address and webpage design similar to the real thing. A link to the fake website is then sent to people by email, text message, or social media.

The fake webpage often contains a form intended to steal the credentials, payment details, or other personal information of the people caught in the phisher’s net.  

While many of the spoofed websites are fake with poor spelling or grammar, these emails, websites, texts and social media accounts are increasingly sophisticated and highly accurate imitations that even trained professionals don’t spot at first glance. 

Report Reveals Microsoft as the Top Spoofed Brand 

CheckPoint’s current report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Forty-three percent of all types of phishing attacks involve fake websites, and Microsoft is again the number one brand used to lure unsuspecting users.

As tolled, Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter.  

However, Microsoft is not the only brand in the crosshairs of cybercriminals. The rest of the top ten brands currently being used in phishing campaigns include: 

  • Google (nine percent) 
  • PayPal (six percent) 
  • Netflix (six percent) 
  • Facebook (five percent) 
  • Apple (five percent) 
  • WhatsApp (five percent) 
  • Amazon (four percent) 
  • Instagram (four percent) 

How to Avoid a Phishing Attack 

The best way to avoid falling victim to all types of phishing attacks is to ignore unsolicited emails and texts that include links. If anyone receives a notice from a company where they do business, they should log in directly to their account to verify the message they received was real.

Anyone who gets a notice can also go to the company website directly and contact them. Under no circumstances should anyone click on a link or call a telephone number in an unexpected email.  

Barnes & Noble Data Compromise 

We also want to tell you about two recent data compromises that led to consumer notices. Barnes & Noble – the online brick and mortar bookseller – acknowledged what they initially thought was a systems error earlier in October was, in fact, a cyberattack on some of the company’s systems.

Customer email addresses, billing and shipping addresses, telephone numbers and transaction histories may have been involved in the security breach. Barnes & Noble says there is no evidence of a data exposure. However, they are not ruling out the possibility. 

Dickey’s BBQ Data Compromise 

The Barnes & Noble breach is different from the circumstances at the Dickey’s BBQ restaurant chain. Cyberthieves posted three million credit cards for sale on the dark web earlier in the month stolen from the popular eatery throughout 2019 and 2020. Security researchers believe 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing software.  

“Darkside” Ransomware Group Tries to Claim its Legitimacy 

Finally, the ransomware group known as “Darkside” is trying its hand at brand building just like a legitimate company. This week Darkside announced they had donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations.  

Security researcher Chris Clements notes, “The most troubling realization here is that the cybercriminals have made so much money through extortion that donating $20,000 is chump change to them.”  

Neither of the two charities has acknowledged receiving the donation and say they will not keep it if it turns out to be true. 

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you accidentally click on a link of a brand phishing attack or provide information to what you discover later was a fake website form, contact the ITRC toll-free at 888.400.5530 or live-chat with an expert advisor on the company website. An advisor will walk you through the steps to take to protect yourself from any possible identity misuse. 

If you receive a breach notice due to the Barnes & Noble or Dickey’s BBQ events or any other data compromise and you’d like to know how to protect yourself, contact the ITRC to speak with an expert advisor. Also, download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our  weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  


Read more of our latest articles below

Identity Theft Resource Center® Reports 30 Percent Decrease in Data Breaches so Far in 2020

Election Scams Begin to Surface with the General Election Less than One Month Away

Recent Insider Attacks Stress the Importance of Smart Business Practices