
The Identity Theft Resource Center has been working to empower breach victims with the resources and tools to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft, especially after they were impacted by a data breach. Since 2005, the ITRC has recorded over 10,000 publicly notified breaches. Here is a look at five watershed moments that created systemic change for consumers.

Equifax

In 2017, 148.8 million people were affected by this impactful data breach, which, through the Freedom from Equifax Exploitation Act, led to free credit freezes and regulation changes, as noted in ITRC’s “Equifax One Year Later Aftermath Report.” On July 22, 2019, Equifax reached a $700 million settlement with the Federal Trade Commission (FTC), in which Equifax agreed to spend up to $425 million to help victims of the breach. It is also changing the standard of proof for settlements – shifting the onus from the entity that was breached to the consumer having to prove that they were impacted. Because of Equifax, we’re still seeing people push for data breach law reform.

Target

During the busy holiday season in 2013, Target was hit by a data breach that exposed the credit card data of 40 million people and the personal information of 70 million, upsetting lawmakers. This breach made customers uneasy about using payment cards and was a catalyst for pushing forward the adoption of chip card technology. It also created a greater understanding of the need for authentication options. Consumers are now more acutely aware of their transactional engagements with retailers and how their financial information could be a gateway to other types of compromise.

Anthem

In 2015, Anthem suffered a large consumer data breach that impacted nearly 80 million people. The information compromised included names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data that could have included income information. Minors who were on their parents’ health plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. In 2018, Anthem agreed to take corrective actions and pay the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In order to place a claim for the settlement, victims needed to provide proper documentation for out-of-pocket costs. The Anthem breach is considered to be the largest health data breach and the largest HIPAA settlement in the United States.

OPM

Over 21 million people were affected by the second Office of Personnel Management (OPM) impactful data breach, which occurred in 2016. Investigators determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen – including biometric and protected health information. Not only did it impact those who were under OPM’s jurisdiction, but it also impacted those who were dependents. It was a sophisticated, large-scale hacking event that resulted in the creation of the National Background Investigations Bureau (NBIB).

ChoicePoint

ChoicePoint was part of a large impactful data breach in 2005 that led to the personal information of at least 163,000 Americans being sold to a crime ring. Fraudsters, posing as customers of the company, gained access to the company’s background check database – giving them the ability to mine sensitive personal information for nefarious purposes. In 2008, ChoicePoint agreed to pay $10 million to settle a class-action lawsuit. Since the breach, Senators have proposed a law to regulate the data broker industry called the “Data Broker Accountability and Transparency Act.”

Bonus Breach: U.S. Department of Veterans Affairs

This 2006 data breach affected 26.5 million veterans, spouses, active-duty military personnel and reserve military personnel. It led to the acknowledgment of many vulnerabilities in the VA. It also heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. Lessons learned included that rapid notification of key government officials is critical, that a core group of senior officials should be designated to make all decisions regarding an agency’s response, and that determining when to offer credit monitoring to affected individuals requires risk-based management solutions.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both as consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live advisor about what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign up for our newsletters.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



and two that changed how we should perceive our data…

Since 1999, the Identity Theft Resource Center has been hard at work empowering identity theft victims with the resources and tools to resolve their cases, as well as helping people proactively reduce their risk of becoming a victim of identity theft. One of the most common ways consumers have their information misappropriated is through data breaches. Since 2005, we have recorded over 10,000 publicly notified breaches. Let’s look at the top three major data breaches with the biggest impact to consumers based on our new risk assessment tool, Breach Clarity, developed in partnership with Futurion and its creator Jim Van Dyke.

Based on ITRC’s database of data breach notifications and Breach Clarity’s proprietary processing, Van Dyke says consumers can be better educated on which breaches rank as the all-time riskiest to the individual consumer in terms of both size and scope. The new tool includes the potential impact on the affected individual identity-holder, what types of identity theft could occur based on the records exposed and what steps that person needs to take to minimize his/her risk. Here is a look at the top five major data breaches that impacted individuals in the United States:

The U.S. Office of Personnel Management

In June 2015, the U.S. Office of Personnel Management (OPM) was the target of two separate hacking events exposing background investigation records of 21.5 million Federal government employees and contractors. The information impacted included Social Security numbers (SSNs), fingerprint data and security clearance information. It also exposed PII of dependents, including SSNs, dates of birth and other information.

OPM was one of the most significant major data breaches in memory, ranking a ten in severity on Breach Clarity. Van Dyke says it created a risk through the exposure of security clearance and biometric data for those working in service of our country.

Equifax

Credit reporting agency Equifax experienced a hack in 2017 that exposed 146.6 million U.S. consumers’ personal information. “Equifax has been regarded by many to be the worst of all data breaches because this hack generally exposed Social Security numbers for a massive amount of individuals,” Van Dyke said. The information exposed included names, birthdays, SSNs, addresses, phone numbers, driver’s license numbers, email addresses, payment card information and Tax ID numbers.

While this major data breach ranked ten in severity and exposed so much information, it is not among the worst in terms of per-victim impact. As we learn more about the settlement process for this breach, each individual consumer will need to assess the impact based on their circumstances.

Anthem, Inc.

In 2015 Anthem, Inc. had a major data breach, exposing nearly 79 million sensitive records. Van Dyke says it created a dangerous risk, receiving an overall risk level of eight. Breach Clarity shows that it created a unique pattern of risk that included new financial account creation and tax refund fraud.

There were two other breaches that really changed how consumers viewed their data and how companies should secure it. No two breaches have the same impact, but Facebook and Yahoo brought the spotlight on how companies could manage their users’ data security better. It also reminded users that they are ultimately responsible for the information that is being housed in any particular platform. When all else fails, don’t share it if you don’t want it to be potentially exposed publicly.

Facebook

In 2018, hackers were able to tap into the ever-popular social media landscape, stealing account access tokens from Facebook and then using them to access user names, contact details and profile information like usernames, birthdays and device types used to access additional information.

“The Facebook breach represents a particularly unique type of breach,” Van Dyke said. “It represents behavioral data that victims may not be prepared to respond to. It is unlikely that even a social media behemoth like Facebook will earn a top risk score in Breach Clarity, yet again we need to continue understanding how personal relationships and behavioral data increase risk of a variety of crimes.”

The security hack affected 50 million accounts and led to tokens being stolen from 30 million of them, resulting in the major data breach getting a risk score of five on Breach Clarity.

Yahoo

After experiencing a major data breach affecting 500 million users in September 2016, Yahoo announced a second breach just months later in December that affected more than one billion user accounts. “Yahoo was one of the biggest data breaches ever,” Van Dyke said. “Both in sheer number of victims and the duration of exposure during which criminals had access to private data.”

An unauthorized third party stole information like names, email addresses, phone numbers, birthdays, passwords and security questions and answers from users. Van Dyke says users who emailed private documents like tax returns may be at particular risk because criminals may have also had access to personal email records. He says Breach Clarity cannot predict all of the possible identity theft and fraud risks because of the varying nature of private data exposed while the criminals had access. This particular major data breach received a risk score of four.

Also, you can use Breach Clarity to see the actionable steps you can take after a data breach. If you think you might have identity theft, speak to one of our advisors for free assistance at 888.400.5530.


 

Thousands of schools and students were recently affected by the Pearson data breach. Educational software developer Pearson announced that it suffered a data breach of its AIMSweb platform. The FBI first alerted Pearson to the issue, and after investigating, the company discovered approximately 13,000 educational institutions’ AIMSweb accounts were breached by an unknown individual. There could be thousands of individual student accounts at each different institution, leaving the total number of victims unclear.

It is tempting to think that the Pearson data breach is not very serious because, although affected students had their names disclosed in the breach, only some of the students had their email addresses and dates of birth compromised. However, despite the limited dataset, hackers can actually cause serious damage:

  • If the hackers of the Pearson data breach manage to infiltrate any of the email accounts, they can potentially target the students’ other accounts, like retailers, social media, and even work-related accounts
  • With access to the email accounts, the hackers could also target the students’ devices themselves, if the accounts are also linked to their device manufacturers
  • Even without taking over any accounts, the hackers can target the victims with spam emails, phishing attempts and harmful software viruses

Also, if the hackers of the Pearson data breach are able to infiltrate individual schools, having access to the students’ email addresses and birth dates can have other serious implications. Despite not compromising more sensitive information like Social Security numbers and not having any proof that the information has been used maliciously by the hackers, Pearson has stated it will offer free Credit Monitoring Services for affected victims of the Pearson data breach.

It is important to understand the seriousness of a data breach notification letter. In the event of any data breach in which any of your information may have been accessed, you need to take advantage of whatever protection the company is providing. Even if the stolen records do not contain highly sensitive material, this kind of service helps safeguard your information in the event a hacker is able to connect the dots between different data breaches and form a more complete picture of your identity. Ultimately, the Identity Theft Resource Center recommends that each potential victim of the Pearson data breach do what is best for them given their situation.
