Posts

Organizations like the Identity Theft Resource Center track data breaches and identity theft crimes throughout the year in order to establish a clear picture of how these issues affect consumers. Year after year, record-setting numbers of data breaches and compromised consumer records continue to plague every sector of industry, but nothing may have been more surprising than this:

In July, more than 860,000 patients’ medical records were compromised in data breaches.

You read that right: 860,000 patient records. The data breaches that resulted in the loss of records came from a variety of sources and methods, and not all of the affected records led to individual harm. The result; however, is nearly one million people whose information was in some way exposed.

What’s interesting about the events that compromised so many records is the different ways they happened. Improper disposal of records, something that has been happening for decades, may have affected more patients than any other mechanism, even the supposedly high-tech kinds like hacking or ransomware. It’s alarming that more than 300,000 patients’ records were exposed through improper disposal, yet only two reported improper disposal events were uncovered in July.

Hacking or other cybercrimes—arguably the more commonly thought of method of data breaches, at least in the minds of the public—were only responsible for just over 200,000 stolen records. Except for a couple of incidents involving health insurance providers or vendors, most of the 18 separate intentional breaches targeted the networks of healthcare providers themselves.

Accidental exposure of records is an issue that has weighed on nearly every kind of industry in the past few years, and the healthcare sector was no different. Last month, more than 200,000 patient records were exposed when a database of information from one state was left accessible on the internet. Of course, it’s irresponsible to overlook the potential exposure that happens when someone misplaces a USB drive or reports a stolen laptop. That single missing laptop was responsible for the exposure of almost 5,000 patient records in one event.

So what does this mean for patients? It means you could expect a notification letter or email to show up in the near future, providing you with step-by-step instructions on how to take action if your records were exposed. It also means you need to monitor your sensitive accounts carefully and be on the lookout for medical bills or insurance claims that you didn’t file in case an unauthorized person uses your identity.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When new technology comes along, it might take a matter of years or only a matter of days for a highly-skilled hacker to figure out a way to break in. With any luck, the person who breaks into the system is what’s known as a “white hat hacker,” or someone whose expert-level skills are put to use helping stop criminal activity instead of benefitting from it.

When security analyst Ryan Stevenson breached Comcast’s Xfinity website portal, it seemed like a frighteningly easy task. It simply required him to match up readily available IP addresses—basically, your computer’s code name onto the internet—with the in-home authentication feature that lets users pay their bills on the telecom provider’s website without having to go through the sign-in process. Another vulnerability allowed Stevenson to match users to their Social Security numbers by inputting part of their home mailing addresses—something that the first vulnerability exposed—and guessing the last four digits of their SSN.

Guessing the last four digits of someone’s SSN might not sound that easy, but it only takes seconds for a computer to do it with the right software. The flaw in the website allowed the computer to make an unlimited number of guesses for a corresponding mailing address, so it took very little time for the code to reveal complete Social Security numbers.

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch a few hours after the report of the flaws. The company responded to requests from news outlets with an official statement to the effect that they have no reason to believe anyone other than Stevenson accessed this information. They also don’t believe that the vulnerabilities are related to anyone with malicious intent. Just to be safe, though, the company is continuing an investigation into how the flaws originated and how they might possibly have been used.

In the meantime, Xfinity customers would do well to monitor their accounts closely. This could potentially affect other accounts, not just their telecom service accounts, as Social Security numbers, names and mailing addresses were visible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Highly-sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health proves, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skillset the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email or even a free throw away account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring for those whose Social Security numbers or drivers licenses were accessed. They’ve also included instructions to all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. It doesn’t matter if it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It does not matter what the mechanism is, such as email or social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and head directly to your account for whatever company or organization claims supposedly sent the message. Look into your account status there, and if you’re still unsure, contact the company directly through their verified contact method. If you receive any requests for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Reddit is a popular-but-controversial website dedicated to forum threads and messaging groups. Think of it as a giant bulletin board at the end of your driveway where anyone can post a new discussion topic, others can respond, but only a handful of people whom you’ve chosen are allowed to come up to the door and talk to you. Unfortunately, the highly anonymous nature of Reddit has allowed it to become a breeding ground for discussions that range from “how to bathe a poodle” to “where to buy illegal items” and other dangerous content.

Reddit has now disclosed that it suffered a data breach in June, and that login credentials were stolen for everyone who signed up for an account before May 2007. A separate compromise at the same time also accessed all of the daily digest emails, which presents a different kind of privacy problem.

The website is one of the largest in the world, so a hacker who pulled off this feat already gets to brag a little among his cybercriminal contacts. However, what sets this one even further apart is that the hacker was able to bypass two-factor authentication to gain access to employee credentials.

Two-factor authentication is an additional layer of security that denies you access to an account until you have two methods of logging in. It might be sending a one-time use PIN number to your phone, for example, which you need in order to log in alongside your username and password. It may also be answering security questions or providing other details to verify your identity.

Given the highly controversial nature of some content on Reddit, the company’s employees were required to use two-factor authentication in the form of an SMS message, or a text message as it’s more commonly known.

Somehow, the hackers intercepted those text messages and were able to log in under the employees’ stolen credentials.

First, the dire warning to the tech community: don’t be fooled into thinking that two-factor authentication will absolutely keep someone out. Yes, it’s been a great shield so far, but this demonstrates that it can be cracked. Previous data breaches that have leaked cell phone numbers may be to blame, as a hacker can port that number to an additional handset and intercept SMS messages.

Next, for Reddit users: the anonymity that you’ve enjoyed so far may be at risk. The hackers accessed the daily digest subscribers’ emails, so if you’ve subscribed to any Reddit subgroups that are topic-specific—especially ones that could have personal consequences if other people found out—there’s a chance your email address could be shared. If your email address has also been used to log into Reddit and post inflammatory, sensitive or otherwise extremely private content on Reddit, it is possible for the hackers to connect those dots and make that information public.

Reddit will undergo a forced password reset for accessed accounts, but it’s a good idea to log in and change it even if you don’t receive notification from Reddit. Also, if you’ve reused a password from Reddit on another account, you should change that one as well.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

April the Giraffe became an internet sensation in 2017, bigger perhaps than any pop-star-behaving-badly, for her adventure park’s YouTube live stream of her pregnancy and delivery. It took a little longer than expected, but she gained a following of millions of viewers for the birth of her first baby to be born at the park, Tajiri.

At that time, many people had a tongue-in-cheek criticism of the whole sensational affair: how would you feel if someone broadcasted your pregnancy and delivery to the entire internet?! In fact, in recent years, more and more hospitals have instituted policies against this very thing, banning video cameras, digital cameras and even cell phones from the delivery room to give the mom and baby both some privacy.

Obviously, April didn’t seem to mind either the jokes or the constant attention directed towards her medical condition. Hopefully, she’s just as calm about the April Cam going live once again for her next delivery. But that doesn’t mean we should be so laid back about our own privacy and oversharing of personal information.

Oversharing happens when we post more information or content online that might be safe. It could be sharing too many details in your social media profiles, entering information online without finding out where it will end up, even posting photographs that in hindsight probably shouldn’t have been made public. In any event, oversharing is a serious problem that can lead to consequences like identity theft, account takeover, repercussions at school or in the workplace and more.

In order to avoid oversharing, there are a few things to keep in mind:

  1. Social media settings – Who can see your posts? Do you know how to keep others’ prying eyes out? Depending on the platform, such as Facebook versus Twitter versus Instagram, you have options when it comes to keeping your content limited to people you personally know. To check up on your privacy settings, log into your account and go to your profile. Note: that’s not to say everyone must lock strangers out altogether, but it’s good to know how to set up your preferences and change them if you wish.
  2. Locations – If you have location settings turned on for your phone or other devices, you might be handing a criminal the exact location to where you’ve taken a photograph, even down to which room in your house. A concept called geotagging incorporates these coordinates into the digital file for the image, and when you upload that image, you can retrieve the coordinates by someone who accesses the picture. In order to keep your location under wraps, be sure to turn off the location settings for your device’s camera so, anyone with malicious intent doesn’t come looking for the flat-screen TV or MacBook in the background.
  3. Sensitive content – Finally, once you’re certain that the posts aren’t giving away too much, really think about what’s in the post, photo or video. Is this something that paints you in the best light? What will an employer say about it? Is it embarrassing to anyone in your family, including your kids?

Remember, April the Giraffe may not understand that millions of people around the world watched her every move—including an event that most people consider to be very, very private—but you and your friends or family might care a great deal. Protect your privacy and your dignity with safe, smart sharing behaviors.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When news breaks of a data breach, consumers might envision a network of Dark Web hackers infiltrating a major target and stealing their files. However, a large number of data breaches are the work of a company’s employees. Sometimes, those employees have set out to steal information from the business, while other inside job data breaches are purely accidental.

That appears to be the case in yet another data breach that can be traced back to an unsecured Amazon S3 web hosting server. Many breaches have already occurred as a result of user error in password protecting these hosted file storage databases, but this time, the compromised information was voter registration records.

A data breach involving voter records might automatically make the public assume the worst in today’s political climate, so it’s important to point out that the compromised information includes a lot of data that is already publicly available to researchers, journalists and other interested parties.

In this event, an unsecured server allowed anyone who “stumbled” on it online to see information that includes full names, phone numbers, complete mailing addresses, political affiliations, birth dates and genders, demographic information that has been gathered and more. The database included records for more than 26,000 voters, according to a report by Bob Diachenko, head of communications for cybersecurity firm Kromtech Alliance Corp.

Diachenko found the information online after conducting a sweep for unsecured S3 web servers. The information belonged to a political robocalling company named Robocent, who sells individual voter records to anyone who wants them for three-cents apiece. The only thing Diachenko had to do to find this exposed database was search for the keyword “voter” in his hunt for unsecured servers.

Unfortunately, another service had already found the information. According to a report on this incident by Cyberscoop, “By the time it was identified by Kromtech, the server had already been indexed by GrayhatWarfare, another website that scans the internet for open S3 buckets.”

When Diachenko reached out to Robocent to report the compromised data, the response was less than satisfactory: “We’re a small shop (I’m the only developer) so keeping track of everything can be tough.” The information is now secured, but there is no way of knowing who else has already seen it.

Looking back at the information that was exposed, it might seem like fairly harmless, common knowledge-type data. After all, names and addresses need more protection. However, this type of database exposure is a gold mine for identity thieves who commit synthetic identity fraud; that type of fraud occurs when the criminal pairs existing identifying information with a made up or unissued Social Security number, essentially creating a fake person who has the victim’s name, address, and other data points.

Since members of the public have very little recourse when it comes to knowing if someone compromises their information, it’s more important than ever to monitor your account statements and credit reports, secure all of your accounts with strong, unique passwords and stay on top of anything suspicious that happens with your identifying information.

ith harsh comments, pleas for help, and any other statement to get the money out of you. Don’t fall for it, and don’t let love turn into heartache and loss by giving in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

What is considered valuable in terms of personal information has continually shifted definition for decades. At the Identity Theft Resource Center, educating consumers about the value of personal information is one of our top priorities. We often find that many consumers are unaware that having your Social Security number (SSN) exposed in a data breach is far more dangerous than having credit card or debit card information exposed. In addition to your SSN, other personal information that is regularly overlooked are login credentials (i.e. usernames and passwords), which can lead to other information being stolen using a method referred to as “credential cracking.”  This form of hacking is very widespread and more insidious than most Americans realize.

The Open Web Application Security Project defines “credential cracking” as a method that cybercriminals use to “identify valid login credentials by trying different values for usernames and/or passwords.” This is important considering that, according to the 2017 Verizon Data Breach Incident Report, 80 percent of hacking related data breaches were carried out using either stolen passwords and/or weak or guessable passwords. This means that cybercriminals attempt to gain access to a consumer’s account using educated guesses. How does someone make an educated guess about another person’s passwords? There are a couple of ways that this is done and it’s a lot easier than one might think. For example, criminals can use software that runs every word in the dictionary through authentication in hopes that a consumer has used a simple word as their login credentials.  Another way that cybercriminals make educated guesses on login credentials is to use common passwords. Unfortunately, this is successful as consumers continue to use passwords such as “password” or “1234567”. Another way that hackers crack credentials, which is the most pertinent to the focus on the value of personal information, is the use of breached login credentials.

In 2017, there were nearly 179 million pieces of personal information stolen, lost or exposed in data breaches. The use of breached login credentials by hackers is pertinent to the value of personal information because it transforms our ideas of what information is the most dangerous to have stolen by hackers or lost in a data breach.  For example, consumers would most likely consider having their tax information lost or stolen in a breach far more dangerous than having their Yahoo or Gmail account credentials stolen. However, the use of “credential cracking” shows us that one can be just as dangerous as the other.

In order to understand why this can be so detrimental, consumers should first think about the login credentials, most commonly this is a username and password, they use on their online accounts. While the best practice is that consumers use different login credentials on each of their accounts, this often isn’t a reality. How many consumers use the same username and password for their Facebook account as they do for their online banking? Even those who may think they are being safe by using different passwords often only use one or two slight modifications, such as the addition of a punctuation mark or another number to their commonly used passwords. When this is the case, all that a cybercriminal has to do is get their hands on the login credentials for one account and they have the key to open many accounts, which may be far more dangerous than the initial account which was compromised. This is crucial for consumers to understand. It shows why each piece of personal information, even something as seemingly useless as the login credentials for an old Twitter account you no longer use can spell big trouble. This is why we stress that consumers need to protect all the components of their personal information because they all have value. Of course, don’t hand out your SSN as you would your email address. The best strategy is to continue to guard that information as incredibly sensitive as well as protecting other personal information.

Our reminder to you is that every single piece of personal information has value. While the login credentials to your social media accounts may not initially cause the damage that an exposed SSN or banking account information will, with a little work from criminals those social media login credentials can lead to exposing more forms of personal information. Each piece of personal information is like a puzzle piece or clue which can be put together to cause serious damage in the form of identity crime.  So, while the value of a SSN, or other sensitive personal information, is far more valuable in the eyes of identity thieves, an email password has value as well. Both can lead to having your identity stolen. Consumers must understand that each piece of personal information or data has value and protect it.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.