Posts

A recent data breach of Dave, an online banking service, has users of the service searching for answers. Hackers often target digital banking services for their plethora of consumer records. In 2018, hackers leaked the information of 2.8 billion consumer data records, costing $654 billion in damages to U.S. organizations. Additionally, since the start of COVID-19, there has been a 50 percent increase in mobile banking. Dave is a fintech company that allows users to link their bank accounts and loan payments for upcoming bills to avoid overdraft fees. The Dave.com data breach occurred after the company’s third-party service provider, Waydev, was breached, allowing hackers access to over seven million users’ data.

What Happened

Dave suffered an attack, resulting in 7,516,625 user records being published on RAID, a hacker forum. Some of the information that was exposed from the Dave.com data breach included names, emails, birth dates, physical addresses, phone numbers, encrypted Social Security numbers and Bcrypt hashed passwords. The company uncovered the hacker’s access point into the database and has since notified customers of the exposure. After becoming aware of the incident, Dave enlisted law enforcement and the FBI to conduct an ongoing investigation, according to ZDNet.

What Does This Mean for You?

While there is no evidence that hackers have used the data from the Dave.com data breach to gain access to accounts or conduct any unlawful actions, there is still a lot of harm that could potentially be done. One threat is social engineering, where someone manipulates someone else into divulging personal information. Since multiple forms of information were exposed, there is an even higher and potentially more harmful risk for those impacted.

While the threat level is not as high as social engineering, hackers could also target victims with mail-forwarding and sign up for accounts with the victim’s information.

Next Steps to Take

Affected users of Dave should consider taking immediate action to minimize the risks of identity theft. Some important next steps include:

  • Change the usernames and passwords on any accounts that share a username and password with their Dave.com account – opt for a stronger, unique passphrase
  • Look out for account sign-ups and websites which they are not familiar
  • Avoid clicking on any links or opening any attachments in messages they are not expecting or giving out personal information on the phone. Instead, users should reach out directly to verify the validity of the message.

Anyone affected by the Dave.com data breach can call the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an expert advisor. Finally, victims should consider downloading the free ID Theft Help app for access to resources, a case log to track their activities in managing their data breach case and much more.

You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, a week full of interesting publicly-reported U.S. data compromises. This week on the Identity Theft Resource Center’s Weekly Breach Breakdown podcast, we are focusing on cyberattacks and data breaches that help us put a price tag on people’s personal information – including EDP Renewables’ ransomware attack, a Twitter data breach that exposed Slack user information and much more.

In the 1980s, hacking started to become a thing. For the most part, hackers were young, smart and motivated by the challenge of breaking into the phone company or the Pentagon. As the ITRC’s COO and podcast host James Lee says, “the payout was street credibility.” Today, hackers are known as threat actors, and they are looking to steal people’s personal information simply because they are motivated by greed. Stealing someone’s personal information is not so much about breaking into someone’s bank account as it is stealing users’ login and passwords from a company to dupe them into paying a fake invoice (from said company) or infecting a company’s systems with ransomware.

Earlier this year, security research firm SentinelOne estimated that ransomware cost U.S. companies $7.5 billion in 2019. That number is expected to increase because the average ransom paid is going up. According to Security Boulevard, in six months between October 2019 and March 2020, the average ransom payment went from $44,000 to more than $110,000 an attack.

Originally, data thieves were content with just locking up a company’s files and walking away if they did not get paid or releasing the files back to the company if they did. Now, however, cybercriminals specializing in ransomware are using more sophisticated attack software and bolder tactics. Attackers are downloading sensitive personal information before they notify their victims instead of just sending a ransom note after locking files, turning a basic cyber hold-up into a classic data breach.

This past week, EDP Renewables, a European energy company that serves 11 million customers in the U.S., confirmed they were the target of a ransomware attack with a $14 million price-tag. Customer information was breached as part of the attack. In ransomware attacks, like EDP Renewables, the stolen information is used as leverage to force companies to pay the attackers. EDP Renewables did not pay. The demands like the one in the EDP Renewables ransomware attack make it easy to calculate the value cybercriminals put on identity information.

Another way to tell the value of personal information is to look at the price data commands in one of the Dark Web’s illicit marketplaces – where stolen information and identities are commerce. Earlier in July, data thieves posted a database of customer information from Live Auctioneers, an auction website that allows people worldwide to bid on auctioned items in real-time. The complete set of 3.4 million records are for sale starting at $2,500.

However, not all data is as valuable as other pieces of information. For example, a credit or debit card could be worth as much as $11 or as little as $1. Workspace tool Slack is learning their user information is not as valuable to data thieves, at least right now. A recent Twitter data breach exposed Slack user information. According to security researchers at KELA Group, 17,000 Slack credentials from 12,000 company workspaces are for sale on the dark web for a little as $0.50 and as much as $300. Despite the cheap low rate, no one is taking advantage of the Slack data from the Twitter data breach – posts offering the Slack credentials are nearly a year old. The reasons why cybercriminals are interested in some data and not interested in other data can vary. However, right now, data thieves are not interested in the Slack user information; because as popular as Slack is with users and Wall Street, Slack channels are rarely filled with the kinds of information cybercriminals want.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Keep an eye out for the ITRC’s new data breach tool, NotifiedTM. It’s updated daily and free for consumers. Businesses that need access to comprehensive breach information for business planning or due diligence can subscribe to unlock as many as 90 data points through one of three paid tiers. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches in August.

If someone believes they are a victim of identity theft or have been impacted by a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

You might also like…

Twitter Hack Serves as a Reminder of How Manipulative Bitcoin Scams Can Be

Cyber-Hygiene Tips to Keep Consumers Safe

USS Bonhomme Richard Charitable Giving Scam