Posts

Identity Theft Resource Center is Available for Subject Matter Interviews

Today, the Federal Trade Commission and Equifax announced a settlement in the 2017 data breach that resulted in 148 million U.S. consumer identity credentials being compromised.

As the leader in victim assistance in identity crime cases, the Identity Theft Resource Center is available to provide expert perspective on the potential impacts to consumers and the relevance of today’s announcement for those impacted by the 2017 breach. With over 100,000 consumers seeking advice from ITRC in the days after the initial incident, executives from the organization were on the frontlines of the initial aftermath.

Additionally, ITRC produced a report on the impacts the consumers felt over the course of the year after the event. The AftermathTM: Equifax, One Year Later states the 81 percent of respondents experience anxiety or worry as a result of the event.

Members of the ITRC’s executive team are available for interview via local affiliate, Skype, phone or satellite studio.

Read our guide on How to File an Equifax Claim for Data Breach Settlement

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: http://www.idtheftcenter.org

Identity Theft Resource Center
Charity Lacey
VP of Communications
O: 858-634-6390
C: 619-368-4373
clacey@idtheftcenter.org

A recently announced Evite data breach has some alarming potential outcomes. The internet-driven invitation platform allowed people to sign up for events and virtual meetups, so the very nature of the website gave outsiders a way to contact users via email. Access to the users’ Evite accounts means a hacker could send phishing attempts, malicious links or other scam communications to unsuspecting individuals.

The Evite data breach, which occurred from February to May this year, compromised account information dating back as far as 2013. That information included names, email addresses, usernames and passwords for an as-of-yet unknown number of users. Other optional information that some users provided, such as birthdates and phone numbers, was accessed as well.

Risk Level of Information Exposed

It is tempting to think that this information is not all that sensitive, so therefore, this breach is not too troublesome. Unfortunately, that is not the case. First, any data breach of stored information is a big deal since it means someone has managed to work their way into a cache of collected data. Moreover, usernames, email addresses, and passwords are a massive problem if the users haven’t been practicing solid security hygiene.

There is an interesting twist with the Evite data breach that experts have identified: the notification letter itself. Now that data breach notification letters can legally be emailed—which not only reduces the amount of time for victims to find out, but also greatly reduces the cost to the company who suffered the breach—there is actually a plausible concern that spammers themselves will email the victims. Once news of this or any data breach comes to light, spammers could send out fake emails that appear to come from the affected company. Instead of helping the victims, though, they may contain harmful links, viruses or further phishing attempts. It is important to follow good protocols for your security when receiving a data breach notification email.

What You Can Do About It

For now, Evite users are encouraged to change their passwords and ensure that no other accounts they use shared those same login credentials. This is true even if you do not receive a notification email from Evite. Also, if you do receive any communication from Evite, do not click a link or download an attachment. The company has already said its notification letter while not contain those things, but it is never a good idea to click or download in an email unless you were expecting additional content. Always verify the safety of the link or attachment before opening it, regardless of who you think sent it.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Experian proudly provides financial support to the Identity Theft Resource Center.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

In what has become an alarming security trend, yet another company has exposed millions of consumers’ profiles online due to a non-password protected web-based server. Ladders, a recruitment site that lets users create a profile that can be shared with potential employers, was using an Amazon-hosted web server to store the profiles; according to a security researcher who discovered the information exposed online—and according to confirmation from the company—13.7 million of those users’ complete profiles were available to anyone who knew to look for them.

While the information didn’t appear to contain Social Security numbers, everything else that you might list in a job application was there. Names, email addresses, physical addresses, work histories, educational level, even whether or not the applicant had a security clearance and in what field were all available.

Fortunately, the information was discovered by Sanyam Jain, who works for a non-profit that specifically looks for overexposed information and reports it. There’s no way of knowing if anyone with malicious intentions got to it beforehand, though. After receiving the report, Ladders took down the database within a short time.

Incidents like this one continue to happen, largely due to poor password security. In far too many of the cases of accidental overexposure or data leak, the company who posted their information didn’t realize the default setting was “open” to the public.

For users of any platform, there’s really no way to prevent this kind of oversharing of their information. Other than contacting the company’s IT department, asking if they host their databases on web-based servers, and then asking if that server is password protected—all of which the IT department is probably not going to share with a member of the general public—there’s not much that individuals can do. But here are some actionable steps:

  1. Establish a secondary email – In cases like this, a spammer could download the database and target the users with spam and potentially harmful emails. If you’re establishing online accounts, you might consider setting up an email address that you only use for those purposes. However, in this case, it must be one that you can still check routinely since the purpose of the account was to be notified about job opportunities.
  2. Password security – Even if the other company doesn’t quite have their passwords nailed down, that doesn’t mean you can’t be safer with good password security. Never reuse a password or make one that’s too easy—remember, humans don’t sit and “guess” your password, but rather, software that can make billions of guesses per second does the job for them. Also, it’s a good idea to change your password from time to time, especially on sensitive accounts.
  3. Don’t throw in the towel – Even if it feels like your information is exposed every single day, that’s not the case. Data breach fatigue is a documented problem, but don’t let the constant news of poor security practices keep you from locking down your information as much as possible.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

Why Has UCSD Failed to Notify HIV Patients of Data Breach?

Data breaches are already upsetting enough, especially when your highly-sensitive personally identifiable information is put at risk. But when it comes to data breaches and fraud, perhaps there’s no greater intrusion than to suffer a data breach of your medical information; somehow though, even that kind of intrusion pales in comparison to being victimized in a breach then victimized again by the company who failed to inform you about it.

Now imagine that the medical information that was breached is of the most private nature, one that could have serious consequences for the victims should it get out.

University of California-San Diego partnered with a health services industry organization known as Christie’s Place to recruit participants for a vital, worthwhile study. The study’s subjects were all HIV-positive women who were examined on their commitment to treatment based on experiences with domestic violence, trauma, mental illness, and substance abuse. Unfortunately, the entire case file for all of the study’s participants was left visible in the computer—accessible to literally anyone who worked or volunteered with Christie’s Place.

Somehow, this data breach has taken yet another upsetting turn: UCSD decided not to inform the patients that their information has been exposed. The details on who was behind that decision have not been very clear, but as of recent reports, the patients are still unaware.

There are some very unclear details emerging from this, including allegations of misconduct and even possible attempts to inflate the numbers of patients receiving support. However, none of those accusations has been proven. More information on those matters can be found here.

In the meantime, the very least that can be argued about this breach and the failure to notify is that patients have not been given an opportunity to take action to secure their information. Some of the participants also may have not shared news of their diagnoses with others, and a violation of this kind could have serious consequences for them. The university has stated that it will notify patients very soon, but there is no specific timeline for that to take place.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

United States Customs and Border Protection (CBP) announced that it was victim of a data breach at the hands of a third-party partner. The information exposed included photos of license plates and travelers. CBP released a statement about the breach saying,

“In violation of CBP policies and without CBP’s authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” CBP added. “The subcontractor’s network was subsequently compromised by a malicious cyberattack.”

The hack happened by accessing a database on the third-party’s server that was unauthorized by CBP to exist. Although the third-party who caused the breach was not directly named, The Washington Post reported that the subject line of the emailed statement included “Perceptics.” Perceptics is a company based in Tennessee whose website boast they have been “securing our nation’s boarders for more than 30 years.” They design technology for identifying vehicles and license plates for federal and commercial use.

CBP claims they have conducted a thorough search and have not found any of the stolen information on the dark web. This does not however mean the data is impossible to use for malicious acts. President and CEO of ITRC, Eva Velazquez, sums it up in her NBC7 interview saying, “These things, they stay in perpetuity. It is not going to disintegrate. So even in this moment, if there is not a way to monetize, that does not mean 10 years from now that (stolen information) might not be more valuable.”

While CBP noted their own databases were not affected by this attack, this is not the first data breach under the Department of Homeland Security. Early last year it was reported more than 240 thousand employee records were exposed by a former employee.

ITRC continues to monitor the trend of cybercriminals targeting large third-party versus smaller first party databases. Four million records were exposed in 2018 because of focused cybercrime efforts on vendor security. By targeting popular third-party vendors that work with multiple companies, criminals can collect even more personal identifying information in one attack.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

For years, crimes like identity theft, scams and fraud have targeted residents in different states all across the country. Sometimes the crimes are simply based on opportunity, such as a large-scale data breach of a major company; in that case, the locations of the victims can seem to be somewhat random. Other crimes, however, have targeted residents of specific states, and the reasons for this kind of highly-specific targeting can vary.

Florida has the long-standing yet dubious honor of being one of the most targeted states over the past few years. The state has often topped the list for identity-related crimes, and 2018 was no different. The state ranked number one for fraud reports to the Federal Trade Commission (FTC), and number four for identity theft reports. These numbers are fairly typical for Florida’s ranking in those crimes.

According to different sources, there are a number of reasons why Florida might be such a hot target for criminals. These include state and local government structuring, the resort construction and tourism industries, a large retiree population and the high-density of the state’s population in numerous metro areas. Last year’s total volume of reports to the FTC was over 205,000 from Florida alone, and the average losses from that state were $400 per victim.

An article in the Sun-Sentinel explains, “Thieves and scammers apparently are attracted to Florida for a host of reasons: Its lack of state income tax means less scrutiny from state officials. Its transient population makes it easier for hit-and-run operators to blend in. Its large senior population provides a tempting target of savings and vulnerabilities. And its fast development means a lot of new money floating around.”

Of course, identity theft and fraud crimes are broad categories that encompass a lot of different forms of attack. Criminals can rely on highly-profitable but hard to trace tactics such as benefits fraud, credit card and new account fraud, account takeover and imposter scams. A report by Security.org based on the FTC’s data found that fake debt collection scams were the most commonly reported method of attack at 29 percent (approximately 71,000 reports); meanwhile, reports of identity theft and its related crimes made up another 15 percent, or 38,000 reports. There is a seemingly endless variety of ways that someone with a little bit of know-how can target someone in this way, as these findings have shown.

Fortunately, a lot of the ways that criminals target Florida residents—which truthfully, can all be a threat no matter where you live—can often be thwarted by developing an air of caution. Ignoring requests for your private sensitive information, for example, and refusing to make payments over the phone or via email can head off a lot of these attacks. Securing your accounts with strong, unique passwords can also help, along with changing those passwords frequently. Finally, helping others by spreading the word about common scams and fraud attempts can help protect those around you, which can in turn help protect you.

Of course, the Identity Theft Resource Center is always here to help. If you’re a victim of identity theft or have questions about scams and other issues, speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

Hackers are targeting vendors of companies for third-party data breach efforts. This trend rose in 2018, with over 4 million records exposed do to criminal efforts focused on vendor security.

Data breaches often occur at the hand, or keyboards, of hackers. Criminals can infiltrate insecure systems and steal personal data owned or stored by a company. The size of company and amount of personal identifying information (PII) they store factor in to the level of risk for consumers presented by the breach. One of the more newsworthy data breaches of 2018 was Marriot International, which exposed hundreds of millions of guest information including passport numbers. Hackers targeted Marriot because of the potential payoff of lots of lucrative PII, versus targeting many companies that might result in more – but smaller – payoffs. Now hackers are reevaluating their strategy and getting smarter about where they exert their efforts.

This new strategy comes in the form of targeting vendors for third-party data breach. Instead of going after one large company’s data, they go after a vendor who works with multiple large companies and collects even more PII. Third-party vendors – like email servers, payment platforms and web plugins – often work with a multitude of companies ranging in purpose or product offered. Therefore by compromising a third-party’s security measures, a hacker gains access to even more PII from a wide variety of consumers.

This attack on third-parties and subcontractors became a trend in 2018. Of the third-party data breaches that were reported in 2018, 4,823,234 records were exposed four times more compared to 2017 third-party breaches. In 2019, eSentire (a cybersecurity firm) commissioned a study to determine how concerned companies are regarding vendor risk given the trend in data breach.

According to the study, 81 percent of respondents said they had an effective third-party risk policy and 74 percent are confident in their vendors’ protections. However, only 35 percent said managing vendor risk was a priority and 20 percent said they trust vendors to uphold privacy standards blindly. The reality is of the respondents surveyed, 44 percent of them (or their employer) had experienced a data breach involving a vendor in the last 12 months. To make matters worse, only 15 percent were notified of the breach by the responsible vendor.

There is a clear disconnect between the effort put forth into managing vendor security and the amount of trust companies put in their vendors. Companies need to start evaluating vendor relationships and security practices more thoroughly to ensure the safety of consumers. On the opposite end, consumers need to remember that the safety of their data ultimately resides with them and take the utmost precautions with their personal information.

If you are a victim of data breach, or have concerns over a recent data breach and your identity, Breach Clarity can help you identify your potential risk and suggest preventative steps. You can also contact ITRC for free assistance regarding your case. Speak with an expert advisor over the phone (888.400.5530) or through LiveChat.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Identity Theft Resource Center and Futurion unveil a new tool Breach Clarity for consumers impacted by data breaches 

LAS VEGAS, Mar 24, 2019 ­­– Today, the Identity Theft Resource Center® (ITRC), a national non-profit organization established to support victims of identity crime, and Futurion announced during the KNOW 2019 conference the launch of a new tool to empower victims of data breaches in decoding what breach notification means to them and how they can minimize the risk of identity theft and fraud. The ITRC, along with the tool’s creator Jim Van Dyke, announced Breach ClarityTM. Breach Clarity is the secret decoder that will allow consumers to decipher data breach risks, prioritize the right minimization actions and access ITRC advisors for additional help. Breach Clarity is a no-cost, online tool for consumers, meant to crack the often muddled and incomplete information that follows breach notification.

Consumers can utilize the tool at www.idtheftcenter.org/BreachClarity and begin decoding the effect of any data breach on their identity safety. Breach Clarity uses a proprietary algorithm to give a data breach a risk score based on unique variables, like amount and type of information exposed. The higher the risk score for a specific breach, the more negative consequences that breach can potentially have for an individual. Breach Clarity also unlocks the top potential harms and recommended action steps for a victim of each breach, eliminating confusion in a time-is-of-the-essence period for victims. Finally, the tool provides resources for consumers like risk minimization plans from ITRC for data breach and next steps toward remediation.

The most frequently asked question ITRC receives when assisting victims of data breach is, “But what does this actually mean to me?” The national non-profit strives to better assist and educate victims in determining if they should be worried and how the breach can affect them. Breach Clarity gives consumers the power to decode the harms of a data breach. After receiving a notification letter or getting information from a credible third-party like media sources, websites that provide security

information and other sources, a victim can enter the name of the breach they were affected by to decode what that breach means to his or her safety.

“Victims deserve answers, not vague language that covers up the true meaning of data breaches,” says president and CEO of ITRC Eva Velasquez. “We are thankful to have partners, like Jim Van Dyke, who are working to change the industry and bring clarity to victims. Breach Clarity is the first step toward empowering data breach victims and changing the scope of the industry.”

The Breach Clarity algorithm runs on the backbone of ITRC’s proprietary database of publicly available and notified breaches. Since data breaches – and fraud methods around them – often change quickly, Breach Clarity is a dynamic, evolving tool that updates as new information becomes available regarding breaches and fraud mechanisms.

“I’m delighted to work with the ITRC because we share a passion for protecting consumers,” says Jim Van Dyke, inventor of Breach Clarity. “In contrast with some who blame victims as being ‘apathetic’ or even ‘dumb’ when it comes to security, Breach Clarity is designed to empower every identity holder with the facts and help they need to minimize the risk of a data compromise leading to identity theft.”

Shortly following the launch of Breach Clarity, ITRC and Van Dyke will jointly offer webinars on how to use the tool and address questions from the public. Sign up for the first webinar about Breach Clarity at idtheft.center/BreachClarity. For financial institutions and employers, a premium version of Breach Clarity will be created to provide advanced capabilities such as an expanded list of risks and action steps for the consumer, integrated results from multiple breaches and methods for integrating to digital finance systems that further empower the consumer after a breach.

Attendees of the KNOW 2019 conference can join Eva Velasquez, president and CEO of ITRC (booth #121), Jim Van Dyke, founder of Futurion and creator of Breach Clarity, and James Ruotolo, director of product management and product marketing for the Fraud and Security Intelligence division at SAS, for a covert event Monday March 25th, 7-9pm. Register here or visit ITRC’s booth (#121) for more information, space is limited as this is a first come, first serve event. Thanks to SAS for their support of ITRC and underwriting the KNOW 2019 networking event.

###

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: http://www.idtheftcenter.org

About Futurion and Breach ClarityTM

Futurion is a research-based consultancy focused on consumer identity, digital commerce and financial services. Futurion’s CEO Jim Van Dyke formerly founded and led Javelin Strategy & Research and has also held various product management and board positions. Breach Clarity was created based on research of consumer identity crime victims and interviews with experts on the front line of fraud prevention at financial institutions, government agencies, payments networks and more. Breach Clarity’s basic outputs are free to all consumers at www.BreachClarity.com, with an upcoming premium version being designed for consumers who log into their secure personal account at licensing financial institutions and employers.

###

Identity Theft Resource Center
Charity Lacey
VP of Communications
O: 858-634-6390
C: 619-368-4373
clacey@idtheftcenter.org

Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund dispersal option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

Fortunately, there are steps that consumers can take to minimize their risk. The Identity Theft Resource Center provides free victim remediation assistance through its call-center by dialing (888) 400-5530. The ITRC will host an informative Twitter chat with the Federal Trade Commission to provide insight into protecting yourself. The live event will take place on March 8, 2019, at 8 am PT/11 am ET, and will discuss the importance of protecting yourself against tax-related identity theft. Use #IDTheftChat to join!

If you can’t take part that day, you can still read all of the tweets later on by searching for the hashtag. For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Tidying Up For Your Identity, Mobile Device and More…