Posts

A recently announced Evite data breach has some alarming potential outcomes. The internet-driven invitation platform allowed people to sign up for events and virtual meetups, so the very nature of the website gave outsiders a way to contact users via email. Access to the users’ Evite accounts means a hacker could send phishing attempts, malicious links or other scam communications to unsuspecting individuals.

The Evite data breach, which occurred from February to May this year, compromised account information dating back as far as 2013. That information included names, email addresses, usernames and passwords for an as-of-yet unknown number of users. Other optional information that some users provided, such as birthdates and phone numbers, was accessed as well.

Risk Level of Information Exposed

It is tempting to think that this information is not all that sensitive, so therefore, this breach is not too troublesome. Unfortunately, that is not the case. First, any data breach of stored information is a big deal since it means someone has managed to work their way into a cache of collected data. Moreover, usernames, email addresses, and passwords are a massive problem if the users haven’t been practicing solid security hygiene.

There is an interesting twist with the Evite data breach that experts have identified: the notification letter itself. Now that data breach notification letters can legally be emailed—which not only reduces the amount of time for victims to find out, but also greatly reduces the cost to the company who suffered the breach—there is actually a plausible concern that spammers themselves will email the victims. Once news of this or any data breach comes to light, spammers could send out fake emails that appear to come from the affected company. Instead of helping the victims, though, they may contain harmful links, viruses or further phishing attempts. It is important to follow good protocols for your security when receiving a data breach notification email.

What You Can Do About It

For now, Evite users are encouraged to change their passwords and ensure that no other accounts they use shared those same login credentials. This is true even if you do not receive a notification email from Evite. Also, if you do receive any communication from Evite, do not click a link or download an attachment. The company has already said its notification letter while not contain those things, but it is never a good idea to click or download in an email unless you were expecting additional content. Always verify the safety of the link or attachment before opening it, regardless of who you think sent it.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Experian proudly provides financial support to the Identity Theft Resource Center.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

This is an emerging data breach incident – this information will be updated as ITRC receives more information. Last update: 06/07/19 10:30 am

Quest Diagnostics is one of the United States’ premier providers of medical testing. They are notifying customers who may be at risk because a third party vendor, American Medical Collection Agency (AMCA), was breached. AMCA reported to Quest that unauthorized users gained access to internal systems. Around 11.9 million Quest patients have potentially been affected, although the company is working to verify that number and patient risk. 200,000 payment cards been previouly found for sale on a well-known dark web market (by Gemini Advisory) and GA linked the cards to AMCA. 15% of the records included additional PII such as: DOB, SSN, and physical addresses. 

The information exposed includes Social Security numbers, financial information and medical information. Quest reported that the information breached did not include laboratory test results. 

We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Quest also noted that since being notified of the breach, the company has stopped new requests to AMCA and are working to notify patients affected in accordance with the law. AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card data or bank account information may have been accessed. These individuals have been offered 2 years of credit monitoring and identity theft protection services. 

AMCA provides billing collections services to a company called Optum360, whom is a contractor with Quest Diagnostics. Quest Diagnostics is the only company to make a public notification of being affected by the breach, but there is a chance other companies who work with AMCA could also be associated. The trend of third-party breaches is on the rise as hackers target large databases of vendors who work with sensitive information.

Breach Clarity – the new tool developed to help consumers make sense of their risk when it comes to data breach – can help victims of this breach understand their risk of additional exposure. The tool updates its risk score as new, more detailed information is made publicly available. Breach Clarity will guide consumers on their best course of action given the current information – please check it regularly to understand the updated risk assessment and minimization plans.

While patients are waiting to be notified they were affected, those who think they might be victims can start taking steps to minimize their risk. Financial identity theft and medical identity theft could both be a cause of the breach. You can find resources for financial and medical identity theft in our knowledge center. If you have additional questions regarding data breach, our expert advisors are available to help. Call us toll-free at 888.400.5530 or LiveChat with us. 

For Media Inquiries

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Contact: Charity Lacey, VP of Communications

Email: media@idtheftcenter.org

More media resources here


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: First American Financial Breach Exposes Millions of Complete Identities

 

In yet another example of technology outpacing its users, an unsecured database of First American Financial has exposed hundreds of millions of records, including complete identities—names, account numbers, Social Security numbers, and much more—of American consumers. The information was compiled in a database that was left unsecured on a web-based server, meaning anyone with internet access could have potentially stumbled across it.

The ITRC currently tracks seven categories of data loss methods and is categorizing the First American Financial breach under “accidental web exposure.” This kind of data exposure is becoming all-too-common. Web servers like this one are intended to let authorized individuals access documents online. All they need is the URL, or web address, for a single document; that URL is usually shared with the intended recipient by the owner, in this case, First American Financial. But if the web server isn’t password protected or doesn’t require authentication, all you’d have to do to see any other document in the database is change a digit in the URL. That single digit would provide you access to an entirely different customer’s personal information, history, bank account numbers, SSN, tax and mortgage records, and more.

Even worse, in these kinds of breaches, there’s no way of knowing if anyone accessed them or not. In the case of First American Financial, a real estate professional discovered this flaw by mistake. When he reported it to the company but they had no response, he reported the security incident to Krebs on Security, who then confirmed it.

First American Financial is one of the country’s largest title insurance providers—meaning they’ve handled hundreds of millions of consumer records.  Fortunately, a new tool can help consumers make sense of a data breach; Breach Clarity helps people who are affected by the breach understand their options and take corrective action.  If any of the estimated 885 million records were actually accessed by a malicious individual and you think you may be a victim, securing your credit report with a freeze and monitoring your accounts are some of the few useful steps you can take. For its part, the company has taken steps to close off further access to these records, but isn’t offering any further information until their own internal review is completed.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and actionable steps for consumers. 


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: ITRC Advisor Saves Woman from Lottery Scam and Losing $2,500

Data breach laws can vary from state to state in terms of notification. For years some states did not even have laws in place that required companies to inform victims if their data had been compromised in a breach. Laws vary depending on not only the location of the company that was breached, but also the location of the victims.

Washington state has had data breach laws in place for years, but those laws had a somewhat limited scope. Currently in Washington, if certain pieces of data – like your Social Security number – are not impacted in a breach, the company does not have to offer protection service or notify victims of the incident.

A new bill in Washington would expand the definition for sensitive data to include things like your birthdate, health insurance number, student ID or military ID number and more. This essentially broadens the terms of what can trigger a required notification.

The need for this change grew out of the increase in data breaches and the growing numbers of residents whose identifying information was compromised in data breaches. More than 3 million residents of that state had their data accidentally or intentionally attacked in a one-year period from July 2017 to June 2018. With breach on the rise, Washington is taking action with their data breach laws.

This new bill would not only broaden the types of personal data that are covered, but also reduce the length of time that a company has to report the breach. The current notification law gave the affected businesses 45 days to notify the state’s attorney general of a data breach, and this new bill would reduce that to 30 days. The difference of those two weeks can make an enormous impact in minimizing the damage of victims.

Of course, laws such as this one can be seen as a double-edged sword. Supporters, security experts and consumer advocates understand that there are many different kinds of identity theft, and that serious harm can result even without stealing someone’s Social Security number. However, critics view it through the eyes of the organizations and businesses, and how it may hurt them in the event of a data breach. It is important to remember that businesses who collect and store consumers’ personally identifiable information have an obligation to protect it. If they fail in that regard, then they should have to offer information and support to the customers who were affected.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and that actionable steps for consumers.

Watch Our New Free Webinar: Deciphering the Code of Data Breach Notifications


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: What To Know About Payment Apps and Security

A security researcher discovered an unsecured online storage server—an all-too-common occurrence known as an accidental overexposure—that linked to 4.9 million lines of patient records from an addiction treatment center called Steps to Recovery. Those millions of lines of information were not all for separate patients, but rather were separate entries on almost 150,000 of the same patients, outlining their medical treatment.

When it comes to data breaches and hacking, personally identifiable information like Social Security numbers are considered the “holy grail” of theft. Credit card information or emails are still very valuable and useful—since the card numbers make purchases until the bank shuts them down, or the email address can be sold to spammers—but Social Security numbers are permanent. With the intact data set of identifying information (PII), a thief can sell the complete records or use them to open new lines of credit in someone’s name, potentially forever.

Unfortunately, a Social Security number is not the very worst PII that can be exposed to hackers. As one report has now demonstrated, leaked patient medical treatment records can have a far more harmful effect, making the victim wish that it was “just” their Social Security number that had been stolen.

There is an unfortunate stigma that still surrounds addiction and mental health, and the possibilities are nightmarish for what a hacker could have done with this information. Whether through blackmail by threatening to expose the patients’ treatment or using the information to target them with malicious content, there are no words to describe how this could have brought harm to vulnerable people who sought help for their conditions.

Fortunately, the discovery was made by a security researcher who then contacted both Steps to Recovery and the company that hosts the treatment center’s online server. While the hosting company responded to confirm that the treatment center took down the information, Steps to Recovery never responded to the researcher’s request for information concerning patient notification. It is still not known whether the center ever informed the patients about the leak.

In order to demonstrate just how serious this is, the researcher went a little further. By cross-matching patient records that were left wide open online with basic, free Google searches, he was able to find a reasonable match for a sampling of patients listed in the leak. Those results provided names, addresses, family members’ names, ages, phone numbers and email addresses, and even political affiliations. This demonstrates just how dangerous this leak truly was, and hopefully the patients have now been informed of the situation.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches 

Whenever consumers learn about another data breach, they might envision a team of highly-skilled tech operatives working away at fancy computers in a darkened, windowless shop. That kind of scenario might happen, but the reality is that many data breaches are pulled off by an individual working off a laptop in a coffee shop. It is also a possibility that the breach occurred completely by mistake  – like when someone forgets to password-protect a server that stores millions of records.

These kinds of accidental data breaches have made headlines in recent months. Truthfully, some are discovered by the good guys who then report them to the companies at fault. The security flaws are fixed and the notification letters get sent out if necessary, all of which happens hopefully before anyone has had a chance to discover the exposed data and use it maliciously.

Even if so-called good guys discover the problem your information was out there for the taking. It is not always a matter of your username and password, sometimes much more personal information is available. Like in the Meditab Software Inc. breach that happened in the first quarter of 2019, where entire medical histories and prescriptions were exposed.

In this chilling situation California-based medical software developer, Meditab, left a feature unprotected in one of its tools. Meditab claims to be one of the world’s leading providers of medical record-keeping software, and it also provides fax capabilities through its partner company, MedPharm. The company was storing patient records on an unprotected server, which meant that any time MedPharm handled the faxing of a patient’s medical records, anyone with internet access could have seen it if they knew where to look.

Fortunately, those good guys discovered this one. A Dubai-based cybersecurity firm named SpiderSilk found that Meditab’s unsecured database included names, addresses, some Social Security numbers, medical histories, doctors’ notes, prescriptions, health insurance data and more. Patients affected ranged in age from early childhood to mature adults.

This kind of violation is a very serious matter under the laws surrounding HIPAA privacy, and the US government has a solid record of going after entities that store information and do not protect it adequately. If the breach was accidental and even if there is no proof that anyone used the information for harm, there are still very heavy fines and penalties for failing to store it securely.

Unfortunately, there are not a lot of actionable steps that individual patients can take in cases like this one. You can, however, ask the hard questions before the event occurs: how will my information be stored, who can access it, what company hosts your electronic database, what are you prepared to do if there is a data breach? Also, remember that there is often no need to share your most sensitive information when filling out basic medical forms; feel free to ask the person requesting it why it is needed.

Medical identity theft is a serious matter, and of all the types of identity-related crimes, this one can potentially have physical consequences for the patient if a thief uses their medical history. It is important to safeguard your medical records as much as possible, and to make your healthcare provider aware if there are any past medical identity theft issues with your personally identifiable information that could impact your care.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

As if a devastating natural disaster was not disruptive enough to people’s safety, homes, and finances, a new threat has emerged – one that was caused by the very people tasked with supporting the victims of natural disasters and other emergencies. The Federal Emergency Management Agency (FEMA) shared documents with a third-party contractor that contained highly sensitive information, some of which was a direct violation of current regulations for FEMA to share.

The current industry term for this kind of data breach event is an accidental overexposure, meaning no harmful intent was behind it and there is no indication of damage from the information falling into the wrong hands. Still, the FEMA data breach gave the potential for someone who was not unauthorized to access the information and use it for identity theft and fraud.

In this case, an internal audit found that FEMA’s documents included things like the victims’ names, addresses, and the names of their financial institutions. Some information also included victims’ electronic transfer numbers for moving funds and their bank transit numbers. Sharing this information seems to have been an oversight on FEMA’s part, and a statement about the incident said that FEMA is taking aggressive action to correct the error.

The name of the contractor in this incident has been redacted, but it is a company with direct ties to victim services. The company helps disaster victims find hotel accommodations that are covered under FEMA funding and therefore did need certain pieces of personally identifiable information on the victims it is helping. Impacted victims from the FEMA data breach include those from Hurricanes Irma, Harvey and Maria, as well as the California wildfires in 2017.

Any time consumers’ personally identifiable information is exposed, compromised or attacked, the likelihood of identity theft-related crimes can go up. The Identity Theft Resource Center has partnered with Futurion to create Breach Clarity, an interactive tool that assigns a risk score to different data breach events. It also outlines in easy-to-understand terms the actionable steps that experts recommend for every breach, from something as simple as changing your password to more involved security measures like a credit freeze.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

Year after year, cybercrimes like scams, fraud, identity theft and data breaches make a global impact on consumers and businesses alike. Organizations like the Federal Trade Commission and the Identity Theft Resource Center keep tabs on the statistics and the aftermath of these events in order to form a clearer picture of their effects. With only days to go until we reach the end of 2018, here’s a look at some of the numbers from this year.

Top Scams of the Year

According to a report by Heimdal Security, phishing attempts continue to be one of the more prevalent ways scammers connect with their victims. Phishing usually arrives as an email that entices someone to take action; the action might be to send money, hand over sensitive data, redirect to a harmful website, or even download a virus from a macro contained within the email. No matter what the story the scammers use, one-third of all security incidents last year began with a phishing email.

What happens to consumers when they fall for a phishing email? One in five people reported losing money, around $328 million altogether. That’s about $500 per victim on average, but that’s also only from the victims who reported the scam. Interestingly, new data this year found that Millennials were more likely to fall for a scam than senior citizens, although seniors still lost more money on average than these younger victims.

Different Industries Impacted by Data Breaches

The ITRC’s annual Data Breach Report highlights the organizations that have been impacted by data breaches throughout the year, along with the number of consumer records that were compromised. While the year isn’t over, the data compiled through Nov. 30 is already worrisome.

There have been more than 1,100 data breaches through the end of November 2018, and more than 561 million consumer records compromised. Those breaches were categorized according to the type of industry the victim organization falls under: banking/credit/financial, business, education, government/military and medical/healthcare.

The business sector saw not only the highest number of breaches but also the highest number of compromised records with 524 breaches and 531,987,008 records. While the medical and healthcare industry had the second highest number of breaches at 334 separate events, the government/military’s 90 breaches totaled more compromised records at 18,148,442. The financial sector only had 122 data breaches this year, but those events accounted for more than 1.7 million compromised records. Finally, while education—from pre-K through higher ed—only reported 68 data breaches, there were nearly one million compromised records associated with schools and institutions.

The Crimes that Made Headlines

There were quite a few headline-grabbing security incidents this year. While Facebook and the Cambridge Analytica events were not classified as traditional data breaches, they were nonetheless an eye opener for social media users who value their privacy. The Marriott International announcement of a 383 million-guest breach of its Starwood Hotels brand has opened consumers’ eyes about the types of information that hackers can steal, in this case, 5 million unencrypted passport numbers. The breach of the government’s online payment portal at GovPayNow.com affected another 14 million users, demonstrating that even the most security-driven organizations can have vulnerabilities. Finally, separate incidents at retailers and restaurants like Hudson Bay and Jason’s Deli reminded us (and those breaches’ combined 8.4 million victims) that attacking point-of-sale systems to steal payment card information is still a very viable threat.

What Do Criminals Really Steal?

In every scam, fraud, and data breach, criminals are targeting some kind of end goal. Typically, it’s money, identifying information or both. But recent breaches this year of websites like Quora—which provides login services for numerous platforms’ comment forums—also show that sometimes login credentials can be just as useful.

After all, with the high number of tech users who still reuse their passwords on numerous online accounts, stealing a database of passwords to a fairly innocuous site could result in account access to so-called bigger fish, like email, online banking, major retail websites, and more. Furthermore, it showed that a lot of users establish accounts or link those accounts to their Facebook or Gmail logins without really following up; a lot of people who learned their information was stolen in the Quora breach may have forgotten they even had accounts in the first place. The number of victims in that breach is expected to be over 100 million.

Moving Forward into the New Year

The biggest security events of 2018 may pale in comparison to criminal activity next year. After all, there was a time when the Black Friday 2013 data breach of Target’s POS system was considered shocking. One thing that cybercriminals have taught us time and time again is that there’s money to be made from their activities, and they aren’t going to give up any time soon.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Read next: “Honeyboys Keeping Internet Users Safe”