
The Merchant Risk Council talks with the Identity Theft Resource Center in the newest Fraudian Slip podcast about holiday identity theft and what people can do to protect themselves

  • We are days away from what will be one of the most unusual holiday shopping seasons in our lifetimes, coming off of an unusual holiday season.
  • 2020 and 2021 have seen record levels of identity fraud, a lot of it related to shopping online. Most of the fraud and scams are due to cybercriminals using good, old-fashioned scams.
  • The Identity Theft Resource Center (ITRC) sat down with the Merchant Risk Council (MRC) to discuss holiday identity theft, triangulation fraud and steps to protect yourself while shopping during the holiday season.
  • You can learn more about holiday identity theft, retail fraud, what you can do to stay safe and other topics discussed in this podcast by visiting the ITRC’s website www.idtheftcenter.org.
  • If you think you are the victim of an identity crime, you can call the ITRC (888.400.5530) or live-chat on the company website to speak with an expert advisor.

Below is a transcript of our podcast with special guest Julie Fergerson, CEO of the Merchant Risk Council

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all things identity compromise, crime and fraud that impact people and businesses. Listen on Apple, Google, Spotify, SoundCloud, Audible, Amazon now.

We are days away from what will be one of the most unusual holiday shopping seasons in our lifetimes, coming off of an unusual holiday season. Or, if you have heeded the warnings from retail experts, you already know we are in the midst of a second holiday season when supply and demand are not in sync. That means more people than ever are turning to online marketplaces to help Santa deliver the goods this year. However, it also means holiday identity theft.

2020 and 2021 have seen record levels of identity fraud, a lot of it related to shopping online. Before you throw your laptop or mobile phone out the window and vow to never shop the internet again, know that very little of that fraud is cybersecurity-related. Most of the fraud and scams are related to cybercriminals using good, old-fashioned scams (and maybe a few bad habits) to trick you into buying something that is too good to be true – because it isn’t.

Joining us to talk about how you can protect yourself and your holiday from holiday identity theft, and the haul from the Grinches that want to steal little Cindy Lou Who’s gifts and roast beast, is Julie Fergerson, the CEO of the Merchant Risk Council (MRC) and the ITRC’s own CEO Eva Velasquez.

We talked with Julie Fergerson about the following:

  • What’s the MRC?
  • Retailers that you do not recognize with deals that sound too good to be true; a quick Google search can show you complaints against a retailer or if they are fake.
  • Triangulation fraud (auction sites).
  • What to do if you don’t recognize a charge on your credit card statement.
  • Alternative payment methods, like buy now and pay later (BNPL) or peer-to-peer (P2P). Payments like those may not have the same consumer protections, which regulators are discussing now.
  • The importance that you trust your instincts to protect yourself from holiday identity theft.

We talked with Eva Velasquez about the following:

You can learn more about the identity scams that involve your identity, privacy or security, or get help if you have been the victim of holiday identity theft by visiting the ITRC’s website www.idtheftcenter.org.

Be sure to join us next week for our Weekly Breach Breakdown podcast. Next month we will look back to see how well we did with our 2021 predictions. We will also look ahead at what to expect in 2022 – on the December episode of The Fraudian Slip.

  • According to a new study by Coveware, cocaine trafficking in 1992 and ransomware in 2021 share similar profitability metrics; both activities carry +90 percent profit margins per unit. The major difference lies in the risk taken by the actors.
  • In 1992, every two kilos of cocaine trafficked resulted in one person arrested. Every four kilos of cocaine trafficked resulted in one person killed.
  • The survey sheds light on why cybercrimes are increasing and why ransomware cybercriminals launch direct attacks against businesses that indirectly impact individuals whose data becomes the hostage.
  • To learn about recent data compromises, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

Say Hello to My Little Friend

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 12, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. This week we explore a theoretical question: which would you rather be – a drug trafficker in 1992 or one of the ransomware operators in 2021? Don’t answer just yet because we are going to do the math.

Crime in the popular culture of the 1980s and early 1990s was fueled by the cocaine trade. Crockett & Tubbs were cops running around Miami in flashy clothes and flashier cars while Al Pacino’s Tony Montana uttered the memorable catchphrase that gives us the title of today’s episode – Say Hello to my little friend.

In Scarface, as in the real world, a life of crime seemed glamorous until the shooting started. Sure, there was lots of money, but there were also some pretty serious downside risks too.

Advantages & Disadvantages of Being Drug Dealers

Coveware, the cybersecurity company specializing in ransomware recovery, has done us all a favor and compared the relative advantages and disadvantages of being a drug dealer in the early 1990s – before the rise of cybercrime – or one of the ransomware operators today.

Let’s start with our friend Tony Montana, a purveyor of the refined coca leaf.

You’re the boss and you demand your team meet certain key performance indicators (KPIs) that you use to manage the business.

Your base unit of product is the kilogram of cocaine, and you generate $60,000 for each “key” sold. That key costs you $5,000 to produce and prepare for sale, including marketing and distribution costs. That leaves you with a cool $55,000 in net profit for a margin of 91 percent. Not too bad, considering you are dealing in a cash business with no taxes.

However, there are downside risks to your upside potential. There is a 50/50 chance you’re going to be arrested and sent to prison. There is a 25 percent chance you will be killed in a hail of gunfire or by ingesting your own product. The barrier to entry is also very high since you will likely have to kill someone or several someones to take the top spot in your illegal pharma empire.

Advantages & Disadvantages of Being Ransomware Operators

Now, let’s look at the current crime wave sweeping the world – ransomware. You and your hoodie-wearing clan have a base unit of measurement of an attack against a company. That company may hold the data of many different companies or individuals that you hold hostage unless a ransom is paid. A single attack generates an average of $140,000 in late 2021, according to Coveware. However, the raw material cost is only $2,500. Your net income before paying your pirate’s share to your crew is $137,500, or a positive margin of 98 percent.

Like our fictional drug dealer, there are downsides to being ransomware operators. However, unlike our cocaine peddling friend, you only face a one (1) in 8,000 chance of going to jail. Your one in four chance of dying from lead poisoning as a drug dealer goes to zero, and your barrier to entry is limited only by your technical skills and a conscience.

I ask again, which would you rather be – a rich drug pusher under constant threat of arrest and death, or one of the filthy rich ransomware operators who, with decent skills and a safe harbor outside the U.S., can have a long career free from any serious threat of jail or early demise?

Findings Illustrate Why Cybercrimes Are on the Rise

This discussion is not intended to make light of the very serious issue of ransomware. Instead, it is to explain why cybercrimes are increasing and why ransomware operators (cybercriminals) launch direct attacks against businesses that indirectly impact individuals whose data becomes the hostage. It’s easy to get in the business, you can make scads of money, and generally speaking, no one shoots at you.

Until we can find a way to disrupt this business model, Thomas Anderson – respectable citizen by day – the hacker Neo by night – will continue to be the role model for this generation of criminal kingpins.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for our sister podcast, the Fraudian Slip, when we talk about protecting yourself from the latest retail fraud scams this holiday season with Julie Fergerson of the Retail Merchants Council and ITRC CEO Eva Velasquez. Be sure to join us next time for another episode of the Weekly Breach Breakdown.

  • On the Identity Theft Resource Center’s (ITRC) last Weekly Breach Breakdown podcast, we discussed our inaugural Business Aftermath Report. The report shows how data and security compromises impact small businesses. 
  • In this week’s episode, we look at what businesses can do to protect themselves from cyberattacks. When something bad happens, stopping the attack and restoring your systems to regular operation is the top priority.
  • Make sure team members know their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. Also, have good back-ups and patch software as soon as possible.
  • To learn about recent data compromises or small business data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

No Small Attacks

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 5, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Last week, we focused on our inaugural Business Aftermath Report findings that show how small businesses, including solopreneurs, are impacted by data and security compromises. This week we look at how to protect your business from cyberattacks.

In the entertainment business, the saying goes that there are no small parts, only small actors. In the security world, you might say there are no small attacks, only small attackers. That’s the name of this week’s episode: No Small Attacks. This week, we will talk about what you should do to protect your business from cyberattacks and prevent data breaches.

2021 Business Aftermath Report Findings

First, a brief recap of what we found in our survey of small business owners and leaders – nearly two-thirds of which had fewer than 50 employees.

  • Fifty-eight (58) percent of the small business owners or leaders reported a data breach, a security breach or both.
  • Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven percent said they had not returned to pre-breach performance levels at the time of the survey earlier this year.
  • Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger companies with ransomware. It also means this is likely to be a permanent condition.
  • Forty (40) percent of compromises were caused by outside cybercriminals. However, 35 percent were attributed to malicious insiders – an employee or a contractor.

That last statistic – the number of malicious employees – is much higher than for larger enterprises with more tools and processes to detect bad actors. In fact, through the first half of 2021, there were zero data breaches attributed to a malicious insider in the U.S. Given this information, what should a business do?

How to Protect Your Business from Cyberattacks or Prevent Data Breaches

There is no going back to the days when small businesses could get by with minimal cybersecurity and data privacy protections. Every business owner, leader and team member should operate as if you are already under attack (because you probably are).

When something bad happens, stopping the attack and restoring your systems to normal operation is priority number one. Once that’s done, the highest long-term priority is restoring trust among your customers and prospects. Ensuring you know what happened, why it happened, and taking steps to prevent another breach are the bare minimum actions.

Be prepared to invest in more training, more policies and more solutions. Then, communicate all of that to your stakeholders – employees, investors, customers and community. If you don’t tell them, no one else will.

Additional Tips

  • Make sure every team member knows their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. There’s no such thing as too much training.
  • Patch software as soon as updates are available and make sure you have good back-ups. If you don’t have in-house resources, hire a managed security service provider (MSSP) to handle all your routine IT and OT tasks and monitoring.
  • Require multi-factor authentication (MFA) for your team and vendors, and offer it to your customers. MFA linked to an authenticator app is best.
  • Threat actors don’t just want your money. They want your data, too. The more you have, the bigger the target you become. To protect your business from cyberattacks, practice data minimization and don’t collect more information than you need. Also, don’t keep it longer than necessary to complete a transaction. You can’t lose control of what you don’t have.
  • Know your vendor’s security posture, too. It’s not enough that you have good cybersecurity. Everyone you work with also needs protections equal to or better than yours. That’s the law in some states now, and it is non-negotiable when it comes to protecting your customers.

Contact the ITRC

The ITRC offers low-cost training and vendor due diligence for small businesses. For more information on those services or how to protect your business from cyberattacks, contact us at www.idtheftcenter.org.

Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.

  • The Identity Theft Resource Center (ITRC) recently released a report focusing on the impacts of small business data breaches. The report came to fruition after an ITRC executive posted a stat on LinkedIn from a U.S. Senator that turned out not to be true.
  • The incorrect stat, which said half of small businesses fail six months after a data breach, led the ITRC to look further into what actually happens to the companies that make up most of the U.S. economy. The findings were even more troubling.
  • According to the 2021 Business Aftermath Report, 58 percent of the small business owners and leaders reported a data breach, security breach or both. Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Private research by ZenBusiness shows only 27 percent of small businesses with employees estimated their 2020 total revenue to be more than $200,000. A hit of tens to hundreds of thousands of dollars in unbudgeted expenses or lost revenue is a big deal.
  • To learn about recent data compromises or small business data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

Telephone

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 29, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Since this is the last business day of Cybersecurity Awareness Month, we’re going to focus on the latest ITRC report, our Business Aftermath Report. The report focuses on the impacts of small business data breaches and how small businesses, including solopreneurs, are impacted by data and security compromises.

How the Business Aftermath Report Came to Fruition

First, we want to tell you the story of how this report came to be. Back in 2019, our Chief Operating Officer, James E. Lee, posted a comment on LinkedIn that included a stat about the number of small businesses that went bankrupt due to a data breach. He got the stat from a news release issued by a U.S. Senator, so he figured that was a pretty safe bet to be accurate.

Almost immediately, a former colleague questioned the integrity of the stat and challenged James, nicely, to prove it. It turns out, the most widely reported statistic used by the media and quoted in countless online reports was wrong. So wrong that the organization that was credited with the research posted a notice on their website urging people to stop citing them as the source of the bogus information.

It was like the title of this episode, a giant game of Telephone. If you ever see a quote that says half of all small businesses fail within six months after a data breach, don’t believe it. The truth is far more troubling.

ITRC Publishes Inaugural Report on Small Business Data Breaches

With no current or accurate information on the impact of data and security compromises at small businesses, of which there are tens of millions that support tens of millions of families and individuals, the ITRC decided it was time to look more closely at what really happens to the companies that make up most of the U.S. economy.

2021 Business Aftermath Report Findings

We published our research on small business data breaches this past week, and here’s what we found based on comments from hundreds of business owners and leaders:

  • Sixty-two (62) percent of the respondents have fewer than 50 employees; 37 percent have fewer than 10.
  • Fifty-eight (58) percent of the small business owners and leaders reported a data breach, a security breach or both.
  • Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven (7) percent said they had not returned to pre-breach performance levels at the time of the survey this summer.
  • Forty-four (44) percent of the small businesses lost revenue or incurred costs between $250,000-$500,000; 21 percent saw impacts of more than $500,000, including five percent who were impacted to the tune of $1 million or more. 
  • Seventy (70) percent incurred debt to recover; 15 percent reduced headcount, extending the breach’s impact to more than just the business owners or leaders.

To put some of these stats into context, the U.S. Small Business Administration’s (SBA) most recent report, which reflects pre-pandemic results, shows solopreneurs’ average annual revenue was less than $50,000. Private research by ZenBusiness indicates only 27 percent of small businesses with employees estimated their 2020 revenue to be over $200,000. A hit of tens to hundreds of thousands of dollars in unbudgeted expenses or lost revenue is a big deal.

The data also shows a dramatic increase in the number of small businesses being targeted beginning in 2019. Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger businesses with ransomware. It also means this is likely to be a permanent condition.

There’s one final stat around small business data breaches that stands out. Small businesses have a higher incidence rate of malicious employees or contractors as the root cause of data and security breaches. Forty (40) percent of compromises are still caused by outside cybercriminals. However, 35 percent are attributed to malicious insiders.

Contact the ITRC

Next week we’ll talk about what small business owners and leaders can do to protect their business and themselves. Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.

  • When the Identity Theft Resource Center (ITRC) was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Now, it is far and away cyberattacks.
  • Phishing is the number one attack vector that leads to data breaches, ransomware second and malware third.
  • However, there are ways to protect yourself from cyberattacks. Back up your information, update your software, use strong and unique passphrases, and collect and maintain less information.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

The Crimes, They Are Changing

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 15, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. We also use a lot of literary references – especially Shakespeare. Today, though, we turn to a different classic for inspiration – Bob Dylan – in honor of Cybersecurity Awareness Month. October is the time each year when you focus on ways to protect yourself from cyberattacks and other identity crimes. That’s why we’re calling today’s episode: The crimes, they are changing.

The Rise in Digital Data Theft

When the ITRC was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Digital data theft didn’t arrive until the mid-2000s. Even then, it was usually because someone’s laptop or external hard drive was stolen.

Not so today. Physical attacks and human errors were once the leading cause of data compromises. Today it is far and away cyberattacks. In fact, cyberattacks are so common that the number of data breaches and exposures associated with them so far this year exceeds all forms of data compromises in 2020.

Phishing is the leading attack vector that leads to data breaches. The login and password credentials stolen in these email, text and website-related attacks are often used by cybercriminals to access company networks and databases held hostage in a ransomware assault – the second most common cause of data compromises.

Malware is the third leading cause of identity-related data breaches. It is often used to exploit software flaws or penetrate networks as part of a ransomware attack or just good old-fashioned data theft. Caught in the cross-hairs of all these cyberattacks are consumers – people whose data is held in trust by organizations that are the targets of cybercriminals.

The ITRC to Release Inaugural Business Aftermath Report

We often think of data breaches and ransomware only impacting big businesses whose names we recognize. However, later this month, the ITRC will issue a new report on the impact of identity crimes on small businesses and solopreneurs – the tens of millions of companies with zero or just a handful of employees. Without giving away too much right now, the research shows more than half of all small businesses have experienced one or more data breaches, security breaches or both.

Use Good Cyber-Hygiene Habits to Protect Yourself

What are some ways to protect yourself from cyberattacks both at work and at home? The actions must be the same. Regular listeners already know the basics of a good cyber defense. Make good back-ups of your information, update or patch your software as fast as possible, and practice good password hygiene. Do not use the same password at work and at home. Each account gets a unique, 12+ character password.

There are two additional ways to protect yourself from cyberattacks you should consider:

  1. Collect and maintain less information. If you are a business, get rid of the personal data you no longer need once you complete a transaction. The same is true for consumers. Don’t keep sensitive information you no longer need. Cyberthieves can’t steal what you don’t have.
  2. If you are a business leader, train your teams like you’re voting in Chicago – early and often. If you’re a consumer, you can use some routine training, too. Why is this important? Cybercriminals are constantly improving their attack methods and inventing new ones. We need to make sure we know what to do to stay safe from identity scams and cyber risks, and that takes training and education.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for our sister podcast, The Fraudian Slip, when we talk more about cyber education with Zarmeena Waseem of the National Cybersecurity Alliance and our very own ITRC CEO, Eva Velasquez. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • A new report from Intel 471 reveals that cybercriminals are going after one-time passwords, known as OTPs.
  • The attackers deceive people into giving them a one-time password or other verification codes via a mobile device, which the criminals use to steal money from the now compromised account.
  • Also, do not share personal information with anyone you do not know until you verify they are who they claim to be.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.  

Nice Things

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 1, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we dig into a troubling development that we all kind of knew was coming but maybe didn’t want to admit it. Cybercriminals are finding ways to steal those one-time passwords you send to your phone by text.

This is why we can’t have nice things in our adult world. Every time someone comes up with a new way of protecting our personal information from the grubby little fingers of threat actors, the criminals find a new way to steal our data. That seems to be the case when it comes to two-factor authentication, also known as multifactor authentication, or MFA.

New Report Shows Cybercriminals are Targeting One-Time Passwords

This week, a cybersecurity research team at Intel 471 issued a report that noted, “Two-factor authentication is one of the easiest ways for people to protect any online account.” Now, criminals are trying to circumvent that protection. Cyber thieves are using various tactics to gain account information, including impersonating banks and legitimate services on phone calls.

Using social engineering methods, the attackers deceive people into giving them a one-time password or other verification code via a mobile device, which the crooks then use to steal money from the now compromised account.

The criminals buy easy-to-use applications that send a potential victim a text message requesting their phone number. Once a target’s phone number has been entered into a chat message, the malicious application takes over from there. The researchers at Intel 471 found that about 80 percent of people targeted by cybercriminals will end up providing their information to threat actors, allowing them to drain the money from their accounts.

Variations on these OTP attack schemes include:

  • Specialty software that targets accounts on social media networks such as Facebook, Instagram and Snapchat.
  • Financial services like PayPal and Venmo.

There is even an automated tool that allows an attacker to make any phone call appear to be from a specific bank.

Once a call is answered, the criminals use a script to trick potential victims into sharing information such as ATM PINs, credit card verification codes or one-time passwords. Quoting the Intel 471 researchers again, while SMS and phone-based one-time password services are better than nothing, criminals have found ways to socially engineer their way around the safeguards. It was always a matter of time before the bad guys found a way around this layer of defense in these particular instances. The weak security link is the user who willingly gives information to someone they believe to be a legitimate representative at a company where they do business.

To Avoid an OTP Text Scam, the ITRC Advises You To

  • Always verify the legitimacy of any contact you do not initiate, whether it is a phone call, email, text message or a social media instant message.
  • Don’t share any personal information with anyone you do not personally know and trust until you verify the person contacting you is who they claim to be. Also, make sure they have a good reason for asking you for information they should already know.

Today is the first day of Cyber Security Awareness Month. The ITRC has a full list of activities planned, including participating in industry events and special guests on our sister podcast, The Fraudian Slip. We will also issue two very important reports this month. Next week, on October 6, we’ll publish our Q3 Data Breach Analysis that shows how many new data compromises were reported in the past three months and what the trends tell us.

On October 27, we’ll issue our very first Business Aftermath Report. As a companion to our longtime report on the impact of identity crimes on consumers, the Business Aftermath Report will look at what happens to small businesses and solopreneurs after a security breach, a data breach or both.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Thanks again to Experian for supporting the ITRC and this podcast. We will be back next week with another episode of the Weekly Breach Breakdown.

Frozen Pii talks with the ITRC in the newest Fraudian Slip podcast about credit freezes, one of the most important tools in fighting identity crimes 

  • In 2002 California passed the first state law requiring the three credit bureaus to allow people to freeze their credit so no one else could access it. There used to be fees to freeze and thaw your credit. However, it is now free for everyone.  
  • Despite it being free, more than two-thirds of Americans do not take advantage of one of the most powerful weapons to fight identity crimes. Why? Also, why should you freeze your credit? 
  • The Identity Theft Resource Center (ITRC) sat down with Frozen Pii to discuss new ITRC data on credit freezes, the importance of freezing your credit, how it protects you and why people don’t freeze their credit. 
  • You can learn more about credit freezes and other topics discussed in this podcast, as well as how to protect yourself from identity crimes, by visiting the ITRC’s website www.idtheftcenter.org.  
  • If you think you are the victim of an identity crime, you can call the ITRC (888.400.5530) or live-chat on the company website to speak with an expert advisor. You can freeze your credit by visiting www.frozenpii.org.  

Below is a transcript of our podcast with special guest Tom O’Malley, former federal prosecutor and Founder of Frozen Pii 

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. Listen on Apple, Google, Spotify, SoundCloud, Audible, Amazon or Podsite now.  

Why should you freeze your credit? This month, September, we look at one of the most powerful weapons we have in the fight against identity crimes (one of the most under-utilized tools in our arsenal) and why it’s so important. We are talking about credit freezes.  

In 2002 California passed the first state law requiring the three primary credit bureaus – Equifax, Experian and TransUnion – to allow consumers to “freeze” access to their credit reports so no one could open a new account without the person’s knowledge or permission. Eventually, all states adopted credit freeze laws.

In the beginning, there were fees attached to freezing, thawing and re-freezing your credit, which took several days. In fact, 20 percent of Americans spent an estimated $1.4 billion on credit freezes in 2018 before Congress stepped in to require the credit bureaus to make freezing and thawing your credit free of charge.   

Today, what once took days now takes minutes, and no fees are involved. Yet, more than two-thirds of Americans do not take advantage of this tool to keep their credit and identity information safe and secure, according to new ITRC research. Why? Also, why should you freeze your credit? 

Helping us explore the conundrum of credit freezes is the ITRC’s CEO Eva Velasquez and Tom O’Malley, a former federal prosecutor who has taken his experience as a victim of identity theft and turned it into Frozen Pii, a service devoted to making it easy to protect yourself with a credit freeze.  

We talked with Tom O’Malley about the following: 

  • His personal story of identity theft and his idea for Frozen Pii. 
  • How credit freezes protect consumers and why people don’t freeze their credit. 
  • Why should you freeze your credit? 
  • New ITRC data about credit freezes. 
  • The ITRC’s partnership with Frozen Pii, beginning in October. 

We talked with Eva Velasquez about the following: 

  • The history of credit freezes and consumer attitudes. 
  • Why should you freeze your credit? 
  • New ITRC data about credit freezes. 
  • The ITRC’s partnership with Frozen Pii, beginning in October. 

You can learn more about how to protect your personal privacy, as well as get help if you have been the victim of an identity crime by visiting the ITRC’s website www.idtheftcenter.org. While you are there, sign up for our emails that alert you to the latest scams, monthly data breach updates and tips to protect your identity. You can freeze your credit by visiting www.frozenpii.org. Beginning in late October, you will be able to access Frozen Pii directly through the ITRC website.  

Be sure to join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

Everything’s Bigger in Texas

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 10, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. For the past two weeks, we’ve concentrated on what happens when you receive a notice that your personal information has been compromised. This week, we’re going to talk about a data breach involving personal information for children and the unique risks created when children’s personal information is exposed.

When you grow up in the southern U.S., you learn very quickly that the saying “Everything’s bigger in Texas” is absolutely true. The Lone Star state is twice the size of Germany. Texans eat 54,000 tons of catfish each year. That’s six times the weight of the Eiffel Tower. There are high school football stadiums in Texas that seat more than 19,000 people, enough to fit the entire population of three average-size U.S. cities.

Dallas I.S.D. Data Breach

This week, the Dallas, Texas Independent School District (Dallas I.S.D.) has earned a different distinction: the target of a significant data breach.

More than 145,000 students attend 230 schools across the district that employs 22,000 people. That doesn’t include independent contractors and vendors who also serve the Dallas schools.

School officials announced late Friday before Labor Day that an “unauthorized third-party” had accessed, downloaded and stored personal information on a cloud data storage site. The stolen data included information on current and former students and their parents as well as current and former employees and contractors dating back to 2010.

The compromised information includes full names, addresses, Social Security numbers (SSNs), phone numbers, dates of birth, and employment and salary information for current and former employees and contractors. The breached data also includes full names, SSNs, dates of birth, parent and guardian information, and grades for current and former students. According to the school district, some students’ custody status and medical conditions may have also been exposed.

What Happened

As is typical in the early days of data breaches, there are many unknowns and a lot of reluctance to share information about what happened. Dallas I.S.D. has hired forensic investigators to determine how the cybercriminals gained access to the student, parent and employee information. However, little is known about how cybercriminals got their hands on the employees’, contractors’ and students’ personal information.

School officials are not calling this a ransomware attack. However, they acknowledge that they have communicated with the data thieves who claim the information has not been sold or shared, but has been removed from the cloud database. Ransomware attacks against schools have dramatically increased as students return for the new school year and identity criminals look for children’s personal information. One cybersecurity firm reports seeing more than 1,700 attacks against schools around the world each week in July.

The Impacts of Children’s Personal Information Being Stolen

Dallas I.S.D. is offering credit monitoring and identity theft recovery services for one year. The ITRC always recommends data breach victims take advantage of those offers. However, the release of student information is especially troubling as criminals who take control of a young person’s identity can cause significant harm over time.

Imagine a high school student applying for college and being denied financial aid or admission because someone had used their SSN to report income or obtain credit. An identity thief can abuse children’s personal information for years before the parents or child learn of the crime.

Freeze Your Child’s Credit

It’s important for parents to not only freeze their own credit, but to freeze their children’s credit, too. That won’t prevent your child’s information from being exposed in a data breach. However, it will keep a cybercriminal from using the children’s personal information to ruin their credit and perhaps their education and work opportunities when they grow up.


Thanks again to Experian for supporting the ITRC and this podcast. Listen next week as we talk about credit freezes with the founder of Frozen Pii on our sister podcast, The Fraudian Slip. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • It’s standard, if not legally required, for businesses to issue a notice of data breach letter if they were breached. They usually include what information was accessed and offer some form of identity protection, like in the recent T-Mobile data breach notice.
  • The same standard applies to data breach settlement letters. There is often some free product or service offered, like in the recent Wawa data breach settlement.
  • Don’t ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections (credit monitoring, anti-spam services, best practices, etc.) and the occasional compensation (a settlement payment) for your trouble on the table.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.    

All’s Well that Ends Well

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 3, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about what it takes to file a successful lawsuit after a data breach. This week we look at what to do when your personal information has been exposed and you receive a notice of data breach letter, and later when you get a notice after a data breach lawsuit has been settled.

Shakespeare dispensed a lot of advice in his plays, none more helpful than in Act 1 Scene 1 of All’s Well that Ends Well: “Love all, trust a few, do wrong to none.” Do you know what else is filled with helpful advice? A well-written data breach notice.

Laws Around A Notice of Data Breach Letter

Every U.S. state, territory and the District of Columbia has a law that requires consumers to be notified when their personal information has been compromised. That’s pretty much where the commonality ends. The definition of personal information, the form of a notice, the distribution method, the length of time that can pass before a notice of data breach letter is issued, and the remedies available to impacted consumers are unique to each state.

However, it’s pretty much standard practice, if not legally required by your state, for businesses to disclose in broad terms what information was accessed and to offer some form of identity protection.  There are often other protection tips in the notice, including changing your passwords.

Consumers Ignore Notice of Data Breach Letters

Unfortunately, most people ignore both the notice and the advice. We’ve talked here about recent studies from the University of Michigan and Carnegie Mellon University that show nearly three-quarters of people who receive a notice of data breach letter don’t even know they received it. Only one-third of data breach victims change their passwords (and those who do use a weaker password similar to the one that was compromised).

Protection Advice & Free Services Offered by Breached Companies is Improving

The recently breached T-Mobile raised the bar by offering not only credit monitoring, but also identity remediation services in the event a customer’s personal information is misused. T-Mobile is also offering free anti-spam services for all impacted customers and account takeover protections for pre-paid customers.

T-Mobile suggests you change your passwords, so you are not using the same password that has been compromised on any other account. Regular listeners to the ITRC podcasts will be familiar with this advice.

Data Breach Lawsuit Settlement Letters Also Offer Free Products

When a notice of data breach letter is issued, it is not the only time breach victims are offered free swag. When breach lawsuits are settled, there is often some free product or service provided. However, victims are usually required to take some action to get the award.

Wawa Data Breach Settlement

That’s the case with the recent settlement of a lawsuit against the east-coast-based convenience store chain Wawa, better known for its deli sandwiches than the 2019 data breach. Of the 22 million people who received settlement letters and are eligible for a settlement payment, those who made a purchase with a debit or credit card during the breach period but did not see evidence of identity fraud will get $5 gift cards. Those who can present proof of actual or attempted fraud will get a $15 gift card. Those who can show evidence they lost money can receive as much as $500 cash.

All claims must be submitted by November 29, 2021. So, the clock’s ticking if you want a free Wawa meatball grinder with extra cheese.

The Key Takeaway

In both of these scenarios, the key takeaway is the same: do not ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections and the occasional compensation for your trouble on the table.


Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • Earlier this year, the U.S. Supreme Court issued a major decision that set a new standard. People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm.
  • This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment.
  • A data breach lawsuit is subject to the same rules for filing a claim. They are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue.
  • What can be done to address this? Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of identity theft, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.   

Measure for Measure

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 27, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. Today we dive into a subject we haven’t explored before, and for good reason – filing a data breach lawsuit. It’s a bit complex and a little dry. However, it is very important when it comes to the concept of justice for victims of data breaches. So, bear with us as we talk about the legal idea of standing and what recent court rulings mean when it comes to the ability of data breach victims to sue for damages in federal courts.

Shakespeare mentioned the legal profession more than any other, outside of royalty, devoting several of his plays to various concepts of justice. One of his dark comedies – Measure for Measure – is even named for the very concept of justice: punishment should fit the crime.

That’s a concept that cuts both ways – for and against defendants in criminal courts, and the same is true of plaintiffs in civil trials where money damages are the punishment.

“Standing” Needed to File a Civil Data Breach Lawsuit

To file a civil lawsuit in federal court, you must have what is called “standing.” You must have a valid reason to stand at the bar of justice. For years, U.S. courts have been split over what is a good reason when it comes to the standing of a person whose personal information has been exposed in a data breach. Some courts said the mere threat of harm was enough to justify a data breach lawsuit. Others ruled that no, proof of actual harm was required before a data breach lawsuit could be filed. After a data breach, your ability to sue for damages had more to do with where you lived than what happened to your data.

U.S. Supreme Court Sets A New Standard for Data Breach Lawsuits

Earlier this year, though, the U.S. Supreme Court issued a major decision that set a new standard: People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm. Inconvenience or the threat of harm no longer counts as an acceptable reason in some federal courts. Now, plaintiffs filing lawsuits based on those kinds of claims lack standing. No standing = no lawsuit.

Now, you may have noticed the subtle distinction that the Supreme Court decision was based on data errors, not data breaches. How very observant of you, and you are correct. However, it’s called the Supreme Court for a reason. Lower federal courts are bound to follow the decision of the Supremes and are now applying the new standard to similar but not identical cases.

Ohio Sixth Circuit Court of Appeals Ruling

This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment. The lower credit score was inconvenient but not harmful, according to the Court.

What It Means for Data Breach Lawsuits

What does this have to do with data breaches? A data breach lawsuit is subject to the same rules for filing a claim. That means data breach lawsuits are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue. That’s very difficult to prove in the best of times. When there have already been more than 1,100 data breaches reported this year, how do you prove which data breach caused the harm?

That doesn’t even begin to address the bigger issue that identity criminals don’t always use the data right away, or only once. The risk of harm down the road is high, and the ITRC’s 2021 Consumer Aftermath Report shows nearly three in ten identity crime victims are hit a second or third time, sometimes before the original impacts are resolved.

What Can Be Done?

Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.

However, the reality is that this is the exact situation that Shakespeare wrote about in Measure for Measure: “O just, but severe law.”

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org to get started.

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.