Posts

  • It’s standard, if not legally required, for businesses to issue a notice of data breach letter if they were breached. They usually include what information was accessed and offer some form of identity protection, like in the recent T-Mobile data breach notice.
  • The same standard applies to data breach settlement letters. There is often some free product or service offered, like in the recent Wawa data breach settlement.
  • Don’t ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections (credit monitoring, anti-spam services, best practices, etc.) and the occasional compensation (a settlement payment) for your trouble on the table.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.    

All’s Well that Ends Well

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 3, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about what it takes to file a successful lawsuit after a data breach. This week we look at what to do when your personal information has been exposed and you receive a notice of data breach letter, and later when you get a notice after a data breach lawsuit has been settled.

Shakespeare dispensed a lot of advice in his plays, none more helpful than in Act 1 Scene 1 of All’s Well that Ends Well: “Love all, trust a few, do wrong to none.” Do you know what else is filled with helpful advice? A well-written data breach notice.

Laws Around A Notice of Data Breach Letter

Every U.S. state, territory and the District of Columbia has a law that requires consumers to be notified when their personal information has been compromised. That’s pretty much where the commonality ends. The definition of personal information, the form of a notice, the distribution method, the length of time that can pass before a notice of data breach letter is issued, and the remedies available to impacted consumers are unique to each state.

However, it’s pretty much standard practice, if not legally required by your state, for businesses to disclose in broad terms what information was accessed and to offer some form of identity protection.  There are often other protection tips in the notice, including changing your passwords.

Consumers Ignore Notice of Data Breach Letters

Unfortunately, most people ignore both the notice and the advice. We’ve talked here about recent studies from the University of Michigan and Carnegie Mellon University that show nearly three-quarters of people who receive a notice of data breach letter don’t even know they received it. Only one-third of data breach victims change their passwords (and those who do used a weaker, similar password to the one that was compromised).

Protection Advice & Free Services Offered by Breached Companies is Improving

The recently breached T-Mobile raised the bar by offering not only credit monitoring, but also identity remediation services in the event a customer’s personal information is misused. T-Mobile is also offering free anti-spam services for all impacted customers and account takeover protections for pre-paid customers.

T-Mobile suggests you change your passwords, so you are not using the same password that has been compromised on any other account. Regular listeners to the ITRC podcasts will be familiar with this advice.

Data Breach Lawsuit Settlement Letters Also Offer Free Products

When a notice of data breach letter is issued, it is not the only time breach victims are offered free swag. When breach lawsuits are settled, there is often some free product or service provided. However, victims are usually required to take some action to get the award.

Wawa Data Breach Settlement

That’s the case with the recent settlement of a lawsuit against the east-coast-based convenience store chain Wawa, better known for its deli sandwiches than the 2019 data breach. Of the 22 million people who received settlement letters and are eligible for a settlement payment, those who made a purchase with a debit or credit card during the breach period but did not see evidence of identity fraud will get $5 gift cards. Those who can present proof of actual or attempted fraud will get a $15 gift card. Those who can show evidence they lost money can receive as much as $500 cash.

All claims must be submitted by November 29, 2021. So, the clock’s ticking if you want a free Wawa meatball grinder with extra cheese.

The Key Takeaway

In both of these scenarios, the key takeaway is the same: do not ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections and the occasional compensation for your trouble on the table.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • Mobile telecom providers U.S. Cellular, Mint Mobile and T-Mobile have all been breached in 2021. In fact, T-Mobile has been breached twice in 2021, and once in December 2020.
  • If your mobile phone account is breached, you should freeze your credit, change your passwords and PIN numbers, and use multi-factor authentication (MFA or 2FA) using an app, not text messages, to protect yourself when available.
  • You should also follow the steps in any data breach notification letter you receive or read in a public notice.
  • Keep an eye out for phishing emails, closely monitor your financial accounts and contact your Department of Motor Vehicles (DMV) if your license number is exposed in the breach.
  • If you believe your phone account is breached, or want to learn more, contact the Identity Theft Resource Center. Call toll-free (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

The Rise in Mobile Data Breaches

The Identity Theft Resource Center (ITRC) has seen mobile data breaches rise, particularly in 2021. Customers of mobile phone companies that have not reported a breach also want to know what to do if their phone account information is exposed.

In January, U.S. Cellular suffered a data breach after hackers were able to scam employees to gain access to one retail store’s computer. In July, some Mint Mobile customers had phone numbers ported, leading to data being accessed. One month later, T-Mobile was breached when bad actors compromised their systems, impacting millions of documents. In fact, it is the second T-Mobile data breach in 2021 and the third since December 2020. Right now, Bleeping Computer reports that well-known threat actor ShinyHunters claims to be selling a database containing the personal information of 70 million AT&T customers. However, AT&T says they did not suffer a data breach.

Telecommunications companies continue to be targeted by identity criminals due to the importance of mobile devices in our daily lives. The rise in mobile data breaches means everyone needs to be prepared if they are impacted by a compromise. There are steps you can take to protect your information and if your phone account is breached.

What You Should do to Protect Yourself if Your Phone Account is Breached

  • Freeze your credit. Monitoring your credit is informative because it alerts you to changes on your credit reports that may need further investigation if your phone account is breached. However, it does not offer protection. While it tells you what happened, it does not stop anything from happening. A credit freeze does. Freezing your credit is free, easy and does not impact your credit.
  • Change your mobile phone account password and PIN numbers. Also, change the passwords of other accounts with the same password or PINs as the breached account. You do not want the same passwords or PINs on more than one account. Cybercriminals want you to do that because they can commit credential stuffing attacks. The ITRC recommends you switch to a unique 12+ character passphrase because they are harder for criminals to crack. You can also use a password manager to generate and keep track of your credentials.
  • Use multi-factor authentication (MFA or 2FA) on your accounts. MFA and 2FA provide an added layer of security, making it harder for hackers to gain access if your phone account is breached. Also, if possible, use an authentication app rather than having a code sent by text to your phone because the text messages can be spoofed and intercepted in a SIM swapping scheme. Authentication apps are available for free from Microsoft, Google and other software providers.
  • FOR BUSINESSES: Don’t lose control over the information you don’t have. Don’t collect more information than you need. Don’t keep the sensitive information longer than you need to complete the transaction. Keep what data you do collect and maintain safe and secure by encrypting it. Finally, make sure you offer MFA or 2FA for your customers’ and prospects’ protection when logging into their accounts.

Next Steps to Take if Your Phone Account is Breached

  • Watch for data breach notification letters. It is easy to ignore a breach notification. However, there are usually important steps in the notices, like how to activate free identity protection services. Follow the advice offered by the impacted company.
  • Be on the lookout for phishing emails. Identity criminals may look to exploit the data breach to get you to click on a malicious link or share sensitive information.
  • Closely monitor your financial accounts (credit cards, banking, utilities, etc.) If you see anything out of the ordinary, it may be a sign of fraudulent activity.
  • Contact the Department of Motor Vehicles (DMV) if your license is impacted. Notify the DMV in your state that your information may have been exposed. See if you can place an alert on your license number and check your driving record.

Contact the ITRC

Data breaches are inevitable. Consumers can do everything right and still have their phone account breached. If you believe your phone account is breached or want to learn more, contact the ITRC. You can speak with an expert advisor by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org. Advisors will answer any question you may have and help you through the resolution process.

The ITRC does not want anyone to panic. While it can be frightening if your phone account is breached, you will be able to work through any misuse of your information if you have a plan.

T-Mobile recently suffered its second data breach since February 2021 and its third breach since December 2020. The latest T-Mobile data breach leaves many current, former and prospective customers wondering what happened, how it happened and what they need to do to stay safe.

What Happened?

According to T-Mobile, a bad actor compromised T-Mobile’s systems. The company says they located and closed the access point they believe was used to gain entry to their servers.

On August 17, 2021, T-Mobile confirmed that approximately 47 million people were impacted by the data breach. T-Mobile also said the data stolen from their systems included personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, 2021, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised. T-Mobile identified another 5.3 million current customer accounts that had one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed.

The Verge reports that the Federal Communications Commission (FCC) is investigating the T-Mobile data breach that may have impacted as many as 100 million customers.

What Does It Mean to You?

Identity criminals can use information like your SSN and driver’s license to commit an array of identity crimes like false applications for loans, credit cards or bank accounts in your name. IMEIs and IMSIs could be used to track your mobile device or assist in SIM swapping attacks where someone hijacks your phone number to intercept multi-factor authentication codes or other information.

What Can You Do to Protect Yourself from the T-Mobile Data Breach?

  • Freeze your credit. T-Mobile is offering identity protection services to impacted customers, including credit monitoring. While monitoring your credit is informative, it does not offer protection. It tells you what happened but does not stop anything from happening. A credit freeze does. Freezing your credit is free, easy and does not impact your credit.
  • Change your passwords and PIN numbers. You want to make sure you do not use the same passwords or PINs on more than one account. The Identity Theft Resource Center (ITRC) recommends you switch to a unique passphrase (something you can remember that is at least 12 characters long). You can also use a password manager to generate and keep track of your credentials. Cybercriminals want us to reuse passwords on more than one account because it makes it easier for them to commit identity crimes.
  • Use multi-factor authentication (MFA or 2FA) on your accounts. MFA and 2FA provide an added layer of security. Also, if possible, use an authentication app rather than having a code sent by text to your phone because the text messages can be spoofed and intercepted in a SIM swapping scheme. Authentication apps are available for free from Microsoft, Google and other software providers.
  • Have a plan if your IMEI or IMSI information is used fraudulently. It’s unknown if or how the IMEI or IMSI information stolen in the T-Mobile data breach will be used. However, it is important you have a plan if it is. There is no reason to panic about your phone being disabled. However, in the unlikely event it is, plan how you will contact T-Mobile. You can do this through their website t-mobile.com, an in-person visit to a T-Mobile store or using a landline telephone.  
  • FOR BUSINESSES: You can’t lose control over the information you don’t have. Don’t collect more information than you need. Don’t keep the sensitive information longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Finally, make sure you offer MFA or 2FA for your customers’ and prospects’ protection when logging into their accounts.

What Are the Next Steps to Take?

  • Closely monitor your financial accounts (credit cards, banking, utilities, etc.) for any signs of fraudulent activity.
  • Stay alert for a data breach notification, as well as any potential identity fraud due to the T-Mobile data breach. While it is easy to ignore a breach notification, there are usually important steps in the notices, like how to activate free identity protection services. In T-Mobile’s notification letter, the company offers two years of free identity protection services. They also recommend all eligible T-Mobile customers sign up for scam blocking protection through the company’s Scam Shield, and directs people to a customer support webpage with breach information and access to tools.
  • Be on the lookout for phishing emails exploiting the T-Mobile data breach to get you to click on a malicious link or share sensitive information.
  • Act if your driver’s license is impacted. If your driver’s license information has been compromised, contact the Department of Motor Vehicles (DMV) in your state to notify them your information may have been exposed. See if you can place an alert on your license number and check your driving record.

Contact the ITRC

While this T-Mobile data breach leaves uncertainty for many, the ITRC does not want anyone to panic. As long as you have a plan, you will be able to address any misuse of your information.

The ITRC remains available to help you. If you have questions about the T-Mobile data breach or believe you may be impacted by it, contact the ITRC toll-free by phone (888.400.5530) or live-chat on the company website (www.idtheftcenter.org). ITRC expert advisors will walk you through the steps you need to take and help you create a resolution plan.

  • T-Mobile recently suffered its third data breach since December of 2020. The T-Mobile data compromise has affected over 40 million people and led to information like Social Security numbers (SSNs) and driver’s license information being hacked.  
  • Cybersecurity researchers claim the T-Mobile data compromise may impact as many as 100 million current, past and prospective customers. 
  • To protect yourself from the T-Mobile data compromise, consider freezing your credit, changing your passwords and PIN numbers to long and unique passphrases, using multi-factor authentication and not ignoring breach notices.  
  • To learn about recent data breaches, like the T-Mobile data compromise, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified
  • For more information on the T-Mobile data compromise, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Facts Are Stubborn, But Statistics Are Pliable 

Welcome to the Identity Theft Resource Center’s (ITRC)Weekly Breach Breakdownfor August 20, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we talk about the T-Mobile data compromise, which is one of the most significant data breaches so far this year. We also talk about what you should do in response, even if you are not impacted by it. 

Mark Twain once wrote that “Facts are stubborn things, but statistics are pliable.” Apply that same principle to data breaches and you get the natural pattern that emerges when personal information is suddenly stolen or exposed by a cybercriminal. The typical response goes something like this:  

  • “We don’t have any evidence there has been a breach, but we will investigate.” 
  • Followed by “We have investigated and found that a small number of customers information has been compromised, but we do not believe any sensitive or personal data is at risk.” 
  • That statement is often followed by an update that sounds like this: “We have now determined that more than X million of our valued customers are directly impacted by unauthorized access by cybercriminals of our systems, and the data involved does include Social Security numbers (SSNs) and other personal information.”  

T-Mobile Suffers its Second Data Breach Since February 2021 

We don’t “name and shame” companies at the ITRC. Cyberattacks and data breaches are an unfortunate consequence of our digital society. It’s only logical that the more you investigate, the more you know, meaning numbers change. We have laws, regulations and courts to handle the blame game. We do, though, use anecdotes to help educate consumers and businesses on how to protect themselves.  

What Happened? 

This week, T-Mobile finds itself in the unenviable position of providing a teaching moment thanks to its third data breach since December 2020 and its second data breach since February 2021. The nation’s third-largest mobile telecom provider did not know it had been breached until a cybercriminal posted customer information stolen from T-Mobile in an identity marketplace used by identity thieves. 

Cybersecurity researchers claim as many as 100 million current, past and prospective customers may be impacted by the T-Mobile data compromise. T-Mobile has confirmed the personal information of 47 million people has been compromised, including customers’ first and last names, dates of birth, SSNs and driver’s license/identity information in some instances. 

T-Mobile customers can visit the carrier’s website t-mobile.com to learn more about the company’s actions to help victims of the breach. 

What Should You Do to Protect Yourself After the T-Mobile Data Compromise? 

What should you do if you are a T-Mobile customer? Actually, it doesn’t matter if you are a T-Mobile customer or not. Here are some actions that everyone should take to help protect their personal information today and after a data breach:  

  1. Do not ignore data breach notices. There are a lot of them. However, there are usually important action steps in the notices, like how to activate free identity protection services. 
  1. Freeze your creditCredit monitoring is helpful, but it offers no protection. It tells you what happened, but it doesn’t stop anything from happening. To protect yourself, freeze your credit. It’s free, easy and doesn’t impact your credit. 
  1. Change your passwords and PIN numbers to make sure you do not use the same passwords or PINs on more than one account. Make sure the password is long, at least 12 characters, and is something you can remember. You can also use a password manager to generate and keep track of your credentials. Cybercriminals love it when we reuse passwords on more than one account. 
  1. Use multi-factor authentication (MFA or 2FA) on all your accounts that offer it. If possible, use an authentication app rather than have a code sent by text to your phone. Authentication apps are available for free from Microsoft, Google and other software providers. 
  1. If you are a business, make sure you don’t collect more personal information than you need. Don’t keep it longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Make sure you offer MFA for your customers’ and prospects’ protection, too. 

Contact the ITRC 

You can always call us at the ITRC if you have questions about what you should do if you receive a data breach notice or hear about a breach in the media, like the T-Mobile data compromise. Just visit www.idtheftcenter.org, where you’ll find helpful tips. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).  

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown

  • A recent GEICO data breach led to fraudsters gaining access to nearly 132,000 GEICO customer’s driver’s license numbers. GEICO says they believe threat actors could use the information to apply for unemployment benefits fraudulently.
  • The Pennsylvania Department of Health’s third-party contact tracing vendor, Insight Global, failed to secure phone numbers, email addresses and personal information like gender, age, sexual orientation, COVID-19 diagnosis and exposure status of more than 72,000 Pennsylvania residents. Third-party breaches continue to be a growing trend.
  • Like the Pennsylvania Department of Health, ParkMobile Parking App also suffered a supply chain attack. The ParkMobile data incident exposed the non-sensitive information of 21 million users, putting them at risk of falling victim to social engineering.
  • For more information about April data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable April Data Breaches

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in April, three stand out: GEICO, Pennsylvania Department of Health and the ParkMobile Group. All three data events are notable for unique reasons. In one, the company is very detailed in how criminals are misusing the information and what people should look out for; another event includes a contact tracing service failing to secure the private information of some residents in Pennsylvania – re-affirming a trend identified by the ITRC; the third compromise led to the exposure of data for 21 million people – stemming from a supply chain attack.

GEICO

A security bug led to threat actors stealing personally identifiable information (PII) from approximately 132,000 GEICO customers between January 21 and March 1. According to the GEICO data breach notice, fraudsters used the information they acquired about customers elsewhere to obtain unauthorized access to people’s driver’s license numbers through the online sales system of their website. GEICO says that they believe the information from the breach could be used to apply for unemployment benefits fraudulently. Unemployment benefits fraud continues to impact consumers all over the U.S. There could be over $200 billion lost to the fraud. The ITRC has received over 1,400 cases of unemployment benefits fraud in 2020 and 2021, compared to only 12 cases in 2019.

The GEICO data breach is notable because the insurance company is very detailed in how the information could be used and what people need to keep an eye on. It is not often the ITRC sees this level of detail in a data breach notice.

Pennsylvania Department of Health

Insight Global, a company that has provided COVID-19 contact tracing services for the Pennsylvania Department of Health since 2020, failed to secure the private information of more than 72,000 people.  According to WSKG, a health department spokesman said they recently learned workers at Insight Global disregarded security protocols established in the contract and created unauthorized documents outside the state’s secure data system.

The information exposed in the Pennsylvania Department of Health data compromise includes phone numbers, email addresses and personal information such as gender, age, sexual orientation, COVID-19 diagnosis and exposure status. The Pennsylvania Department of Health does not know how many people may have viewed or downloaded the documents. Officials say notifications will be mailed to all affected Pennsylvania residents.

The Pennsylvania Department of Health data compromise is the latest third-party exposure to occur. According to the ITRC’s Q1 2021 Data Breach Report, there’s been a 42 percent increase in supply chain attacks, including 27 at third-party vendors impacting 137 U.S. organizations, and 19 supply chain attacks in Q4 2020.

ParkMobile Group

The parking app, ParkMobile, also suffered a data compromise due to a vulnerability in third-party software, affecting 21 million people. According to the ParkMobile notification letter, they became aware of the vulnerability and launched an investigation, which is still ongoing. Information exposed includes license plate numbers, email addresses, phone numbers, mailing addresses and vehicle nicknames. According to KrebsOnSecurity, the data appeared for sale on a Russian-language crime forum.

Anyone who uses the ParkMobile parking app, used by cities and universities across the U.S., could be at risk of falling victim to social engineering. While no sensitive information was exposed, if hackers get enough information about people, they can put all of the information they have gathered together to commit identity fraud.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the company. The ITRC recommends immediately changing your password by switching to a 12+-character passphrase, changing the passwords of other accounts with the same password as the breached account, considering using a password manager and keeping an eye out for phishing attempts claiming to be from the breached company.  

GEICO encourages its customers to check their account statements and credit reports regularly for any suspicious activity.

The Pennsylvania Department of Health has set up a hotline (855.535.1787) for those concerned about the security of their information.

notified

For more information about April data breaches, or other data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers. 

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.    

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. 

  • When doing your spring cleaning, consider making a digital spring-cleaning checklist. It is more important than ever in today’s digital-first society.
  • Digital spring-cleaning tips include backing up your information, deleting unused apps, reviewing all of your passwords (and making changes if needed), and checking your social media privacy settings.
  • It is also a good idea to delete or archive old emails, especially with sensitive information.
  • If you would like to learn more or believe you are a victim of identity theft, contact the Identity Theft Resource Center. You can check out our latest resources or speak to an expert advisor toll-free by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

Everyone looks forward to the spring! The weather changes, the flowers and landscape start to bloom, and people clean out clutter they don’t need before the summer arrives. While spring cleaning may make you feel good and productive, it is also a great way to minimize the risk of identity theft. With the move to a digital-first society, digital spring cleaning and having a digital spring-cleaning checklist is more important than ever. A few basic digital spring-cleaning steps could help keep one’s identity information out of a criminal’s hands.

Before You Begin

There are digital spring-cleaning steps to take before you have to deal with clutter. One possible vulnerability is your email inbox. Adopt the habit of not just deleting unwanted emails, but actively unsubscribing from them. To do that, open the email, scroll down and click “unsubscribe.” Do not follow these steps for emails that appear to be scam attempts. If you click on a malicious link, it can redirect you to harmful websites or install malicious software on your computer. Instead, you should avoid links or attachments in unsolicited messages and block the sender.

One other thing you can do is update your contact information. Review all of your contact information to ensure it is up-to-date and you are not missing any essential information. Once you take these steps, you can begin on your digital spring-cleaning checklist.

Digital Spring-Cleaning Checklist

Your digital identity becomes more important every day as the world moves to a digital-first model. However, the same principles behind decluttering your physical world can help you in the virtual space. Here are some digital spring-cleaning checklist tips to digitally declutter:

  1. Backup your information– No matter how safe and secure you are, you might need to recover old data in the future. Creating automatic backups is a good idea. Consider investing in an external hard drive or cloud-based storage subscription to store and protect the things you want to keep.
  2. Delete unused programs and apps– Take a look at all of the apps on your devices and figure out which ones you are not using. Delete unused apps or programs on the devices. This step is a good idea because some apps require large amounts of storage, can slow the device down, and most importantly, can introduce new vulnerabilities. The fewer apps and programs you have, the more secure your device and personal information will be.
  3. Review your passwords– Check the passwords for all of your accounts to ensure there are no duplicates (especially between work accounts and personal accounts). Also, make sure you use a strong and unique 12+ character passphrase for each account. They are easier to remember and harder to crack. If you cannot remember all of your passwords, consider investing in a password manager to store all of your passwords. Finally, if possible, enable multifactor authentication (MFA) on all of your accounts. The app version is better than the SMS version because scammers can create fake MFA SMS text messages.
  4. Update all of your apps and settings– When going through your digital spring-cleaning checklist, it is important to keep apps, programs and devices up-to-date on all software. The device will run faster, and it will lead to increased privacy, which will make it more difficult for someone to hack into them. It is also a good idea to enable automatic updates when possible.
  5. Look at the permissions you allow– Pay attention to the permissions you allow the mobile apps on your device because third-parties could be tracking information about you that you might not realize. If they aren’t actively using the collected data, they may still be storing it, leaving your personal information vulnerable to cyberattacks should the third-party fall victim to a data compromise.
  6. Review plugins and add-ons in your browser- Review the permission settings of the plugins and add-ons to make sure you are not sharing too much information. If you are not using a particular plugin or add-on anymore, delete it.
  7. Review your social media privacy settings– Check your privacy settings on all of your social media accounts to ensure you are not oversharing information with people you do not know. If criminals get a hold of enough information about you, your family and your friends, they can connect enough dots to commit scams based around social engineering.
  8. Clean out your email– Get rid of any unnecessary emails in your inbox, especially emails that contain personal information.

Other Digital Spring-Cleaning Tips

There are a few more spring-cleaning tips for people to follow:

  • While doing your spring cleaning, if there are important documents you might need later, you can photograph or scan them, and then store the originals in a secure space like a safe or bank safety deposit box.  
  • While you’re cleaning your email inbox, take a moment to destroy any paper documents you no longer need, especially those records with personal information.
  • It is also a good idea to organize your digital files. While it is time-consuming, it will make more space available for the most important things that need to be stored on your devices.

Contact the ITRC

If you have more questions about digital spring cleaning, a digital spring-cleaning checklist, or if you believe you are a victim of identity theft, contact us. You can chat with an expert advisor toll-free by phone (888.400.5530) or live-chat. You can also check out our latest resources. Just go to www.idtheftcenter.org to get started.

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • The list for the most common passwords in 2020 is out, released by cybersecurity firm NordPass. The three most common passwords of 2020 are 12345, 123456789 and picture1.  
  • Weak passwords continue to be a security issue. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches
  • To strengthen password security, consumers should change their password to a passphrase, never reuse a password (consider a password manager), use two-factor authentication when possible and never use work passwords at home (and vice versa). 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM
  • For more information on how to upgrade your password, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our  Weekly Breach Breakdown Podcast. This week, we will look at one of the behaviors that are increasingly at the foundation of many, if not most, data compromises in 2020: weak passwords

Why Passwords are Important 

As ITRC Chief Operating Officer James Lee mentions in the podcast, like the Porter outside Macbeth’s castle, passwords are designed to allow entry to our personal and work castles. Passwords protect the devices that are home to the applications and data we use and create.  

Passwords in the 1980s and 1990s 

People have been protecting passwords since the 1980s. The first passwords were simple, and most people only needed one. Maybe the password was assigned to someone at work, so they used the same one at home; that is if there was a computer at home. People were told never to write down their password.  

Then came the internet in the mid-1990s, and suddenly there was a need for more passwords. People needed a password for their AOL or Earthlink account. Eventually, people had to add passwords to the handful of other online accounts they created. However, most people probably just used the same word or set of numbers that was their device login password. 

Passwords Today 

Fast forward to today, according to cybersecurity firm NordPass, the average person now has to manage a staggering 100 passwords, up 25 percent from 2019. The rise is due, in part, to the increase in online transactions during 2020 related to COVID-19.  

Most Common Passwords 

NordPass also publishes an annual list of the most common passwords, which also corresponds with the passwords cracked most often by professional data thieves. Here are the top 10 most common passwords of 2020 and how long it takes a cybercriminal to crack the password: 

  1. 12345 (takes less than one second to break) 
  1. 123456789 (takes less than one second to break) 
  1. picture1 (takes up to three hours to crack) 
  1. password ( takes less than one second to break) 
  1. 12345678 (takes less than one second to break) 
  1. 111111 (takes less than one second to break) 
  1. 123123 (takes less than one second to break) 
  1. 12345 (takes less than one second to break) 
  1. 1234567890 (takes less than a second to break) 
  1. Senha (the Portuguese word for password; takes 10 seconds to break) 

The Dangers of Weak Passwords 

Weak passwords allow cybercriminals to access systems and accounts easily. People use weak passwords because there are so many to remember, which also prompts people to use the same weak passwords on multiple accounts and use them at work and home. 

Here are a few statistics from earlier in 2020: 

What You Can Do to Avoid Weak Passwords 

The good news is that people can do many things to make sure they have strong passwords that will keep their accounts secure. Here are some tips: 

  • Change your password to a passphrase. Use a passphrase like a movie quote, a song lyric, or a favorite book title that is easy to remember and at least 12 characters long. It would take a cybercriminal 300 years to crack a 12-character passphrase with upper and lower case letters. If you add a number, the passphrase will last 2,000 years.  
  • Never reuse your passwords, or passphrases since you just upgraded, right? If you have too many passwords to remember, use a password manager. If you want a free solution, many browsers offer a form of a built-in password manager. Safari and Firefox are two examples. 
  • Use two-factor authentication when it’s available. An authentication app like those offered by Microsoft and Google is best. However, even the two-factor authentication version that sends a code to you by text is better than no multi-factor authentication. 
  • Never use your work password at home, or vice versa. Stolen work credentials are one way cybercriminals use to get the access they need to launch ransomware attacks against companies.  

notifiedTM   

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC  

If you have questions about how to upgrade your password to protect your information from data breaches and exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics. If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

By Identity Theft Resource Center CEO, Eva Velasquez & Synchrony CISO, Gleb Reznik

The 2020 holiday season will certainly be one of the most unusual ones we have seen, thanks to the biggest holiday shopping trend – a dramatic shift in online transactions prompted by the COVID-19 pandemic. Online shopping involves non-cash transactions using digital payment methods. While the most obvious are debit and credit cards, there are also peer-to-peer payment apps, digital wallets and online versions of contactless payments like Apple Pay and Google Pay.

There is a truism in cybercrime as there is in bank robbery: thieves go where the money is. There are many opportunities for bad actors to take advantage of consumers and businesses during the shopping season. We expect the identity thieves will look to take advantage of the rise in online shopping.

Tune in to our latest podcast

Historic and Current Holiday Shopping Trends

Holiday shopping has always been a busy time for consumers. Last year, there was an estimated $1.1 trillion spent on the shopping frenzy.

According to the Better Business Bureau (BBB), approximately 65 percent of consumers shopped online during the holidays in 2019.

Online retailers have seen sales grow steadily over the years. According to the U.S. Department of Commerce, sales have risen between one to two percent each year.

Online Holiday Shopping Trends So Far in the 2020 Holiday Season

With all of that said, 2020 looks to be a watershed year. In just the first ten days of the holiday shopping season, U.S. consumers spent $21.7 billion online, a 21 percent year-over-year increase, according to Adobe Analytics.

There is no surprise in this online holiday shopping trend. The same Adobe Analytics report shows 63 percent of consumers are avoiding stores and buying more online, with health concerns due to the pandemic driving the decision for 81 percent of shoppers.

Advice for Consumers

  • Have strong password management – If someone has strong password management, an identity thief will not be able to access multiple accounts if they gain access to one account with stolen credentials from a scam or shoulder surfing. It is especially important to ignore “customer service representatives” who call about online orders or accounts. At the Identity Theft Resource Center (ITRC), we recommend using at least a twelve-digit passphrase because they are easier to remember and harder for an identity thief to crack.
  • Beware of phishing emails with emotional triggers – People should keep an eye out for shopping discounts sent to their phones claiming huge store discounts if they download an app and enter their credit card information. Another popular phishing email is package tracking scams that offer to track someone’s packages after making their purchase with a link to open or download. No one should ever click on a link, attachment or file from an unknown email because that is how scammers strike with malware, ransomware and steal people’s personal information.
  • Use credit cards and not debit cards – Credit cards provide more protection than debit cards. One of the biggest reasons is because debit cards are linked with bank accounts. If an identity thief compromises a debit card, the victim’s bank account can be immediately drained of all available funds. It may take time to restore the stolen funds, leaving the cardholder without access to the money.
  • Shop on secure websites – People need to do their homework before providing any of their payment information or other data. Consumers can check a business’s reputation at third party review organizations like the BBB and Yelp. Using search terms like “Scam” or “Complaints” along with the website or company name can give someone insight into the experience of other customers. 
  • Do not use public Wi-Fi – No one should ever use public Wi-Fi to check their bank account information or to make purchases. Some public Wi-Fi connections are not secure, and a hacker could have the ability to position themselves between the user and the connection point to steal their data. If someone wants to use public Wi-Fi to kill time while in the store or to check on products they want to buy, they need to avoid entering any personal information.

Advice for Businesses

  • Secure your information – Businesses need to take all of the necessary steps to ensure customers’ personal information is secure. It starts by making sure all systems are protected with properly configured cybersecurity tools. Time and time again, we see businesses and technology providers fail to configure passwords, resulting in exposed sensitive data for anyone to see online.
  • Have security software – Businesses need to protect their networks from cyberattacks. If a system does not have appropriate security software like network and application firewalls, malware protection and a program to patch known security flaws, identity thieves will steal whatever customer and company information they want.
  • Talk to the employees about online security – A business can have all the security measures in place, but it does not matter if employees click on links in phishing schemes. Company executives and cybersecurity teams should talk to employees about security, so they do not end up being their weakest link.

What the Post-Pandemic Marketplace Will Look Like

While many things are uncertain about our post-pandemic world, one safe bet is that online holiday shopping will continue to rise. Statistics show online shopping was already on the rise before COVID-19. With the even bigger surge during the pandemic, it will force businesses to get serious, if they are not already, about e-commerce and a digital-first model. In a sense, every day could be Black Friday!

For more information on online shopping during the holiday season or online holiday shopping trends, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

Also, download the free ID Theft Help app, which has access to resources, a case log for an identity theft resolution process and much more.

Synchrony is a proud financial sponsor of the Identity Theft Resource Center.