Posts

  • The one-year anniversary of the California Consumer Privacy Act (CCPA) and CCPA enforcement has come. According to the California Attorney General (AG), 75 percent of complaints were resolved within 30 days. The other 25 percent are still within the 30-day grace period or are still under investigation.
  • The California AG’s report also includes 27 examples of complaints and what companies did to fix the potential violations.
  • California also released a tool that will make it easier for consumers to file complaints about businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Right Tool

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 23, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the California Consumer Privacy Act (CCPA), the state law that gives consumers a way to push back against data breaches, and the one-year anniversary of CCPA enforcement.

I’m sure most of us have heard a parent or mentor say at one time or another, “You need the right tool for the right job.” When it comes to protecting privacy and personal information, the Mac-Daddy of protection tools is the CCPA.

New Statistics Released About CCPA Enforcement

California Attorney General (AG) Rob Bonta recently published statistics about the number of complaints his office has received alleging CCPA violations, including some examples. Seventy-five (75) percent of the complaints were resolved within the 30 days the law gives a business to comply once they are notified of a potential violation. The other 25 percent are still within the 30-day grace period or are still under investigation.

The most interesting part of the AG’s report is the 27 examples of complaints and what companies did to fix the potential violations. Notices to cure have been issued to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. Some businesses prompted hundreds of CCPA enforcement complaints, while others generated millions.

Potential violations that have been cured include:

  • A business that manufactures and sells cars failed to notify consumers of how personal information was used as part of a vehicle test drive in addition to other omissions in its privacy policy. 
  • A grocery chain required consumers to provide personal information in exchange for participation in its company loyalty programs. The company did not provide a Notice of Financial Incentive to participating consumers.
  • A social media app was not timely responding to CCPA requests, and users publicly complained that they were not receiving notice that their CCPA requests had been received or acted on. 
  • An online dating platform that collected and sold personal information did not have a “Do Not Sell My Personal Information” link on its homepage or adequately explain its data-sharing practices.

Tool Released to Make It Easier for California Residents to File Complaints

AG Bonta also released a tool that makes it easy for California residents to directly complain to a business that does not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website’s homepage. That’s required by the CCPA, and the direct consumer complaints can trigger the process that can lead to CCPA enforcement action by the state AG.

More tools that allow consumers to help police the CCPA’s provisions, including damages paid directly to consumers for certain data breaches, may be offered in the future.

Contact the ITRC

If you have questions about CCPA enforcement, or how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST).

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • Advanced child tax credit payments are being sent by the Internal Revenue Service (IRS) as part of the American Rescue Plan. However, scammers may try to take advantage of the funds with child tax credit scams.
  • The IRS will not call, text, email or message you about a child tax credit. If you receive an unsolicited message, it is a scam.
  • To avoid a child tax credit scam, do not respond to any unsolicited messages or click on any unknown links or attachments. Also, report the fraudulent activity to the Federal Trade Commission (FTC) by emailing reportfraud@ftc.gov and the IRS by calling 800.829.4933.
  • For more information on the child tax credit, who is eligible, how to submit your information and more, click here.
  • If you believe you are the victim of a child tax credit scam or another form of identity theft, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

The Internal Revenue Service (IRS) has sent approximately $15 billion to around 35 million families eligible for the advanced child tax credit. With the process underway, parents should look out for child tax credit scams. No eligible taxpayer has to do anything to receive the money, but criminals may try to say otherwise.

What You Need to Know About the Advanced Child Tax Credit

The advanced child tax credit was included in the American Rescue Plan, and it provides $250 to $300 per month per child to most families from July through December 2021. The IRS is paying half the total credit amount in advance monthly payments. The payments will come via direct deposit, paper check or debit card (more than 85 percent of the funds have been sent by direct deposit). Parents will claim the other half when they file their 2021 income tax return.

The IRS urges taxpayers who usually aren’t required to file federal income tax returns to file a return if they are eligible for Economic Impact Payments or advance payments of the Child Tax Credit. Learn more from the IRS about the advanced child tax credit, who is eligible, how to submit your information and much more.

Child Tax Credit Scams

Criminals are aware of the payments and will likely launch child tax credit scams. Criminals may impersonate IRS representatives just to steal your personally identifiable information (PII) like a Social Security number or bank account information. PII can be used to pose as you on the IRS website and reroute your money to the cybercriminals.  

The ITRC’s CEO Eva Velasquez recently told NerdWallet: “Do not rely on incoming communications. If you didn’t initiate the contact, don’t engage. Caller I.D. cannot be trusted; even if a government agency’s name is listed, thieves may have originated the call and spoofed the caller I.D. display.”

What Should You Do?

The IRS says parents do not have to take any action to receive the advanced child tax credit funds. If you want to opt-out of the IRS payments or change your information, you can do that at www.irs.gov. Here are other tips on how to avoid an advanced child tax credit scam:

  • Don’t respond to unsolicited communication. The IRS will not call, text, email or message you. If you receive a message claiming to be from the IRS, ignore it. The IRS will mail you anything that is legitimate, and there are ways you can make sure it is from the Service.
  • Don’t click on any unknown links. If you receive a message claiming to be from the IRS, it is important not to click on any links or attachments because they could be malicious and used to steal your personal information. They could also lead you to a fraudulent website that asks you to input sensitive PII.
  • Know who is supposed to receive the check. If you share custody of a child, make sure you know who is supposed to receive the check because sometimes a “missing” check has actually been delivered.
  • Report child tax credit scams and fraud. If someone tries to take advantage of you with a child tax credit scam, you can report it to the Federal Trade Commission (FTC) by emailing reportfraud@ftc.gov. If you believe someone stole the check from your mailbox, contact the IRS (800.829.4933) because they can trace the check and replace the money.
  • Track your check. If it is mailed to you, go to www.USPS.com and sign up for Informed Delivery, which emails you photos of your mail before it is delivered. When your check is expected, pick up your mail or have someone do it for you as quickly as possible to avoid a repeat of earlier problems with government check deliveries.

Contact the ITRC

For more information on child tax credit payments, or if you believe you were the victim of a child tax credit scam, contact us. You can speak with an expert advisor at no cost by phone (888.400.5530) or live-chat on the company website. Just visit www.idtheftcenter.org to get started.

  • Did you recently receive a phone call claiming to be from the U.S. Department of Homeland Security (DHS)? Homeland Security phone scams are making the rounds, leaving some people in a panic.
  • In the Homeland Security scam phone calls, criminals are impersonating both Homeland Security Investigations Office agents and U.S. Customs and Border Protection (CBP) agents. One scam threatens people with warrants and investigations if they do not give up either money or personal information. Another scam claims cash and drugs were intercepted with your name on it and asks for banking information.
  • If you receive a threatening phone call from a Homeland Security Investigations agent or an unsolicited call from a CBP agent, you should hang up because it is probably a Homeland Security phone scam. DHS will never call anyone with demands or requests for sensitive information. Instead, report the call to DHS and the Federal Trade Commission.
  • If you want to learn more, believe you are the victim of a phone scam, or if you have been receiving Homeland Security scam phone calls, contact the Identity Theft Resource Center (ITRC) at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

The Department of Homeland Security (DHS) is usually the agency issuing a fraud alert informing the public about the latest scams, like DHS giving a new warning about immigration scams from the Department’s Ombudsman office. However, now criminals are trying to get your money and personal information by impersonating Homeland Security agents, particularly in the Philadelphia and Miami areas. DHS officials say the calls are part of a Homeland Security phone scam and are intended to frighten people. DHS agents will never call you unsolicited.

Who are the Targets?

Phone users; Non-U.S. citizens

What is the Scam?

Identity criminals impersonate agents from the DHS Investigations Office and the U.S. Customs and Border Protection (CBP). In one Homeland Security phone scam, criminals threaten you with arrest or an investigation if you do not provide payment in the form of “immigration bonds” or sensitive information. Other Homeland Security scam phone calls have a pre-recorded message that says, “a box of drugs and money being shipped has your (caller’s) name on it, and it has been intercepted.” They then instruct the caller to press #1 to speak with a CBP agent, attempting to get the caller’s banking information.  

What They Want

Scammers hope to steal either money or personal information. The personal information and bank account information can be used to commit an array of different identity crimes in your name.

How to Avoid Being Scammed

  • The DHS Investigations Office will never call you with demands like those included in the current scams. If you receive a threatening call, hang up because it is a Homeland Security phone scam. Do not give them any money or personal information.
  • Also, DHS Investigations and CBP do not solicit money over the phone. If you get a call like that, note the number, any other pertinent details about the call and then hang up.
  • If you receive Homeland Security scam phone calls, report them to the DHS Investigations Field Office or the CBP, even if you did not fall for the scam. Phone scams can also be reported to the Federal Trade Commission online at reportfraud.ftc.gov/.

To learn more about Homeland Security scam phone calls, or if you believe you were the victim of a phone scam, contact the ITRC toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

  • According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly reported. We report 1) data compromises, which include data breaches and data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think information scraped from social media sites that is sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compare to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Businesses are re-hiring team members after COVID-19 lockdowns. However, the Identity Theft Resource Center (ITRC) is also seeing a rise in online job scams, particularly mystery shopper scams. The ITRC has seen a 250 percent increase in mystery shopper scams from June to July.
  • Job scams are not uncommon. According to the FBI’s Internet Crime Complaint Center (IC3), 16,012 people reported being victims of employment scams in 2020, with losses totaling more than $59 million.
  • Law enforcement agencies across the country are also seeing the rise. The St. Martin Parish Sheriff’s Office in Louisiana is asking its citizens to be on the lookout for online job scams. The FBI wants people to watch for fake job listings.
  • To avoid a job scam, only use a reputable website for employment opportunities, be careful how much personal information you share and don’t pay upfront costs.
  • To learn more about online job scams, contact the ITRC toll-free by phone (888.400.5530) or live-chat by visiting www.idtheftcenter.org.

Updated 7/21/2021: With many people vaccinated for COVID-19, most businesses are reopening and rehiring team members. Criminals are also looking to take advantage of the surge in hiring. The Identity Theft Resource Center (ITRC) has seen a rise in the number of online job scam reports to its contact center, particularly mystery shopper scams. In fact, the ITRC has seen a 250 percent increase in mystery shopper scams from June 2021 to July 2021.

The ITRC is not the only organization to see the job scam uptick. The St. Martin Parish Sheriff’s Office in Louisiana is urging its citizens to be on the lookout for online job scams. The FBI wants people to keep an eye out for fake job listings.

Work-From-Home Job Scams

While vaccinations are on the rise, the pandemic is still ongoing, meaning many people are still looking for jobs where they can work from their homes. According to the Federal Trade Commission (FTC), criminals are aware of this and are posting the “perfect” work-from-home jobs, claiming you can be your own boss and set your schedule. They claim you can make a lot of money in a short amount of time and with little effort.

Mystery Shopper Scams

Mystery shopping has been around for a long time. Mystery shoppers help businesses, retailers and restaurants get information on the quality of their stores in exchange for money. In the past, scammers have found ways to turn the service into a mystery shopper scam, also known as a secret shopper scam. The ITRC saw a spike in 2020, and is seeing a rise again. There are different forms of mystery shopping scams. Click here to learn more.

Tips to Avoid an Online Job Scam

According to the FBI’s Internet Crime Complaint Center (IC3), 16,012 people reported being victims of employment scams in 2020, with losses totaling more than $59 million. While you are looking for the right job, there are a few things to remember:

  • Know the source of the job listing and only use reputable websites to find employment opportunities. This will require you to do some research. Look online for independent sources of information. While the company’s website or advertisement may show testimonials or reviews from satisfied employees, they could still be fake. Instead, you should search the name of the company or the person who’s hiring you and add a word like “scam,” “review” or “complaint.” Searching for “Acme Co Scams” will give you search results that show if the company is legitimate and if it has been associated with fraud. You will often see what other employees and customers think of the would-be employer.
  • If it seems too good to be true, it probably is. Be mindful of unsolicited emails and offers with outrageous claims, such as “Earn $3,000 a week working from home.”
  • Once you find a job posting, be careful how much personal information you share, at least during the application period. If a company claims they want to do a phone, Skype or Zoom interview due to social distancing and safety, that’s okay. However, it does not mean you should turn over sensitive personal information like your Social Security number (SSN) until you have been given a job offer contingent on passing a background check (which requires an SSN). Also, before you accept an offer or send a potential employer your personal information, run the job offer or posting by someone you trust.
  • Legitimate jobs don’t usually require any upfront fees or costs. Even things like company uniforms or specialized equipment like steel-toed shoes are often deducted from the first paycheck or purchased by the employee through an outside company. Typically, a form of payment is not requested. If an employer asks for a finder’s fee, administrative fee, background check fee or other funds, it is probably a scam. Even for legitimate actions like submitting a bank account number and routing number for direct depositing of paychecks, it’s vital to ensure the company is legitimate and the job has already been awarded before submitting the information. Also, don’t pay for the promise of a job. Only scammers will ask you to pay to get a job.
  • Don’t send money to your new boss. If a potential employer or new boss sends you a check, asks you to deposit it and then buy gift cards, it is a scam. While the check may look like it cleared and the funds look available in your account, the check is still fake and you will be responsible for any purchases.
  • Never pay to be a mystery shopper. Don’t wire money or send a “deposit” via PayPal, Venmo or Zelle. Also, to avoid a mystery shopper scam, cash the check at an issuing bank or wait until the money has not just posted but cleared the other account. If the check is not good, the victim can return the cash into their account.

Contact the ITRC

There are many different job scams, particularly online job scams. If you have questions, want to learn more or if you believe you were the victim of an online job scam, contact us. You can speak with an expert advisor by phone (888.400.5530) or live-chat. Just visit www.idtheftcenter.org to get started.

  • Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, are becoming more popular. Their use was up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
  • API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
  • To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Programming Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm Salt Security:

  • Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
  • Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
  • Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
  • One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started. 

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • With data breaches on the rise over the last 30 to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach that impacted 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software, allowing other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt-out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting the rise in data breaches over the past 30 days, one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMobile, a third-party software issue exposed users’ personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual number, based on early downloads of the iOS update, is 96 percent of users saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, about the rise in data breaches or about the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.