Posts

In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the organization is smaller, with fewer security measures than the companies they serve.  

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

The release of the 2020 ITRC Data Breach Report and launch of the ITRC’s data breach tracking tool supports the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices.

SAN DIEGO, January 13, 2021- Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, announces its commitment to Data Privacy Day on January 28, 2021. The ITRC recognizes and supports the principle that all organizations share the responsibility of being conscientious stewards of personal information.

The ITRC will unveil the 15th annual edition of the ITRC Data Breach Report on January 28, 2021. One of the most widely quoted reports on data breach trends, the report will also explore the fundamental shifts underway in the root causes of identity-related crimes. The release of the 2020 ITRC Data Breach Report coincides with the launch of the ITRC’s new data breach tracking tool, notifiedTM, to assist consumers and businesses in making informed decisions about with whom they do business. Landmark state privacy and security laws, like the California Privacy Rights Act, require businesses to ensure third-party vendors’ cybersecurity processes protect consumer information.

“The ITRC is honored to take part in Data Privacy Day 2021 and to bring awareness to the importance of people and businesses taking action to protect personal and company information,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “We want individuals to value protecting their own data and for businesses to keep people’s personal information safe. Likewise, our latest trend analysis shows that consumers have a big role to play in protecting their employer’s valuable business data and systems. It is critical that everyone take part in reducing the number of data compromises moving forward.”

Data Privacy Day is a global effort that generates awareness about the importance of privacy, highlights easy ways to protect personal information, and reminds organizations that privacy is good for business. This year, the focus is on encouraging individuals to “Own Your Privacy” by learning more about how to protect the valuable data that is online, and encouraging businesses to “Respect Privacy” by helping organizations keep individuals’ personal information safe while ensuring fair, relevant and legitimate data collection and processing practices.

According to a Pew Research Center study, 79 percent of U.S. adults report being concerned about how companies use their data. As technology evolves and the COVID-19 pandemic continues to influence how consumers interact with businesses online, data collection practices are becoming increasingly unavoidable, making it imperative that companies act responsibly.

“In recent years, we’ve seen the impact of more global awareness surrounding the abuse of consumer data, thanks to sweeping privacy measures like GDPR and CPRA,” said Kelvin Coleman, Executive Director for the National Cyber Security Alliance. “While legislative backing is key to reinforcing accountability for poor data privacy practices, one major goal of Data Privacy Day is to build awareness among businesses about the benefits of an ethical approach to data privacy measures separate from legal boundaries.”

For more information about Data Privacy Day 2021 and how to get involved, visit https://staysafeonline.org/data-privacy-day/.

For more information on the ITRC’s 2020 Data Breach Report, email media@idtheftcenter.org.

About the Identity Theft Resource Center®  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notifiedTM.  

About Data Privacy Day

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. NCSA, the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness, leads the effort in North America each year. For more information, visit https://staysafeonline.org/data-privacy-day/.

About the National Cyber Security Alliance

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber: U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit https://staysafeonline.org.

Media Contact  

Identity Theft Resource Center  
Alex Achten   
Earned & Owned Media Specialist  
888.400.5530 Ext. 3611  
media@idtheftcenter.org  

  • A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notifiedTM.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 
https://soundcloud.com/idtheftcenter/the-weekly-breach-breakdown-podcast-by-itrc-second-verse-same-as-the-first-season-2-episode-1

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data and account passwords or PINs. An investigation is on-going.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice, State and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

*Originally posted December 2015. Updated as of December 14, 2020.

  • Facebook users have recently been receiving messages about winning a “Christmas bonus.” These messages are scams. 
  • The messages come from cloned accounts of one of the user’s real Facebook friends.  
  • If anyone receives a message about a Christmas bonus on Facebook, they should ignore it. If it comes from the Facebook page or someone they know, they should alert them that their Facebook has been hacked or cloned. People should also consider reporting it to Facebook.  
  • If anyone wants to learn more about the Facebook Christmas bonus scam or believes they are a victim, they should contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat on the company website. 
One user alerted others and pointed to the ITRC for free assistance

Facebook users have been targeted by scammers offering a “Christmas bonus” or a “Christmas Benefit.” The Identity Theft Resource Center (ITRC) has spotted multiple Facebook Christmas bonus scam posts warning others of the scam.      

Who is the Target 

Facebook users; social media profiles

What is the Scam 

Example of Christmas bonus

Facebook users receive messages from individuals in their contact lists about winning a “Christmas bonus.” The messages are coming from the cloned accounts of friends, and they state that the individual has won a Facebook Christmas Bonus Giveaway. The targeted victim is then directed to contact a “Facebook Agent,” who will send a message that the winning is a random contest sponsored by Powerball.

The scammers will then ask for personal information to deliver the winnings. They may also ask for a small “transfer fee” to transfer the money into the victim’s account. Once the victim gives them their money or their personal information, the scammers disappear and do not award the “bonus.” Facebook Christmas bonus scams can use various tactics from scam to scam. However, they all are after the same thing. 

“Christmas Bonus Cash Guarantee” Facebook page targeting vulnerable populations

What They Want 

Personal information or direct payment 

How You Can Avoid Being Scammed 

  • If you receive a Facebook message stating that you have won something, chances are it is a scam. Do not respond.  
  • Delete the message and inform your friend that their Facebook account might be hacked or cloned. 
  • Report the Facebook Christmas bonus scam to Facebook 

If you believe you are a victim of a Facebook Christmas bonus scam or would like to learn more, contact the ITRC Center toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.  

By Identity Theft Resource Center CEO, Eva Velasquez & Synchrony CISO, Gleb Reznik

The 2020 holiday season will certainly be one of the most unusual ones we have seen, thanks to the biggest holiday shopping trend – a dramatic shift in online transactions prompted by the COVID-19 pandemic. Online shopping involves non-cash transactions using digital payment methods. While the most obvious are debit and credit cards, there are also peer-to-peer payment apps, digital wallets and online versions of contactless payments like Apple Pay and Google Pay.

There is a truism in cybercrime as there is in bank robbery: thieves go where the money is. There are many opportunities for bad actors to take advantage of consumers and businesses during the shopping season. We expect the identity thieves will look to take advantage of the rise in online shopping.

Tune in to our latest podcast

Historic and Current Holiday Shopping Trends

Holiday shopping has always been a busy time for consumers. Last year, there was an estimated $1.1 trillion spent on the shopping frenzy.

According to the Better Business Bureau (BBB), approximately 65 percent of consumers shopped online during the holidays in 2019.

Online retailers have seen sales grow steadily over the years. According to the U.S. Department of Commerce, sales have risen between one to two percent each year.

Online Holiday Shopping Trends So Far in the 2020 Holiday Season

With all of that said, 2020 looks to be a watershed year. In just the first ten days of the holiday shopping season, U.S. consumers spent $21.7 billion online, a 21 percent year-over-year increase, according to Adobe Analytics.

There is no surprise in this online holiday shopping trend. The same Adobe Analytics report shows 63 percent of consumers are avoiding stores and buying more online, with health concerns due to the pandemic driving the decision for 81 percent of shoppers.

Advice for Consumers

  • Have strong password management – If someone has strong password management, an identity thief will not be able to access multiple accounts if they gain access to one account with stolen credentials from a scam or shoulder surfing. It is especially important to ignore “customer service representatives” who call about online orders or accounts. At the Identity Theft Resource Center (ITRC), we recommend using at least a twelve-digit passphrase because they are easier to remember and harder for an identity thief to crack.
  • Beware of phishing emails with emotional triggers – People should keep an eye out for shopping discounts sent to their phones claiming huge store discounts if they download an app and enter their credit card information. Another popular phishing email is package tracking scams that offer to track someone’s packages after making their purchase with a link to open or download. No one should ever click on a link, attachment or file from an unknown email because that is how scammers strike with malware, ransomware and steal people’s personal information.
  • Use credit cards and not debit cards – Credit cards provide more protection than debit cards. One of the biggest reasons is because debit cards are linked with bank accounts. If an identity thief compromises a debit card, the victim’s bank account can be immediately drained of all available funds. It may take time to restore the stolen funds, leaving the cardholder without access to the money.
  • Shop on secure websites – People need to do their homework before providing any of their payment information or other data. Consumers can check a business’s reputation at third party review organizations like the BBB and Yelp. Using search terms like “Scam” or “Complaints” along with the website or company name can give someone insight into the experience of other customers. 
  • Do not use public Wi-Fi – No one should ever use public Wi-Fi to check their bank account information or to make purchases. Some public Wi-Fi connections are not secure, and a hacker could have the ability to position themselves between the user and the connection point to steal their data. If someone wants to use public Wi-Fi to kill time while in the store or to check on products they want to buy, they need to avoid entering any personal information.

Advice for Businesses

  • Secure your information – Businesses need to take all of the necessary steps to ensure customers’ personal information is secure. It starts by making sure all systems are protected with properly configured cybersecurity tools. Time and time again, we see businesses and technology providers fail to configure passwords, resulting in exposed sensitive data for anyone to see online.
  • Have security software – Businesses need to protect their networks from cyberattacks. If a system does not have appropriate security software like network and application firewalls, malware protection and a program to patch known security flaws, identity thieves will steal whatever customer and company information they want.
  • Talk to the employees about online security – A business can have all the security measures in place, but it does not matter if employees click on links in phishing schemes. Company executives and cybersecurity teams should talk to employees about security, so they do not end up being their weakest link.

What the Post-Pandemic Marketplace Will Look Like

While many things are uncertain about our post-pandemic world, one safe bet is that online holiday shopping will continue to rise. Statistics show online shopping was already on the rise before COVID-19. With the even bigger surge during the pandemic, it will force businesses to get serious, if they are not already, about e-commerce and a digital-first model. In a sense, every day could be Black Friday!

For more information on online shopping during the holiday season or online holiday shopping trends, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

Also, download the free ID Theft Help app, which has access to resources, a case log for an identity theft resolution process and much more.

Synchrony is a proud financial sponsor of the Identity Theft Resource Center.

  • Vertafore, a Denver based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise that exposed personal information to the risk of being stolen by a cybercriminal by not installing security on a cloud storage service.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records exposed has millions of people worried about how it could affect them.

Vertafore, a Denver based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, it was moved to a third-party cloud database with no security. The files included data before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records exposed has prompted consumers to ask questions about how their driver’s license and related data ends up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 

  • The software provider behind some of the largest travel websites, Prestige Software, maintained a cloud database without a password. The unsecured database led to approximately 10 million accounts being available to view online to anyone who knew where to look.  
  • Prestige Software provides technology services to Booking.com, Expedia, Hotels.com, Sabre and other hotel reservation websites around the world. Information included credit card details, payment details and reservation details dating back to 2013.  
  • While there is no evidence the exposed information is being misused, travel website users should change their passwords on their accounts (our experts suggest enacting a passphrase), add two-factor authentication, freeze their credit, monitor their bank statements for any unusual activity and keep an eye out for phishing attempts.  
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website. 
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notifiedTM

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at the all too frequent event in the world of data – unsecured databases. 

A Lack of Secure Online Databases 

In the context of data protection, repeating the same mistake can have significant consequences. It is why cybersecurity professionals tend to focus on preventing data breaches. That requires them to continually adapt their strategies and tactics to match those of the treat actors who are frequently attacking company systems.  

 Securing online databases continues to slip away from cybersecurity teams. The software provider behind some of the world’s largest travel websites maintained a cloud database without a password, leading to 10 million accounts being available online for access by anyone who knew where to look.  

Forensic researchers believe the available information dates back to 2013 and only relates to hotel reservations. While the information contained in the unsecured database could be used to commit several identity crimes and fraud, right now, there is no evidence the information has been copied and removed from the database. Also, right now, there are no reports of the data being used. 

Software Provider Behind Large Travel Websites Leaves Database Unsecured 

Prestige Software provides technology services to websites that many consumers may have used, including: 

  • Booking.com 
  • Expedia 
  • Hotels.com 
  • Sabre (The reservation system used by American Airlines) 
  • Other hotel reservation websites & mobile apps 

The cloud database was hosted in an Amazon Web Services (AWS) environment that included basic security protections. However, they were not configured. Prestige Software confirmed the database was open to the internet and is now secured.  

Information Exposed Due to Unsecure Prestige Software Database 

The information stored in the unsecured database included large amounts of personal information like full names, email addresses, national I.D. numbers and phone numbers of hotel guests. Additional information stored includes: 

Credit card details: card number, cardholder’s name, CVV and expiration date 

Payment details: total cost of hotel reservations 

Reservation details: reservation number, dates of a stay, the price paid per night, additional requests made by guests, number of people, guest names and much more 

What Impacted Consumers Need To Do 

Consumers who have used these travel websites should assume that any information they shared since 2013 is in the wild and available to be misused in identity crimes, fraud and phishing schemes. Consumers should act as if they have already received a breach notice due to the unsecured database and take the necessary steps to protect their personal information

  • Change your passwords on the travel accounts to a longer, memorable passphrase. Make sure it is unique to the account. Do not use the same passphrase on more than only one account because it helps the bad guys. 
  • Add two-factor authentication. 
  • Freeze your creditif you haven’t already, and monitor your credit card statements for unusual activity over the next few months. 
  • Keep an eye out for phishing attemptsespecially related to any websites affected by this breach or other travel-related websites. Remember, the best protection is to never click on unsolicited links. If you are unsure, contact the company directly.  

How It Impacts Prestige Software 

For the company, the impacts of the lapse in cybersecurity could be significant. Prestige Software is based in Spain and subject to the European Union’s strict privacy and cybersecurity law, known as the General Data Protection Regulation (GDPR). Companies found to have failed to protect consumer information are subject to significant fines up to four percent of their annual revenue.  

Also, companies that process credit cards are subject to self-regulations. The penalty for failing to comply with the Payment Card Industry (PCI) standards include, in some cases, a company losing the right to process debit and credit cards. It is surprising that we have to continue to remind companies of a simple fact: Companies are responsible for securing their cloud environments, not cloud platform providers like Amazon, IBM, Microsoft or any other cloud services companies. Cloud hosts will make basic tools available, but companies have to use them. Also, companies are still responsible for patching their applications and maintaining their advanced cybersecurity tools.  

notifiedTM  

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you have been affected by the Prestige Software database exposure and want to learn more or think you’re the victim of an identity crime, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Timberline, BankSight and MAXEX Headline the Most Notable Data Breaches in October

California Voters Pass Strongest Privacy Law in the U.S. – The California Privacy Rights Act (CPRA)

Reports Show Consumer Privacy and Cybersecurity Views Have Evolved