Posts

  • The Federal Emergency Management Agency (FEMA) reports that criminals are creating COVID-19 funeral scams. The announcement comes just days after the federal agency launched a new program to provide relief to the families of loved ones who died from COVID-19.
  • As part of the funeral scam, criminals contact people offering to register them for funeral assistance. Identity thieves are looking to steal money, as well as personal and financial information, to commit identity theft.
  • If you receive an unsolicited message offering to assist in registering for the program, you should contact FEMA directly. Also, you should never pay a fee or share personal information with anyone who sends an unsolicited message to obtain a government benefit on your behalf.
  • To report a funeral scam, call FEMA’s Helpline at 800.621.3362. To learn more, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at the company website www.idtheftcenter.org.

The Federal Emergency Management Agency (FEMA) is doing what it can to help the families of loved ones who died from COVID-19. However, due to criminals, everyone needs to be on the lookout for COVID-19 funeral scams.

FEMA started a program in mid-April that offers up to $9,000 in relief to help families cover the funeral expenses for those who passed after June 20, 2020, from COVID-19. However, criminals have found a way to take advantage of the newest program.

FEMA has sounded the alarm with a fraud alert. They have received reports of scammers reaching out to people by phone, email, and online, offering to register them for funeral assistance. However, FEMA says that is not how the program works.

The Identity Theft Resource Center (ITRC) has received more than 1,500 reports of identity fraud related to government benefits since the beginning of the pandemic.

Who are the Targets?

The families and friends of loved ones who died from COVID-19 who are applying for FEMA’s COVID-19 Funeral Assistance Program.

What is the Scam?

FEMA says criminals are contacting people and offering to register them for funeral assistance. However, the criminals are asking for “fees” and other options to “expedite the process” to register for funeral expenses.

According to FEMA, any efforts that charge fees to assist in the application process are scams. The application process begins when you call the agency’s Funeral Assistance Line at 844.684.6333. FEMA will not contact you about the program unless you have already contacted them.

What They Want

Scammers hope to make off with either money or your or your deceased loved one’s personal information, which they can use to commit an identity crime in your or your loved one’s name.

How to Avoid Being Scammed

  • If someone contacts you about the assistance program and you did not either apply or call FEMA directly, ignore it because it is a COVID-19 funeral scam. FEMA will not reach out until you either call them or apply for assistance.
  • Do not pay a fee for quicker service because that is another sign of a funeral scam. The government will not ask you to pay anything to get the FEMA benefits.
  • Do not provide your own or your deceased loved one’s personal or financial information to anyone based on an unsolicited call, text message, or email claiming to come from FEMA or another federal agency.
  • If you received a COVID-19 funeral scam call or email, report it to the FEMA Helpline at 800.621.3362.

Contact the ITRC

If you believe you are a victim of the COVID-19 funeral scam, received a suspicious message and want to know if it is a funeral scam, or want to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.   

  • A new Apple privacy update, iOS 14.5, lets consumers stop Apple apps from tracking them.
  • Unless someone gives permission to an app, it cannot use their data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.
  • If you do not want to be tracked by your Apple device, download Apple’s latest update (14.5), and select Settings > Privacy > Tracking, and toggle off Allow Apps to Request to Track. You can also decide on an app-by-app basis by selecting “Ask App Not to Track” or “Allow” once you download a new app.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

He Loves Me Not

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 30, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re going to focus on a seismic event in the data privacy world.

In Henry IV, Shakespeare’s play about taking action while others fail to act, Lady Percy says, “Some heavy business hath my lord in hand, And I must know it, else he loves me not.”

In this case, she’s referring to plans for a rebellion. However, in the context of this week’s episode, we’re talking about the new Apple privacy update, which gives consumers more control over their data as a substitute for privacy legislation. Later in the article, we will tell people how to take advantage of a new feature from the makers of the iPhone and iPad.

New Apple Privacy Update Feature

In an earlier episode, we talked about Apple’s controversial decision to add a built-in privacy feature that would block the ability of applications to track users. That data is used to serve ads to people, either by the app owner or by a third party that buys the information and uses it to target people with ads as they travel around the digital world.

Consumers Can Opt-Out of Being Tracked By their Apple Apps

Apple announced the new App Tracking Transparency feature in June 2020 to give app developers plenty of time to prepare for the change. And a big change it is. Unless someone gives permission to an app – including those made by Apple – it can’t use one’s data for targeted ads, share their location data with advertisers, or share their advertising identity or any other identifiers with third parties.

Many Privacy Experts & Consumer Advocates Favor the Change

Privacy experts and consumer advocates think the new Apple privacy update is a great step forward in giving people more direct control over their data, who has access to it, and how it is used. Advocates have long sought a shift in the U.S. to a more European privacy model where consumers must give their permission before personal information is collected and used.

From the beginning of the digital economy, the U.S. has built business models on a no-option basis. That means people have no choice but to surrender their personal information, which then becomes the property of the business, not them.

Thanks to a strong European privacy law that went into effect in 2018 – and several state laws and regulations in California, New York and Virginia – we are beginning to see the ability of consumers to “opt-out” of certain types of data collection and sales. That is to say consumers can tell a company to stop collecting, selling or sharing their information.

However, that approach is not universal since the U.S. has no national privacy law, and 48 of the 50 states have not passed specific data privacy laws. Enter the Apple privacy update that allows customers to block data collection.

What You Should Do If You Don’t Want to Be Tracked by Your Apple Device

If you don’t want to be tracked by your Apple devices, here’s what you need to do:

  • Download and install the new iOS version 14.5 on your iPhone or iPad.
  • Once you do that, you can block access on an à la carte basis. When you download a new app, you will be asked if you want to let the app track your activity. You can select “Ask App Not to Track” or “Allow” if you are okay with that application collecting and using your data.
  • You can also opt-out of app tracking across every app you download by going to Settings > Privacy > Tracking, and toggling off Allow Apps to Request to Track. That way, any new app will be automatically informed you have requested not to be tracked. Also, all apps (unless you’ve already permitted them to track you) will be blocked from accessing your device’s information used for advertising. 
  • For apps that you have already downloaded and agreed to allow tracking, you can still turn those permissions on or off on a per-app basis in your device settings. 

The Lasting Effects Are Still Unknown

Predictions on how the Apple privacy update will affect consumer behavior, data sales, and ad revenues range from “meh” to Chicken Little-level “the sky is falling.” We will revisit this topic once we know if we can go about our business or need a hard hat.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, or on the new Apple privacy update, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • Facebook and LinkedIn recently suffered data incidents that led to personal information like full names, emails and phone numbers being posted in identity marketplaces where cybercriminals buy and sell data.
  • While some have called the recent data leaks “data breaches,” technically and legally, they are not data breaches in the U.S. Rather, they involve a legitimate and legal technique called “scraping.”
  • Even though these events are not data breaches, the Identity Theft Resource Center (ITRC) is creating an additional category of identity data compromises called “data leaks” to keep track of and report these kinds of events.
  • The Facebook and LinkedIn data leaks serve as good reminders to never post information online that you wouldn’t want people you don’t know or trust to see.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Data Breaches, Exposures, and Leaks! Oh, My!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 23, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. In the movie version of The Wizard of Oz, Dorothy Gale of Kansas, along with the Scarecrow and Tin Man, are following the Yellow Brick Road through a dark and scary forest on their way to the Emerald City. They fear that wild animals are present as they chant “Lions…and Tigers…and Bears! Oh, my!” just before they meet the Cowardly Lion. Apply that principle to data security, and you get the title of today’s episode – “Data Breaches, Exposures, and Leaks! Oh, My!”

Facebook and LinkedIn’s Recent Data Leaks

People may have seen media coverage about the recent data leaks at Facebook and LinkedIn. Personal information like full names, emails and phone numbers posted to user profiles were found in the identity marketplaces where cybercriminals buy and sell data.

In the case of Facebook, which would be the third-largest country in the world behind China and India if it were a nation-state, the information on some half-a-billion people was exposed. Approximately 30 million live in the U.S. An even larger number of LinkedIn users were impacted by a similar event. To date, 837 million profiles have been exposed.

Facebook and LinkedIn Events Not Considered Data Breaches

These two recent data leaks have created quite the controversy in data privacy and security circles. People may have noticed that the ITRC has not referred to these events as data breaches. It’s because they technically and legally are not, at least under U.S. law. European Data Protection authorities have launched an investigation into both companies for potential violations of privacy laws. However, in the U.S., it’s a lot more complicated.

If you are a Facebook or LinkedIn user, you voluntarily provide the information posted to those and other social media websites. The companies try to limit the ability to copy users’ data. However, depending on how you configure your privacy settings, that information is, in fact, available for viewing by anyone. And if it can be seen, it can be misused.

Facebook and LinkedIn Suffered “Scraping”

There is a legitimate technique known as “scraping,” where companies copy large amounts of information that otherwise would require manual entry into a database. It is perfectly legal and typically involves getting permission and being transparent about how the data is used.

There are still some grey areas when it comes to private information being posted publicly on websites. In fact, there is a case pending before the U.S. Supreme Court directly on this question of copying information from LinkedIn. Lower courts have said publicly posted information is fair game for scraping even if LinkedIn’s terms and conditions say it is not.

Facebook and LinkedIn Events Fall Between the Cracks of Current Laws

What makes the recent data leaks at Facebook and LinkedIn so troubling is that they fall between the cracks of existing laws. If a criminal gained access to a company’s customer records that included names, addresses, phone numbers and email addresses, that would be a crime and considered a data breach.

Copying the same information posted voluntarily and publicly is not considered illegal today. Also, the current laws did not envision the ability to copy millions of unrelated records and combine them into a single database that could be used to commit identity fraud.

The ITRC to Create “Data Leak” Category of Identity Data Compromises

Even though these recent data leaks are not data breaches, the ITRC is creating an additional category of identity data compromises to keep track of and report these kinds of events. We’re going to call this new category “data leaks.”

It is also a good time to issue a reminder. Be careful what you post online. If you don’t want people you don’t know or trust to see your private information, don’t post it online.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach – like the recent data leaks – and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • The proper disposal of e-waste – old electronic devices that are no longer used – is a priority, particularly for protecting personal data. The Identity Theft Resource Center (ITRC) reported 78 data compromises in 2020 around “physical attacks”; 52 percent of them from device theft and improper disposal.
  • E-waste puts personal information at risk and can have environmental impacts, too. It is why individuals need to adopt good e-waste solutions by educating themselves on the issue, re-evaluating their needs for more electronics and safeguarding their information.
  • Most people do not know how to recycle e-waste. Individuals should reuse electronics, if possible, and donate their old devices to be recycled if not. When people get rid of old electronics, they should put all of the data on a backup system and then wipe the device clean of personal information.
  • For more information, or if you believe you are a victim of identity theft, contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

According to the Identity Theft Resource Center’s (ITRC) 2020 Data Breach Report, there were 78 “physical attacks” in 2020. Device theft and improper disposal (which includes electronic devices) made up 52 percent of the attacks. The Verizon 2020 Data Breach Investigations Report finds more than one thousand cases of loss involving mobile devices in 2019.

As technology continues to evolve, users and manufacturers are finding more ways to keep safety, environmental impact and security measures in mind – which revolve around how to recycle e-waste. Issues range from the risk of fire from batteries and devices being sent to landfills to the disposal of information that could lead back to a user’s account and put them at risk of identity theft.

What Are E-Waste Solutions?

There are a handful of e-waste solutions consumers should keep in mind.

  1. Education: People should learn about the dangers of e-waste and what they can do about it.
  2. Re-evaluating the need: One e-waste solution is to minimize e-waste itself. Do you need that extra device? What are you doing with your devices once you are done with them? Are you reusing electronics? Re-evaluating your need for electronics can help cut down on how many devices end up in a landfill.
  3. Safeguarding information: Before you dispose of any electronics, you should make sure you save your data on a backup system or hard drive and then wipe the device clean. That way, no one can access your files if the device is improperly recycled or ends up in the wrong hands. If you are getting rid of a phone, do a factory reset to restore the phone to “empty status.” By taking these steps, you are protecting your personal information.

How to Recycle E-Waste

Instead of discarding electronics, the best e-waste solution is to reuse or recycle devices. Local governments are increasingly hosting e-cycling initiatives. These programs keep electronics out of landfills and ensure devices are wiped clean of all user data. You can search online for e-cycling centers near you before disposing of electronics, including IoT devices and medical devices.

Many device manufacturers also accept old devices to be refurbished or recycled and provide credit toward a new device. Some will take a device from any manufacturer for recycling. Check with your device maker to see if they offer a recycling program.

Contact the ITRC

It is vital everyone does their part to help address e-waste to protect the environment and people’s personal information. If you have questions about how to recycle e-waste, other e-waste solutions, or you believe you are the victim of identity theft, contact us. You can speak with one of our expert advisors toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started. 

  • As more people get the coronavirus vaccine, the level of COVID vaccine fraud could rise, particularly around vaccine passport and scheduling apps and vaccination cards.
  • Right now, there are no programs in the U.S. that use or require a vaccine passport app. If anyone receives a message about one, it is a scam trying to steal people’s credentials or get them to pay for a fake app or service.
  • There are apps to schedule a vaccine. However, an app that asks for money or personal health information (PHI) should raise a red flag.
  • Many people are posting pictures online of their vaccination cards once they’ve gotten the COVID shot. The Identity Theft Resource Center (ITRC) does not recommend people post these photos unless they blur out their personal information to reduce identity risks.
  • If anyone wants to learn more about COVID vaccine fraud concerns or believes they have been the victim of a COVID vaccine scam, they can contact the ITRC toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.

The number of Americans receiving the COVID vaccine is on the rise. According to the Centers for Disease Control and Prevention (CDC), well over 100 million vaccines have been administered, and more than 12 percent of Americans are fully vaccinated. States across the U.S. are moving beyond limited groups to vaccinate the general public, leading to concerns over COVID vaccine fraud. There are several different ways identity criminals could attack.

Vaccine Passport & Scheduling Apps

There are no current programs in the U.S. that use or require a vaccine passport. While the World Health Organization (WHO) says the race is on to develop a vaccine passport, any phone call or message asking you to download a COVID vaccine passport app is a scam. However, there are apps for vaccine scheduling, like the CDC’s Vaccine Schedules app and other healthcare apps. With that said, any app that asks for money or personal health information (PHI) could be suspect. Fake apps often attempt to either steal someone’s credentials, get them to pay for the fraudulent app, or use a fraudulent vaccine scheduling service.

Vaccination Cards

Another COVID vaccine fraud concern involves COVID vaccine cards. By now, most people have probably seen at least one of their friends, family members or co-workers post a picture online of their COVID vaccination card. COVID vaccine cards have personal information (name, birth date and vaccination location) on them that people need to safeguard. Posting vaccine cards could help scammers create and sell phony vaccination cards or even hack accounts. The Identity Theft Resource Center (ITRC) recommends people remove or block sensitive information before they post their cards online.

According to a Better Business Bureau (BBB) alert, there have been no reports of fake vaccination cards sold in the U.S. However, in Great Britain, scammers have already been caught selling phony vaccination cards on eBay and TikTok.

How to Avoid a COVID Vaccine Scam

COVID vaccine scams based around fake websites and vaccines have been around since nearly the beginning of the global pandemic. There is no reason to believe the trend will decline as more COVID vaccines are administered. Consumers should be aware of the COVID vaccine fraud attempts and take the following steps to protect themselves:

  • Do not download any apps that claim to be a vaccine passport.
  • Only schedule vaccination appointments through official websites, a local health authority, or your medical provider. Services requiring payment to schedule an appointment are a sign of fraud.
  • Do not post pictures of your vaccination card online unless the personal information is blocked or removed.
  • Only get vaccinated from a licensed medical provider.
  • Do not respond to any calls, emails or text messages about COVID vaccines that ask for your personal information. Also, don’t click on any links, attachments or files unless you initiated the contact. If in doubt, reach out to the entity directly to verify the validity of a message.

Contact the ITRC

For more information on COVID vaccine fraud concerns, or if someone believes they are the victim of a COVID vaccine scam, contact the ITRC toll-free by phone (888.400.5530) or live-chat. Visit our website for the latest news on COVID scams and other identity-related issues. All people have to do is go to www.idtheftcenter.org to get started.

  • The Virginia Consumer Data Protection Act (VCDPA) will be the second strongest privacy law in the U.S., modeled after California privacy laws. It is scheduled to take effect on January 1, 2023. 
  • The VCDPA is not limited to people who live in Virginia. It applies to any business that collects the data of at least 100,000 Virginia residents during a calendar year, or that collects the data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal information.
  • Under the VCDPA, consumers will have the right to access personal data that businesses collect about them, correct inaccuracies in the data, request that personal data be deleted, subject to certain exceptions, and opt-in to the use of personal data and opt-out of the sale of personal data in certain circumstances.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about significant privacy changes being driven by a private company – specifically, Apple through an update in the operating system for iPhones. This week we focus on state laws that are fundamentally changing the legal and regulatory landscape across the country.

Some people of a certain age probably remember the School House Rock cartoons that, among other things, taught us about the functions of conjunctions and, more memorably, about how laws are made. The short cartoon from 1975 gives us the title of today’s episode – “I’m just a bill…sitting here on Capitol Hill.”

New Virginia Privacy Law: “Virginia Consumer Data Protection Act (VCDPA)”

By the time people listen to the podcast or read the transcript, Governor Ralph Northam of Virginia is likely to have already signed the second strongest privacy law in the country, the Virginia Consumer Data Protection Act or VCDPA. Modeled after groundbreaking California privacy laws, the Virginia Consumer Data Protection Act adds new rights for Virginia residents and obligations for businesses that collect information about people who live in the Old Dominion.

However, VCDPA is not limited to businesses based in Virginia. Like the California Consumer Privacy Act (CCPA) and the European Union’s privacy law (GDPR) before that, the VCDPA applies to any business anywhere in the world if it:

  1. Collects the personal data of at least 100,000 Virginia residents during a calendar year; or
  2. Collects the personal data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal information.

Non-profits, government agencies, and colleges and universities are exempt, along with a few institutions regulated by certain federal privacy laws.

Under the Virginia Consumer Data Protection Act, consumers will have the right to:

  • Access personal data that a business collects and uses about them;
  • Correct inaccuracies in that data;
  • Request that personal data be deleted subject to certain exceptions;
  • Opt-in to the use of sensitive data in certain circumstances, with sensitive information being personal attributes like race or sexual orientation, biometric information, children’s information, and location data; and
  • Opt-out of the sale of personal information and certain automated processes based on personal data. The VCDPA also requires businesses to let individuals opt-out of the sale of personal data to third parties as well as “targeted advertising.”

When the Virginia Consumer Data Protection Act Will Take Effect

Businesses will have until January 1, 2023 – when the VCDPA goes into effect – to get ready to comply with the law, the same day California’s updated privacy law, the California Privacy Rights Act (CPRA), becomes effective. Unlike the California law, the enforcement of the Virginia law will be the exclusive jurisdiction of the state attorney general – no individual consumer lawsuits are allowed for now.

Other Privacy Laws in the Works

The January 1, 2023 date could be crowded with new state privacy laws. There are currently ten other states considering similar privacy and cybersecurity laws and two that have established study commissions that will be required to report back to their state lawmakers by 2022.

The Possibility of a Federal Privacy Law

What about a federal privacy law passed by Congress that applies uniformly across the country? Even with a new Congress, many of the same roadblocks remain from past Congresses. One side wants state laws to be overruled, and the other side wants a federal law to be a floor, not a ceiling for the states. There is also the unanswered question about the ability of individuals to file lawsuits over violations of privacy.

Contact the ITRC

If anyone has questions about how to keep their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the vendor is smaller, with fewer security measures than the companies it serves.

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone who has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case.

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

The release of the 2020 ITRC Data Breach Report and launch of the ITRC’s data breach tracking tool supports the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices.

SAN DIEGO, January 13, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, announces its commitment to Data Privacy Day on January 28, 2021. The ITRC recognizes and supports the principle that all organizations share the responsibility of being conscientious stewards of personal information.

The ITRC will unveil the 15th annual edition of the ITRC Data Breach Report on January 28, 2021. One of the most widely quoted reports on data breach trends, the report will also explore the fundamental shifts underway in the root causes of identity-related crimes. The release of the 2020 ITRC Data Breach Report coincides with the launch of the ITRC’s new data breach tracking tool, notified™, to assist consumers and businesses in making informed decisions about with whom they do business. Landmark state privacy and security laws, like the California Privacy Rights Act, require businesses to ensure third-party vendors’ cybersecurity processes protect consumer information.

“The ITRC is honored to take part in Data Privacy Day 2021 and to bring awareness to the importance of people and businesses taking action to protect personal and company information,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “We want individuals to value protecting their own data and for businesses to keep people’s personal information safe. Likewise, our latest trend analysis shows that consumers have a big role to play in protecting their employer’s valuable business data and systems. It is critical that everyone take part in reducing the number of data compromises moving forward.”

Data Privacy Day is a global effort that generates awareness about the importance of privacy, highlights easy ways to protect personal information, and reminds organizations that privacy is good for business. This year, the focus is on encouraging individuals to “Own Your Privacy” by learning more about how to protect the valuable data that is online, and encouraging businesses to “Respect Privacy” by helping organizations keep individuals’ personal information safe while ensuring fair, relevant and legitimate data collection and processing practices.

According to a Pew Research Center study, 79 percent of U.S. adults report being concerned about how companies use their data. As technology evolves and the COVID-19 pandemic continues to influence how consumers interact with businesses online, data collection practices are becoming increasingly unavoidable, making it imperative that companies act responsibly.

“In recent years, we’ve seen the impact of more global awareness surrounding the abuse of consumer data, thanks to sweeping privacy measures like GDPR and CPRA,” said Kelvin Coleman, Executive Director for the National Cyber Security Alliance. “While legislative backing is key to reinforcing accountability for poor data privacy practices, one major goal of Data Privacy Day is to build awareness among businesses about the benefits of an ethical approach to data privacy measures separate from legal boundaries.”

For more information about Data Privacy Day 2021 and how to get involved, visit https://staysafeonline.org/data-privacy-day/.

For more information on the ITRC’s 2020 Data Breach Report, email media@idtheftcenter.org.


About Data Privacy Day

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. NCSA, the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness, leads the effort in North America each year. For more information, visit https://staysafeonline.org/data-privacy-day/.

About the National Cyber Security Alliance

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber; U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit https://staysafeonline.org.


  • A T-Mobile repeat data breach event resulted from unauthorized access to 200,000 customer accounts, including call records.
  • It is the fourth time T-Mobile has sent a data breach notification since 2018. The T-Mobile data breach in December was the second one in 2020.
  • An investigation into the SolarWinds data hack has not revealed any evidence suggesting the attackers sought or stole mass amounts of personal information. The target appears to be either intellectual property or the personal information of particular individuals for espionage purposes.
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 
https://soundcloud.com/idtheftcenter/the-weekly-breach-breakdown-podcast-by-itrc-second-verse-same-as-the-first-season-2-episode-1

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 8, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We started this podcast and a sister monthly program in 2020 in response to the shifts in privacy, security and identity issues: the changes in how criminals collect and use consumer and, increasingly, business information.

One of the trends that the ITRC has identified, and will explore in a report this spring, is the rise in the number of repeat data breaches, even as the overall number of data events is declining. That leads us to the title of this week’s episode – “Second Verse, Same as the First.”

While most of us were prepping for a socially distanced Christmas celebration, one of the largest mobile telephone companies posted a data breach notice on its website. It was not the first time T-Mobile issued a breach notice; it was the fourth time since 2018.

T-Mobile Repeat Data Breach Event

T-Mobile announced that an unauthorized party accessed a small percent of customer accounts, about 200,000 accounts, in early December 2020. The compromised data may have included call records — such as when a call was made, how long the call lasted, the phone numbers called and other information that might be found on a customer’s bill.

T-Mobile says the hackers did not access names, home or email addresses, financial data, or account passwords or PINs. An investigation is ongoing.

The December data event is the second time an attacker accessed customer information in the same year. Just months into 2020, a breach of the T-Mobile employee email system allowed criminals to see customer data and potentially misuse it. Information about more than one million prepaid customers was exposed in 2019, and cybercriminals compromised nearly two million accounts in 2018.

A Shift in Data Thieves’ Tactics

Research conducted by the ITRC shows the number of consumers who report being the victim of more than one identity crime has increased 33 percent in the past 18 months. It comes at a time when data thieves are shifting their tactics and targets. Our research shows they are focusing more on business data and less on mass amounts of consumer personal data.

While data breaches are dropping, cyberattacks are rising. The two are not the same. That’s an important distinction as a large and consequential cybersecurity breach occurred in late December 2020 and is likely still underway.

SolarWinds Data Hack Update

We talked about the attack in our last podcast before the holiday break, but the scope of this attack warrants an update.

Here’s what happened: A group of professional cybercriminals affiliated with the Russian government’s intelligence service was able to insert software into a common technology service used by governments and private companies, known as SolarWinds. An estimated 18,000 organizations have been exposed to the malware, including some of the largest agencies in the U.S. government – the Departments of Commerce, Treasury, Justice and State – and most of the Fortune 500.

The good news for consumers is at this point, after nearly a month of investigation, there is no indication the attackers sought or stole mass amounts of personal information. As is common with this particular group of threat actors, the target appears to be intellectual property or the personal information of specific individuals for espionage purposes – not profit.

We will release a detailed report on the impact of identity-related crimes in May. We will issue our report on 2020 data breaches and trends on January 27, just a few weeks from now.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics.

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours. Just visit www.idtheftcenter.org to get started.

Next week, listen to our sister podcast, The Fraudian Slip, which focuses on identity-related fraud, when we talk with the Deputy Chief of the Internal Revenue Service’s Criminal Division about identity crimes and how they might impact your taxes.