In a new Federal Emergency Management Agency (FEMA) scam reported to the Identity Theft Resource Center (ITRC), criminals claim to be part of the Community Emergency Response Team (CERT) program. They try to convince people on Facebook that they won a large amount of money and should claim the funds.
Scammers are after people’s personal information, account information and money.
Anyone who receives a message on Facebook that claims to come from a friend about winning funds through the CERT program should report it to Facebook and block the friend.
People should not respond to any suspicious messages on Facebook or click on any links.
For more information on the FEMA scam involving the CERT program, contact the ITRC toll-free at 888.400.5530, or live-chat with an expert advisor on the company website.
A new Federal Emergency Management Agency (FEMA) scam reported to the Identity Theft Resource Center (ITRC) shows scammers posing as Community Emergency Response Team (CERT) program members on Facebook. Criminals message people regarding winning money, and they urge them to contact the CERT program to claim their winnings. Government money program scams often ask for a “transaction fee” or for the “winner” to divulge their personally identifiable information (PII) before they get the money.
Who is the Target
Facebook users and social media profiles
What is the Scam
In this particular FEMA scam, the scammers pose as an individual’s friend on Facebook. The “messenger” tries to convince the Facebook user they won $150,000. However, the “winner” has to contact the CERT program by phone to claim their winning money. These scams can be convincing because some people believe the message is coming from a friend.
What They Want
PII
Account information
Money
How You Can Avoid Being Scammed
If something seems too good to be true, it probably is. You should not respond to messages like these, click on any links sent to you, or input any personal information into a form sent to you.
If the messenger is posing as someone you know and you do respond, ask the messenger a question only the person they claim to be would know to confirm whether or not it is them.
If you have questions about the FEMA scam, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started.
Scammers Pose as Community Emergency Response Teams (CERTs) in new FEMA Scam. Alex Hamilton, published 2020-12-18 10:45:47, modified 2021-01-15 18:12:33.
The U.S. Food and Drug Administration (FDA) warns consumers that while a vaccine is closer to distribution, so are COVID-19 vaccine scams.
The FDA fears misleading products could cause Americans to delay or stop appropriate medical treatment, leading to life-threatening harm.
There is also a fear that the COVID-19 vaccine scams could lead to many people having their personally identifiable information (PII) and personal health information (PHI) stolen.
Consumers should only get vaccines from approved medical providers, not respond to any calls that ask for PHI or PII, and not click on any links claiming to sell cures.
For more information, contact the Identity Theft Resource Center toll-free by live-chat on the company website or by calling 888.400.5530.
A coronavirus vaccine is closer to reality, with companies like Pfizer and Moderna seeking permission to distribute their vaccines to Americans. However, the U.S. Food and Drug Administration (FDA) and investigators warn that scammers are also waiting, ready to take advantage of those desperate for the vaccine by tricking them with a COVID-19 vaccine scam.
The FDA fears deceptive and misleading products might cause Americans to delay or stop appropriate medical treatment, leading to serious and life-threatening harm. There is also a fear that bogus claims about vaccines and treatments could lead to people having their personally identifiable information (PII) and personal health information (PHI) stolen by cybercriminals.
Who is the Target
Vulnerable & high-risk populations; individuals waiting for the vaccine
What is the Scam
COVID-19 vaccine scams could come in many different forms. Investigators expect scammers to create fake websites, try to sell fake vaccines and treatments, and try to get people’s PII and PHI along the way. Identity thieves used similar tactics while trying to take advantage of a shortage of COVID-19 tests and personal protective equipment (PPE) like masks, gloves and gowns near the beginning of the pandemic.
How You Can Avoid Being Scammed
Homeland Security investigators say you should only get vaccinated from an approved medical provider.
Do not respond to any calls about COVID-19 vaccines that ask for your personal information like Social Security Number and “promise to reserve you a vaccine.”
Do not click on any posts or ads claiming to sell cures. Remember, if it seems too good to be true, it probably is.
Never click on any links, open any attachments, or download any files in an email claiming to offer a COVID-19 vaccine.
To learn more about COVID-19 vaccine scams, or if you believe you are a victim of a vaccine scam, contact the Identity Theft Resource Center toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.
Businesses should be sure to secure their information, have the proper security software and talk to their employees about security.
During the pandemic, the online shopping surge is forcing retailers to focus more on e-commerce and a digital-first business model.
The 2020 holiday season will certainly be one of the most unusual ones we have seen, thanks to the biggest holiday shopping trend – a dramatic shift in online transactions prompted by the COVID-19 pandemic. Online shopping involves non-cash transactions using digital payment methods. While the most obvious are debit and credit cards, there are also peer-to-peer payment apps, digital wallets and online versions of contactless payments like Apple Pay and Google Pay.
There is a truism in cybercrime as there is in bank robbery: thieves go where the money is. There are many opportunities for bad actors to take advantage of consumers and businesses during the shopping season. We expect the identity thieves will look to take advantage of the rise in online shopping.
Historic and Current Holiday Shopping Trends
Holiday shopping has always been a busy time for consumers. Last year, there was an estimated $1.1 trillion spent on the shopping frenzy.
According to the Better Business Bureau (BBB), approximately 65 percent of consumers shopped online during the holidays in 2019.
Online Holiday Shopping Trends So Far in the 2020 Holiday Season
With all of that said, 2020 looks to be a watershed year. In just the first ten days of the holiday shopping season, U.S. consumers spent $21.7 billion online, a 21 percent year-over-year increase, according to Adobe Analytics.
There is no surprise in this online holiday shopping trend. The same Adobe Analytics report shows 63 percent of consumers are avoiding stores and buying more online, with health concerns due to the pandemic driving the decision for 81 percent of shoppers.
Advice for Consumers
Have strong password management – If someone has strong password management, an identity thief will not be able to access multiple accounts if they gain access to one account with stolen credentials from a scam or shoulder surfing. It is especially important to ignore “customer service representatives” who call about online orders or accounts. At the Identity Theft Resource Center (ITRC), we recommend using a passphrase of at least twelve characters because passphrases are easier to remember and harder for an identity thief to crack.
Beware of phishing emails with emotional triggers – People should keep an eye out for messages sent to their phones that promise huge store discounts if they download an app and enter their credit card information. Another popular phishing email is the package tracking scam, which offers to track someone’s packages after a purchase through a link to open or a file to download. No one should ever click on a link, attachment or file from an unknown email because that is how scammers deliver malware and ransomware and steal people’s personal information.
Use credit cards and not debit cards – Credit cards provide more protection than debit cards. One of the biggest reasons is because debit cards are linked with bank accounts. If an identity thief compromises a debit card, the victim’s bank account can be immediately drained of all available funds. It may take time to restore the stolen funds, leaving the cardholder without access to the money.
Shop on secure websites – People need to do their homework before providing any of their payment information or other data. Consumers can check a business’s reputation at third party review organizations like the BBB and Yelp. Using search terms like “Scam” or “Complaints” along with the website or company name can give someone insight into the experience of other customers.
Do not use public Wi-Fi – No one should ever use public Wi-Fi to check their bank account information or to make purchases. Some public Wi-Fi connections are not secure, and a hacker could have the ability to position themselves between the user and the connection point to steal their data. If someone wants to use public Wi-Fi to kill time while in the store or to check on products they want to buy, they need to avoid entering any personal information.
Advice for Businesses
Secure your information – Businesses need to take all of the necessary steps to ensure customers’ personal information is secure. It starts by making sure all systems are protected with properly configured cybersecurity tools. Time and time again, we see businesses and technology providers fail to configure passwords, resulting in exposed sensitive data for anyone to see online.
Have security software – Businesses need to protect their networks from cyberattacks. If a system does not have appropriate security software like network and application firewalls, malware protection and a program to patch known security flaws, identity thieves will steal whatever customer and company information they want.
Talk to the employees about online security – A business can have all the security measures in place, but it does not matter if employees click on links in phishing schemes. Company executives and cybersecurity teams should talk to employees about security, so they do not end up being their weakest link.
What the Post-Pandemic Marketplace Will Look Like
While many things are uncertain about our post-pandemic world, one safe bet is that online holiday shopping will continue to rise. Statistics show online shopping was already on the rise before COVID-19. With the even bigger surge during the pandemic, it will force businesses to get serious, if they are not already, about e-commerce and a digital-first model. In a sense, every day could be Black Friday!
For more information on online shopping during the holiday season or online holiday shopping trends, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.
Also, download the free ID Theft Help app, which has access to resources, a case log for an identity theft resolution process and much more.
Synchrony is a proud financial sponsor of the Identity Theft Resource Center.
Online Holiday Shopping Trends Shift Due to COVID-19 Impact on Small Businesses and Consumers. Alex Hamilton, published 2020-12-02 12:28:11, modified 2020-12-02 12:28:13.
If anyone comes across an unknown message regarding the COVID-19 holiday season, they should ignore it and go directly back to the source to confirm the message’s legitimacy.
People should take steps to protect their personal information when shopping online, taking part in holiday gatherings (either in person or via a video platform), at the gas pump, and when receiving electronic gifts.
To learn more, contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.
COVID-19 has changed the way people live. Many people are working from home, there are restrictions on what people can do in public, and many businesses remain shut down or open at a limited capacity. It has also changed the way scammers attack consumers.
The 2020 holiday season will also be much different than years past. According to IBM’s latest U.S. Retail Index Report, COVID-19 has accelerated the shift away from physical stores to digital shopping by roughly five years.
Criminals may adopt new tactics to take advantage of the pandemic, but what will not be different is scammers’ and identity thieves’ ability to find ways to strike.
Watch for COVID-19 Holiday Scams
Here are some scams to watch for this COVID-19 holiday season.
1. Job Scams – Much of the economy remains shut down or open in a limited capacity. Millions of people are looking to gig economy jobs like Uber, Lyft and DoorDash to get by. People could rely on gig economy jobs even more during the holidays to make extra cash. The Federal Trade Commission (FTC) reported losses of $134 million in 2019 to social media scams.
In the first half of 2020, the FTC already reported $117 million, with most scams coming from viewing an ad. Scammers may claim in advertisements that they can get shoppers access to premium jobs for the holidays with big tips in exchange for an upfront fee. Gig economy scams can also lead consumers to phishing websites that steal login credentials.
2. Giving Scams – People typically give more to charities around the holiday season. However, with more families in need of help in 2020, we may see an even bigger increase in people making donations. Expect criminals to attack with giving scams, looking to steal people’s money and personal information. In fact, scammers have used giving scams to take advantage of people since the beginning of the pandemic.
3. Grandparent Scams – Another popular holiday scam is the grandparent scam. A grandparent scam is where scammers claim a family member is in trouble and needs help. With the holidays here, scammers could pose as sick family members.
4. Online Shopping Scams – Many more people will be shopping online this holiday season. According to the Better Business Bureau (BBB), 65 percent of people shopped online last year. This year, online shopping is expected to increase by 10 percentage points, to 75 percent. With the increase in web traffic, consumers should be wary of messages claiming they have been locked out of their accounts. Scammers may send phishing emails making such claims while looking to steal usernames, passwords and account information.
How to Protect Yourself from COVID-19 Holiday Scams
While scammers will try to trick consumers, there are things people can do to protect themselves from a COVID-19 holiday scam.
If someone comes across an ad for a job or a deal online that seems too good to be true, it probably is. Consumers should go back to the source directly by contacting the company to confirm the message’s validity.
If someone receives an email, text message or phone call they are not expecting, they should ignore it. If any of the messages contain links, attachments or files, do not click or download them because they could have malware designed to steal people’s personal information or lead to a phishing attack. Again, consumers should reach out directly to the person or company the caller, email sender or text message sender claimed to be.
People should only donate to legitimate charities and organizations registered with their state. Consumers can determine if a charity, non-profit or company is legitimate by searching for the charity’s charitable registration information on the Secretary of State’s website, looking for online reviews and Googling the entity with the word “scam” after it.
No one should ever make a payment over the phone to someone they do not know or were not expecting to hear from. Scammers will try to trick people with robocalls to steal their sensitive information and commit identity theft.
How to Protect Your Personally Identifiable Information (PII) This Holiday Season
Identity thieves will try different ways to steal people’s PII. It is crucial that consumers protect their PII during the holidays, and year-round, to make sure it does not end up in the hands of a criminal.
1. At the Pump – More people will travel by car this year than usual. Travelers on the road should keep an eye out for gas station skimmers. Skimmers insert a thin film into the card reader or use a Bluetooth device at a gas pump to steal the card’s information, which allows the thief to misuse the payment card account. If the pump looks tampered with, pay inside. Newer gas pumps use contactless technology and chipped payment cards that are very secure. Use those pumps if possible.
2. Holiday Gatherings – It is always important to protect all personal information at holiday gatherings. While no one ever imagines a trusted friend or family member will go through their stuff, people fall victim every year. Keep wallets or purses with financial cards or I.D. cards within reach.
3. Zoom and Other Online Video Platforms – Not all family gatherings will be in person in 2020 due to COVID-19. Some families will meet virtually via a video platform. When people use a video platform, it’s important they remember to secure the call by using strict privacy settings and not sharing any personal information with someone they don’t know.
4. Shopping Online – With more people shopping online for the 2020 holiday season, people need to practice good cyber hygiene. Make sure to navigate directly to a retailer’s website rather than click on a link in an ad, email, text or social media post. Phishing schemes are very sophisticated these days and spotting a spoofed website of well-known and local brands can be difficult even for trained cybersecurity professionals.
Consumers will still need to do their due diligence to ensure a business website is legitimate. There is inherently less risk of falling for a scam website by shopping at well-known retailers. It only takes a bit of homework to separate the scams from legitimate small online businesses. Using search terms like “Scam” or “Complaints” along with the website or company name can give people insight into the experience of other customers.
When setting up a new online account, be sure to use multi-factor authentication. Multi-factor authentication creates a second layer of security to reduce the risk of a criminal taking over someone’s account.
5. Electronic Gifts – With the advent of smart home devices, many gifts connect to the internet, presenting security risks. It is important consumers update the software on the device. It is also a good idea to have antivirus software installed on any computer, tablet or internet device if possible, along with a secure password on the home network router.
For more information on how to stay safe during the COVID-19 holiday season contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat with an identity theft advisor at no-cost.
For access to more resources, download the ITRC’s free ID Theft Help app.
Tips to Keep Your Identity Safe During the 2020 COVID-19 Holiday Season. Alex Hamilton, published 2020-11-18 14:06:24, modified 2020-11-18 14:11:46.
Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.
A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.
MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests.
For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™.
For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more.
There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list.
Timberline Billing Service
Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.
However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.
Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools:
Fort Dodge Community School District
Iowa City Community School District
Cherokee Community School District
Kingsley-Pierson Community School District
Central Decatur Community School District
Clinton Community School District
Muscatine Community School District
Saydel Community School District
Sheldon Community School District
Mid-Prairie Community School District
Hudson Community School District
Dallas Center-Grimes Community School District
Knoxville Community School District
Oskaloosa Community School District
Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.
BankSight Software Systems, Inc.
vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or the postponement of loan payments, exposing private family and business information.
vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their clients’ data.
MAXEX, LLC.
Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.
The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.
MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.
While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. What matters is the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.
notified™
For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.
Contact the ITRC
If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.
Timberline, BankSight and MAXEX Headline the Most Notable Data Breaches in October. Alex Hamilton, published 2020-11-12 12:14:23, modified 2020-11-12 12:14:25.
Election scams are beginning to appear, prompting the FBI and Cybersecurity and Infrastructure Security Agency (CISA) to warn consumers that spoofed internet domains and email accounts pose cyber and disinformation risks to voters.
Identity thieves are seeking many different forms of personally identifiable information (PII), looking to commit malware attacks, and creating fake websites to collect PII or spread false or misleading information.
Consumers should never share PII or respond to any unexpected messages until they have verified the website address, email address or text message link by checking with the legitimate source.
For more information, or if you fell victim to an election scam, reach out to the Identity Theft Resource Center toll-free at 888.400.5530 or on our website via live-chat.
The general election is less than one month away, and scammers are aware. Multiple voting organizations are expressing concerns over fake election-related websites that look like official voting resources, but contain false or misleading information, as well as phishing emails that are designed to gather personally identifiable information (PII) or spread malware. Some states are also seeing scammers trying to trick voters with phony text messages, like in California, where they mimic ballot-tracking text services. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) want to help people spot and avoid every form of election scam.
Who It Is Targeting
Voters; Online device users
What It Is
Scammers are using many different tactics to try to trick voters:
They create fake election-related websites to spread misinformation, confuse people, or trick voters into sharing personal information ahead of the November 3 elections. According to the FBI and CISA, election scams around fake websites aim to mislead voters and try to use interest around voting to steal people’s passwords. Scammers create websites that try to imitate election websites by altering one or two letters in the site’s address.
Another election scam the FBI and CISA want people to be aware of is phishing emails. Scammers email voters from spoofed addresses that appear to come from election officials.
Scammers are using text messages to attack, too. Some text messages claim they are from the United States Postal Service (USPS). Others look like they are from the Registrar of Voters asking consumers to take a survey or re-register to vote. Some even offer prizes for voting or registering to vote.
What They Are After
“There’s risk to you personally,” James Lee, Chief Operating Officer of the Identity Theft Resource Center (ITRC), told NBC 7 San Diego in an interview. “And in this case, because we’re talking about an election, there’s risk to our society. There’s risk to our country.”
All of these election scams try to steal usernames, passwords or email addresses. They lead to the collection of PII and spread malware, leading to the potential of more compromises and financial losses in the future.
What You Can Do
Verify the spelling of all websites, email addresses or links in text messages. Make sure web addresses begin with http or https, and that the domain ends in .gov if it is a government website.
If you receive an unexpected or unsolicited email or text message, ignore it and do not click on any links. Go directly to the source to verify the validity of the message.
Disable or remove unneeded applications from your devices.
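The spelling check described above can be automated. The following is an added example, not ITRC, FBI or CISA code: it flags addresses that differ from a trusted site by one or two letters and tests whether a host really ends in .gov. The allowlist and the sample URLs in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short allowlist of official hosts the reader already trusts.
OFFICIAL_HOSTS = {"vote.gov", "usps.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-letter insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete a letter
                           cur[j - 1] + 1,             # insert a letter
                           prev[j - 1] + (ca != cb)))  # substitute a letter
        prev = cur
    return prev[-1]


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None if it is not one."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_gov(url):
    """True only when the host itself ends in .gov, not when .gov appears mid-name."""
    host = host_of(url)
    return host is not None and host.endswith(".gov")


def classify(url, max_edits=2):
    """Label a link as official, lookalike (1-2 letters off), unverified or invalid."""
    host = host_of(url)
    if host is None:
        return ("invalid", None)
    if host in OFFICIAL_HOSTS:
        return ("official", host)
    for good in sorted(OFFICIAL_HOSTS):
        if 0 < edit_distance(host, good) <= max_edits:
            return ("lookalike", good)
    return ("unverified", None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email or text message.
    samples = [
        "https://www.vote.gov/register",
        "https://uspz.com/track",
        "http://v0te.gov/",
        "https://vote.gov.example.net/ballot",
    ]
    for link in samples:
        print(link, classify(link), "ends in .gov:", is_gov(link))
```

An "unverified" result is not a clean bill of health; it only means the address is not close to an allowlisted name, so the advice to go directly to the source still applies. The comparison is on plain letters and does not detect look-alike Unicode characters.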
If you believe you are a victim of an election scam or want to learn more, contact the ITRC to speak with an expert advisor toll-free at 888.400.5530. You can also live-chat with us on our company website.
Election Scams Begin to Surface with the General Election Less than One Month Away. Alex Hamilton, published 2020-10-12 14:42:14, modified 2020-10-19 13:13:18.
Shopify recently announced that two support team members allegedly committed insider theft and obtained transactional records of at least 100 merchants.
Data exposed in the Shopify data compromise includes names, physical addresses, email addresses, products, and services purchased.
Businesses should consider reducing access privileges based on each employee’s status, watch data movement across the company, and have tools that give visibility into file activities.
Consumers should change their usernames and passwords for their Shopify account, keep an eye out for phishing emails, and act on a breach notification letter if they receive one.
Anyone impacted by the Shopify data exposure can call the ITRC toll-free at 888.400.5530, or live-chat on the company website with an expert advisor.
The e-commerce platform Shopify is used by online businesses and retail point-of-sale systems all over the world. One of the most notable companies is Kylie Cosmetics, Kylie Jenner’s well-known make-up company. Kylie Cosmetics is one of an unknown number of merchants, believed to be between 100 and 200, impacted by a recent Shopify data exposure. While information is still limited, there are important facts and tips for both consumers and businesses to know about this case of an insider threat.
What Happened
On September 22, Shopify announced that two members of their support team were engaged in a scheme to obtain customer transaction records from merchants. While there is no evidence of the data of the impacted merchants being utilized right now, the e-commerce company says they are only in the early stages of the investigation. Data exposed by the Shopify compromise includes email addresses, names, physical addresses as well as products and services purchased.
According to MarketWatch, the order details do not include financial information like credit card information or additional personal information. Shopify says most of their merchants are not affected, and the ones that are have been notified. They say they will also be updating affected merchants as more information becomes available.
How the Shopify Data Exposure Impacts Businesses
More people are working from home now than ever due to COVID-19, which means remote workers may have more access privileges than usual with fewer security restrictions. The Shopify data exposure is a great example of the dangers of an organization offering employees too much access privilege. Security experts also say that insider threats are growing with more people getting accustomed to working from home.
How Businesses Can Protect Themselves
Reduce privilege access based on the employee and their position.
Watch data movements across the entire company environment whether employees are on or off the network.
Adopt a zero-trust framework so the security team can better track who is coming in and out of the network.
Have tools in place that give visibility into file movements, enabling them to verify that corporate intellectual property and sensitive data is not leaving the organization.
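One way to put the first two recommendations into practice for a support team, as an added example rather than anything Shopify or the ITRC published: tie each read of merchant order or customer data to an open support ticket and review the accounts that read data without one. The log columns, staff and merchant IDs, ticket set and threshold are all hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the Shopify incident). Hypothetical columns:
# which support account read which merchant's data, and how many rows came back.
ACCESS_LOG = """\
time,staff,merchant,resource,rows
2020-09-01T09:02:11,sup-07,m-1001,orders,40
2020-09-01T09:15:40,sup-07,m-1002,theme_settings,1
2020-09-01T10:03:05,sup-07,m-1003,orders,12
2020-09-02T22:41:09,sup-12,m-2001,orders,950
2020-09-02T22:44:31,sup-12,m-2002,customers,1200
2020-09-02T22:47:52,sup-12,m-2003,orders,800
2020-09-02T22:51:18,sup-12,m-2004,orders,1100
"""

# Constructed: (staff, merchant) pairs that have an open support ticket.
OPEN_TICKETS = {("sup-07", "m-1001"), ("sup-07", "m-1002")}

# Resources that hold customer transaction data (assumed names).
SENSITIVE = {"orders", "customers"}


def unjustified_access(log_text, tickets):
    """Per staff account: merchants and row counts read without a matching ticket."""
    findings = defaultdict(lambda: {"merchants": set(), "rows": 0})
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["resource"] not in SENSITIVE:
            continue  # non-sensitive settings pages are out of scope
        if (rec["staff"], rec["merchant"]) in tickets:
            continue  # access is tied to an open ticket for that merchant
        entry = findings[rec["staff"]]
        entry["merchants"].add(rec["merchant"])
        entry["rows"] += int(rec["rows"])
    return dict(findings)


def flag_staff(log_text, tickets, max_merchants=2):
    """Accounts that read sensitive data from more merchants than the threshold."""
    found = unjustified_access(log_text, tickets)
    return sorted(s for s, e in found.items() if len(e["merchants"]) > max_merchants)


if __name__ == "__main__":
    report = unjustified_access(ACCESS_LOG, OPEN_TICKETS)
    for staff, entry in sorted(report.items()):
        print(staff, sorted(entry["merchants"]), entry["rows"])
    print("review:", flag_staff(ACCESS_LOG, OPEN_TICKETS))
```

The same ticket join can serve as an access rule instead of an after-the-fact report, so that a support account cannot open a merchant's records unless a ticket links the two.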
How the Shopify Data Exposure Impacts Consumers
While only names, email addresses and address information were exposed, consumers affected by the Shopify data exposure could be at risk of receiving phishing emails or other emails that try to target financial information.
What Consumers Should Do
Change their usernames and passwords for their account.
Watch out for phishing emails and other emails attempting to collect financial information or other personally identifiable information (PII).
Watch for a breach notification letter. If they get one, it should not be ignored. Consumers need to act and follow the steps provided in the letter. Consumers should also take advantage of credit monitoring if it is provided and consider freezing their credit.
While full payment information is not believed to be involved, it is still a good idea for consumers to regularly check their accounts for any suspicious activity.
Contact the Identity Theft Resource Center
Victims of the Shopify data exposure are encouraged to contact the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 or live-chat with an expert advisor on our website. Data breach victims can also download the ITRC’s ID Theft Help app to access resources, advisors, a case log and much more.
A recent report by Comparitech says that six percent of all Google Cloud environments are misconfigured and left open to the web for anyone to see.
Dunkin Donuts settled in a lawsuit with the State of New York after being accused of not taking appropriate action in response to two cyberattacks dating back to 2015.
217 Blackbaud users have announced they are impacted by the technology services provider data breach. The breach has affected at least 5.7 million individuals.
To learn about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified™. Consumers impacted by a data breach can call the ITRC at 888.400.5530 or live-chat with an expert advisor on the company website.
It’s a busy week in the world of data breaches. A newly released report says six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view them; Dunkin Donuts paid a settlement over a series of cyberattacks that resulted in multiple Dunkin Donuts data breaches; and there is an update on the data breach of Blackbaud.
Subscribe to the Weekly Breach Breakdown Podcast
Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, Dunkin, Blackbaud and Google Cloud highlight the list.
Misconfigured Google Cloud Environments
2020 has had its share of high-profile data events. So far in September, an estimated 100,000 customers of a high-end gaming gear company had their private information exposed from a misconfigured server. Another misconfigured server impacted 70 dating and e-commerce sites, leaking personal information and dating preferences. In Wales, personally identifiable information (PII) of Welsh residents who tested positive for COVID-19 was exposed when it was uploaded to a public server.
According to a recent research report published by Comparitech, six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view their contents. Amazon, the largest cloud provider, has also had issues with clients failing to secure their databases. There is no evidence that any of the data was stolen or misused by threat actors. However, the kinds of data Comparitech uncovered include thousands of scanned documents such as passports, birth certificates and personal profiles from children. This is not considered a data breach. Rather, it is categorized as a data exposure because the information was not taken; it was just exposed on the internet. With that said, it is a poor cybersecurity practice that puts consumers at risk.
If anyone uses a cloud database in their business, they should make sure their information is secure, starting with a password.
Dunkin Donuts Data Breach Settlement
Dunkin, the company many know as Dunkin Donuts, experienced multiple data breaches where at least 300,000 customers’ information was stolen. A settlement from a lawsuit with the State of New York was reached due to the Dunkin Donuts data breaches. The lawsuit alleged that Dunkin Donuts failed to take appropriate action in response to two cyberattacks dating back to 2015.
The New York Attorney General says Dunkin Donuts failed to notify its customers of a 2015 breach, reset account passwords to prevent further unauthorized access, or freeze the store customer cards registered with their accounts. The State also claimed Dunkin Donuts failed to implement appropriate safeguards to limit future attacks.
The company was notified by a third-party vendor in 2018 that customer accounts had, again, been attacked. Although the company contacted customers after the 2018 Dunkin Donuts data breach, the State claimed the notification was incomplete and misleading.
Dunkin Donuts will pay the State $650,000, refund New York customers impacted by the data breach, and will be required to take additional steps to prevent further Dunkin Donuts data breaches.
Businesses with customers in New York should check to see if the State’s new privacy and cybersecurity law, known as New York SHIELD, applies to them. It has very specific notice requirements in the event personal information is exposed in a data breach.
Blackbaud Data Breach Update
The ITRC notified consumers of a data breach of Blackbaud in August. The technology services provider announced in July that data thieves stole information belonging to the non-profit and education organizations that use Blackbaud to process client information. The cybercriminals demanded a ransom, and Blackbaud paid it in exchange for proof the client information was destroyed.
Since the data breach of Blackbaud was announced, 217 different Blackbaud users of all shapes and sizes have reported that their clients’ information was impacted in the ransomware attack. Not every organization has listed how many people have been affected. However, the latest count from the organizations that have is 5.7 million individuals.
Blackbaud has not shared the number of customers with compromised information. Instead, they have relied on the customers to self-report it. Breach notices continue to be filed each day, and the ITRC will keep consumers updated on any future developments.
notified™
For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.
Contact the ITRC
If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, like the data breach of Blackbaud, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Victims of a data breach can also download the free ID Theft Help app to access advisors, resources, a case log and much more.
Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.
Cense.Ai left a temporary data storage repository online, accessible to anyone with a web browser. It led to the exposure of nearly 2.6 million records, including sensitive data and other personally identifiable information (PII).
A recent data breach of Freepik, a photos and graphics website, happened when hackers used a known software vulnerability to gain access to one of its databases storing user data. It led to hackers obtaining usernames and passwords for 8.3 million users.
After detecting unauthorized access to certain devices, ArbiterSports learned an unauthorized party obtained a backup copy of a database with PII in a recent data breach. ArbiterSports reached an agreement with the unauthorized party to have the files deleted.
Victims of a data compromise can speak with an Identity Theft Resource Center expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530.
August was another month full of data breaches, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly reported data breaches, and data exposures in a database containing 25 different information fields and 63 different identity attributes that are updated daily. Of the recent data breaches in August, Cense.Ai, Freepik and ArbiterSports are three of the most notable.
Cense.Ai
A recent Cense.Ai data exposure left almost 2.6 million records, including sensitive data and other personally identifiable information (PII), accessible to anyone on the web. According to TechNadu, a database containing names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records and more was left online due to an error.
Security researcher Jeremiah Fowler found two folders containing the sensitive data and managed to remove the port from the IP address of Cense’s website. Fowler found that all individuals listed had been in a car accident. In most cases, there was also information like policy numbers, claim numbers and the date of the accident.
According to PCMag, Cense.Ai has not commented publicly about the exposure, and the company did not immediately respond to PCMag’s request for comment. Anyone affected by the Cense.Ai data exposure should monitor all of their accounts for any suspicious activity. If you find anything out-of-the-ordinary in your records, contact the appropriate company and take additional action if needed.
Freepik
Freepik is a website that provides access to high-quality free photos and design graphics. In mid-August, the popular site announced that they suffered a data breach. According to the company’s statement, there was a breach from a SQL injection in Flaticon that allowed an attacker to get user information from their database. A little more than eight million users were affected. 4.5 million users had no hashed passwords due to exclusively federated logins (through Google, Facebook, etc.), and the hacker only obtained their email address. However, the additional 3.8 million users had both their email addresses and hashed passwords stolen. Freepik says they have taken extra measures to reduce their risk of a similar attack in the future. The company is also in the process of notifying all affected users.
Users who had their passwords stolen in this recent data breach should change their password and the password of any other accounts that share the same password. Also, switch to a nine to ten-character passphrase. They are easier to remember and harder for hackers to guess.
ArbiterSports
ArbiterSports is used by many as an end-to-end activities management solution. However, some users of the officiating software company were notified of a data breach that exposed account usernames and passwords, names, addresses, dates of birth, email addresses and Social Security numbers. According to the company’s notification letter, ArbiterSports recently detected unauthorized access to certain devices in their network and an attempt to encrypt their systems.
After an investigation, the company learned the unauthorized party obtained a backup copy of a database made for business continuity reasons. The database contained PII for over 539,000 users. While ArbiterSports was able to prevent their devices from being encrypted, the unauthorized party still demanded payment in exchange for deleting the files. The two reached an agreement, and the files were deleted.
ArbiterSports is offering a free one-year membership of Experian’s IdentityWorks Credit 3B to detect possible misuse of personal information and to provide identity protection focused on identification and resolution of identity theft. Anyone affected should also change their username and password, as well as the username or password of any other accounts that share the same credentials.
notified™
For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.
Contact the ITRC
If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.
The coronavirus is making a lasting impact on the United States in many different ways. More than 175,000 people have died from the coronavirus, and 57+ million Americans have filed for unemployment. Another noticeable impact is the dramatic increase in scams and identity theft. There have been more than 92,000 COVID-19 fraud reports and $118+ million lost from fraud, according to the Federal Trade Commission. A story published by the Washington Post reports that no event over the last decade has spawned as many schemes or lasted this long.
Since COVID-19 began seriously affecting the U.S. in March, fraudsters and scammers have been trying to take advantage of the situation to steal or misuse people’s personally identifiable information (PII) in any way possible to commit identity theft. Recently, scammers have been taking advantage of the medical space to commit financial identity theft from COVID-19, using many different methods.
Medicare and Medicaid Scams
There is some good news when it comes to COVID-19 scams. COVID-related phishing scams appear to be on the decline. According to CheckPoint, July saw a 50 percent decrease in COVID-19 scams compared to June. However, CheckPoint reported that COVID-19 medical and vaccine-related scams are still in high demand as the race is on to find a vaccine. The U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) echoes a similar message. The HHS-OIG says scammers are offering tests to Medicare beneficiaries in exchange for PII, like Medicare and Medicaid information to commit financial identity theft.
The AMAC Foundation is so concerned about the current issue that they and Medicare.gov are sending a notice warning recipients of the scams. The HHS-OIG believes fraudsters are targeting recipients with telemarketing calls, text messages, social media messages and door-to-door visits in their effort to steal PII. PII can be used to fraudulently bill Federal health care and commit financial identity theft.
Insurance Scams
Insurance scams are another financial identity theft concern from COVID-19 with telemedicine being so widely available, as mentioned by the Coalition Against Insurance Fraud. The Coalition warns that costly insurance scams can exploit the burgeoning arms-length telemedicine. Tele-schemes can steal patients’ identities and defraud their insurance policies.
Medical Identity Theft Threat
While fraudsters are using the medical space to commit financial identity theft from COVID-19, there is also a risk of medical identity theft. According to a story published by CBS Dallas, hackers know more people are using the healthcare system, and they know they can take advantage of the situation.
If hackers get their hands on medical records, it could leave a lasting impact. The Senior Director of Threat Hunting and Intelligence at Binary Defense says someone who steals a victim’s identity can go as far as getting an expensive medical procedure done and charge it to the victim’s insurance account. The story suggests consumers give out the bare minimum amount of PII at medical appointments, ensure the provider’s online portals are secure, and ask providers to delete all of their medical records from the database once they are no longer a patient to help reduce their risk of falling victim to identity theft.
What You Can Do
Scammers are using Medicare and Medicaid scams, insurance scams, and a rise in people using the healthcare system to commit identity theft – particularly financial identity theft from COVID-19. However, there are still actions you can take to reduce your risk of falling victim to a COVID-19 scam or financial identity theft.
Medicare and Medicaid beneficiaries should be cautious of any unsolicited requests for Medicare or Medicaid numbers
Keep an eye out for unexpected calls or messages that ask for PII. If someone receives a message with a link or an attachment, do not click or open anything. (NOTE: A physician or trusted health care provider will approve any COVID-19 tests or treatments.)
Anyone suspicious of COVID-19 healthcare fraud should report it online to the U.S. Department of Health and Human Services Office of Inspector General or call 800.HHS.TIPS
If you are the victim of financial identity theft from COVID-19, or a COVID-19 scam, you can call the Identity Theft Resource Center toll-free at 888.400.5530. You can also live-chat on our website to speak with an expert advisor.
Financial Identity Theft Linked to COVID-19 Affects Medical Sector During Pandemic | Alex Hamilton | 2020-08-26 15:58:13 | 2020-08-26 15:59:46