Posts

,

Tips to Keep Your Identity Safe During the 2020 COVID-19 Holiday Season 

  • The 2020 COVID-19 holiday season is upon us. This year, consumers should be on the lookout for job scamsgiving scamsgrandparent scams and online shopping scams, to name a few.  
  • If anyone comes across an unknown message regarding the COVID-19 holiday season, they should ignore it and go directly back to the source to confirm the message’s legitimacy. 
  • People should take steps to protect their personal information when shopping online, taking part in holiday gatherings (both in person or via a video platform), at the gas pump, and when receiving electronic gifts. 
  • To learn more, contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website.  

COVID-19 has changed the way people live. Many people are working from home, there are restrictions on what people can do in public, and many businesses remain shut down or open at a limited capacity. It has also changed the way scammers attack consumers. 

The 2020 holiday season will also be much different than year’s past. According to IBM’s latest U.S. Retail Index Report, COVID-19 has accelerated the shift away from physical stores to digital shopping by roughly five years. 

Criminals may adopt new tactics to take advantage of the pandemic, but what will not be different is scammers’ and identity thieves’ ability to find ways to strike.  

Watch for COVID-19 Holiday Scams   

Here are some scams to watch for this COVID-19 holiday season. 

1. Job Scams – Much of the economy remains shut down or open in a limited capacity. Millions of people are looking to gig economy jobs like Uber, Lyft and DoorDash to get by. People could rely on gig economy jobs even more during the holidays to make extra cash. The Federal Trade Commission (FTC) reported losses of $134 million in 2019 to social media scams.

In the first half of 2020, the FTC already reported $117 million, with most scams coming from viewing an ad. Scammers may claim in advertisements that they can get shoppers access to premium jobs for the holidays with big tips in exchange for an upfront fee. Gig economy scams can also lead consumers to phishing websites that steal login credentials. 

2. Giving Scams – People typically give more to charities around the holiday season. However, with more families in need of help in 2020, we may see an even bigger increase in people making donations. Expect criminals to attack with giving scams, looking to steal people’s money and personal information. In fact, scammers have used giving scams to take advantage of people since the beginning of the pandemic.  

3. Grandparent Scams – Another popular holiday scam is the grandparent scam. A grandparent scam is where scammers claim a family member is in trouble and needs help. With the holidays here, scammers could pose as sick family members. 

4. Online Shopping Scams – Many more people will be shopping online this holiday season. According to the Better Business Bureau (BBB), 65 percent of people shopped online last year. This year, online shopping is expected to increase by 10 percent to 75 percent. With the increase in web traffic, consumers should be wary of messages claiming they have been locked out of their accounts. Scammers may send phishing emails making such claims while looking to steal usernames, passwords and account information.  

How to Protect Yourself from COVID-19 Holiday Scams 

While scammers will try to trick consumers, there are things people can do to protect themselves from a COVID-19 holiday scam. 

  • If someone comes across an ad for a job or a deal online that seems too good to be true, it probably is. Consumers should go back to the source directly by contacting the company to confirm the message’s validity. 
  • If someone receives an email, text message or phone call they are not expecting, ignore it. If any of the messages contain links, attachments or files, do not click or download them because they could have malware designed to steal people’s personal information or lead to a phishing attack. Again, consumers should reach out directly to who the caller, email sender or text message sender claimed to be or the company they claimed to be with.  
  • People should only donate to legitimate charities and organizations registered with their state.   Consumers can determine if a charity, non-profit or company is legitimate by searching for the charity’s charitable registration information on the Secretary of State’s website, looking for online reviews and Googling the entity with the word “scam” after it. 
  • No one should ever make a payment over the phone to someone they do not know or were not expecting to hear from. Scammers will try to trick people with robocalls to steal their sensitive information and commit identity theft. 

How to Protect Your Personally Identifiable Information (PII) This Holiday Season 

Identity Thieves will try different ways to steal people’s PII. It is crucial consumers can protect their PII during the holidays, and year-round, to make sure it does not end up in the hands of a criminal.  

1. At the Pump – More people will travel by car this year than usual. Travelers on the road should keep an eye out for gas station skimmers. Skimmers insert a thin film into the card reader or use a Bluetooth device at a gas pump to steals the card’s information that allows the thief to misuse the payment card account. If the pump looks tampered with, pay inside. Newer gas pumps use contactless technology and chipped payment cards that are very secure. Use those pumps if possible.  

2. Holiday Gatherings – It is always important to protect all personal information at holiday gatherings. While no one ever imagines a trusted friend or family member will go through their stuff, people fall victim every year. Keep wallets or purses with financial cards or I.D. cards within reach.  

3. Zoom and Other Online Video Platforms – Not all family gatherings will be in person in 2020 due to COVID-19. Some families will meet virtually via a video platform. When people use a video platform, it’s important they remember to secure the call by using strict privacy settings and not sharing any personal information with someone they don’t know.  

4. Shopping Online – With more people shopping online for the 2020 holiday season, people need to practice good cyber hygiene. Make sure to navigate directly to a retailer’s website rather than click on a link in an ad, email, text or social media post. Phishing schemes are very sophisticated these days and spotting a spoofed website of well-known and local brands can be difficult even for trained cybersecurity professionals. 

Consumers will still need to do their due diligence to ensure a business website is legitimate. There is inherently less risk of falling for a scam website by shopping at well-known retailers. It only takes a bit of homework to separate the scams from legitimate small online businesses. Using search terms like “Scam” or “Complaints” along with the website or company name can give people insight into the experience of other customers. 

When setting up a new online account, be sure to use multi-factor authentication. Multi-factor authentication creates a second layer of security to reduce the risk of a criminal taking over someone’s account. 

5. Electronic Gifts – With the advent of smart home devices, many gifts connect to the internet, presenting security risks. It is important consumers update the software on the device. It is also a good idea to have antivirus software installed on any computer, tablet or internet device if possible, along with a secure password on the home network router.  

For more information on how to stay safe during the COVID-19 holiday season contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat with an identity theft advisor at no-cost.

For access to more resources, download the ITRC’s free ID Theft Help app.  

COVID-19 Could Lead to Increase in Travel Loyalty Account Takeover

Travel Safe with These Cybersecurity Protection Tips

Mystery Shopper Scams Resurface during COVID-19

/by

Timberline, BankSight and MAXEX Headline the Most Notable Data Breaches in October

  • Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.  
  • A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.  
  • MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests. 
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM
  • For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more. 

There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list. 

Timberline Billing Service 

Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.

However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.  

Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools: 

  • Fort Dodge Community School District 
  • Iowa City Community School District 
  • Cherokee Community School District 
  • Kingsley-Pierson Community School District 
  • Central Decatur Community School District 
  • Clinton Community School District 
  • Muscatine Community School District 
  • Saydel Community School District 
  • Sheldon Community School District 
  • Mid-Prairie Community School District 
  • Hudson Community School District 
  • Dallas Center-Grimes Community School District 
  • Knoxville Community School District 
  • Oskaloosa Community School District 

Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.  

BankSight Software Systems, Inc. 

vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or postpone on loan payments, exposing private family and business information.  

vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their client’s data.  

MAXEX, LLC.  

Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.

The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.  

MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.  

While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. Rather, the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.  

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. 

Read more of our latest information & educational resources below

California Voters Pass Strongest Privacy Law in the U.S. – The California Privacy Rights Act (CPRA)

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers

/by

Election Scams Begin to Surface with the General Election Less than One Month Away

  • Election scams are beginning to appear, prompting the FBI and Cybersecurity and Infrastructure Security Agency (CISA) to warn consumers that spoofed internet domains and email accounts pose cyber and disinformation risks to voters. 
  • Scammers are also looking to trick voters by mimicking ballot-tracking text services
  • Identity thieves are seeking many different forms of personally identifiable information (PII), looking to commit malware attacks, and creating fake websites to collect PII or spread false or misleading information. 
  • Consumers should never share PII, respond to any unexpected messages until they have verified the website address, email address or text message link by checking with the legitimate source.  
  • For more information, or if you fell victim to an election scam, reach out to the Identity Theft Resource Center toll-free at 888.400.5530 or on our website via live-chat.  

The general election is less than one month away, and scammers are aware. Multiple voting organizations are expressing concerns over fake election-related websites that look like official voting resources, but contain false or misleading information, as well as phishing emails that are designed to gather personally identifiable information (PII) or spread malware. Some states are also seeing scammers trying to trick voters with phony text messages, like in California, where they mimic ballot-tracking text services. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) want to help people spot and avoid every form of election scam.  

Who It Is Targeting 

Voters; Online device users 

What It Is 

Scammers are using many different tactics to try to trick voters: 

  • They create fake election-related websites to spread misinformation, confuse people, or trick voters into sharing personal information ahead of the November 3 elections. According to the FBI and CISA, election scams around fake websites aim to mislead voters and try to use interest around voting to steal people’s passwords. Scammers create websites that try to imitate election websites by altering one or two letters in the site’s address.  
  • Another election scam the FBI and CISA want people to be aware of is phishing emails. Scammers email voters from spoofed addresses that appear to come from election officials.  
  • Scammers are using text messages to attack, too. Some text messages claim they are from the United States Postal Service (USPS). Others look like they are from the Registrar of Voters asking consumers to take a survey or re-register to vote. Some even offer prizes for voting or registering to vote. 

What They Are After 

“There’s risk to you personally,” James Lee, Chief Operating Officer of the Identity Theft Resource Center (ITRC), told NBC 7 San Diego in an interview. “And in this case, because we’re talking about an election, there’s risk to our society. There’s risk to our country.” 

All of these election scams try to steal usernames, passwords or email addresses. They lead to the collection of PII and spread malware, leading to the potential of more compromises and financial losses in the future. 

What You Can Do 

  • Verify the spelling of all websites, email addresses or links in text messages. Make sure domains consist of http or https at the beginning of the domain, and .gov at the end if it is a government website. 
  • If you receive an unexpected or unsolicited email or text message, ignore it and do not click on any links. Go directly to the source to verify the validity of the message. 
  • Find election information from trustworthy websites, like the Election Assistance Commission.  
  • Make sure all of your applications are up-to-date and update your anti-virus and anti-malware systems. 
  • If possible, use two-factor authentication (2FA) on your accounts.  
  • Disable or remove unneeded applications from your devices. 

If you believe you are a victim of an election scam or want to learn more, contact the ITRC to speak with an expert advisor toll-free at 888.400.5530. You can also live-chat with us on our company website. 

/by

Shopify Data Exposure Affects Hundreds of Online Businesses

  • Shopify recently announced that two support team members allegedly committed insider theft and obtained transactional records of at least 100 merchants.  
  • Data exposed in the Shopify data compromise includes names, physical addresses, email addresses, products, and services purchased. 
  • Businesses should consider reducing their privilege access based on the employee’s status, watch data movement across the company, and have tools to give visibility to file activities. 
  • Consumers should change their usernames and passwords for their Shopify account, keep an eye out for phishing emails, and act on a breach notification letter if they receive one. 
  • Anyone impacted by the Shopify data exposure can call the ITRC toll-free at 888.400.5530, or live-chat on the company website with an expert advisor.  

The E-commerce platform, Shopify, is used by online businesses and retail point-of-systems all over the world. One of the most notable companies is Kylie Cosmetics, Kylie Jenner’s well-known make-up company. Kylie Cosmetics is one of an unknown number of merchants, believed to be between 100 – 200 merchants, impacted by a recent Shopify data exposure. While information is still limited, there are important facts and tips for both consumers and businesses to know about this case of an insider threat.  

What Happened 

On September 22, Shopify announced that two members of their support team were engaged in a scheme to obtain customer transaction records from merchants. While there is no evidence of the data of the impacted merchants being utilized right now, the e-commerce company says they are only in the early stages of the investigation. Data exposed by the Shopify compromise includes email addresses, names, physical addresses as well as products and services purchased. 

According to MarketWatch, the order details do not include financial information like credit card information or additional personal information. Shopify says most of their merchants are not affected, and the ones that are have been notified. They say they will also be updating affected merchants as more information becomes available. 

How the Shopify Data Exposure Impacts Businesses 

More people are working from home now than ever due to COVID-19, which means remote workers may have more access privileges than usual with fewer security restrictions. The Shopify data exposure is a great example of the dangers of an organization offering employees too much access privilege. Security experts also say that insider threats are growing with more people getting accustomed to working from home. 

How Businesses Can Protect Themselves 

  • Reduce privilege access based on the employee and their position. 
  • Watch data movements across the entire company environment whether employees are on or off the network. 
  • Adopt a zero-trust framework so the security team can better track who is coming in and out of the network. 
  • Have tools in place that give visibility into file movements, enabling them to verify that corporate intellectual property and sensitive data is not leaving the organization. 

How the Shopify Data Exposure Impacts Consumers 

While only names, email addresses and address information were exposed, consumers affected by the Shopify data exposure could be at risk of receiving phishing emails or other emails that try to target financial information.  

What Consumers Should Do  

  • Change their usernames and passwords for their account. 
  • Watch out for phishing emails and other emails attempting to collect financial information or other personally identifiable information (PII). 
  • Watch for a breach notification letter. If they get one, it should not be ignored. Consumers need to act and follow the steps provided in the letter. Consumers should also take advantage of credit monitoring if it is provided and consider freezing their credit. 
  • While full payment information is not believed to be involved, it is still a good idea for consumers to regularly check their accounts for any suspicious activity.  

Contact the Identity Theft Resource Center 

Victims of the Shopify data exposure are encouraged to contact the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 or live-chat with an expert advisor on our website. Data breach victims can also download the ITRC’s ID Theft Help app to access resources, advisors, a case log and much more. 

Read more of our latest news below

iPhone 12 Chatbot Scam Begins to Spread Through Text Messages

Dunkin Donuts Data Breach Settlement Highlights Busy Week of Data Compromise Updates

50,000+ Fake Login Pages for Top Brands from Credential Theft

/by

Dunkin Donuts Data Breach Settlement Highlights Busy Week of Data Compromise Updates

  • A recent report by Comparitech says that six percent of all Google Cloud environments are misconfigured and left open to the web for anyone to see.  
  • Dunkin Donuts settled in a lawsuit with the State of New York after being accused of not taking appropriate action in response to two cyberattacks dating back to 2015.
  • 217 Blackbaud users have announced they are impacted by the technology services provider data breach. The breach has affected at least 5.7 million individuals.
  • To learn about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM. Consumers impacted by a data breach can call the ITRC at 888.400.5530 or live-chat with an expert advisor on the company website.

It’s a busy week in the world of data breaches. A report released reports six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view them; Dunkin Donuts paid a settlement over a series of cyberattacks that resulted in multiple Dunkin Donuts data breaches; There’s also an update in the data breach of Blackbaud.

Subscribe to the Weekly Breach Breakdown Podcast

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, Dunkin, Blackbaud and Google Cloud highlight the list.

Misconfigured Google Cloud Environments

2020 has had its share of high-profile data events. Sar far in September, an estimated 100,000 customers of a high-end gaming gear company had their private information exposed from a misconfigured server. Another misconfigured server impacted 70 dating and e-commerce sites, leaking personal information and dating preferences. In Wales, personally identifiable information (PII) of Welsh residents who tested positive for COVID-19 was exposed when it was uploaded to a public server.

According to a recent research report published by Comparitech, six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view their contents. Amazon, the largest cloud provider, has also had issues with clients failing to secure their databases. There is no evidence that any of the data was stolen or misused by threat actors. However, the kinds of data Comparitech uncovered includes thousands of scanned documents such as passports, birth certificates and personal profiles from children. This is not considered a data breach. Rather, it is categorized as a data exposure because their information was not taken; it was just exposed on the internet. With that said, it is a poor cybersecurity practice that puts consumers at risk.

If anyone uses a cloud database in their business, they should make sure their information is secure, starting with a password.

Dunkin Donuts Data Breach Settlement

Dunkin, the company many know as Dunkin Donuts, experienced multiple data breaches where at least 300,000 customers’ information was stolen. A settlement from a lawsuit with the State of New York was reached due to the Dunkin Donuts data breaches. The lawsuit alleged that Dunkin Donuts failed to take appropriate action in response to two cyberattacks dating back to 2015.

The New York Attorney General says Dunkin Donuts failed to notify its customers of a 2015 breach, reset account passwords to prevent further unauthorized access, or freeze the store customer cards registered with their accounts. The State also claimed Dunkin Donuts failed to implement appropriate safeguards to limit future attacks.

The company was notified by a third-party vendor in 2018 that customer accounts had, again, been attacked. Although the company contacted customers after the 2018 Dunkin Donuts data breach, the State claimed the notification was incomplete and misleading.

Dunkin Donuts will pay the State $650,000, refund New York customers impacted by the data breach, and will be required to take additional steps to prevent further Dunkin Donuts data breaches.

Businesses with customers in New York should check to see if the State’s new privacy and cybersecurity law, known as New York SHIELD, applies to them. It has very specific notice requirements in the event personal information is exposed in a data breach.

Blackbaud Data Breach Update

The ITRC notified consumers of a data breach of Blackbaud in August. The technology services provider announced in July that data thieves stole information belonging to the non-profit and education organizations that use Blackbaud to process client information. The cybercriminals demanded a ransom, and Blackbaud paid it in exchange for proof the client information was destroyed.

Since the data breach of Blackbaud was announced, 217 different Blackbaud users of all shapes and sizes have reported their client’s information was impacted in the ransomware attack. Not every organization has listed how many people have been affected. However, the latest count from the organizations that have is 5.7 million individuals.

Blackbaud has not shared the number of customers with compromised information. Instead, they have relied on the customers to self-report it. Breach notices continue to be filed each day, and the ITRC will keep consumers updated on any future developments. 

notifiedTM

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, like the data breach of Blackbaud, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Victims of a data breach can also download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

Read more of our latest news below

iPhone 12 Chatbot Scam Begins to Spread Through Text Messages

Unemployment Benefits Mail Fraud Scams Strike Across the U.S.

50,000+ Fake Login Pages for Top Brands from Credential Theft

/by

Cense.Ai, Freepik and ArbiterSports Headline Recent Data Breaches

  • Cense.Ai left a temporary data storage repository online, accessible to anyone with a web browser. It led to the exposure of nearly 2.6 million records, including sensitive data and other personally identifiable information (PII).
  • A recent data breach of Freepik, a photos and graphics website, happened when hackers used a known software vulnerability to gain access to one of its databases storing user data. It led to hackers obtaining usernames and passwords for 8.3 million users.
  • After detecting unauthorized access to certain devices, ArbiterSports learned an unauthorized party obtained a backup copy of a database with PII in a recent data breach. ArbiterSports reached an agreement with the unauthorized party to have the files deleted.
  • Victims of a data compromise can speak with an Identity Theft Resource Center expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530.

August was another month full of data breaches, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly reported data breaches, and data exposures in a database containing 25 different information fields and 63 different identity attributes that are updated daily. Of the recent data breaches in August, Cense.Ai, Freepik and ArbiterSports are three of the most notable.

Cense.Ai

A recent Cense.Ai data exposure led to almost 2.6 million records, including sensitive data and other personally identifiable information (PII), accessible to anyone on the web. According to TechNadu, a database containing names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records and more was left online due to an error.

Security Researcher, Jeremiah Fowler, found two folders containing the sensitive data and managed to remove the port from the IP address of the Cense’s website. Fowler found that all individuals listed had been in a car accident. In most cases, there was also information like policy numbers, claim numbers and the date of the accident.

According to PCMag, Cense.Ai has not commented publicly about the exposure, and the company did not immediately respond to PCMag’s request for comment. Anyone affected by the Cense.Ai data exposure should monitor all of their accounts for any suspicious activity. If you find anything out-of-the-ordinary in your records, contact the appropriate company and take additional action if needed. 

Freepik

Freepik is a website that provides access to high-quality free photos and design graphics. In mid-August, the popular site announced that they suffered a data breach. According to the company’s statement, there was a breach from a SQL injection in Flaticon that allowed an attacker to get user information from their database. A little more than eight million users were affected. 4.5 million users had no hashed passwords due to exclusively federated logins (through Google, Facebook, etc.), and the hacker only obtained their email address. However, the additional 3.8 million users had both their email addresses and hashed passwords stolen. Freepik says they have taken extra measures to reduce their risk of a similar attack in the future. The company is also in the process of notifying all affected users.

Users who had their passwords stolen in this recent data breach should change their password and the password of any other accounts that share the same password. Also, switch to a nine to ten-character passphrase. They are easier to remember and harder for hackers to guess.

ArbiterSports

ArbiterSports is used by many for end-to-end activities management solution. However, some users of the officiating software company were notified of a data breach that exposed account usernames and passwords, names, addresses, dates of birth, email addresses and Social Security numbers. According to the company’s notification letter, ArbiterSports recently detected unauthorized access to certain devices in their network and an attempt to encrypt their systems.

After an investigation, the company learned the unauthorized party obtained a backup copy of a database made for business continuity reasons. The database contained PII for over 539,000 users. While ArbiterSports was able to prevent their devices from being encrypted, the unauthorized party still demanded payment in exchange for deleting the files. The two reached an agreement, and the files were deleted.

ArbiterSports is offering a free one-year membership of Experian’s IdentityWorks Credit 3B to detect possible misuse of personal information and to provide identity protection focused on identification and resolution of identity theft. Anyone affected should also change their username and password, as well as the username or password of any other accounts that share the same credentials. 

notifiedTM

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

Online Job Scams See Rise Amid Pandemic

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

/by

Financial Identity Theft Linked to COVID-19 Affects Medical Sector During Pandemic

The coronavirus is making a lasting impact on the United States in many different ways. More than 175,000 people have died from the coronavirus, and 57+ million Americans have filed for unemployment. Another noticeable impact is the dramatic increase in scams and identity theft. There have been more than 92,000 COVID-19 fraud reports and $118+ million lost from fraud, according to the Federal Trade Commission. A story published by the Washington Post reports that no event over the last decade has spawned as many schemes or lasted this long.

Since COVID-19 began seriously affecting the U.S. in March, fraudsters and scammers have been trying to take advantage of the situation to steal or misuse people’s personally identifiable information (PII) in any way possible to commit identity theft. Recently, scammers have been taking advantage of the medical space to commit financial identity theft from COVID-19, using many different methods.

Medicare and Medicaid Scams

There is some good news when it comes to COVID-19 scams. COVID-related phishing scams appear to be on the decline. According to CheckPoint, July saw a 50 percent decrease in COVID-19 scams compared to June. However, CheckPoint reported that COVID-19 medical and vaccine-related scams are still in high demand as the race is on to find a vaccine. The U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) echoes a similar message. The HHS-OIG says scammers are offering tests to Medicare beneficiaries in exchange for PII, like Medicare and Medicaid information to commit financial identity theft.

The AMAC Foundation is so concerned about the current issue that they and Medicare.gov are sending a notice warning recipients of the scams. The HHS-OIG believes fraudsters are targeting recipients with telemarketing calls, text messages, social media messages and door-to-door visits in their effort to steal PII. PII can be used to bill Federal health care and commit financial identity theft fraudulently.

Insurance Scams

Insurance scams are another financial identity theft concern from COVID-19 with telemedicine being so widely available, as mentioned by the Coalition Against Insurance Fraud. The Coalition warns that costly insurance scams can exploit the burgeoning arms-length telemedicine. Tele-schemes can steal patients’ identities and defraud their insurance policies.

Medical Identity Theft Threat

While fraudsters are using the medical space to commit financial identity theft from COVID-19, there is also a risk of medical identity theft. According to a story published by CBS Dallas, hackers know more people are using the healthcare system, and they know they can take advantage of the situation.

If hackers get their hands on medical records, it could leave a lasting impact. The Senior Director of Threat Hunting and Intelligence at Binary Defense says someone who steals a victim’s identity can go as far as getting an expensive medical procedure done and charge it to the victim’s insurance account. The story suggests consumers give out the bare minimum amount of PII at medical appointments, ensure the provider’s online portals are secure, and ask providers to delete all of their medical records from the database once they are no longer a patient to help reduce their risk of falling victim to identity theft.

What You Can Do

Scammers are using Medicare and Medicaid scams, insurance scams, and a rise in people using the healthcare system to commit identity theft – particularly financial identity theft from COVID-19. However, there are still actions you can take to reduce your risk of falling victim to a COVID-19 scam or financial identity theft.

  • Medicare and Medicaid beneficiaries should be cautious of any unsolicited requests for Medicare or Medicaid numbers
  • Keep an eye out for unexpected calls or messages that ask for PII. If someone receives a message with a link or an attachment, do not click or open anything. (NOTE: A physician or trusted health care provider will approve any COVID-19 tests or treatments.)
  • Anyone suspicious of COVID-19 healthcare fraud should report it online to the U.S. Department of Health and Human Services Office of Inspector General or call 800.HHS.TIPS

If you are the victim of financial identity theft from COVID-19, or a COVID-19 scam, you can call the Identity Theft Resource Center toll-free at 888.400.5530. You can also live-chat on our website to speak with an expert advisor.

Read more of our latest news below

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

/by

Blackbaud Data Breach Leaves Lasting Impact on U.S. and International Nonprofits

Updated as of 10/9/2020- The recent social-good relationship management software data breach has nonprofit organizations left to figure out what to do next. Blackbaud, a cloud software company, used primarily by nonprofits, announced that they were the victim of a ransomware attack. Also, according to a filing with the U.S. Securities and Exchange Commission, Blackbaud acknowledges that a ransomware attack in May that affected its clients could have exposed much more personally identifiable information (PII) – including banking details – than the company initially believed. The number of people affected is still unknown, and more information needs to be gathered to judge the attack’s actual scope.

However, the Identity Theft Resource Center (ITRC) has tracked 255 organizations and seven million people affected. People who engage with organizations that utilize Blackbaud could be at risk of scams and social engineering.  

What Happened

In May 2020, a ransomware attack was partially thwarted. However, the perpetrator copied a subset of data before being locked out. The hackers then offered to delete the data for an undisclosed amount of money. According to Blackbaud, they paid the ransom and received confirmation that the copy they removed had been destroyed. However, the confirmation was not detailed. Blackbaud says they have no reason to believe that any data went beyond the cybercriminal, was or will be misused.

The information exposed in the breach includes telephone numbers, email addresses, dates of birth, mailing addresses, donation dates, donation amounts and other donor profile information.

Right now, the following third-party vendors are reporting Social Security numbers being involved: The University of Detroit Mercy, Seeds of Peace, Crystal Stairs, Inc., Concord Academy, Bridgewater State University, Spectrum Health Lakeland, Vermont Student Assistance Corporation, Ball State University Foundation, William & Mary Business School Foundation, Salem State University, University of South Carolina Upstate Foundation, Shady Hill School, Berkshire Farm Center & Services for Youth, Inc., and Marywood University. 

There have also been notices of financial information and credit card information being exposed. Blackbaud is calling the incident a security incident.

How it Can Impact You

No one knows if there has been more PII stolen except for the hackers. Consumers impacted by the Blackbaud data breach could be at risk of scams (particularly giving and donation scams) and social engineering tactics. Multiple sectors were also impacted by the attack.

Healthcare Sector

Healthcare organizations all over the world use Blackbaud as their cloud software company. According to Blackbaud, 30 of the top 32 largest nonprofit hospitals are powered by their solutions. The ITRC has seen multiple data breach notices from healthcare organizations affected by the Blackbaud data breach. Since the breach impacted donors primarily, it could mean those individuals may be more susceptible to being targeted by fraudsters in the future. As of this writing, no personal health information (PHI) has been involved.

Education Sector

Blackbaud plays a significant role in the education sector. They offer school management software to K-12 schools, as well as universities. Some of the management software includes student information, learning management, enrollment management and school websites. Many schools and districts have acknowledged they were impacted by the Blackbaud data breach. Most of the information involved includes donor information, alumni information and student demographic information.

Nonprofit/NGO Sector

Blackbaud is a service that is primarily by nonprofits. Blackbaud offers an array of software services that cater to nonprofits worldwide, but are best known for their customer relationship management (CRM) tools. Many nonprofits use these to nurture their donors and fundraising. The range of types of nonprofits affected by the attack is vast. In fact, some Blackbaud nonprofits continue to come forward about whether or not they may have been impacted. Now, many nonprofits are trying to figure out their next steps for how to securely manage their CRM needs.  

What You Need to Do

The Blackbaud data breach and its impacts on businesses and consumers are specific to each affected entity and customer. Blackbaud has said that it notified its affected customers of the breach, and those customers should be notifying their impacted individuals. Depending on what information was exposed, the steps for those affected individuals could vary. Anyone who receives a notification letter regarding the Blackbaud data breach should not dismiss the letter and take the notice’s recommended steps.

The biggest threat, based on the data compromised, is social engineering. Employees of the nonprofit organizations impacted by the breach may receive emails that look like they are from an executive, in an attempt at spear phishing.

Donors and members of the nonprofit organizations impacted by the Blackbaud data breach may receive messages asking to provide their personally identifiable information (PII) to update their contact or financial information, either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with. If an employee comes across an email they find suspicious, they should go directly back to the person it claimed to come from and verify the validity of the message if it is internal. If it is someone claiming to be from outside the organization, it should be run by their manager, IT services, or someone familiar with the relationship.

Anyone who believes they were impacted by the Blackbaud data breach can call the ITRC toll-free at 888.400.5530. They can also live-chat with an expert advisor. Another option if the free ID Theft Help app. The app has resources for victims, a case log, access to an advisor and much more.

You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

/by

Data Breaches in the Healthcare Industry Continue Due to Availability of Valuable Information

Significant and negatively impactful data breaches in the healthcare industry have happened for a long time. Back in 2015, Anthem suffered a massive data breach that led to as many as 80 million people having their information stolen. In 2019, third-party billings and collection agency, American Medical Collection Agency (AMCA), suffered a data breach that affected over 24 million people and 20 healthcare entities. That included Quest Diagnostics, who had 11.9 million patients impacted. More recent healthcare data breaches include Florida Orthopaedic Institute, University of Utah Health and PaperlessPay.

What Does it Mean to You?

Data breaches in the healthcare industry continue to happen because of the availability of both personally identifiable information (PII) and personal health information (PHI) available to bad actors. Hackers can do a lot of damage with access to sensitive PHI and PII, like Social Security numbers, health insurance numbers, drivers licenses or identification numbers, medication lists, conditions, diagnoses and financial information. Fraudsters can submit use this data to file fraudulent health insurance claims, apply for medical care and prescription medications, use the information on billing and much more.

According to the Protenus 2020 Breach Barometer, in 2019,  data breaches in the healthcare industry continued to be a problem, involving sensitive patient information, with public reports of hacking jumping 48.6 percent from 2018. The 2020 IBM Report on the average cost of a data breach reported that the most expensive attacks in 2019 occurred in the healthcare sector. According to the Identity Theft Resource Center’s (ITRC) 2019 Data Breach Report, there were 525 medical and healthcare data breaches in 2019, exposing over 39 million sensitive records. The medical and healthcare sector had the second-highest number of breaches and sensitive records exposed of all the sectors the ITRC tracks.

What Can You Do?

Data breaches in the healthcare industry will continue to happen because of the troves of information. However, there are things consumers can do to reduce their risk.

  • Victims should change their username and password for their affected healthcare account
  • Consumers should also change their username and password on any other accounts that have the same username or password as their healthcare account
  • Depending on what piece of PHI is exposed, victims should contact the affected healthcare provider to see what steps need to be taken

Victims of a data breach in the health care industry can call the ITRC toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an ITRC expert advisor.

Victims are also encouraged to download the free ID Theft Help app. The app has tools for data breach victims, including a case log to track all of their steps taken, access to helpful resources during the resolution process, instant access to an advisor and much more.

Read more…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

/by

Pharmacy Data Breaches Reveal the Lasting Impacts Small Data Events Can Have

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

/by