Posts

  • In 2020, the Federal Trade Commission (FTC) received nearly 100,000 business or personal loan fraud reports, many of them related to Small Business Administration (SBA) loan identity fraud.
  • That’s more than double the number of loan fraud reports from a year earlier. The Identity Theft Resource Center (ITRC) has also seen a spike in SBA loan identity crime reports since the COVID-19 pandemic.
  • Identity thieves apply for SBA loans (primarily Economic Injury Disaster (EIDL) and Paycheck Protection Program (PPP) loans) using stolen Social Security numbers and business Employer Identification numbers (EINs).
  • Scammers are also targeting consumers through phishing schemes in an attempt to steal their Social Security Numbers and other personal information needed to commit SBA loan identity fraud.
  • If anyone believes they are the victim of an SBA loan identity crime or would like to learn how to protect themselves from becoming a victim, they can contact the ITRC to speak with an advisor toll-free at 888.400.5530 or via live-chat. Just go to www.idtheftcenter.org to get started.

Small Business Administration (SBA) loan identity fraud spiked in 2020 due to COVID-19, and it continues to be a growing issue in 2021. The Federal Trade Commission (FTC) says in 2019, they received 43,920 reports of fraud involving business or personal loans; the number more than doubled in 2020 as the FTC had 99,650 reports. The FTC acknowledges that not all of the reports are related to SBA loan identity fraud, but also notes many of them are.

The Identity Theft Resource Center (ITRC) has seen a spike in calls and live-chats around SBA loan-related identity theft. The contacts continue today as contact center advisors work to help victims. Here is a testimonial from one victim who turned to the ITRC regarding their SBA loan identity crime case:

“I want to thank you for all your suggestions. You are the third (organization) I have contacted and by far the most helpful. I received a form from the Small Business Administration, and after returning it with the police report and the Identity Theft Report, I was informed that my debt with them would be canceled. It is such a huge weight off me. I did everything you suggested, and our credit is frozen with all the CRA’s. Thank you again.”

There are different forms of SBA loan-related identity theft of which  businesses and consumers should be aware:

Economic Injury Disaster Loans (EIDLs)

Economic Injury Disaster (EIDL) loans, loans for businesses that suffer substantial economic injury located within a disaster area, have always been available through the SBA. However, they have been expanded as part of the CARES Act to provide relief to businesses experiencing financial loss due to COVID-19. Identity fraud from an EIDL loan occurs when a threat actor applies for an EIDL loan using either a consumer’s Social Security Number (SSN) or a business’s Employer Identification Number (EIN).

Paycheck Protection Program Loans (PPPs)

Paycheck Protection Program (PPP) loans were designed to help businesses maintain their payroll and keep their workforce during COVID-19, and they are available through a lender. Identity fraud from a PPP loan occurs when an identity thief applies for a PPP loan using a stolen SSN, a business EIN or other stolen personal information needed to obtain a loan.

What to do if You Are a Victim of SBA Loan Identity Fraud

If a consumer or a business is the victim of an SBA loan identity crime (whether it’s from either an EIDL or PPP loan), they should take the following steps:

  1. Go back to the source of the loan to notify them of the identity fraud. If the identity fraud is from an EIDL loan, the victim should contact the SBA. If the fraud involves a PPP loan, the affected party should contact the lender that issued the loan. See below for more information on what the SBA requires people to submit, where to submit it, and details on their process.
  2. File an Identity Theft Report with the FTC at www.IdentityTheft.gov. An Identity Theft Report is one of the required documents by the SBA to cancel the loan debt as quickly as possible. Other documents needed include photo identification issued by a federal or state agency and a completed and signed Declaration of Identity Theft. For more information on the steps required by the SBA, click here.
  3. Place a credit freeze to lock credit files until they are needed.A credit freeze is the most effective way to ensure new loans or accounts are not opened.
  4. A less effective option is to place a fraud alert on credit files to alert potential creditors to take extra precautions before extending credit.
  5. Verify with the Secretary of State’s Office or another government agency where the business is registered to ensure the company’s ownership and registration status have not been changed.

Contact the ITRC

Anyone who believes they are a victim of SBA loan identity fraud should contact the ITRC for more information. People can speak to an advisor by phone (888.400.5530) or by live-chat to develop a resolution plan. Anyone who wants to document their steps can use the ITRC’s ID Theft Help app’s case log feature. Consumers who want to learn more can also check out our latest education resources at www.idtheftcenter.org.

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.  

  • Timberline Billing Service recently determined a supposed ransomware attack led to encrypted files and information removed from their network. So far, the Identity Theft Resource Center (ITRC) has tracked 14 impacted schools.  
  • A database exposure was recently discovered at BankSight Software Systems, exposing over 300 million records for at least 100,000 people.  
  • MAXEX exposed 9 GB of internal data, including confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests. 
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM
  • For more information, contact the ITRC toll-free at 888.400.5530, or by live-chat via the company website. People can also download the free ID Theft Help app to access advisors, resources, a case log and much more. 

There were many notable data breaches in October, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly-reported data breaches and data exposures in a database containing 25 different information fields that are updated daily. Of the notable data breaches in October, Timberline, BankSight and MAXEX top the list. 

Timberline Billing Service 

Timberline Billing Service, a company that claims Medicaid for education agencies in Iowa, recently determined that someone accessed their network between February 12, 2020 and March 4, 2020. The supposed ransomware attack led to encrypted files and information removed from the system.

However, the investigation was unable to determine what information was removed. The information exposed includes names, dates of birth, Medicaid I.D. numbers, billing information, support service code and identification numbers, medical record numbers, treatment information, medical information regarding diagnoses and symptoms and Social Security numbers. However, the information exposed varies from school to school.  

Of the 190 schools in Iowa Timberline assists, so far, the ITRC has tracked 14 impacted schools: 

  • Fort Dodge Community School District 
  • Iowa City Community School District 
  • Cherokee Community School District 
  • Kingsley-Pierson Community School District 
  • Central Decatur Community School District 
  • Clinton Community School District 
  • Muscatine Community School District 
  • Saydel Community School District 
  • Sheldon Community School District 
  • Mid-Prairie Community School District 
  • Hudson Community School District 
  • Dallas Center-Grimes Community School District 
  • Knoxville Community School District 
  • Oskaloosa Community School District 

Timberline says they are taking steps to enhance their security systems, resetting all user passwords, requiring frequent password rotations and migrating school and student data to a cloud location. Timberline is also offering a year of identity monitoring services through Experian to impacted children. Impacted individuals should monitor their accounts for any suspicious activity and contact the appropriate company and act if needed.  

BankSight Software Systems, Inc. 

vpnMentor’s research team recently discovered an exposed BankSight database, exposing over 300 million records for at least 100,000 individuals. According to vpnMentor, the exposed information includes the following: names, Social Security numbers, email addresses, phone numbers, home and business addresses, employment and business ownership details, financial data for businesses and individuals, and personal notes from people looking for loans or postpone on loan payments, exposing private family and business information.  

vpnMentor says they contacted BankSight, and BankSight shut down the server one day later. The information exposed allows a hacker to create sophisticated fraud schemes and target customers of BankSight’s clients. BankSight customers should contact the company to determine the steps to take to protect their client’s data.  

MAXEX, LLC.  

Of the notable data breaches in October, MAXEX does not impact the most people. However, it potentially creates the most significant risk to affected individuals. According to BankInfoSecurity, MAXEX, a residential mortgage trading company, exposed 9 GB of its internal data, including software development for its loan-trading platform. The data also had confidential banking documents, system login credentials, emails, the company’s data breach incident response policy, and reports from penetration tests done years ago.

The company also leaked the complete mortgage documents for at least 23 people in New Jersey and Pennsylvania. The records include tax returns, IRS transcripts, credit reports, bank account statements, scans of birth certificates, passports and driver’s licenses, letters from employers, divorce records, academic transcripts and Social Security numbers for the mortgage applicants and their children.  

MAXEX says they have retained security experts and contacted law enforcement agencies. They also have a computer forensics unit tracing the source of the breach and providing resolution advice. The company says they have fixed the issue that led to the breach. MAXEX says its mortgage trading platform was unaffected. However, links to the data are circulating on forums where stolen data is posted. On one platform, the information has been downloaded more than 1,000 times, according to BankInfoSecurity.  

While the data compromise only impacted a limited number of people, it does not always matter how many people it affected. Rather, the information that was exposed or stolen. Impacted individuals should begin contacting the appropriate companies to determine the next steps to take. Some of the steps to take include freezing your and your child’s credit, checking your reports for suspicious activity, and taking part in credit monitoring or identity monitoring services.  

notifiedTM 

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, like one of the notable data breaches in October, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. 


Read more of our latest information & educational resources below

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers

  • Approximately 56 percent of California voters passed The California Privacy Rights Act (CPRA). The law will be the toughest privacy law in the U.S. once it goes into effect in 2023.
  • California residents will have more control over what happens to their personal information when businesses collect it. Consumers from the state can also have information corrected they think is inaccurate.
  • California businesses will be required to update agreements with contractors and sub-contractors that binds them to meet the provisions of the CPRA.
  • For more information on the privacy law, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

California voters went to the polls to decide the fate of the strongest privacy law in the United States. After counting the ballots, Proposition 24 – The California Privacy Rights Act (CPRA) – passed and will go into effect in 2023.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at CPRA and what it means for businesses and consumers.

How The California Privacy Rights Act Passed

Approximately 56 percent of California voters approved the privacy law. However, Big Tech and Big Privacy joined forces to oppose the proposal. The initiative was proposed to strengthen the existing state privacy law, The California Consumer Privacy Act (CCPA), in many different ways.

What Consumers Need to Know About The California Privacy Rights Act

There are a few different things for California residents to know about the CPRA:

  1. Since voters approved the CPRA and not the state legislature, it will be more difficult to amend the law in the future. The legislature must submit any proposed changes to the popularly approved law to the voters in a future election. That makes it very difficult to weaken the privacy provisions in the CPRA.
  2. The CPRA gives California residents even more control over what happens to their personal information when a business collects it. The CCPA gives residents the right to access the information companies collect about them and request it be deleted in certain circumstances. It also prohibits the sale of their information for marketing purposes. The CPRA will give consumers rights linked to sharing information – not just selling data to third parties – clarifying one of the most confusing parts of the current privacy law, the CCPA.
  3. The CPRA adds a right to correct any information that a consumer thinks is inaccurate. Californians will now have the right to opt-out of automated decision processes that use their personal information. Also, they will have the right to see how automated decision processes work.
  4. The CPRA creates a new category of personal information that California residents can access and control in certain circumstances, like sharing information with third parties. The new category is known as “sensitive personal information” and includes precise geolocation data, race, religion, sexual orientation, Social Security numbers and certain health information.
  5. Finally, the new privacy law gives consumers the right of data portability, which means someone can tell a company to share their information with another company. It is like when someone changes their mobile phone or insurance companies.

What Businesses Need to Know About The California Privacy Rights Act

Businesses will also have a host of new duties that apply to them:

  1. Companies will have to create data silos, meaning they will have to keep personal information used in marketing separate from other consumer information. Companies, especially smaller ones, are already struggling to meet the existing consumer rights of access, review, deletion and opt-out. The new provision could compound the compliance issues.
  2. The most significant change for businesses will be the requirement that companies update agreements with contractors and sub-contractors that bind them to meet the provisions of the CPRA. In past podcast episodes, the ITRC has talked about data breaches resulting from “supply chain attacks.” That is where a company has good cybersecurity. Still, a third-party vendor ends up breached, and the company’s customer data is exposed. The requirement to update agreements with contractors and sub-contractors is designed to address supply chain attacks and clarify that everyone in the supply chain is responsible for protecting consumer information.
  3. Businesses do get some benefits in the CPRA. Employee and B2B data are exempt from the law until at least 2023, and businesses may be charged fees if consumers opt-out of data collection and sharing. That provision is the reason privacy advocates joined Big Tech companies to oppose the CPRA.

Toughest Privacy Law in the United States

The CPRA will be the toughest privacy law in the U.S. when it goes into full effect in 2023. In the meantime, state officials will propose the regulations needed to implement the new law. In the case of the CPRA, there will also be a new state agency created to enforce the new privacy law. For now, the California Attorney General will continue to enforce the existing law, CCPA.

Privacy Law Passed in Massachusetts

There was another state privacy law recently approved by a vote in Massachusetts. Car owners now have the right to see the information their car is wirelessly sharing with automakers. Approximately 75 percent of voters approved the proposal; carmakers have until 2022 to comply.

notifiedTM 

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have a question about The California Privacy Rights Act, data privacy, or if you receive a breach notice and you’d like to know how to protect yourself, contact the ITRC. You can speak with an expert advisor toll-free at 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • The Identity Theft Resource Center (ITRC) discovered multiple social media posts encouraging people to leave their Social Security numbers in the comment section of popular social media sites. It is known as the “Social Security number challenge.” 
  • While many people will not fall for the challenge, it is a reminder that there are fake social media profiles that ask for personal information.  
  • No one should ever give out any personal information publically or to someone they do not know, especially on social media. 
  • For more information, contact the ITRC for no-cost assistance by phone at 888.400.5530 or by live-chat via the company website.  

Have you ever heard of the Social Security number challenge? Someone posts a call to action on social media for people to “drop their Social Security number” in the comments. The Identity Theft Resource Center (ITRC) recently was notified of the trending Social Security number challenge on Facebook. 

Image from Facebook

While the challenge seems far-fetched, it is a good reminder that there are fake social media profiles that ask for personal information like “your mother’s maiden name” or “the answer to your security question.”  

Who It Is Targeting 

Facebook and social media users 

What It Is 

A social media challenge where someone posts on social media asking others to place their Social Security number in the comments. It is known as the “Social Security number challenge.”  

What They Are After 

In this particular case, people’s Social Security numbers. However, there are fake social media profiles that ask for other personal information like account security answers (your mother’s maiden name or dog’s name) that could lead to lots of damage if used in your password or other.

What You Can Do 

Never give out personal information to anyone you do not know. It’s impossible to know whose hands the information will end up in and what they might do with it. Personal information can be used to commit many different forms of identity theft. 

If you want to learn more about social media safety or have questions about the use of your Social Security number, contact the ITRC toll-free at 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website.  


Read more of our latest information & educational resources below

QR Code Security Threats Begin to Grow as Digital Barcode Popularity Rises

Unsubscribe Email Scam Looks to Trick Consumers

Social Media Scams are on the Rise as More People Use the Platforms to Connect

  • Cense.Ai left a temporary data storage repository online, accessible to anyone with a web browser. It led to the exposure of nearly 2.6 million records, including sensitive data and other personally identifiable information (PII).
  • A recent data breach of Freepik, a photos and graphics website, happened when hackers used a known software vulnerability to gain access to one of its databases storing user data. It led to hackers obtaining usernames and passwords for 8.3 million users.
  • After detecting unauthorized access to certain devices, ArbiterSports learned an unauthorized party obtained a backup copy of a database with PII in a recent data breach. ArbiterSports reached an agreement with the unauthorized party to have the files deleted.
  • Victims of a data compromise can speak with an Identity Theft Resource Center expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530.

August was another month full of data breaches, all tracked by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has compiled publicly-reported U.S. data breaches as part of our data breach tracking efforts. The ITRC tracks both publicly reported data breaches, and data exposures in a database containing 25 different information fields and 63 different identity attributes that are updated daily. Of the recent data breaches in August, Cense.Ai, Freepik and ArbiterSports are three of the most notable.

Cense.Ai

A recent Cense.Ai data exposure led to almost 2.6 million records, including sensitive data and other personally identifiable information (PII), accessible to anyone on the web. According to TechNadu, a database containing names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records and more was left online due to an error.

Security Researcher, Jeremiah Fowler, found two folders containing the sensitive data and managed to remove the port from the IP address of the Cense’s website. Fowler found that all individuals listed had been in a car accident. In most cases, there was also information like policy numbers, claim numbers and the date of the accident.

According to PCMag, Cense.Ai has not commented publicly about the exposure, and the company did not immediately respond to PCMag’s request for comment. Anyone affected by the Cense.Ai data exposure should monitor all of their accounts for any suspicious activity. If you find anything out-of-the-ordinary in your records, contact the appropriate company and take additional action if needed. 

Freepik

Freepik is a website that provides access to high-quality free photos and design graphics. In mid-August, the popular site announced that they suffered a data breach. According to the company’s statement, there was a breach from a SQL injection in Flaticon that allowed an attacker to get user information from their database. A little more than eight million users were affected. 4.5 million users had no hashed passwords due to exclusively federated logins (through Google, Facebook, etc.), and the hacker only obtained their email address. However, the additional 3.8 million users had both their email addresses and hashed passwords stolen. Freepik says they have taken extra measures to reduce their risk of a similar attack in the future. The company is also in the process of notifying all affected users.

Users who had their passwords stolen in this recent data breach should change their password and the password of any other accounts that share the same password. Also, switch to a nine to ten-character passphrase. They are easier to remember and harder for hackers to guess.

ArbiterSports

ArbiterSports is used by many for end-to-end activities management solution. However, some users of the officiating software company were notified of a data breach that exposed account usernames and passwords, names, addresses, dates of birth, email addresses and Social Security numbers. According to the company’s notification letter, ArbiterSports recently detected unauthorized access to certain devices in their network and an attempt to encrypt their systems.

After an investigation, the company learned the unauthorized party obtained a backup copy of a database made for business continuity reasons. The database contained PII for over 539,000 users. While ArbiterSports was able to prevent their devices from being encrypted, the unauthorized party still demanded payment in exchange for deleting the files. The two reached an agreement, and the files were deleted.

ArbiterSports is offering a free one-year membership of Experian’s IdentityWorks Credit 3B to detect possible misuse of personal information and to provide identity protection focused on identification and resolution of identity theft. Anyone affected should also change their username and password, as well as the username or password of any other accounts that share the same credentials. 

notifiedTM

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor on the website via live-chat, or by calling toll-free at 888.400.5530. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.


Read more of our latest breaches below

Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

Online Job Scams See Rise Amid Pandemic

“Meow” Attacks Lead to 4,000 Deleted Databases and Perplexed Security Experts

With some businesses opening back up after temporarily closing due to the COVID-19 pandemic, scammers are trying to capitalize using online job scams to steal people’s personal information.

Recently, Scripps Health found hackers exploiting job seekers through phishing emails with Scripps Health-themed “lures.” Scripps sent the following email to warn their community members:

Image provided to the Identity Theft Resource Center by public

ATA Engineering, another San Diego-based company, reports they also are seeing similar-type online job scams.

The Identity Theft Resource Center (ITRC) has seen a rise in victims contacting the organization about online job scams, including phishing emails. Some of the particular job scams reported to the ITRC include ones from Indeed, Zip Recruiter, and Facebook. The ITRC has had more than 40 victims reach out about online job scams the last three months.

Who Is It Targeting

People looking for work amist the COVID-19 pandemic

What Is It

Either a fake listing posted on a job board or a phishing email, robocall, social media message, or text message looking for a response.

What Are They After

While scammers attack in different ways, they are all looking for one thing: personal information. They hope they can trick people who are desperate or vulnerable into giving up sensitive data like usernames and passwords, financial data, or Social Security numbers. Once scammers have that information, they can commit many different forms of identity theft.

How You Can Avoid It

  • Never click on a link or open an attachment from an email you are not expecting. Instead, go directly to the source to verify the validity of the message.
  • Review all emails and websites carefully to make sure there are no suspicious addresses, subject lines or URLs.
  • Be careful about how much personal data you share, at least during the application process. Do not turn over information like your Social Security number until you are hired.
  • Make sure you have the job, and it is legitimate, before giving away financial information like a bank account number or routing number for direct depositing of paychecks.

If you think you may have fallen victim to an online job scam, you can call the ITRC toll-free at 888.400.5530. You can also live-chat with an expert advisor on the company website.


Read more of our latest articles below

A recent data breach of Dave, an online banking service, has users of the service searching for answers. Hackers often target digital banking services for their plethora of consumer records. In 2018, hackers leaked the information of 2.8 billion consumer data records, costing $654 billion in damages to U.S. organizations. Additionally, since the start of COVID-19, there has been a 50 percent increase in mobile banking. Dave is a fintech company that allows users to link their bank accounts and loan payments for upcoming bills to avoid overdraft fees. The Dave.com data breach occurred after the company’s third-party service provider, Waydev, was breached, allowing hackers access to over seven million users’ data.

What Happened

Dave suffered an attack, resulting in 7,516,625 user records being published on RAID, a hacker forum. Some of the information that was exposed from the Dave.com data breach included names, emails, birth dates, physical addresses, phone numbers, encrypted Social Security numbers and Bcrypt hashed passwords. The company uncovered the hacker’s access point into the database and has since notified customers of the exposure. After becoming aware of the incident, Dave enlisted law enforcement and the FBI to conduct an ongoing investigation, according to ZDNet.

What Does This Mean for You?

While there is no evidence that hackers have used the data from the Dave.com data breach to gain access to accounts or conduct any unlawful actions, there is still a lot of harm that could potentially be done. One threat is social engineering, where someone manipulates someone else into divulging personal information. Since multiple forms of information were exposed, there is an even higher and potentially more harmful risk for those impacted.

While the threat level is not as high as social engineering, hackers could also target victims with mail-forwarding and sign up for accounts with the victim’s information.

Next Steps to Take

Affected users of Dave should consider taking immediate action to minimize the risks of identity theft. Some important next steps include:

  • Change the usernames and passwords on any accounts that share a username and password with their Dave.com account – opt for a stronger, unique passphrase
  • Look out for account sign-ups and websites which they are not familiar
  • Avoid clicking on any links or opening any attachments in messages they are not expecting or giving out personal information on the phone. Instead, users should reach out directly to verify the validity of the message.

Anyone affected by the Dave.com data breach can call the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an expert advisor. Finally, victims should consider downloading the free ID Theft Help app for access to resources, a case log to track their activities in managing their data breach case and much more.

You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Significant and negatively impactful data breaches in the healthcare industry have happened for a long time. Back in 2015, Anthem suffered a massive data breach that led to as many as 80 million people having their information stolen. In 2019, third-party billings and collection agency, American Medical Collection Agency (AMCA), suffered a data breach that affected over 24 million people and 20 healthcare entities. That included Quest Diagnostics, who had 11.9 million patients impacted. More recent healthcare data breaches include Florida Orthopaedic Institute, University of Utah Health and PaperlessPay.

What Does it Mean to You?

Data breaches in the healthcare industry continue to happen because of the availability of both personally identifiable information (PII) and personal health information (PHI) available to bad actors. Hackers can do a lot of damage with access to sensitive PHI and PII, like Social Security numbers, health insurance numbers, drivers licenses or identification numbers, medication lists, conditions, diagnoses and financial information. Fraudsters can submit use this data to file fraudulent health insurance claims, apply for medical care and prescription medications, use the information on billing and much more.

According to the Protenus 2020 Breach Barometer, in 2019,  data breaches in the healthcare industry continued to be a problem, involving sensitive patient information, with public reports of hacking jumping 48.6 percent from 2018. The 2020 IBM Report on the average cost of a data breach reported that the most expensive attacks in 2019 occurred in the healthcare sector. According to the Identity Theft Resource Center’s (ITRC) 2019 Data Breach Report, there were 525 medical and healthcare data breaches in 2019, exposing over 39 million sensitive records. The medical and healthcare sector had the second-highest number of breaches and sensitive records exposed of all the sectors the ITRC tracks.

What Can You Do?

Data breaches in the healthcare industry will continue to happen because of the troves of information. However, there are things consumers can do to reduce their risk.

  • Victims should change their username and password for their affected healthcare account
  • Consumers should also change their username and password on any other accounts that have the same username or password as their healthcare account
  • Depending on what piece of PHI is exposed, victims should contact the affected healthcare provider to see what steps need to be taken

Victims of a data breach in the health care industry can call the ITRC toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an ITRC expert advisor.

Victims are also encouraged to download the free ID Theft Help app. The app has tools for data breach victims, including a case log to track all of their steps taken, access to helpful resources during the resolution process, instant access to an advisor and much more.


Read more…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams