Posts

Everything’s Bigger in Texas

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 10, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. For the past two weeks, we’ve concentrated on what happens when you receive a notice that your personal information has been compromised. This week, we’re going to talk about a data breach involving personal information for children and the unique risks created when children’s personal information is exposed.

When you grow up in the southern U.S, you learn very quickly that the saying “Everything’s bigger in Texas” is absolutely true. The Lone Star state is twice the size of Germany. Texans eat 54,000 tons of catfish each year. That’s six times the weight of the Eiffel Tower. There are high school football stadiums in Texas that seat more than 19,000 people, enough to fit the entire population of three average-size U.S. cities.

Dallas I.S.D. Data Breach

This week, the Dallas, Texas Independent School District (Dallas I.S.D.) has earned a different distinction: the target of a significant data breach.

More than 145,000 students attend 230 schools across the district that employs 22,000 people. That doesn’t include independent contractors and vendors who also serve the Dallas schools.

School officials announced late Friday before Labor Day that an “unauthorized third-party” had accessed, downloaded and stored personal information on a cloud data storage site. The stolen data included information on current and former students and their parents as well as current and former employees and contractors dating back to 2010.

The compromised information includes full names, addresses, Social Security numbers (SSNs), phone numbers, dates of birth, and employment and salary information for current and former employees and contractors. The breached data also includes full names, SSNs, dates of birth, parent and guardian information, and grades for current and former students. According to the school district, some students’ custody status and medical conditions may have also been exposed.

What Happened

As is typical in the early days of data breaches, there are many unknowns and a lot of reluctance to share information about what happened. Dallas I.S.D. has hired forensic investigators to determine how the cybercriminals gained access to the student, parent and employee information. However, little is known about how cybercriminals got their hands on the employees, contractors and student’s personal information.

School officials are not calling this a ransomware attack. However, they acknowledge that they have communicated with the data thieves who claim the information has not been sold or shared, but has been removed from the cloud database. Ransomware attacks against schools have dramatically increased as students return for the new school year and identity criminals look for children’s personal information. One cybersecurity firm reports seeing more than 1,700 attacks against schools around the world each week in July.

The Impacts of a Children’s Personal Information Being Stolen

Dallas I.S.D. is offering credit monitoring and identity theft recovery services for one year. The ITRC always recommends data breach victims take advantage of those offers. However, the release of student information is especially troubling as criminals who take control of a young person’s identity can cause significant harm over time.

Imagine a high school student applying for college and being denied financial aid or admission because someone had used their SSN to report income or obtain credit. An identity thief can abuse the personal information for children for years before the parents or child learn of the crime.

Freeze Your Child’s Credit

It’s important for parents to not only freeze their own credit, but to freeze their children’s credit, too. That won’t prevent your child’s information from being exposed in a data breach. However, it will keep a cybercriminal from using the children’s personal information to ruin their credit and perhaps their education and work opportunities when they grow up.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Listen next week as we talk about credit freezes with the founder of Frozen Pii on our sister podcast, The Fraudian Slip. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • T-Mobile’s most recent 2021 data breach impacts 50+ million people. The exposed information includes Social Security numbers (SSNs), driver’s licenses, phone numbers, and International Mobile Equipment Identities (IMEIs) and International Mobile Subscriber Identities (IMSIs).
  • According to Threatpost, Microsoft’s Power Apps management portal exposed the data of 47 businesses for months, including 38 million people’s personal records. The information exposed varies by company. However, it ranges from names, COVID-19 vaccination status, email addresses, and phone numbers to SSNs and job titles.
  • Approximately 1.4 million people were impacted by a ransomware attack on St. Joseph’s/Candler Health System in Georgia that shut down the healthcare provider’s systems. Information compromised includes health insurance information, financial information and medical records information.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about August 2021 data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.   
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable August Data Breaches

Of the nearly 160 data events the Identity Theft Resource Center (ITRC) tracked in August, three stand out: T-Mobile, Microsoft and Georgia’s St. Joseph’s/Candler Health System (SJ/C). T-Mobile’s latest 2021 data breach highlights the jump in mobile breaches. The Microsoft data event is significant because it’s due to a flaw in a platform’s security. Finally, SJ/C exposed 1.4 million people’s personal information after a ransomware attack on the healthcare system.

T-Mobile

According to T-Mobile, identity criminals compromised T-Mobile’s systems. The company says hackers gained access to their testing environments and then used brute force attacks and other methods to make their way into other IT servers. T-Mobile located and closed the access point they believe was used to gain entry to their servers.

On August 17, T-Mobile confirmed that approximately 47 million people were impacted by their latest data breach in 2021. T-Mobile also said the data stolen from their systems includes personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised in the third T-Mobile data breach since December 2020. T-Mobile identified another 5.3 million current customer accounts with one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed. For more information on the T-Mobile data breach and steps to take, click here.

Microsoft

According to Threatpost, research from UpGuard revealed Microsoft’s Power Apps management portal accidentally exposed the data of 47 businesses for months, including 38 million people’s personal records. UpGuard reports that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. The article says that Microsoft does not consider the data issue a vulnerability, rather a configuration issue that can be improved.

Information exposed varies per business. However, the personal information ranges from names, COVID-19 vaccination status, email addresses and phone numbers to SSNs and job titles. Some of the notable businesses impacted are American Airlines, Ford, the Maryland Department of Health and the New York City schools. 

UpGuard says since disclosure of the issue, Microsoft released a tool for checking Power Apps portals for leaky data. Microsoft also plans to change the product so that permissions will be enforced by default. Microsoft’s data event is one of the first data breaches in 2021 the ITRC has seen due to a flaw in platform security. It is considered one of the rarest forms of data compromise.

St. Joseph’s/Candler Health System

On August 10, SJ/C, a healthcare system in Savannah, Georgia, released information on a ransomware attack on their systems. According to the news release, SJ/C found suspicious activity in its IT network and launched an investigation. The investigation determined that the incident resulted in an unauthorized party gaining access to its IT networks between December 18, 2020 and June 17, 2021 and launching a ransomware attack, making the systems inaccessible.

Nearly 1.4 million individuals were impacted by the data breach, both patients and employees. At-risk information includes SSNs, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member I.D. numbers, medical record numbers, medical and clinical treatment information and much more.

SJ/C says, following the incident, they have implemented and will continue to adopt additional safeguard and technical security measures to further protect and monitor its systems. The ITRC has seen similar incidents happen across the U.S., including at Scripps Health in San Diego, California.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/Text) and to keep an eye out for phishing attempts that claim to be from the breached organization.   

T-Mobile recommends all eligible customers sign up for scam blocking protection through the company’s Scam Shield as protection from the latest data breach in 2021. They are also directing people to a customer support webpage with breach information and access to tools.

SJ/C has a toll-free incident response line to answer people’s questions about the latest data breach in 2021. Anyone can call 855.623.1933 Monday through Friday between 8 a.m. and 5:30 p.m. EST. Additional information is available at www.sjchs.org.

notified 

For more information about August data breaches in 2021, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.   

T-Mobile recently suffered its second data breach since February 2021 and its third breach since December 2020. The latest T-Mobile data breach leaves many current, former and prospective customers wondering what happened, how it happened and what they need to do to stay safe.

What Happened?

According to T-Mobile, a bad actor compromised T-Mobile’s systems. The company says they located and closed the access point they believe was used to gain entry to their servers.

On August 17, 2021, T-Mobile confirmed that approximately 47 million people were impacted by the data breach. T-Mobile also said the data stolen from their systems included personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, 2021, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised. T-Mobile identified another 5.3 million current customer accounts that had one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed.

The Verge reports that the Federal Communications Commission (FCC) is investigating the T-Mobile data breach that may have impacted as many as 100 million customers.

What Does It Mean to You?

Identity criminals can use information like your SSN and driver’s license to commit an array of identity crimes like false applications for loans, credit cards or bank accounts in your name. IMEIs and IMSIs could be used to track your mobile device or assist in SIM swapping attacks where someone hijacks your phone number to intercept multi-factor authentication codes or other information.

What Can You Do to Protect Yourself from the T-Mobile Data Breach?

  • Freeze your credit. T-Mobile is offering identity protection services to impacted customers, including credit monitoring. While monitoring your credit is informative, it does not offer protection. It tells you what happened but does not stop anything from happening. A credit freeze does. Freezing your credit is free, easy and does not impact your credit.
  • Change your passwords and PIN numbers. You want to make sure you do not use the same passwords or PINs on more than one account. The Identity Theft Resource Center (ITRC) recommends you switch to a unique passphrase (something you can remember that is at least 12 characters long). You can also use a password manager to generate and keep track of your credentials. Cybercriminals want us to reuse passwords on more than one account because it makes it easier for them to commit identity crimes.
  • Use multi-factor authentication (MFA or 2FA) on your accounts. MFA and 2FA provide an added layer of security. Also, if possible, use an authentication app rather than having a code sent by text to your phone because the text messages can be spoofed and intercepted in a SIM swapping scheme. Authentication apps are available for free from Microsoft, Google and other software providers.
  • Have a plan if your IMEI or IMSI information is used fraudulently. It’s unknown if or how the IMEI or IMSI information stolen in the T-Mobile data breach will be used. However, it is important you have a plan if it is. There is no reason to panic about your phone being disabled. However, in the unlikely event it is, plan how you will contact T-Mobile. You can do this through their website t-mobile.com, an in-person visit to a T-Mobile store or using a landline telephone.  
  • FOR BUSINESSES: You can’t lose control over the information you don’t have. Don’t collect more information than you need. Don’t keep the sensitive information longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Finally, make sure you offer MFA or 2FA for your customers’ and prospects’ protection when logging into their accounts.

What Are the Next Steps to Take?

  • Closely monitor your financial accounts (credit cards, banking, utilities, etc.) for any signs of fraudulent activity.
  • Stay alert for a data breach notification, as well as any potential identity fraud due to the T-Mobile data breach. While it is easy to ignore a breach notification, there are usually important steps in the notices, like how to activate free identity protection services. In T-Mobile’s notification letter, the company offers two years of free identity protection services. They also recommend all eligible T-Mobile customers sign up for scam blocking protection through the company’s Scam Shield, and directs people to a customer support webpage with breach information and access to tools.
  • Be on the lookout for phishing emails exploiting the T-Mobile data breach to get you to click on a malicious link or share sensitive information.
  • Act if your driver’s license is impacted. If your driver’s license information has been compromised, contact the Department of Motor Vehicles (DMV) in your state to notify them your information may have been exposed. See if you can place an alert on your license number and check your driving record.

Contact the ITRC

While this T-Mobile data breach leaves uncertainty for many, the ITRC does not want anyone to panic. As long as you have a plan, you will be able to address any misuse of your information.

The ITRC remains available to help you. If you have questions about the T-Mobile data breach or believe you may be impacted by it, contact the ITRC toll-free by phone (888.400.5530) or live-chat on the company website (www.idtheftcenter.org). ITRC expert advisors will walk you through the steps you need to take and help you create a resolution plan.

  • T-Mobile recently suffered its third data breach since December of 2020. The T-Mobile data compromise has affected over 40 million people and led to information like Social Security numbers (SSNs) and driver’s license information being hacked.  
  • Cybersecurity researchers claim the T-Mobile data compromise may impact as many as 100 million current, past and prospective customers. 
  • To protect yourself from the T-Mobile data compromise, consider freezing your credit, changing your passwords and PIN numbers to long and unique passphrases, using multi-factor authentication and not ignoring breach notices.  
  • To learn about recent data breaches, like the T-Mobile data compromise, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified
  • For more information on the T-Mobile data compromise, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

Facts Are Stubborn, But Statistics Are Pliable 

Welcome to the Identity Theft Resource Center’s (ITRC)Weekly Breach Breakdownfor August 20, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we talk about the T-Mobile data compromise, which is one of the most significant data breaches so far this year. We also talk about what you should do in response, even if you are not impacted by it. 

Mark Twain once wrote that “Facts are stubborn things, but statistics are pliable.” Apply that same principle to data breaches and you get the natural pattern that emerges when personal information is suddenly stolen or exposed by a cybercriminal. The typical response goes something like this:  

  • “We don’t have any evidence there has been a breach, but we will investigate.” 
  • Followed by “We have investigated and found that a small number of customers information has been compromised, but we do not believe any sensitive or personal data is at risk.” 
  • That statement is often followed by an update that sounds like this: “We have now determined that more than X million of our valued customers are directly impacted by unauthorized access by cybercriminals of our systems, and the data involved does include Social Security numbers (SSNs) and other personal information.”  

T-Mobile Suffers its Second Data Breach Since February 2021 

We don’t “name and shame” companies at the ITRC. Cyberattacks and data breaches are an unfortunate consequence of our digital society. It’s only logical that the more you investigate, the more you know, meaning numbers change. We have laws, regulations and courts to handle the blame game. We do, though, use anecdotes to help educate consumers and businesses on how to protect themselves.  

What Happened? 

This week, T-Mobile finds itself in the unenviable position of providing a teaching moment thanks to its third data breach since December 2020 and its second data breach since February 2021. The nation’s third-largest mobile telecom provider did not know it had been breached until a cybercriminal posted customer information stolen from T-Mobile in an identity marketplace used by identity thieves. 

Cybersecurity researchers claim as many as 100 million current, past and prospective customers may be impacted by the T-Mobile data compromise. T-Mobile has confirmed the personal information of 47 million people has been compromised, including customers’ first and last names, dates of birth, SSNs and driver’s license/identity information in some instances. 

T-Mobile customers can visit the carrier’s website t-mobile.com to learn more about the company’s actions to help victims of the breach. 

What Should You Do to Protect Yourself After the T-Mobile Data Compromise? 

What should you do if you are a T-Mobile customer? Actually, it doesn’t matter if you are a T-Mobile customer or not. Here are some actions that everyone should take to help protect their personal information today and after a data breach:  

  1. Do not ignore data breach notices. There are a lot of them. However, there are usually important action steps in the notices, like how to activate free identity protection services. 
  1. Freeze your creditCredit monitoring is helpful, but it offers no protection. It tells you what happened, but it doesn’t stop anything from happening. To protect yourself, freeze your credit. It’s free, easy and doesn’t impact your credit. 
  1. Change your passwords and PIN numbers to make sure you do not use the same passwords or PINs on more than one account. Make sure the password is long, at least 12 characters, and is something you can remember. You can also use a password manager to generate and keep track of your credentials. Cybercriminals love it when we reuse passwords on more than one account. 
  1. Use multi-factor authentication (MFA or 2FA) on all your accounts that offer it. If possible, use an authentication app rather than have a code sent by text to your phone. Authentication apps are available for free from Microsoft, Google and other software providers. 
  1. If you are a business, make sure you don’t collect more personal information than you need. Don’t keep it longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Make sure you offer MFA for your customers’ and prospects’ protection, too. 

Contact the ITRC 

You can always call us at the ITRC if you have questions about what you should do if you receive a data breach notice or hear about a breach in the media, like the T-Mobile data compromise. Just visit www.idtheftcenter.org, where you’ll find helpful tips. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).  

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown

  • Criminals claiming to be with the Internal Revenue Service (IRS) are targeting people with emails as taxpayers continue to receive the third round of Economic Impact Payments (EIP) that began in March 2021.
  • Identity criminals send messages claiming you can receive an EIP Payment. They say the IRS is sending payments each week to qualified individuals as they continue to process tax returns.
  • However, messages like these are IRS scams seeking your personal and financial information to commit identity theft and fraud.
  • The IRS will never email, text, call or send a message on social media to anyone. If you receive a message claiming to be from the IRS, ignore it. You are also encouraged to forward it to the IRS at phishing@irs.gov and note that it seems to be a phishing scam seeking your personal information.
  • To learn more, or if you believe you have received IRS scams by email, contact the Identity Theft Resource Center (ITRC) toll-free by phone (888.400.5530) or live-chat at www.idtheftcenter.org to speak with an expert advisor.

The third round of Economic Impact Payments (EIP) from the Internal Revenue Service (IRS) began to go out in March 2021. However, the Identity Theft Resource Center (ITRC) continues to receive messages about IRS scams by email, like the one below.

According to an official IRS notice, the Service is still sending EIP Payments weekly as 2020 tax returns are processed. Criminals have been striking with scams since the first stimulus package was passed in 2020. While many EIP Payments have been received, you should beware of scams asking for payment to receive compensation and remember that the IRS will never call, message or email anyone.

Who are the Targets?

U.S. Taxpayers

What is the Scam?

In the latest IRS scams by email, identity criminals send emails to inboxes claiming that they are eligible to receive a payment after the last annual calculation of their “fiscal activity.” The email goes on to say that each week the IRS will continue to send the third EIP Payments to eligible individuals as they process tax returns. The phishing emails also include a button to “claim my payment.”

What They Want

Scammers want you to either respond or click on a malicious link so they can steal your personal and financial information to commit different forms of identity crimes, including financial identity theft.

How to Avoid Being Scammed

  • Ignore emails, texts or social media messages claiming to be from the IRS. Do not respond to the messages or click on any links or attachments because they could be malicious. Acting on the IRS scams by email, text or social media could lead to having your information stolen. The IRS will not email or message anyone. Do not share any personal information, including credit card and bank account numbers, except on the official www.IRS.gov website or the representative you contacted by calling the IRS.
  • Ignore calls claiming to be from the IRS. While IRS scams by email continue to circulate, identity criminals could call you, too. If you receive an unsolicited call claiming to be from the IRS, ignore it. The IRS will not call anyone unsolicited, either.
  • Send phishing emails to the IRS. The IRS asks anyone who receives a phony email to forward it to phishing@irs.gov and note that it seems to be a phishing scam seeking your information.
  • Report the identity crime. You can report any identity fraud to the Federal Trade Commission (FTC) by visiting www.IdentityTheft.gov.

If you have received IRS scams by email, text message, social media or by phone, you can also contact the ITRC toll-free by calling 888.400.5530 or using the live-chat function at www.idtheftcenter.org. ITRC expert advisors will help you create a resolution plan with the steps you need to take.

  • President Joseph R. Biden signed an executive order extending a pause on student loan payments to January 31, 2022. However, some borrowers are already reporting a rise in student loan forgiveness scams where people pose as loan providers that can help pay off student loans.
  • Identity thieves ask for information like Social Security numbers (SSNs), federal student aid I.D.s, bank account information and credit card information to commit different forms of identity theft and fraud.
  • Some loan forgiveness solicitations are not attempts to steal your information. However, they are designed to steer you into high-cost loan repayment programs with high interest rates or fees.
  • Be skeptical of anyone who calls or emails you offering to pay off your student loans. Call your loan provider to see if the message was legitimate, and do research on the loan provider the caller claims to represent.  
  • If you fall victim to an identity scam, call your bank or credit card provider to stop payments or close your accounts. Also, contact your loan servicer so they can monitor your account. Finally, check your credit report for any suspicious activity and strongly consider freezing your credit.
  • To learn more about student loan forgiveness scams, or to create a resolution plan, contact the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

Student loan forgiveness scams have been around for a long time. However, they have spiked during the COVID-19 pandemic. President Joseph R. Biden recently issued an executive order extending student loan relief until January 31, 2022. While the extension is welcome news to many borrowers, it also means student loan forgiveness scams will continue for the foreseeable future. CNBC reports an uptick in student loan forgiveness scams. The Identity Theft Resource Center (ITRC) has also received inquiries about the scams, like the one below:

While the voicemail might not be a scam, people who receive voicemails like these should use caution. The same advice applies to emails received about student loans resuming, especially if the sender claims to be from a loan provider that was not used to take out the loan. COVID-19 has given criminals and unethical loan processors more ways to take advantage of people who have been hurt financially over the last year and a half. It could be a scammer looking to exploit the pause in payments due to COVID-19, and any potential confusion it brings.

Who are the Targets?

Former and current college students who are paying off student loans

What is the Scam?

Identity thieves call or email people with student loans claiming to be a loan provider or the U.S. Department of Education. They offer to reduce and help pay off monthly payments. Scammers ask for all sorts of personally identifiable information (PII) over the phone so that they can commit different forms of identity crimes like account takeover.

However, not all of the unsolicited student loan calls and emails are identity scams. Some are reported to be attempts to steer borrowers into repayment programs with high fees and high interest rates.

What They Want

Criminals ask for PII like Social Security numbers (SSNs), federal student aid I.D.s, credit card information and bank account information to commit identity theft. Unethical loan processors attempt to enroll borrowers in high-cost loan repayment programs.

How to Avoid Being Scammed

  • To avoid student loan forgiveness scams, be skeptical of anyone who calls you to help you pay off your student loans. Google the name of the loan provider the caller claims to be working for and see if there are any complaints. Also, if you have any doubts, contact your loan provider directly about the inquiry.
  • Look for the name of the program that is being offered to you. CNBC says, in some scams, criminals have claimed they are part of “Biden loan forgiveness” or “CARES Act loan forgiveness,” two programs that do not exist.
  • If you receive an email about student loan forgiveness, check the sender’s email address to make sure the email is coming from an address that ends in .gov.
  • If you provide a scammer with bank account or credit card information, call your bank or credit card provider to stop the payments immediately, and close your accounts if needed. It’s also a good idea to contact your student loan servicer, especially if you provided information such as your federal student aid I.D., so they can monitor your account, and check your credit report for suspicious activity. The ITRC strongly recommends you also freeze your credit.
  • Finally, report the student loan forgiveness scams to the Federal Trade Commission (FTC) at www.IdentityTheft.gov.

To learn more about student loan forgiveness scams, or if you believe you were the victim of a scam, contact the ITRC toll-free by calling 888.400.5530. You can also visit the company website to live-chat with an expert advisor. Go to www.idtheftcenter.org to get started.  

  • data breach of telecommunications company Mint Mobile occurred after some phone numbers were ported and data was accessed. The Mint Mobile data breach is one of the latest data events to affect a telecommunications company, highlighting the risk of mobile breaches. 
  • Insurance company BackNine suffered a data compromise due to a misconfigured database, impacting 711,000 files with information including Social Security numbers (SSNs) and medical diagnoses. The data event stresses the importance of being careful when using cloud databases. 
  • CNA Financial Corporation fell victim to a ransomware attack, leading to a data breach that impacted 75,349 people. Attacks like this, which involved SSNs, on businesses continue to rise. 
  • For more information about July data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.    
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.   

Notable July Data Breaches 

Of the 163 data events the Identity Theft Resource Center (ITRC) tracked in July, three stand out: Mint Mobile, BackNine and CNA Financial Corporation. All three data events are notable for unique reasons. One highlights the risk of mobile breaches. Another is an example of the need to be careful with cloud databases. The third is a ransomware attack that involves Social Security numbers (SSNs).  

Try our Latest Breaches feature at notified.idtheftcenter.org

Mint Mobile 

A Mint Mobile data breach occurred after phone numbers were ported by cybercriminals and data was accessed. Sometime between June 8-10, a threat actor ported the phone numbers for a handful of Mint Mobile subscribers to another carrier without authorization. According to Bleeping Computer, Mint Mobile disclosed that an unauthorized person also potentially accessed subscribers’ personal information, including call histories, names, addresses, emails and passwords.  

Try our Custom Breach Search feature at notified.idtheftcenter.org

Bleeping Computer reports that Mint Mobile has not said how the threat actor gained access to subscribers’ information. However, based on the accessed data, hackers likely hacked user accounts or compromised a Mint Mobile application used to manage customers.  

The Mint Mobile data breach is the latest to shine a light on the risk of mobile data breaches and the need for better security for customer-facing support systems. In January, the ITRC highlighted a similar breach of U.S. Cellular where hackers gained access to protected systems by installing malware on a computer at a U.S. Cellular retail store.  

BackNine 

A data breach of BackNine, an insurance technology startup, led to 711,000 files being impacted. According to TechCrunch, a security lapse exposed insurance applications at BackNine after one of its cloud servers was left unprotected on the internet. The storage server was misconfigured, and anyone with internet access could view the files.  

Personal information exposed includes names, addresses, phone numbers, SSNs, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present. Other files included lab and test results, such as bloodwork and electrocardiograms. Some files also contained driver’s license numbers. The exposed documents date as far back as 2015 to as recent as July 2021.  

The BackNine data event is a prime example of why companies need to be careful when using cloud databases. If a cloud database is not configured correctly, anyone can access it and may commit an array of identity crimes. It is also important organizations do what they can to protect sensitive data to maintain people’s trust.  

CNA Financial Corporation 

Insurance company CNA Financial Corporation suffered a data breach linked to a ransomware attack. According to CNA’s breach notice, an investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021, to March 21, 2021, and copied a limited amount of information before deploying the ransomware.  

The breach notice states that the data event impacted 75,349 people, and information in the stolen files includes names, SSNs and, in some instances, information related to health benefits for certain people. CNA says, right now, there is no reason to believe the data was stolen or misused. However, they are offering free credit monitoring and fraud protection services through Experian. CNA is just one of many ransomware attacks on businesses being seen by the ITRC. 

What to Do if These Breaches Impact You 

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager and to keep an eye out for phishing attempts that claim to be from the breached organization.   

Mint Mobile warns users affected by the Mint Mobile data breach to protect other accounts that use their phone numbers for validation purposes and reset account passwords since threat actors could have used the ported numbers for additional attacks. 

CNA Financial Corporation asks impacted individuals to review their “Information About Identity Theft Protection” document, which includes information on placing a fraud alert or credit freeze on a credit file.  

notified 

For more information about July data breaches, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.      

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor at no cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started.   

  • In 2020, the Federal Trade Commission (FTC) received nearly 100,000 business or personal loan fraud reports, many of them related to Small Business Administration (SBA) loan identity fraud.
  • That’s more than double the number of loan fraud reports from a year earlier. The Identity Theft Resource Center (ITRC) has also seen a spike in SBA loan identity crime reports since the COVID-19 pandemic.
  • Identity thieves apply for SBA loans (primarily Economic Injury Disaster (EIDL) and Paycheck Protection Program (PPP) loans) using stolen Social Security numbers and business Employer Identification numbers (EINs).
  • Scammers are also targeting consumers through phishing schemes in an attempt to steal their Social Security Numbers and other personal information needed to commit SBA loan identity fraud.
  • If anyone believes they are the victim of an SBA loan identity crime or would like to learn how to protect themselves from becoming a victim, they can contact the ITRC to speak with an advisor toll-free at 888.400.5530 or via live-chat. Just go to www.idtheftcenter.org to get started.

Small Business Administration (SBA) loan identity fraud spiked in 2020 due to COVID-19, and it continues to be a growing issue in 2021. The Federal Trade Commission (FTC) says in 2019, they received 43,920 reports of fraud involving business or personal loans; the number more than doubled in 2020 as the FTC had 99,650 reports. The FTC acknowledges that not all of the reports are related to SBA loan identity fraud, but also notes many of them are.

The Identity Theft Resource Center (ITRC) has seen a spike in calls and live-chats around SBA loan-related identity theft. The contacts continue today as contact center advisors work to help victims. Here is a testimonial from one victim who turned to the ITRC regarding their SBA loan identity crime case:

“I want to thank you for all your suggestions. You are the third (organization) I have contacted and by far the most helpful. I received a form from the Small Business Administration, and after returning it with the police report and the Identity Theft Report, I was informed that my debt with them would be canceled. It is such a huge weight off me. I did everything you suggested, and our credit is frozen with all the CRA’s. Thank you again.”

There are different forms of SBA loan-related identity theft of which  businesses and consumers should be aware:

Economic Injury Disaster Loans (EIDLs)

Economic Injury Disaster (EIDL) loans, loans for businesses that suffer substantial economic injury located within a disaster area, have always been available through the SBA. However, they have been expanded as part of the CARES Act to provide relief to businesses experiencing financial loss due to COVID-19. Identity fraud from an EIDL loan occurs when a threat actor applies for an EIDL loan using either a consumer’s Social Security Number (SSN) or a business’s Employer Identification Number (EIN).

Paycheck Protection Program Loans (PPPs)

Paycheck Protection Program (PPP) loans were designed to help businesses maintain their payroll and keep their workforce during COVID-19, and they are available through a lender. Identity fraud from a PPP loan occurs when an identity thief applies for a PPP loan using a stolen SSN, a business EIN or other stolen personal information needed to obtain a loan.

What to do if You Are a Victim of SBA Loan Identity Fraud

If a consumer or a business is the victim of an SBA loan identity crime (whether it’s from either an EIDL or PPP loan), they should take the following steps:

  1. Go back to the source of the loan to notify them of the identity fraud. If the identity fraud is from an EIDL loan, the victim should contact the SBA. If the fraud involves a PPP loan, the affected party should contact the lender that issued the loan. See below for more information on what the SBA requires people to submit, where to submit it, and details on their process.
  2. File an Identity Theft Report with the FTC at www.IdentityTheft.gov. An Identity Theft Report is one of the required documents by the SBA to cancel the loan debt as quickly as possible. Other documents needed include photo identification issued by a federal or state agency and a completed and signed Declaration of Identity Theft. For more information on the steps required by the SBA, click here.
  3. Place a credit freeze to lock credit files until they are needed.A credit freeze is the most effective way to ensure new loans or accounts are not opened.
  4. A less effective option is to place a fraud alert on credit files to alert potential creditors to take extra precautions before extending credit.
  5. Verify with the Secretary of State’s Office or another government agency where the business is registered to ensure the company’s ownership and registration status have not been changed.

Contact the ITRC

Anyone who believes they are a victim of SBA loan identity fraud should contact the ITRC for more information. People can speak to an advisor by phone (888.400.5530) or by live-chat to develop a resolution plan. Anyone who wants to document their steps can use the ITRC’s ID Theft Help app’s case log feature. Consumers who want to learn more can also check out our latest education resources at www.idtheftcenter.org.

  • A Canon data breach resulted from a ransomware attack on the company by the Maze ransomware group. Canon is just one of many companies recently hit with a ransomware attack, a trend the Identity Theft Resource Center predicts to continue in 2021.  
  • The mobile video game Animal Jam suffered a data breach affecting 46 million users after threat actors stole a database. However, WildWorks, the game’s owner, has been very transparent throughout the entire process, setting an example of how businesses should approach data breaches. 
  • Insurance tech company Vertafore discovered files containing driver-related information for 28 million Texas residents were posted to an unsecured online storage service.  
  • For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM.  
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 27, 2021. 
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website.  

Notable Data Compromises for November 2020 

Of all the data breaches the Identity Theft Resource Center (ITRC) tracked in November, three stood out: Canon, WildWorks – Animal Jam, and Vertafore. All three data events are notable for different reasons. One highlights a trend and prediction made by the ITRC; another shows transparency by the company throughout the process; the third leaves 28 million individuals’ driver-related information exposed. 

Canon 

Camera manufacturer Canon recently suffered a data breach that was caused by a ransomware attack, but the company only acknowledged the attack was the result of ransomware in November. According to techradar.com and Bleeping Computer, the Canon IT department notified their staff in August that the company was suffering “widespread system issues affecting multiple applications, Teams, email and other systems.” On November 25, the company acknowledged the Canon data breach was due to a ransomware attack by the Maze ransomware group.  

It is unknown how many people are affected by the Canon data breach. However, files that contained information about current and former employees from 2005 to 2020, their beneficiaries, and dependents were exposed. Information in those files included Social Security numbers, driver’s license numbers or government-issued identification numbers, financial account numbers provided to Canon for direct deposit, electronic signatures and birth dates. 

Canon is just one of many companies that have been hit with a ransomware attack. As the ITRC mentioned in its 2021 predictions, cybercriminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor consumer behaviors than traditional data breaches that rely on stealing personal information. As a result of the ransomware rise, data breaches are on pace to be down by 30 percent in 2020 and the number of individuals impacted down more than 60 percent year-over-year.  

WildWorks – Animal Jam 

Animal Jam, an educational game launched by WildWorks in 2010, suffered a data breach after threat actors stole a database. According to the WildWorks CEO, cybercriminals gained access to 46 million player records after compromising a company server. The information exposed in the Animal Jam data breach includes seven million email addresses, 32 million usernames, encrypted passwords, approximately 15 million birth dates, billing addresses and more. 

WildWorks has been very transparent throughout the entire process. The company provided a detailed breakdown of the information taken in the Animal Jam data breach, how the data event happened, where the information was circulated, whether people’s accounts are safe and the next steps to take. The ITRC believes WildWorks has set an example of how other businesses should share information with impacted consumers after a data breach.  

Anyone affected by the Animal Jam data breach should change their email and password for their account (consumers should switch to a 12-character passphrase because it is easier to remember and harder to guess). Users should also change the email and password of other accounts that share the same email and password. If any users think their account was used illegally, they are encouraged to contact the Animal Jam security team by emailing support@animaljam.com  

Vertafore 

Vertafore, a Denver based insurance tech company, recently discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers. Vertafore says the files have since been secured, but they believe the files were accessed without authorization. To learn more about this data breach, read the ITRC’s latest blog, and listen to our podcast on the event. 

Unfortunately, companies continue to leave databases unsecured, which is tied with ransomware as the most common cause of data compromises, according to IBM. Consumers impacted by the Vertafore data event need to follow the advice given by Vertafore and the Texas Department of Public Safety

notifiedTM  

For more information about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notifiedTM, free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC 

If you believe you are the victim of an identity crime or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor at no-cost by phone (888.400.5530) or live-chat. Just go to www.idtheftcer.org to get started. Also, victims of a data breach can download the free ID Theft Help app to access resources, a case log and much more.