Posts

  • According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly-reported. We report 1) data compromises, which includes data breaches, data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think scraping information from social media sites that are sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compares to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 

  • With data breaches on the rise last 30 days to 45 days, it has been one of the most intense periods seen in a while because of the pace, scope and impact of the crimes.
  • GEICO suffered a data breach impacting 132,000 people and could lead to unemployment fraud; the Pennsylvania Department of Health and ParkMobile both had data incidents due to third-party providers; and Peloton had a problem with third-party software, allowing other users to see people’s personal information.
  • Researchers guessed up to 80 percent of iPhone and iPad users would take advantage of Apple’s new anti-tracking privacy feature. However, based on early downloads of the iOS update, 96 percent of users are using the new feature to opt-out of app-tracking.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Too Fast, Too Furious

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 14, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we’re highlighting data breaches on the rise the past 30 days in one of the most intense periods of cyberattacks and data breaches we’ve seen in a while.

With all due respect to Vin Diesel and the rest of the cast of the Fast and Furious movie franchise, we’re calling this week’s episode “Too Fast, Too Furious” because of the pace, scope and impact of identity compromising events over the past 45 days – some of which are still ongoing. We also have a quick update on the impact of the recent privacy tools added to iPhones and iPads.

ITRC’s Notable Breaches for April

In the ITRC’s most recent monthly report of data breaches, we highlighted three major events:

  • GEICO’s breach of driver’s license data that impacted 132,000 customers;
  • The contact tracing service hired by the Pennsylvania Department of Health failing to secure the COVID-related personal health information of Keystone state residents; and,
  • Twenty-one (21) million users of the ParkMobile app having their information exposed thanks to a vulnerability in third-party software.

Each of these is unique in some ways but also reflective of broader trends.

GEICO

In the case of GEICO, when announcing the data breach at the nation’s second-largest auto insurance company, officials said the stolen data was being used as part of unemployment insurance fraud schemes. Pandemic-related benefits fraud is estimated to be closing in on $100 billion. The ITRC is on pace to surpass the total number of unemployment identity fraud victims we helped in 2020 by the end of May 2021.

Pennsylvania Dept. of Health & ParkMobile

The events involving the Pennsylvania Department of Health and the ParkMobile parking app are two variations of the same issue: problems with third-party suppliers. In the case of the Pennsylvania Department of Health, the vendor supplying COVID-19 contact tracing services didn’t secure the personal information of 72,000 people. With ParkMoble, a third-party software issue exposed user’s personal information. Issues with supply chains are an escalating trend when it comes to data compromises, especially cyberattacks where threat actors can steal the data of multiple companies in a single attack.

Peloton

More recently, an issue with third-party software also allowed users of the popular Peloton exercise bikes to see the personal information of other users. The flaw was found by an independent cybersecurity researcher who reported the issue to Peloton, which did not initially respond to his information. Ultimately, Peloton fixed the issue early this month, but not before opening three million subscribers to having their information exposed. Peloton has since acknowledged they have fixed the problem, and there is no evidence of anyone stealing the user information.

Update on the New Apple Privacy Feature

Finally, an update on how many people are taking up Apple’s offer to block mobile app owners from collecting and selling user data without first getting consent. Researchers guessed before the launch of the new anti-tracking privacy feature that as many as 80 percent of iPhone and iPad users would take advantage of the blocking technology.

The actual numbers based on early downloads of the iOS update is 96 percent of users are saying no to app-tracking. That’s a giant obscene gesture to companies that rely on third-party data for marketing and advertising and the platforms that collect and sell user information. Now here is the next question: Who will follow Apple’s lead in addressing the privacy and cybersecurity concerns of consumers?

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, data breaches on the rise or on the new Apple privacy update, they can visit www.idtheftcenter.org. They will find helpful tips on these and many other topics. People can also sign-up to receive our regular email updates on identity scams and compromises.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to listen next week to our sister podcast – The Fraudian Slip – when we’ll talk to the Chief Privacy Officer of Synchrony, a leading financial services company. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

While the number of data compromises is only up slightly (12 percent increase in Q1 2021), individuals impacted is on a steep rise due to more supply chain attacks in 2021 

SAN DIEGO, April 7, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, released its U.S. data breach findings for the first quarter of 2021. 

According to the ITRC’s analysis, publicly-reported U.S. data compromises in Q1 2021 are up 12 percent (363) from Q4 2020. The number of individuals impacted is up 564 percent (51 million in Q1 2021 versus eight million in Q4 2020). A primary reason for the gap in compromises and impacts is a 42 percent rise in the number of supply chain attacks compared to Q4 2020, a trend discussed in the ITRC’s 2020 Data Breach Report.  

One hundred and thirty-seven (137) organizations reported being impacted by supply chain attacks in Q1 2021 at 27 different third-party vendors, including IT provider Accellion. The publicly-reported supply chain attacks affected seven million people. Nineteen supply chain attack-related compromises were reported in Q4 2020. Other conclusions from the Q1 2021 report include

  • Phishing and ransomware attacks continue to be the primary root causes of data compromises.  
  • The increase in data compromises and impacted individuals was also influenced by 59 data events reported in early Q1 2021 that occurred in late December 2020.  
  • The 2020 supply chain and ransomware attack against IT provider Blackbaud continues to result in new data breach notices; 62 new notices in Q1 2021 that impacted approximately 146,000 additional individuals. More than 12.8 million people at 555 organizations have now been affected by the attack first reported in mid-2020. 
  • The report reinforces the trends highlighted by the ITRC, the FBI, and various security vendors that point to a rise in cybercrimes focused on stealing company resources using personal information.  

Download the ITRC’s 2021 Q1 Data Breach Analysis and Key Takeaways  

“While the number of data compromises is only up slightly, the rise in supply chain attacks is troubling,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Supply chain, phishing, and ransomware attacks reflect a broader trend that cybercriminals want to exploit multiple organizations through a single point-of-attack. The most important action people can take to help protect themselves is to exercise good cyber-hygiene habits.”  

The FBI’s most recent Internet Crime Complaint Center (IC3) Report shows phishing as the number one complaint for individuals and businesses in 2020. According to the report, $1.8 billion in business losses was directly attributed to Business Email Compromise, a form of phishing.  

For more information about recent data breaches, or any of the data breaches discussed in the Q1 2021 Date Breach Report, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.  

For consumers who have been victims of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case.  

Anyone can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting www.idtheftcenter.org to live-chat.  

About the Identity Theft Resource Center   

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.    

Media Contact  

Identity Theft Resource Center  
Alex Achten  
Earned & Owned Media Specialist  
888.400.5530 Ext. 3611  
media@idtheftcenter.org   


  • According to a report from Javelin Strategies, traditional identity theft is declining. However, what one might think of as identity theft is being replaced by identity fraud.
  • trend identified by the Identity Theft Resource Center (ITRC) in 2020. Cybercriminals continue to move away from mass data breaches of consumer information to more targeted attacks like phishing, ransomware and supply chain attacks.
  • There is no reason for consumers to panic. One record exposed is one too many, but one can’t determine the risk represented by a data breach based on the size of the breach. Knowing what records are exposed is far more important than how many records are compromised.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. 
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Path is Smooth That Leadeth on to Danger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for April 2, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about the FBI’s most recent cybercrime report that shows an exponential increase in cybercrime and the losses associate with it. This week we look at how people can assess what that really means for them or their business.

In his poem, Adonis and Venus, Shakespeare wrote, “The path is smooth that leadeth on to danger.” That is the title of this week’s episode, reflecting how our desire for convenience often leads to risky behaviors.

Traditional Identity Theft is on the Decline

Let’s start with a good and bad news trend. A report from Javelin Strategies is the latest to show that “traditional identity theft” is declining. That’s good news. However, here is the “but” people may be expecting: what we think of as identity theft is being replaced by identity fraud.

Identity Fraud Cases Are on the Rise

What does that mean? It’s part of the general trend we’ve discussed where cybercriminals move away from mass data breaches of consumer information to more targeted attacks. Phishing, ransomware and supply chain attacks are good examples of the kinds of exploits that allow criminals to hit a company. The criminals reap hundreds of thousands of dollars from a single organization instead of the old-school way of attacking thousands of consumers.

However, less risk to individuals is not the same as low or no risk. In fact, the whole concept of identity fraud is based on using consumer behaviors to lure people into a scam. Maybe it’s a text that says someone’s Amazon account has been frozen, and the user needs to click on a link to verify their password to unlock it – and they do. They have just given them their login and password, which regulars of the podcast know are 10x more valuable to a data thief than a consumer’s credit card information.

Maybe someone gets an email from Google or Microsoft claiming their payment card is about to expire. All the user needs to click on is a link to log in and update their information. However, the email and login webpage are deep fakes, and the user just shared their login, password and credit card information with criminals.

All of these phishing techniques are predicated on our behaviors as humans, the need to instantly address any issue that appears by text or email in the most convenient way possible.

While different research reports come up with different identity fraud case totals, they all agree it is on the rise, and the dollar value starts with a B, as in billions. Right now, one might be thinking, “Well, that’s just great. Do I panic now or panic later?”

No Reason for Consumers to Panic

First, there is no reason to panic at all. People may have seen a media headline that talked about more records being exposed in data breaches in 2020 than in the past 15 years combined. While that is attention-grabbing, it’s not particularly meaningful.

One record exposed is one too many, but the reality is one can’t determine the risk represented by a data breach based on the size of the breach. Someone’s date of birth and Social Security number are two records. They may have been exposed thousands of times over the past 15 years, but they are still only two data points, and they don’t change.  However, the risk associated with each data point is very different.

Knowing what records are exposed is far more important than how many records are compromised. Knowing how to protect your own information is the most important information, and that’s where the ITRC can help.

Contact the ITRC

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.  

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.  

  • While there were only a handful of supply chain attacks in 2020, there have already been three high-profile attacks in 2021 with the Accellion data breach, the SITA data breach and the Microsoft Exchange server attack.  
  • The Identity Theft Resource Center (ITRC) began to see a rise in supply chain cyberattacks in the second half of 2020 with the Blackbaud data breach and the SolarWinds cyberattack.  
  • For more information on these incidents and the recent rise in supply chain attacks, listen to the ITRC’s Weekly Breach Breakdown podcast. 
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified.   
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org

Don’t Shoot the Messenger

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 12, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. We’ve focused for the past two episodes on data privacy and how state laws are giving consumers more rights and businesses more obligations to keep personal information safe and secure. This week, we talk about the challenges of doing just that – protecting data – while supply chain attacks are on the rise 

In Shakespeare’s Antony and Cleopatra, a messenger is sent to inform the Egyptian Queen that her lover has married another, prompting a threat to treat his eyes as the Ptolemaic version of tennis balls. In response, the messenger reminds Cleopatra that “I that do bring the news made not the match.” Today, we would say the title to this week’s episode is – “Don’t shoot the messenger.” 

Yet, this is where many businesses find themselves now as they send out data breach notices to customers – even though they did not cause the problem. A vendor did. 

A Look Back at the Blackbaud Data Breach 

People might recall that one of the highest-profile cyberattacks in 2020 involved a company known as Blackbaud. The company, an IT provider to nonprofits, healthcare and education institutions, was breached and the data of more than 500 companies and 12 million individuals were held for ransom. People might also recall that these kinds of attacks where a cybercriminal can get the information of many companies from a single vendor is known as a supply chain attack. 

The ITRC’s 2020 Data Breach Report Studies the Blackbaud Data Breach

Supply Chain Attacks on the Rise  

There were only a handful of supply chain attacks in all of 2020. However, so far in 2021, there have been three high-profile attacks – two in the last two weeks. One of the events involves one of the biggest names in technology: Microsoft. 

This cluster of attacks reinforces a trend the ITRC saw take hold toward the second half of 2020 with the Blackbaud breach. It was followed by the block-buster cyberattack against the IT services company SolarWinds, which impacted cabinet-level agencies in the U.S. government and an undetermined number of private sector companies (believed to be in the thousands). 

Accellion Data Breach 

While the SolarWinds attack appears to be the work of cybercriminals seeking intelligence information for the Russian government (not consumer data to sell), the ransomware group that attacked software provider Accellion wanted information that it could hold hostage or sell outright. It did not want information from Accellion, but from the customers whose information could be stolen from Accellion’s tech platform. 

The criminals went to the time and expense of reverse-engineering the 20-year-old Accellion platform and found new flaws, as well as old ones. They unpatched ones that allowed criminals to extract information from high-profile clients – including law firms, telecommunications companies, universities, grocery store chains and government agencies in the U.S. and other countries. 

SITA Data Breach 

We don’t know how a supply chain cyberattack against tech provider SITA was executed. However, we know that the company processes the frequent flier information of 90 percent of the world’s airlines. The company describes the cyberattack as “highly sophisticated,” and member airlines have started informing their frequent fliers of the breach.  

Microsoft Exchange Server Attack 

The third supply chain cyberattack in this most recent string is also the most dangerous. A cybercriminal group based in China was able to exploit flaws in Microsoft Exchange servers. The kinds that run the ubiquitous Outlook email software inside organizations. The threat actors inserted backdoors into company email systems that could be used to take control of the email system from outside the network where the server resides. 

More than 100,000 organizations worldwide could be impacted by the cyberattack, including at least 30,000 in the U.S. Government officials and Microsoft leaders have all encouraged organizations operating Exchange servers to patch their servers immediately. They have also made a series of tools available to help users determine if the attack has impacted them. 

Fortunately, these issues do not involve the cloud-based Microsoft 365 services used by individuals and small businesses that include Outlook email. 

Contact the ITRC 

If anyone has questions about keeping their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics. That includes small businesses, too. 

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started. 

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown. 


In 2020, the number of individuals impacted by a data breach was down 66 percent from 2019; cybercriminals continue to shift away from mass attacks seeking consumer information and towards attacks aimed at businesses using stolen logins and passwords  

SAN DIEGO, January 28, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized non-profit organization established to support victims of identity crime, released its 15th annual Data Breach Report. According to the report, the number of U.S. data breaches tracked in 2020 (1,108) decreased 19 percent from the total number of breaches reported in 2019 (1,473). In 2020, 300,562,519 individuals were impacted by a data breach, a 66 percent decrease from 2019.  

The 2020 Data Breach Report shows the continuation of a trend from 2019: cybercriminals are less interested in stealing large amounts of consumers’ personal information. Instead, threat actors are more interested in taking advantage of bad consumer behaviors to attack businesses using stolen credentials like logins and passwords. Due to the shift in tactics, ransomware and phishing attacks directed at organizations are now the preferred data theft method by cyberthieves.  

Ransomware and phishing attacks require less effort, are largely automated, and generate much higher payouts than taking over individuals’ accounts. One ransomware attack can generate as much revenue in minutes as hundreds of individual identity theft attempts over months or years. According to Coveware, the average ransomware payout has grown from less than $10,000 per event in Q3 2018 to more than $233,000 per event in Q4 2020. 

Download the ITRC’s 2020 Data Breach Report 

“While it is encouraging to see the number of data breaches, as well as the number of people impacted by them decline, people should understand that this problem is not going away,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers. It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors. Although resources continue to decline for victims of identity crimes, the ITRC will continue to help impacted individuals by providing guidance on the best ways to navigate the dangers of all types of identity crimes.” 

One notable case study highlighted in the ITRC’s 2020 Data Breach Report is the ransomware attack on Blackbaud, a technology services company used by non-profit, health and education organizations. A professional ransomware group stole information belonging to more than 475 Blackbaud customers before informing the company the information was being held hostage. The stolen information included personal information relating to more than 11 million people that was later reported to have been destroyed by the cybercriminals after Blackbaud paid a ransom.  

Another notable finding was that supply chain attacks are becoming increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor. Often, the organization is smaller, with fewer security measures than the companies they serve.  

To learn more about the latest data breaches, visit the ITRC’s interactive data breach tracking tool, notified. It is updated daily and free to consumers.  

For anyone that has been a victim of a data breach, the ITRC recommends downloading its free ID Theft Help app to manage the various aspects of an individual’s data breach case. 

Consumers and victims can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

Media Contact 

Identity Theft Resource Center 
Alex Achten 
Earned & Owned Media Specialist 
888.400.5530 Ext. 3611 
media@idtheftcenter.org  

  • Approximately 56 percent of California voters passed The California Privacy Rights Act (CPRA). The law will be the toughest privacy law in the U.S. once it goes into effect in 2023.
  • California residents will have more control over what happens to their personal information when businesses collect it. Consumers from the state can also have information corrected they think is inaccurate.
  • California businesses will be required to update agreements with contractors and sub-contractors that binds them to meet the provisions of the CPRA.
  • For more information on the privacy law, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website.

California voters went to the polls to decide the fate of the strongest privacy law in the United States. After counting the ballots, Proposition 24 – The California Privacy Rights Act (CPRA) – passed and will go into effect in 2023.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at CPRA and what it means for businesses and consumers.

How The California Privacy Rights Act Passed

Approximately 56 percent of California voters approved the privacy law. However, Big Tech and Big Privacy joined forces to oppose the proposal. The initiative was proposed to strengthen the existing state privacy law, The California Consumer Privacy Act (CCPA), in many different ways.

What Consumers Need to Know About The California Privacy Rights Act

There are a few different things for California residents to know about the CPRA:

  1. Since voters approved the CPRA and not the state legislature, it will be more difficult to amend the law in the future. The legislature must submit any proposed changes to the popularly approved law to the voters in a future election. That makes it very difficult to weaken the privacy provisions in the CPRA.
  2. The CPRA gives California residents even more control over what happens to their personal information when a business collects it. The CCPA gives residents the right to access the information companies collect about them and request it be deleted in certain circumstances. It also prohibits the sale of their information for marketing purposes. The CPRA will give consumers rights linked to sharing information – not just selling data to third parties – clarifying one of the most confusing parts of the current privacy law, the CCPA.
  3. The CPRA adds a right to correct any information that a consumer thinks is inaccurate. Californians will now have the right to opt-out of automated decision processes that use their personal information. Also, they will have the right to see how automated decision processes work.
  4. The CPRA creates a new category of personal information that California residents can access and control in certain circumstances, like sharing information with third parties. The new category is known as “sensitive personal information” and includes precise geolocation data, race, religion, sexual orientation, Social Security numbers and certain health information.
  5. Finally, the new privacy law gives consumers the right of data portability, which means someone can tell a company to share their information with another company. It is like when someone changes their mobile phone or insurance companies.

What Businesses Need to Know About The California Privacy Rights Act

Businesses will also have a host of new duties that apply to them:

  1. Companies will have to create data silos, meaning they will have to keep personal information used in marketing separate from other consumer information. Companies, especially smaller ones, are already struggling to meet the existing consumer rights of access, review, deletion and opt-out. The new provision could compound the compliance issues.
  2. The most significant change for businesses will be the requirement that companies update agreements with contractors and sub-contractors that bind them to meet the provisions of the CPRA. In past podcast episodes, the ITRC has talked about data breaches resulting from “supply chain attacks.” That is where a company has good cybersecurity. Still, a third-party vendor ends up breached, and the company’s customer data is exposed. The requirement to update agreements with contractors and sub-contractors is designed to address supply chain attacks and clarify that everyone in the supply chain is responsible for protecting consumer information.
  3. Businesses do get some benefits in the CPRA. Employee and B2B data are exempt from the law until at least 2023, and businesses may be charged fees if consumers opt-out of data collection and sharing. That provision is the reason privacy advocates joined Big Tech companies to oppose the CPRA.

Toughest Privacy Law in the United States

The CPRA will be the toughest privacy law in the U.S. when it goes into full effect in 2023. In the meantime, state officials will propose the regulations needed to implement the new law. In the case of the CPRA, there will also be a new state agency created to enforce the new privacy law. For now, the California Attorney General will continue to enforce the existing law, CCPA.

Privacy Law Passed in Massachusetts

There was another state privacy law recently approved by a vote in Massachusetts. Car owners now have the right to see the information their car is wirelessly sharing with automakers. Approximately 75 percent of voters approved the proposal; carmakers have until 2022 to comply.

notifiedTM 

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.  

Contact the ITRC

If you have a question about The California Privacy Rights Act, data privacy, or if you receive a breach notice and you’d like to know how to protect yourself, contact the ITRC. You can speak with an expert advisor toll-free at 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • Data breaches are down 30 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a single event. 
  • Data breaches are down 10 percent in Q3 of 2020 compared to Q3 of 2019 when you look at the Blackbaud ransomware attack as a series of data breaches.  
  • Regardless of how the Blackbaud ransomware attack is viewed, the number of individuals impacted by a data breach is down nearly two-thirds.  
  • Anyone who believes they are a victim of a data breach is encouraged to contact the Identity Theft Resource Center to learn more about the next step to take. Victims can call toll-free at 888.400.5530 or live-chat with an expert-advisor on the company website. 

2020 has seen many different data breach trends. In the first half of 2020, the Identity Theft Resource Center (ITRC) reported a 33 percent decrease in data breaches and a 66 percent decrease in individuals impacted. The ITRC has compiled the Q3 2020 data breach statistics, and the number of compromises has dropped. However, there is one data breach that skews all the data. 

Two Ways to Look at the Numbers 

With the ongoing global pandemic and one particularly nasty ransomware attack against IT service provider, Blackbaud, reported in the third quarter, the Q3 numbers can be interpreted in two ways. 

Data Breaches Down 30 Percent Treating Blackbaud as a Single Event 

If we treat the Blackbaud attack as a single event, the number of data compromises reported so far in 2020 remains well below the 2019 trend line, with nearly a 30 percent decrease year-over-year. Looking at the rest of 2020, absent a significant data breach, 2020 could end with just over 1,000 data breaches. That would be the lowest number of breaches in five years, dating back to 2015. 

Data Breaches Down 10 Percent Treating Blackbaud as a Series of Breaches 

If the Blackbaud ransomware attack is treated as a series of data breaches, the year-over-year trend line changes significantly. However, the number of data breaches is still down in comparison to 2019. There have been 247 data breaches reported as a result of the Blackbaud ransomware attack. Once you add those to the overall number of data compromises, we go into Q4 with a 10 percent decrease in data breaches compared to this time last year.  

Individuals Impacted by Data Breaches Down Two-Thirds 

No matter how Blackbaud is categorized, one data point remains the same: the number of individuals who have been impacted in 2020 by an information breach. So far in 2020, roughly 292 million people have had their personal information compromised, nearly two-thirds fewer people than in 2019. The ITRC will have more information to share on our Q3 Data Breach Trends Report, which will be released later in October. We will also discuss the details on our sister podcast, The Fraudian Slip, in two weeks. 

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the ITRC looks at some of the top data compromises from the previous week, and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we are looking at the Q3 data breach trends and the latest numbers.  

notifiedTM 

For more information about recent data breaches, or any of the data breaches discussed in Q3, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you receive a breach notice due to the Blackbaud ransomware attack or any other data compromise and want to know what steps to take to protect yourself, contact one of the ITRC expert advisors by phone toll-free 888.400.5530, or by live-chat on the company website. Victims of a data breach can also download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 


Read more of our latest news below

Shopify Data Exposure Affects Hundreds of Online Businesses

Dunkin Donuts Data Breach Settlement Highlights Busy Week of Data Compromise Updates

50,000+ Fake Login Pages for Top Brands from Credential Theft