Posts

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Each year, about half of U.S. taxpayers rely on a tax preparer and a tax preparation service to help them file their required tax returns. These professionals offer a wide array of options, from a very simple franchise that plugs in the numbers on the consumer’s behalf to certified public accountants that know the ins and outs of the entire U.S. tax code. From accounting firms to walk-in services like H&R Block, TurboTax/Intuit, Credit Karma or Jackson Hewitt, these tax preparation services often have one major similarity: they are a hot target for hackers and identity thieves.

Trusting an outsider with highly-sensitive personal data is not something that people should take lightly. Having a professional take responsibility for the paperwork, helping to navigate the annual changes to tax laws and even assisting in the event of an IRS audit are all reason enough to pay someone to take care of the filing. However, the sheer volume of personally identifiable information (PII) that a tax preparer must collect and store means there are literal treasure troves of identities waiting to be compromised by a malicious actor.

There are plenty of ways that stolen PII from a tax preparation service can benefit a hacker. First, accessing a stolen return not only means the hacker can file the return for themselves and steal any refunds the consumer was expecting, it also means having the ability to file a fraudulent return every year. Hackers can cause even more harm with information gleaned from a tax preparer’s computer; credential stuffing is another major concern, as the complete information they might steal can be used to access the victim’s other accounts.

There are some important steps that consumers can take to protect themselves when using a tax preparation service. First, people should only choose a professional tax preparer who has a valid IRS Preparer Tax Identification Number (PTIN), but also understand that there are many different services, ability-levels and offerings that a professional can provide. It is also important for a consumer to find out what the preparer’s credentials are—such as having an accounting degree or being a member of a professional organization—before signing on to work with them. Consumers should not hesitate to ask what information the preparer will be able to access, how that information will be stored and for how long, who will be able to access that information and other related questions. There have been many situations where tax preparation services and professionals have been the target of malicious actors and understanding how they are going to safeguard information is just as important as their capabilities.

More guidelines from the IRS are available, but consumers are also cautioned to begin using a nine to ten character passphrase in place of the traditional eight-character password. A passphrase is longer and easier to remember, which makes it both harder for fraudsters to guess and more likely that consumers will deploy a different passphrase for each account.

If someone falls victim to identity theft from a data breach, they can live-chat with an Identity Theft Resource Center expert advisor through the organization’s website, as well as call toll-free at 888.400.5530 for an action plan that is customized to their needs. The free ID Theft Help App for iOS and Android also provides a number of resources for consumers to use in the event of a data breach or suspected identity theft.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund dispersal option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Tidying Up For Your Identity, Mobile Device and More…