
  • When the Identity Theft Resource Center (ITRC) was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Now, it is far and away cyberattacks.
  • Phishing is the number one attack vector that leads to data breaches, ransomware second and malware third.
  • However, there are ways to protect yourself from cyberattacks. Back up your information, update your software, use strong and unique passphrases, and collect and maintain less information.
  • To learn about recent data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
  • If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

The Crimes, They Are Changing

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 15, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. We also use a lot of literary references – especially Shakespeare. Today, though, we turn to a different classic for inspiration – Bob Dylan – in honor of Cybersecurity Awareness Month. October is the time each year when you focus on ways to protect yourself from cyberattacks and other identity crimes. That’s why we’re calling today’s episode: The crimes, they are changing.

The Rise in Digital Data Theft

When the ITRC was founded nearly 22 years ago, the root cause of most data breaches and data crimes involved paper. Digital data theft didn’t arrive until the mid-2000s. Even then, it was usually because someone’s laptop or external hard drive was stolen.

Not so today. Physical attacks and human errors were once the leading cause of data compromises. Today it is far and away cyberattacks. In fact, cyberattacks are so common that the number of data breaches and exposures associated with them so far this year exceeds all forms of data compromises in 2020.

Phishing is the leading attack vector that leads to data breaches. The login and password credentials stolen in these email, text and website-related attacks are often used by cybercriminals to access company networks and databases that are then held hostage in a ransomware assault – the second most common cause of data compromises.

Malware is the third leading cause of identity-related data breaches. It is often used to exploit software flaws or penetrate networks as part of a ransomware attack or just good old-fashioned data theft. Caught in the cross-hairs of all these cyberattacks are consumers – people whose data is held in trust by organizations that are the targets of cybercriminals.

The ITRC to Release Inaugural Business Aftermath Report

We often think of data breaches and ransomware only impacting big businesses whose names we recognize. However, later this month, the ITRC will issue a new report on the impact of identity crimes on small businesses and solopreneurs – the tens of millions of companies with zero or just a handful of employees. Without giving away too much right now, the research shows more than half of all small businesses have experienced one or more data breaches, security breaches or both.

Use Good Cyber-Hygiene Habits to Protect Yourself

What are some ways to protect yourself from cyberattacks both at work and at home? The actions must be the same. Regular listeners already know the basics of a good cyber defense. Make good back-ups of your information, update or patch your software as fast as possible, and practice good password hygiene. Do not use the same password at work and at home. Each account gets a unique, 12+ character password.

There are two additional ways to protect yourself from cyberattacks you should consider:

  1. Collect and maintain less information. If you are a business, get rid of the personal data you no longer need once you complete a transaction. The same is true for consumers. Don’t keep sensitive information you no longer need. Cyberthieves can’t steal what you don’t have.
  2. If you are a business leader, train your teams like you’re voting in Chicago – early and often. If you’re a consumer, you can use some routine training, too. Why is this important? Cybercriminals are constantly improving their attack methods and inventing new ones. We need to make sure we know what to do to stay safe from identity scams and cyber risks, and that takes training and education.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for our sister podcast, The Fraudian Slip, when we talk more about cyber education with Zarmeena Waseem of the National Cybersecurity Alliance and our very own ITRC CEO, Eva Velasquez. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • The trendline continues to point to a record-breaking year for data compromises.  Phishing is far and away the primary way criminals attack businesses & individuals. 
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.   

The ITRC Goes to Washington 

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 8th, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we’re going to look at the data breach trends for the third quarter of 2021 and we’re going to talk about a congressional hearing this week. That’s why we’re calling this episode – The ITRC Goes to Washington. Listen to the full episode on your preferred podcast platform.

On Wednesday, the U.S. Senate Committee on Commerce, Science, & Transportation met to hear from a panel of experts on how to enhance data privacy & security. The ITRC was invited to share the latest data breach trends and offer suggestions on how to reduce the cyberattacks that lead to data breaches that ultimately may lead to an identity crime. 

2021 Data Breach Trends & Q3 Analysis 

Committee Chair Maria Cantwell of Washington started the hearing by sharing the latest stats on data breaches, pulled directly from the ITRC’s Q3 Data Breach Analysis that had been issued just about two hours earlier. And here’s what the report concluded: 

• The number of data compromises publicly reported this year has already exceeded the total number of events in 2021 by 17 percent.

• The trendline continues to point to a record-breaking year for data compromises. We are only 238 data events away from the all-time high set in 2017. It’s highly likely we will see a new high-water mark between a combined 1700 to 1800 data breaches, data exposures, and data leaks compared to 15.  

• The number of victims increased in Q3 by ~160M individuals. That’s more than all victims in Q1 & Q2 combined. That’s a huge jump and it means a lot of people are at risk of an identity crime, but about 100M of those people are victims of a data exposure related to 20 organizations that did not secure their cloud databases.  Those are lower-risk events since the data had not been copied or removed from the database where it was stored. 

Phishing is far and away the primary way criminals attack businesses & individuals. Ransomware is so pervasive, though, that the total number of data breaches related to a ransomware attack against an organization so far this year exceeds the total number of ALL types of data compromises last year. 

• There is a disturbing trend developing where organizations and state agencies are not sharing specifics about data compromises or reporting them on a timely basis. One state has not posted a data breach notice in the past 12 months.  

• There is some good news in the latest data breach numbers: There have been no publicly reported data compromises in 2021 attributed to payment card skimming devices. If this trend continues, this will be the first year since chip & PIN payment cards were first introduced where there have been no reported data breaches caused by skimmers.

3 Actions To Address Identity Crimes

The Senate also asked the ITRC for recommendations on how to address the interrelated issues of cyberattacks, data breaches, and identity crimes. We offered three actions that we believe will be helpful: 

• Better cybersecurity standards and practices that are enforceable 

• Better enforcement of laws and regulations 

• And, a better victim notification system  

We also suggested there needs to be discussion around how to better support victims of identity crimes.

October is Cybersecurity Awareness Month 

It’s Cybersecurity Awareness Month and the ITRC encourages you to take this time to learn how to protect yourself, your family, and friends from cyber and identity criminals. You’ll find a wealth of information on our website – idtheftcenter.org. Later this month we’ll release our first report on what happens to small businesses and solopreneurs when they suffer a cyber or identity crime. And in November, the ITRC will unveil a new website with new tools and ways to communicate with our team of identity advisors.

On October 27, we’ll issue our very first Business Aftermath Report. As a companion to our longtime report on the impact of identity crimes on consumers, the Business Aftermath Report will look at what happens to small businesses and solopreneurs after a security breach, a data breach or both.  

Contact the ITRC 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.  

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown. 

  • A new report from Intel 471 reveals that cybercriminals are going after one-time passwords, known as OTPs.
  • The attackers deceive people into giving them a one-time password or other verification codes via a mobile device, which the criminals use to steal money from the now compromised account.
  • Also, do not share personal information with anyone you do not know until you verify they are who they claim to be.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.  

Nice Things

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 1, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we dig into a troubling development that we all kind of knew was coming but maybe didn’t want to admit it. Cybercriminals are finding ways to steal those one-time passwords you send to your phone by text.

This is why we can’t have nice things in our adult world. Every time someone comes up with a new way of protecting our personal information from the grubby little fingers of threat actors, the criminals find a new way to steal our data. That seems to be the case when it comes to two-factor authentication, also known as multifactor authentication, or MFA.

New Report Shows Cybercriminals are Targeting One-Time Passwords

This week, a cybersecurity research team at Intel 471 issued a report that noted, “Two-factor authentication is one of the easiest ways for people to protect any online account.” Now, criminals are trying to circumvent that protection. Cyber thieves are using various tactics to gain account information, including impersonating banks and legitimate services on phone calls.

Using social engineering methods, the attackers deceive people into giving them a one-time password or other verification code via a mobile device, which the crooks then use to steal money from the now compromised account.

The criminals buy easy-to-use applications that send a potential victim a text message requesting their phone number. Once a target’s phone number has been entered into a chat message, the malicious application takes over from there. The researchers at Intel 471 found that about 80 percent of people targeted by cybercriminals will end up providing their information to threat actors, allowing them to drain the money from their accounts.

Variations on these OTP attack schemes include:

  • Specialty software that targets accounts on social media networks such as Facebook, Instagram and Snapchat.
  • Financial services like PayPal and Venmo.

There is even an automated tool that allows an attacker to make a phone call that appears to be from a specific bank.

Once a call is answered, the criminals use a script to trick potential victims into sharing information such as ATM PINs, credit card verification codes or one-time passwords. Quoting the Intel 471 researchers again, while SMS and phone-based one-time password services are better than nothing, criminals have found ways to socially engineer their way around the safeguards. It was always a matter of time before the bad guys found a way around this layer of defense in these particular instances. The weak security link is the user who willingly gives information to someone they believe to be a legitimate representative at a company where they do business.

To Avoid an OTP Text Scam, the ITRC Advises You To

  • Always verify the legitimacy of any contact you do not initiate, whether it is a phone call, email, text message or a social media instant message.
  • Don’t share any personal information with anyone you do not personally know and trust until you verify the person contacting you is who they claim to be. Also, make sure they have a good reason for asking you for information they should already know.

Today is the first day of Cyber Security Awareness Month. The ITRC has a full list of activities planned, including participating in industry events and special guests on our sister podcast, The Fraudian Slip. We will also issue two very important reports this month. Next week, on October 6, we’ll publish our Q3 Data Breach Analysis that shows how many new data compromises were reported in the past three months and what the trends tell us.

On October 27, we’ll issue our very first Business Aftermath Report. As a companion to our longtime report on the impact of identity crimes on consumers, the Business Aftermath Report will look at what happens to small businesses and solopreneurs after a security breach, a data breach or both.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started. 

Thanks again to Experian for supporting the ITRC and this podcast. We will be back next week with another episode of the Weekly Breach Breakdown.

This year’s Cybersecurity Awareness Month initiative highlights the importance of cybersecurity by encouraging individuals & organizations to take measures to ensure they stay safe online  

SAN DIEGO, September 22, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, announced its commitment to Cybersecurity Awareness Month (CSAM), held annually in October. The ITRC joins the growing global effort to promote the awareness of staying safe online. CSAM 2021 is a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals committed to the CSAM theme of ‘Do Your Part. #BeCyberSmart.’ 

“The importance of good cybersecurity and its link to identity protection is reinforced every day,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “Cybersecurity is a critical issue that affects everyone, whether you are a business owner, company employee, or a consumer. Online safety, identity protection and data privacy is important for everyone. The ITRC continues to stay committed to our mission, to help consumers and businesses with best practices, and to help everyone #BeCyberSmart.” 

The ITRC will lead or participate in the following activities during CSAM 2021: 

  • Sept 29, 2021 – “How to Secure Your Online Life” Webinar 

On September 29, the ITRC will take part in a webinar with Verity-IT, National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security on how to secure your online life. The one-hour session will give an overview of the cyber basics. 

  • Oct 6, 2021 – Release of Q3 2021 Data Breach Trend Analysis 

On October 6, the ITRC will release its data breach information for the third quarter of 2021. In the ITRC’s H1 2021 Data Breach Trend Analysis, the ITRC reported a 38 percent increase in data breaches quarter-over-quarter and predicted an all-time high number of data breaches by year’s end if breaches continued at the first half of the year’s pace. Sign up for the Monthly Data Breach Newsletter to get alerts and this report directly to your inbox. 

  • Oct 27, 2021 – Release of Inaugural Business Aftermath Report 

On October 27, the ITRC will release its first-ever report on the impacts of identity crimes and cyberattacks on small businesses. Cyberattacks and the resulting security and data breaches can have a devastating effect on any business. However, small organizations and solopreneurs often lack the resources to prevent or defend against cybercrimes. The 2021 Business Aftermath Report is the first major independent, publicly-reported research into what happens specifically to small businesses following a data or security breach. Sign up to get this report directly to your inbox and more highlights from the ITRC. 

  • Oct 27, 2021 – Nasdaq Cybersecurity Summit 

On October 27 at 10 a.m. EST/7 a.m. PST, the National Cyber Security Alliance (NCSA) will host its annual Nasdaq Cybersecurity Summit virtually and at the Nasdaq MarketSite in Times Square, New York. The ITRC will participate as a partner in this event that looks at research and best practices for designing security products and processes that are usable by those who need them. 

  • The ITRC’s Weekly Breach Breakdown and Fraudian Slip Podcast Episodes  

Check out the ITRC’s latest podcasts, “The Fraudian Slip” (monthly), where we talk about all-things identity compromise, crime and fraud that impact people and businesses, as well as “The Weekly Breach Breakdown” (weekly), covering the most recent events and trends related to data security and privacy.  

More on CSAM 2021 

Technology plays a part in almost everything we do in life. Mobile and connected smart devices are woven into society as an integral part of how people communicate and access services essential to their well-being. Despite these great advances in technology and the conveniences this provides, recent events have shown us how quickly our lives and businesses can be disrupted when cybercriminals and adversaries use technology to do harm. Now in its 18th year, CSAM continues to build momentum and impact with the ultimate goal of providing everyone with the information they need to stay safe online.  

The ITRC is proud to support this far-reaching online safety awareness and education initiative co-led by CISA and the NCSA.

For more information about CSAM 2021, staying safe online and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.  

About the Identity Theft Resource Center 

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org and toll-free phone number 888.400.5530. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified. The ITRC offers help to specific populations, including the deaf/hard of hearing and blind/low vision communities.  

About Cybersecurity Awareness Month 

Cybersecurity Awareness Month is designed to engage and educate public and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/.  

About National Cyber Security Alliance  

The National Cyber Security Alliance is a nonprofit alliance on a mission to create a more secure connected world. We enable powerful, public-private partnerships in our mission to educate and inspire individuals to protect themselves, their families and their organizations for the collective good. For more information on the National Cyber Security Alliance, please visit https://staysafeonline.org

Media Contact     

Identity Theft Resource Center     
Alex Achten     
Head of Earned & Owned Media Relations      
888.400.5530 Ext. 3611     
media@idtheftcenter.org 

Everything’s Bigger in Texas

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 10, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. For the past two weeks, we’ve concentrated on what happens when you receive a notice that your personal information has been compromised. This week, we’re going to talk about a data breach involving personal information for children and the unique risks created when children’s personal information is exposed.

When you grow up in the southern U.S., you learn very quickly that the saying “Everything’s bigger in Texas” is absolutely true. The Lone Star state is twice the size of Germany. Texans eat 54,000 tons of catfish each year. That’s six times the weight of the Eiffel Tower. There are high school football stadiums in Texas that seat more than 19,000 people, enough to fit the entire population of three average-size U.S. cities.

Dallas I.S.D. Data Breach

This week, the Dallas, Texas Independent School District (Dallas I.S.D.) has earned a different distinction: the target of a significant data breach.

More than 145,000 students attend 230 schools across the district that employs 22,000 people. That doesn’t include independent contractors and vendors who also serve the Dallas schools.

School officials announced late Friday before Labor Day that an “unauthorized third-party” had accessed, downloaded and stored personal information on a cloud data storage site. The stolen data included information on current and former students and their parents as well as current and former employees and contractors dating back to 2010.

The compromised information includes full names, addresses, Social Security numbers (SSNs), phone numbers, dates of birth, and employment and salary information for current and former employees and contractors. The breached data also includes full names, SSNs, dates of birth, parent and guardian information, and grades for current and former students. According to the school district, some students’ custody status and medical conditions may have also been exposed.

What Happened

As is typical in the early days of data breaches, there are many unknowns and a lot of reluctance to share information about what happened. Dallas I.S.D. has hired forensic investigators to determine how the cybercriminals gained access to the student, parent and employee information. However, little is known about how cybercriminals got their hands on the employees’, contractors’ and students’ personal information.

School officials are not calling this a ransomware attack. However, they acknowledge that they have communicated with the data thieves who claim the information has not been sold or shared, but has been removed from the cloud database. Ransomware attacks against schools have dramatically increased as students return for the new school year and identity criminals look for children’s personal information. One cybersecurity firm reports seeing more than 1,700 attacks against schools around the world each week in July.

The Impacts of Children’s Personal Information Being Stolen

Dallas I.S.D. is offering credit monitoring and identity theft recovery services for one year. The ITRC always recommends data breach victims take advantage of those offers. However, the release of student information is especially troubling as criminals who take control of a young person’s identity can cause significant harm over time.

Imagine a high school student applying for college and being denied financial aid or admission because someone had used their SSN to report income or obtain credit. An identity thief can abuse the personal information for children for years before the parents or child learn of the crime.

Freeze Your Child’s Credit

It’s important for parents to not only freeze their own credit, but to freeze their children’s credit, too. That won’t prevent your child’s information from being exposed in a data breach. However, it will keep a cybercriminal from using the children’s personal information to ruin their credit and perhaps their education and work opportunities when they grow up.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Listen next week as we talk about credit freezes with the founder of Frozen Pii on our sister podcast, The Fraudian Slip. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • It’s standard, if not legally required, for businesses to issue a notice of data breach letter if they were breached. They usually include what information was accessed and offer some form of identity protection, like in the recent T-Mobile data breach notice.
  • The same standard applies to data breach settlement letters. There is often some free product or service offered, like in the recent Wawa data breach settlement.
  • Don’t ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections (credit monitoring, anti-spam services, best practices, etc.) and the occasional compensation (a settlement payment) for your trouble on the table.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.    

All’s Well that Ends Well

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 3, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about what it takes to file a successful lawsuit after a data breach. This week we look at what to do when your personal information has been exposed and you receive a notice of data breach letter, and later when you get a notice after a data breach lawsuit has been settled.

Shakespeare dispensed a lot of advice in his plays, none more helpful than in Act 1 Scene 1 of All’s Well that Ends Well: “Love all, trust a few, do wrong to none.” Do you know what else is filled with helpful advice? A well-written data breach notice.

Laws Around A Notice of Data Breach Letter

Every U.S. state, territory and the District of Columbia has a law that requires consumers to be notified when their personal information has been compromised. That’s pretty much where the commonality ends. The definition of personal information, the form of a notice, the distribution method, the length of time that can pass before a notice of data breach letter is issued, and the remedies available to impacted consumers are unique to each state.

However, it’s pretty much standard practice, if not legally required by your state, for businesses to disclose in broad terms what information was accessed and to offer some form of identity protection.  There are often other protection tips in the notice, including changing your passwords.

Consumers Ignore Notice of Data Breach Letters

Unfortunately, most people ignore both the notice and the advice. We’ve talked here about recent studies from the University of Michigan and Carnegie Mellon University that show nearly three-quarters of people who receive a notice of data breach letter don’t even know they received it. Only one-third of data breach victims change their passwords (and those who do used a weaker, similar password to the one that was compromised).

Protection Advice & Free Services Offered by Breached Companies is Improving

The recently breached T-Mobile raised the bar by offering not only credit monitoring, but also identity remediation services in the event a customer’s personal information is misused. T-Mobile is also offering free anti-spam services for all impacted customers and account takeover protections for pre-paid customers.

T-Mobile suggests you change your passwords, so you are not using the same password that has been compromised on any other account. Regular listeners to the ITRC podcasts will be familiar with this advice.

Data Breach Lawsuit Settlement Letters Also Offer Free Products

When a notice of data breach letter is issued, it is not the only time breach victims are offered free swag. When breach lawsuits are settled, there is often some free product or service provided. However, victims are usually required to take some action to get the award.

Wawa Data Breach Settlement

That’s the case with the recent settlement of a lawsuit against the east-coast-based convenience store chain Wawa, better known for its deli sandwiches than the 2019 data breach. Of the 22 million people who received settlement letters and are eligible for a settlement payment, those who made a purchase with a debit or credit card during the breach period but did not see evidence of identity fraud will get $5 gift cards. Those who can present proof of actual or attempted fraud will get a $15 gift card. Those who can show evidence they lost money can receive as much as $500 cash.

All claims must be submitted by November 29, 2021. So, the clock’s ticking if you want a free Wawa meatball grinder with extra cheese.

The Key Takeaway

In both of these scenarios, the key takeaway is the same: do not ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections and the occasional compensation for your trouble on the table.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.

  • Earlier this year, the U.S. Supreme Court issued a major decision that set a new standard. People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm.
  • This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment.
  • A data breach lawsuit is subject to the same rules for filing a claim. They are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue.
  • What can be done to address this? Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • If you believe you are the victim of identity theft, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.   

Measure for Measure

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 27, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. Today we dive into a subject we haven’t explored before, and for good reason – filing a data breach lawsuit. It’s a bit complex and a little dry. However, it is very important when it comes to the concept of justice for victims of data breaches. So, bear with us as we talk about the legal idea of standing and what recent court rulings mean when it comes to the ability of data breach victims to sue for damages in federal courts.

Shakespeare mentioned the legal profession more than any other, outside of royalty, devoting several of his plays to various concepts of justice. One of his dark comedies – Measure for Measure – is even named for the very concept of justice: punishment should fit the crime.

That’s a concept that cuts both ways – for and against defendants in criminal courts, and the same is true of plaintiffs in civil trials where money damages are the punishment.

“Standing” Needed to File a Civil Data Breach Lawsuit

To file a civil lawsuit in federal court, you must have what is called “standing.” You must have a valid reason to stand at the bar of justice. For years, U.S. courts have been split over what is a good reason when it comes to the standing of a person whose personal information has been exposed in a data breach. Some courts said the mere threat of harm was enough to justify a data breach lawsuit. Others ruled that no, proof of actual harm was required before a data breach lawsuit could be filed. After a data breach, your ability to sue for damages had more to do with where you lived than what happened to your data.

U.S. Supreme Court Sets A New Standard for Data Breach Lawsuits

Earlier this year, though, the U.S. Supreme Court issued a major decision that set a new standard: People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm. Inconvenience or the threat of harm no longer counts as an acceptable reason in some federal courts. Now, plaintiffs filing lawsuits based on those kinds of claims lack standing. No standing = no lawsuit.

Now, you may have noticed the subtle distinction that the Supreme Court decision was based on data errors, not data breaches. How very observant of you, and you are correct. However, it’s called the Supreme Court for a reason. Lower federal courts are bound to follow the decision of the Supremes and are now applying the new standard to similar but not identical cases.

Ohio Sixth Circuit Court of Appeals Ruling

This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment. The lower credit score was inconvenient but not harmful, according to the Court.

What It Means for Data Breach Lawsuits

What does this have to do with data breaches? A data breach lawsuit is subject to the same rules for filing a claim. That means data breach lawsuits are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue. That’s very difficult to prove in the best of times. When there have already been more than 1,100 data breaches reported this year, how do you prove which data breach caused the harm?

That doesn’t even begin to address the bigger issue: identity criminals don’t always use the data right away, or only once. The risk of harm down the road is high, and the ITRC’s 2021 Consumer Aftermath Report shows nearly three in ten identity crime victims are hit a second or third time, sometimes before the original impacts are resolved.

What Can Be Done?

Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.

However, the reality is that this is the exact situation that Shakespeare wrote about in Measure for Measure: “O just, but severe law.”

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org to get started.

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.

  • According to IBM’s new report on data breach costs, breached businesses in 2020 paid ten percent more than companies in 2019.
  • In the U.S., the country with the highest number of cyberattack-related data breaches, the average data breach costs a company a little more than $9 million.
  • However, there’s also good news in the report. If an organization has deployed modern security tools and automation, the average breach costs drop by about 80 percent.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

The Cost of Living

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 6, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we talk about ever-increasing data breach costs: the direct costs to businesses that are breached and the indirect expenses to consumers who are the ultimate victims of the breaches.

Mark Twain once wrote that “the cost of living hasn’t affected its popularity.” The same can be said of data breaches. Despite the billions of dollars spent on improving cybersecurity, the number of cyberattacks that lead to data breaches continues at a high pace.

Breached businesses also continue to see the cost of recovery rise. There is nothing in sight that leads experts to believe the costs associated with data breaches will level off or decrease anytime soon.

IBM Releases New Report on Data Breach Costs

The benchmark report of data breach costs is published by IBM Security based on research from the Ponemon Institute. The 2021 report, the 17th annual edition, is based on 537 breaches across 17 countries in 17 different industries – backed by nearly 3,500 interviews.

What’s the bottom line? There are several key findings:

  • Nearly 18 percent of 2020 breaches involved remote workers. Those companies paid $1 million more on average in total data breach costs than organizations where remote work was not a factor.
  • The biggest share of breach costs is attributed to lost business, including customer turnover, lost revenue and the increased costs of new customer acquisition thanks to reputation damage.
  • The average cost per record lost jumped to $161, up from $146 in the previous year. If the record involved Personally Identifiable Information (PII), the average cost was $180 per record.
  • The average number of days to find and fix data breaches grew by one week in 2020 to 287 days. Think of that this way: if a breach started on January 1, it would take until October 14 to stop it.
  • There is some good news in the IBM report. If an organization has deployed modern security tools and automation, the average breach costs drop by about 80 percent.

Average Data Breach Costs in the U.S. Over $9 Million

Remember the bottom line mentioned earlier? In the U.S., the country with the highest number of cyberattack-related data breaches, the average data breach costs a company a little more than $9 million.

These are average figures based on data breaches that range from 1,000 to 100,000 records lost. The costs go up by a factor of 100 when you get above one million records lost, which is not uncommon these days. Other factors that increase data breach costs include ransom payments and the complexity of a company’s IT infrastructure.

Not included in the report is how much of these increased data breach costs are passed along to consumers in the form of higher fees or prices. The report also does not quantify the impact on small businesses that don’t have the technical or financial resources that large enterprises do.

In October, the ITRC plans to publish a report on just that, how identity crimes impact small businesses, and how they recover. Stay tuned for more about our first Business Aftermath Report.

Also, listen next week to our sister podcast, The Fraudian Slip, when the ITRC CEO and the Founder of privacy protection company Abine discuss how consumers can protect themselves and their data while online.

Contact the ITRC

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Experian for supporting the ITRC and this podcast. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • According to a new report from NTT Application Security, the percent of application software being patched has dropped below 50 percent. It is partly because more applications are being tested in the wake of recent high-profile cyberattacks. 
  • The average time to fix the most severe software vulnerabilities in a large enterprise is 203 days. That number is more than twice that figure in some industries. 
  • The report also reveals that most applications in 10 of the 11 leading industries tracked by NTT Application Security have at least one software flaw open to attack every day of the year. 
  • Cybersecurity teams are failing to fix software vulnerabilities on a timely basis, which is one reason why cybercriminals have success attacking businesses.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.  

A King of Shreds & Patches 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 30, 2021. Our podcast is possible thanks to support from Experian and Sentilink. Each week we look at the most recent events and trends related to data security and privacy. This week, we discuss one of the primary causes of cyberattacks that lead to data compromises – known but unpatched software vulnerabilities and flaws.

In Shakespeare’s Hamlet, the troubled prince refers to his uncle, a usurper of the Danish throne, as a rag-tag monarch: “A king of shreds & patches.” That description also applies to how much modern software is riddled with known flaws that give cybercriminals an easy path into organizations. There’s a report out this week that gives us a clue into just how difficult it is to patch software, even when the bugs are well known. 

Cybersecurity Teams Struggle to Quickly Fix Software Vulnerabilities 

Global cybersecurity provider NTT Application Security claims that cybersecurity teams are struggling to fix issues quickly. So far this year, the percent of application software being patched has dropped below 50 percent, partly because more applications are being tested in the wake of recent high-profile cyberattacks. 

Still, the time to patch has not improved over time. The average time to fix the most severe software vulnerabilities and flaws in a large enterprise is 203 days. In some industries, the number is more than twice that figure. The time needed to fix software used in the agriculture and forestry sector is the highest at 513 days, on average. The education sector, a common target for ransomware attacks, is the second slowest industry and requires an average of 478 days to fix a known flaw. 

How long does it take for a cybercriminal to exploit software vulnerabilities? A 2020 report puts the time to breach a system at as few as two hours once a flaw is publicly announced, usually at the same time a fix is issued. 

The Consequences of Slow Response Times to Patch Flaws 

The universally slow patch cycle, where companies prioritize which software vulnerabilities they fix in what order, has an unintended consequence, too. The lower the risk, the longer the time to patch. That allows cybercriminals to develop new attacks that link several lower-risk flaws into a single attack that is hard to detect and defend against.

NTT Application Security’s research shows that the same kind of software vulnerabilities continue to appear in new and updated applications. Most of the flaws identified in the first six months of 2021 fall into the same five categories month after month. 

What does that tell us? According to the report’s authors, it means that the people who are developing software and the teams that are protecting systems are not talking to one another, at least not enough to learn what bugs are common and how to fix them. 

Most Applications Have At least One Software Flaw Open to Attack 

There’s one last statistic from the NTT Application Security report that should be discussed. A majority of applications in 10 of the 11 leading industries tracked by NTT have at least one software flaw open to attack every day of the year. That explains why cybercriminals are successful at attacking businesses.

Next week, we’ll take a look at the ever-growing costs to businesses that suffer a data compromise, as calculated in a new report from IBM.

Contact the ITRC 

If you have questions about how to keep your personal information private and secure, visit www.idtheftcenter.org, where you will find helpful tips. 

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during normal business hours (6 a.m.-5 p.m. PST). 

Thanks again to Sentilink and Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.


  • According to the Identity Theft Resource Center’s (ITRC) First Half 2021 Data Breach Analysis, data compromises are up 38 percent over the first quarter of 2021. If this trend from the data breach statistics continues, 2021 will set an all-time high for data compromises.
  • While data compromises are up, the number of individuals impacted is down 20 percent quarter-over-quarter. If the current trajectory holds, 2021 will see the fewest number of impacted individuals since 2016.
  • Phishing and Ransomware remain the top two root causes of data compromises for the second quarter and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity.
  • To learn about recent data breaches, or to see the ITRC’s data breach statistics in our latest report, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

First Half 2021

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 9, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. This week we look at the ITRC’s data breach statistics and trends for the second quarter of this year and what they tell us about how we may end 2021.

How the ITRC Reports Data

First, here’s a brief reminder of how the ITRC reports data. We only include information from U.S. data events that are publicly reported. We report 1) data compromises, which include data breaches and data exposures (think cloud databases with no security), and 2) data leaks, generally public information that is aggregated and used for a purpose other than that for which it was intended (think information scraped from social media sites that is sold for marketing lists or used for phishing attacks).

Key Takeaways from the ITRC’s First Half 2021 Data Breach Analysis

Now, let’s look at the key takeaways from this week’s ITRC First Half 2021 Data Breach Analysis:

  • According to the ITRC’s data breach statistics, data compromises are up 38 percent over the first quarter of 2021, putting us on a trajectory to end 2021 with a record level of compromises. Every month this year (except May) has seen data compromises higher than the month before. If this trend continues, we will exceed the all-time high number of compromises set in 2017 of 1,632 publicly-reported data events.
  • However, the number of people impacted by data compromises is down 20 percent quarter-over-quarter. That means we could end 2021 with fewer than 250 million victims of identity compromises, which continues a trend away from the mass collection of individual information that started in 2018.
  • The data breach statistics show we are on pace to have the highest number of data compromises ever in the same year that we could see the fewest number of people impacted since the all-time high was set in 2016.
  • Data compromises are rising or flat pretty much across the board, with half of the sectors tracked by the ITRC showing increases.
  • Manufacturing & Utilities and Professional Services are seeing significant increases while Healthcare and Retail are seeing data compromises drop. This shift reflects the broader trend of cybercriminals focusing their attention on critical infrastructure entities, so important they cannot be allowed to remain offline, and targets considered to be not as well defended. It is all in hopes of securing larger ransomware payments.
  • Phishing and Ransomware remain the #1 and #2 root causes of data compromises for the second quarter (Q2) and the first half of the year. However, supply chain attacks continue to increase in volume, scale and complexity. Attacks against vendors that give criminals access to many companies through a single data or security breach increased 19 percent in Q2. The 58 supply chain attacks through June 30, 2021 compare to the 70 malware-related compromises for the year so far. These data breach statistics indicate that third-party risks are poised to surpass malware as the third most common root cause of data events by the end of this year.
  • Just two days after the end of the second quarter, a major supply chain attack was launched against the cybersecurity provider Kaseya. Cybercriminals demanded a record $70 million in ransom to restore the operations of more than 1,500 companies impacted by the attack. It’s not known if any personal information has been compromised. However, we know this early third quarter (Q3) attack is an indication that cybercriminals are launching ever more sophisticated attacks that command larger and larger ransom payments.

Contact the ITRC

If you have questions about how to keep your personal information private or secure, visit www.idtheftcenter.org, where you will find helpful tips, and where you can download our First Half 2021 Data Breach Analysis to see our data breach statistics.

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m. to 5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.