Educational Newsletters

The Cyber Threat Landscape Will Get Worse Before (and if) it Gets Better


By Mark Pribish
Vice President and ID Theft Practice Leader

November 2020 

Based on the three “headline news” articles below, I believe no one organization can prevent itself from a data breach event: 

To prove this point, while the total number of data breaches was down in the first six months of 2020, over 27 billion records have been exposed so far this year (please see here), which is more than four times higher than any previously reported equivalent time period. 

This leads me to believe two things:  

  • With all the financial and IT resources of the U.S. government and private industry – no one organization can ever prevent itself from experiencing a data breach event.
  • Cyber threats and attacks are no longer just a technology risk – but a business and consumer risk. 

So what can be done?  We need to create a new security culture with a new sense of urgency for both business and consumers. 

If you are a business and you are not proactively monitoring the ongoing risk associated with cyber threats and attacks across your entire enterprise, including the Board/C-Suite level, you're putting the viability of your business in serious jeopardy and creating liability by not adequately protecting your business assets along with your customer information. 

And if you are a consumer – especially with employees working from home and students studying remotely – and you are not proactively monitoring your and your family members’ Personally Identifiable Information (PII), then you are increasing your risk to hackers and online scammers especially during the COVID crisis. 

As the world responds to the new COVID working environment and employers and consumers become more reliant on technology, having a plan to respond to and recover from a data breach and/or identity theft event is more important than ever. 

When life is perfect and there are no data breach and identity theft events, we can take a deep breath and relax. 

Unfortunately, life is not perfect based on recent FBI cybersecurity warnings, a broken cybersecurity market and a shortage of cybersecurity workers. 

So an important question to ask the organization you work for is what is the formal response and recovery plan that is in place in the event of a data breach or hacking event? 

And as an individual consumer, the question to ask yourself is are you doing everything you can to protect yourself and your family members against hackers and online scammers? 

Sincerely,

Mark

Cybercriminals are not Stable and Cybersecurity is Unpredictable


By Mark Pribish
Vice President and ID Theft Practice Leader

October 2020 

With October Cybersecurity Awareness Month at the halfway point, it is important to note that cyber-thieves and ID theft criminals never rest and continue to stay ahead of law enforcement, businesses and consumers. 

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004 – with a mission to educate consumers, small and medium-sized businesses, corporations, and colleges. 

Based on the above, now is a great time for consumers and businesses to evaluate their cybersecurity posture – especially during the COVID-19 environment – with a focus on response and recovery. 

Why response and recovery? Because consumers and employees continue to click on phishing emails and organizations continue to experience data breach events such as ransomware. 

Two recent examples include Blackbaud (Blackbaud Ransomware Attack Gets Worse) and Twitter (Twitter Hackers Posed as Company IT Officials Making a Support Call).

Blackbaud – a cloud technology company – confirmed in early October that “stolen data also included bank account data and Social Security numbers, far more personally identifiable information than the company first thought.”  

Specific to Twitter, the New York State Department of Financial Services released its findings and concluded "the hack was relatively unsophisticated, caused by scammers who posed as members of Twitter's IT help desk and directed employees to a phishing website designed to look like a company site." 

Blackbaud is your typical data breach example where their first statement on July 16, 2020 said while they were hacked, “that credit card information, bank account information, or Social Security numbers were not stolen.” 

Fast forward 60 days later and Blackbaud now admits that their data breach “had access to more unencrypted data than previously disclosed, including bank account information, Social Security numbers, usernames and/or passwords.” 

Unfortunately, the final story for most data breaches rarely reflects the initial news reports, which speak of what's known at the moment but never discuss the long-term – which is exactly what happened to Blackbaud and Twitter. 

The fact is that the threat of a data breach or an ID Theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven't even thought about. 

In Blackbaud’s case, their data breach event has affected 6 million people so far, including my alma mater, The University of Dayton. 

With all the education and resources – including October Cybersecurity Awareness Month – consumers and businesses continue to fail phishing tests (after cyber-awareness trainings) and still click on actual phishing emails. 

My advice to consumers and small businesses is a heightened awareness of phishing emails, unfamiliar links and attachments, and to reconsider the information that is being shared on social media. 

After all, cybercriminals are not stable and cybersecurity is unpredictable – especially during Cybersecurity Awareness Month. 

Sincerely,

Mark

Protecting Yourself from the Internet of Things (IoT)


By Mark Pribish
Vice President and ID Theft Practice Leader
September 2020

After hearing the phrase “uncertain times” for the last six months, I am beginning to believe that it may be overused – as most consumers tune out the meaning of overused words and phrases relating to risk and danger.

Unfortunately, words and phrases such as cybersecurity, data breach, identity theft, personal privacy, and stolen credentials are still not understood by consumers. 

At the same time, as consumers continue to read about weak passwords and phishing emails relating to common access points for hackers, I believe the new access point is the Internet of Things (IoT) as hackers are taking advantage of unsecure access to smart technology. 

Two recent examples include Why the Garmin Data Breach Should Be a Wakeup Call for Every CEO (please see here) and Amazon Ring Leaks Thousands of Customer Data (please see here).   

According to Chief Executive Magazine, “Garmin confirmed it had been the victim of a cyberattack that caused a days-long outage in late July, during which users worldwide were unable to upload their fitness data from the company’s sports devices. Garmin reportedly paid a sizable ransom to get its data back.” 

And according to Threatpost – which is a leading source for IT and business security – “2019 saw an explosion of privacy issues and scandals for Amazon-owned Ring.  Researchers found several flaws in the IoT device, including one that allowed attackers to spy on families, or one that exposed Wi-Fi network passwords.” 

The IoT allows smart technology products such as gaming devices, home appliances, medical wearables, sports equipment, cars, and toys to send and receive data over the internet and to be controlled remotely. 

The good news is that smart technology has the potential to improve our lives from home security, energy conservation, to physical fitness.  The bad news is that smart technology can also increase our exposure to risk with poor security features and placing the responsibility of security on the consumer. 

The fact is smart technology devices collect, store, process, and use personal information such as names, addresses, phone numbers, email addresses, payment account information, GPS-based location, and activity patterns. 

A new security report from Palo Alto Networks states that “57% of IoT devices are vulnerable to cyberattacks of medium to high severity.” 

The Palo Alto report offered best practices to protect IoT devices from cyberattacks including: 

Based on the above, and the increase in IoT-related data breaches due to unsecured IoT devices, enjoy your smart technology devices – and stay safe and smart by changing your default passwords and staying up to date on the latest IoT updates. 

Sincerely,

Mark

Online Students are New ID Theft and Fraud Targets


By Mark Pribish
Vice President and ID Theft Practice Leader

August 2020  

With colleges and universities beginning the new school year, it reminded me of when I attended the University of Dayton for four great years and graduated in 1981. 

I had the time of my life and made many lifetime friends. Student life was simple, no laptops, no smartphones, no social media, socializing at the library, and the music was fantastic. 

However, with today’s laptops, smartphones, and social media – the risk of ID theft and fraud for students is higher than ever. 

Now and to make matters worse, most students studying online and remotely are at a higher risk based on the COVID-19 pandemic – and this May 27, 2020 Federal Trade Commission (FTC) article titled COVID-19 scams targeting college students helps confirm it. 

With a significant increase in phony LinkedIn, Facebook and other social media friend requests placing many students at risk – as this August 12, 2020 article titled COVID-19 is shattering cyberattack records highlights – the daily inundation of misinformation has given cybercriminals an endless resource of cyber-based ammo to implement their attacks. 

But college students are not the only targets as colleges, universities and K-12 districts across the U.S. have become cyber targets for personal information and intellectual capital based on this July 1, 2020 article titled US schools leaked 24.5 million records in 1,327 data breaches since 2005.

California had the most educational data breaches accounting for 157 of the 1,328 breaches (11.8 percent). The list of worst-hit states includes New York with 89, Texas with 79, Illinois and Ohio each with 60, and Florida with 58.  Colleges account for 74% of education data breaches. 

And not to sound like a broken record, please see this July 14, 2020 article titled FBI warning-cybercrimes are up and school districts could be the target.

So what can parents and students do to mitigate their exposure to cyber scams and identity theft? 

  1. The COVID-19 pandemic has new email phishing attacks that try to trick parents working from home and students studying remotely into giving away credentials for access to their employers' and college/university networks. You need to stay vigilant and be careful with every email.
  2. A new voice phishing scam uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from – again – both parents and students.
  3. Limit what you share online, use and regularly change strong passwords on smartphones, tablets and laptops, and use a crosscut shredder.
  4. Parents and students need to know “student rights” under FERPA. The Federal Educational Rights and Privacy Act (FERPA) protects the privacy of student records.

As ID theft criminals continue to use the Social Security Numbers of students to obtain employment, rent an apartment, open a utility, cell phone, bank account, or to access government benefits, be ever vigilant of new and emerging scams.

 Sincerely,

 Mark

Telehealth Creates New Cyber and Medical ID Theft Risks


By Mark Pribish
Vice President and ID Theft Practice Leader

July 2020 

I am following up on my June 2020 article titled “Medical ID Theft Risks Increase During the COVID-19 Crisis” where I said “we need to be more vigilant about cyber scams, phishing scams, hackers, and insider threats that are targeting our online presence – including Telehealth services.” 

Based on reader response and this July 27, 2020 HealthITSecurity article titled Telehealth Is the New Normal, But So Is Online Fraud (please see here), I will continue the discussion on how the current COVID-19 pandemic has increased consumer risks through cyber scams and medical identity theft.  

To place Telehealth services in perspective, HealthITSecurity states that “before COVID-19, the United States telehealth market was estimated at about $3 billion with 11% of consumers using telehealth in 2019. Fast forward to pandemic-plagued 2020, the telehealth market is poised to grow to $250 billion with 46% of consumers now using telehealth, according to McKinsey & Company.” 

“Unfortunately,” and according to HealthITSecurity, “these benefits are being offset by a variety of fraud schemes where healthcare fraud in the US is approaching $300 billion annually and while the Department of Health & Human Services and the Centers for Medicare & Medicaid Services eased their telehealth requirements to serve more patients during the pandemic, there could be an inadvertent wave of billing fraud and risk patient safety.” 

The fact is, the COVID-19 pandemic has cyber scammers, phishing scammers, hackers and even the insider threat targeting healthcare professionals and consumers. 

Examples of fraud scams, phishing scams, hacking, and insider threats include: 

  • Fraud scams including fake or fraudulent COVID-19 cures through fraudulent phone calls, fake social media content, and door-to-door sales. 
  • Phishing and Vishing Scams including fake emails, texts and phone calls to get you to share personal information like account numbers, Social Security numbers, or your login IDs and passwords.
  • Hacking / Malware where hackers use malicious software such as viruses, worms, Trojan viruses, spyware, adware, and ransomware. 
  • Insider Threats including current and former employees like the careless worker, the disgruntled employee, the malicious insider, and the outside contractor or vendor. 

While Telehealth is an emerging opportunity with great potential, Telehealth has great potential to contribute to medical identity theft. 

According to this April 13, 2020 Association of Certified Fraud Examiners (ACFE) blog, “as Telehealth services proliferate, telehealth fraud schemes will continue to evolve” (please see here). 

Consumers need to be aware that the insider threat, hacker, phishing or vishing scammer, or fraudster stealing or using your personal information (e.g., name, Social Security number, Medicare number, etc.) can also originate with Telehealth services. 

Consumers can also reduce their risk of medical identity theft by safeguarding their health insurance cards, regularly reviewing credit reports, medical benefit explanations, medical bills, and prescription bills.

 Sincerely,

 Mark

Medical ID Theft Risks Increase During the COVID-19 Crisis


By Mark Pribish
Vice President and ID Theft Practice Leader

June 2020

Since people started working from home due to the COVID-19 crisis, the risk of financial and non-financial identity theft, fraud and scams has significantly increased.

Keyword phrases such as cybercrime, cyber thieves, data breach, digital spying, identity theft, personal privacy, phishing, and reputational risk have been reported and written about relating to both individuals and businesses more than ever.

As if it was not enough to constantly fight hackers and scammers at the office, most American workers are now fighting the same hackers, scammers and ID theft criminals remotely, from our “private” homes.

Understanding that many people live their lives online through social media, dating websites, reading the news, and the use of smartphones – the COVID-19 crisis has increased access points to the American consumer and worker more than ever.

One example of a new access point for many consumers is Telehealth.

According to the Centers for Disease Control (CDC) June 10, 2020 update titled Using Telehealth to Expand Access to Essential Health Services during the COVID-19 Pandemic (please see here), “Telehealth services help provide necessary care to patients while minimizing the transmission risk of the COVID-19 virus to healthcare personnel (HCP) and patients” and “while telehealth technology and its use are not new, widespread adoption among Healthcare Providers and patients beyond simple telephone calls has been relatively slow.”

The CDC stated that recent policy changes during the COVID-19 pandemic have reduced barriers to telehealth access and have promoted the use of telehealth as a way to deliver acute, chronic, primary and specialty care that can help improve patient health outcomes.

However, and while Telehealth is a timely, valuable and useful tool, this June 22, 2020 article titled Security Experts Warn Of Elevated Threat Of Medical ID Theft During Coronavirus Pandemic (please see here) reported that “the coronavirus pandemic presents a greater threat for medical identity theft as patients interact with the health care system.”

One security expert, Randy Pargman, a former senior computer scientist with the Federal Bureau of Investigation (FBI) said that “companies across the board are more susceptible to theft of personal information during this pandemic because the attackers know they can take advantage of this situation.”

Pargman also said “patient files are rife with personal data ranging from social security numbers to insurance information.”

Whether it is a cybercriminal hacking medical files or the insider threat stealing medical files, I am certain that Telehealth services have just as many vulnerabilities as the many healthcare systems, hospitals and medical groups that have already experienced data breach events.

As we continue to work from home, we need to be more vigilant than ever about the cyber scams, phishing scams, hackers, and insider threats that are targeting our online presence – including Telehealth services.

Sincerely,

Mark

Credit Freezes Versus Credit Locks; What You Should Know


May 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

According to a May 22, 2020 ComputerWeekly.com article titled Covid-19 will leave organizations exposed to higher cyber risks (please see here https://www.computerweekly.com/news/252483503/Covid-19-will-leave-organisations-exposed-to-higher-cyber-risks), “hacking attacks and phishing emails could become the new norm.”

The fact is the risk of a data breach event is now higher than ever based on the “increase in phishing email attacks, malicious keylogger attacks and the distribution of password-stealing software.”

This means that individual consumers might not know for months or even years that their Personally Identifiable Information (PII) was stolen by cyber thieves and ID theft criminals.

Since the COVID-19 crisis began, state and federal law enforcement has reported on numerous cybersecurity attacks and phishing scams including:

  • Sophisticated COVID-19 related phishing attacks that use PDF attachments to bypass software security defenses
  • Fake shipping emails pretending to be from FedEx and UPS to trick customers into downloading malware
  • Phony LinkedIn “connect” and Facebook “friend” requests to trick users into downloading malware
  • Fraudulent small business lending emails targeting small business owners including small law firms
  • New and innovative “vishing” phone scams impersonating government organizations and charities to solicit donations

With an increase in cyber scams, data breach events and ID theft victims during the current COVID-19 crisis, consumers might consider placing a credit freeze on their credit report.

However, be careful as Consumer Reports Magazine states (please see here https://www.consumerreports.org/credit-protection-monitoring/why-a-free-credit-freeze-is-better-than-a-credit-lock/) that “even though credit freezes are now free, credit bureaus are pushing consumers to lock their credit instead.”

According to Consumer Reports, “credit locks and freezes are similar. They both prevent others from accessing your credit information, eliminating the possibility that a fraudster could open a new credit account in your name. To entice consumers to use credit locks, the credit bureaus cite convenience and may offer special deals.”

To conclude, a credit freeze – also known as a security freeze – is a free tool that lets consumers restrict access to their credit report, which in turn makes it more difficult for ID theft criminals to open new accounts in an individual consumer’s name. The reason is that most creditors need to see a consumer’s credit report before they approve a new account. If they cannot see an individual consumer credit report, they will not extend the credit.

Based on the COVID-19 Crisis, a credit or security freeze is another option you should consider to protect you and your family members.

Sincerely,

Mark

FBI, Secret Service and Homeland Security Continue to Issue COVID-19 Scam and Fraud Alerts


April 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

After working the last six weeks from home, along with most Americans in the United States, there has been no slowing down of COVID-19 alerts from the FBI, Secret Service and Homeland Security regarding the personal privacy and identity theft risks to every consumer in America. 

The news headlines below are just a small example of the daily and weekly alerts released by law enforcement to help protect individuals from the numerous identity theft, phishing and cyber related fraud events: 

Based on the above, consumers need to be aware of sophisticated COVID-19 related phishing attacks that use PDF attachments to bypass software security defenses. 

Consumers also need to know about fake shipping emails pretending to be from FedEx and UPS along with new and innovative phone scams. 

There has also been a significant increase in phony LinkedIn, Facebook and other social media friend requests that are putting many consumers at risk. 

Lastly and according to my colleague Jeremy Villanueva, the Manager of Customer Support Operations for the Merchants Information Solutions Recovery Advocate Center – a new and emerging consumer risk is the “stimulus check scam and fraud.”

According to Jeremy, Forbes Magazine published an April 28 article titled Scammers have registered 150,000 fake stimulus check websites. Here’s how to protect yourself (please see here), where fraudsters create a copy of the IRS's official "Get My Payment" site and when a user goes to Google to search for the real stimulus check tracker, they might instead be lured to a fake site.

If a consumer submits their information, “scammers can then use the newly acquired credentials to try to beat the victim to their stimulus check. Then they can input another bank account to receive the money, or just use your personal information for identity theft.”

In just the month of April, Jeremy’s team of highly-trained Recovery Advocates has helped numerous victims of stimulus check fraud along with other consumers who have become victims of COVID-19 related scams return to pre-identity theft status. 

To conclude, consumers need to stay up to date on the latest COVID-19 related scams and fraud events to protect themselves and family members. 

Sincerely,

Mark

Coronavirus Fear and Anxiety drives Phishing Scams


March 2020

By Mark Pribish
Vice President and ID Theft Practice Leader 

I read a great article last week by Risk Based Security – a leader in vulnerability intelligence – about modern phishing attempts (please see here) and “how malicious attackers are targeting unsuspecting people on the web.” 

This article said there was a “tendency to associate phishing with crude boilerplate emails, dubious attachments, and poor attention spans” but instead, sophisticated “attackers were spoofing system update prompts or redirecting users to pages with all sorts of dubious code.” 

But it gets worse as cyber thieves and ID theft criminals did not take long to take advantage of fear and anxiety surrounding the global COVID-19 pandemic. 

Risk Based Security then released another article titled Coronavirus Isn’t the Only Virus Going Around (please see here) reporting that “malicious attackers will always find new ways to target individuals and organizations. This time, hackers are installing malware on computers and harvesting user credentials by preying on people’s curiosity and fear of the coronavirus (COVID-19).” 

One new phishing example is where “scammers pose as the Centers for Disease Control (CDC) advising that there are new COVID-19 cases reported in the user’s city and requesting that they follow a link to learn more. From there, clicking the provided URL covertly redirects the user to a spoofed login page. If the user completes the process by providing their credentials, they are now compromised.” 

For years I have written and spoken on how IT and hacking are the sizzle that make the news headlines; however, the vast majority of data breach events are the result of phishing emails and not high technology hacking tools. 

According to the FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report (please see here), phishing scams were the most common type of internet crime last year where 114,000 U.S. consumers lost more than $57.8 million in 2019 as the result of phishing. 

Consumers need to be reminded that cyber thieves and ID theft criminals pretend to be a trustworthy party to trick people into handing over personal details or account information and that COVID-19 related scams and frauds are showing up in multiple locations including the internet, your work email and your personal email. 

Based on the severity of our national emergency concerning the Novel Coronavirus Disease (COVID-19) Outbreak – we need to be diligent and aware of the numerous phishing emails and scams in the foreseeable future.  

Sincerely,

Mark

Business ID Theft Refund Fraud is a Growing Threat


February 2020

By Mark Pribish
Vice President and ID Theft Practice Leader

Most people are aware of taxpayer identity theft refund fraud when the victim's Social Security Number is used to file a fraudulent return to claim a refund or credit.

However, most people are not familiar with business identity theft refund fraud.

According to a new January 2020 General Accounting Office (GAO) Identity Theft Report, identity theft criminals can claim a business’s tax refund by fraudulently using the business’s tax ID number and other identifying information. 

The GAO report stated that between January 2017 and August 2019, the Internal Revenue Service (IRS) helped prevent $384 million in fraudulent business identity theft refunds.

The fact is identity theft criminals are constantly looking for ways to steal the identities of individuals, tax professionals and businesses in order to file fraudulent tax returns for refunds as consumers and businesses – especially small businesses – can be unsuspecting victims of tax fraud schemes. 

The IRS states that business identity theft occurs when identity theft criminals “create, use, or try to use a business’s identifying information – such as an Employer Identification Number (EIN) – in an attempt to claim a tax refund.” 

The IRS has recognized business identity theft is a growing threat and that identity thieves show a sophisticated knowledge of the tax code and filing practices as they attempt to file fraudulent returns with potentially large refunds. 

Nearly one year ago (in April 2019), the IRS reported a 10 percent increase in the number of businesses notifying the IRS that they were victims of business identity theft (2,233 notifications in 2017 to 2,450 in 2018). 

Business identity theft impacts both the government (e.g. loss of revenue) and small businesses, which can experience reputational risk, financial and credit risk along with other types of financial fraud. 

To help both consumers and businesses, the IRS launched Identity Theft Central to improve online access to information on identity theft and data security protection for taxpayers, tax professionals and businesses.  

I believe Identity Theft Central will be a great new resource on how to report identity theft and for providing taxpayers information to protect themselves including: 

  • Taxpayer Guide to Identity Theft, including what to do if someone becomes a victim of identity theft
  • Identity Theft Information for Tax Professionals, including knowing responsibilities under the law
  • Identity Theft Information for Businesses, including how to recognize the signs of identity theft

For years, law enforcement in general and the FBI in particular have always stated that education, awareness and community outreach are critical in responding to identity theft criminals and cybersecurity thieves. 

Stay vigilant this tax season and use the new Identity Theft Central FTC resource, especially if you have a small business. 

Sincerely,

Mark

Make a Stronger Cybersecurity Commitment in 2020


December 2019

By Mark Pribish
Vice President and ID Theft Practice Leader

 

Every consumer and small business owner needs to make a commitment to do more to safeguard personal and business information in 2020. 

To help with your cybersecurity commitment, I am highlighting three topics including identity theft terms, consumer need-to-knows and small business best practices. 

First, Consumer Affairs has an identity theft glossary that serves as a great reminder to the current threat environment including: 

  • Keylogger: A keylogger is a computer program that records a person’s keystrokes to obtain confidential data.
  • Phishing: Phishing is a popular type of internet scam in which fraudsters send emails claiming to be from a reputable company to trick individuals into revealing personal information.
  • Smishing: Similar to phishing, smishing (or SMS phishing) is when someone attempts to mine sensitive information under a fake identity through text messages.
  • Vishing: Like phishing or smishing, vishing is when an identity thief attempts to gain sensitive information over the phone. 

Second, consumers need to know how to protect themselves from becoming a victim of ID theft during the holiday season such as: 

Third, small businesses need to implement cybersecurity best practices to help mitigate their exposure from identity theft and data breach events: 

  • Annual employee education should be the No. 1 priority. Talk to your employees about identity theft and data breach risks because the threat level is rising and you don't want it to sink your business.
  • Your small business needs to create, test and update a written information security and governance policy annually, including penetration testing and a simulated data-breach event.
  • Consider adding cyber liability insurance to help respond to evolving state and federal breach notification laws since most small businesses lack the financial and human resources to respond to a data breach. 

Based on the above, ring in 2020 with a stronger cybersecurity commitment to help reduce your cybersecurity risks. 

Sincerely,

Mark

Another Data Breach Letter: Another 12 Months of Credit Bureau Monitoring


November 2019

By Mark Pribish
Vice President and ID Theft Practice Leader 

I just received a November 8, 2019 Notice of Data Privacy Incident letter from Delta Dental notifying me that “a data privacy incident may affect the security of my personal health information.” 

Delta stated in my notification letter that “we take this incident very seriously and are providing you with information and access to resources so that you can protect your personal information, should you feel it is appropriate to do so.” 

The notification letter went on to say that on July 8, 2019, Delta Dental of Arizona became aware of suspicious activity and learned that a Delta Dental employee fell victim to an “email phishing scheme” that allowed an unauthorized individual to gain access to said employee’s email account. 

Delta Dental’s third-party forensic investigation revealed that “the email account contained my first and last name and Social Security number, Member ID, or Subscriber ID, and date of birth.”  

For those of you unaware, this is the type of information hackers and ID theft criminals use to open fraudulent credit card accounts and other lines of credit in your and my name.  

The same hackers and ID theft criminals can also use this information to commit non-financial ID theft by fraudulently creating a driver’s license, passport, or health insurance card, or to commit taxpayer ID theft and refund fraud. 

The letter went on to say “in an abundance of caution, we are offering you access to 12 months of credit monitoring and identity theft restoration services at no cost to you” and “we sincerely regret any concern or inconvenience that incident has caused.”

Well, here is my concern: my Social Security number, thanks to Delta Dental (along with Equifax and Capital One), is out there forever.

Consumers need to be aware that a data breach or an ID Theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven't even thought about. 

Consumers also need to know that “free credit monitoring services” will not help much after 12 months or at all with non-financial ID theft, such as taxpayer ID theft and refund fraud, medical ID theft and credential (e.g. driver's license, passport, employee and student IDs) ID theft. 

The final story for most data breaches rarely reflects the initial news reports, which speak of what's known at the moment but rarely discuss the long-term threat that endures. 

Instead of minimizing the potential impact of a data breach by telling affected individuals that there has been no evidence that your information is being misused - companies need to be more open in telling you about the long term risks associated with a data breach such as non-financial ID theft, the limitations of credit monitoring, and most importantly how you will be taken care of if you become an ID theft victim.

Sincerely,

 

Mark

Personal Privacy and the Internet of Things (IoT)


October 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

Keywords: #Personal Privacy, #Internet of Things, #Smart Devices, #Identity Theft

Have you ever thought about how installing smart or connected devices such as a residential doorbell or security camera using a Wi-Fi connection can put your personal or business data at risk of being hacked or sold to third parties like advertisers? 

An October 1, 2019 article titled Smart Home Devices and Privacy Risk (please see here) states “while ‘smart home’ or internet of things (IoT) devices have become more prevalent and may make every day or business tasks more convenient, they also diminish consumers’ privacy and introduce serious risks, for both users and device developers and manufacturers.” 

According to Statista, a leading provider of market and consumer data, there will be 75 billion connected devices worldwide by 2025 (please see here). 

When I think of connected devices I think of business sectors such as Utilities (programmable thermostats), Residential Security (residential doorbells with surveillance cameras and microphones), Smart and Self-Driving Automobiles (onboard computers, infotainment/entertainment systems and apps) and Healthcare (medical devices such as a pacemaker and mobile apps) to name a few. 

In each instance, these connected business sectors and devices help save money, increase efficiencies and improve our quality of life. 

The same business sectors and devices can also give hackers and insider threats the opportunity to steal personally identifiable information (PII) leading to any consumer becoming a victim of identity theft. 

Think about it: if you can unlock the front door of your house remotely – so can a hacker. If you can start your car or unlock the door locks of your car remotely – so can a hacker. 

And if any of your devices or service providers are connected to the cloud to collect, store and/or transfer information – hackers and insider threats can collect, store and/or transfer the same information. 

While consumers are excited to have a more connected lifestyle, consumers should also be concerned about the increased risk of identity theft and data breach events. 

So what can you do about it?  Consumers can protect themselves in a number of ways including:

  1. Changing their default usernames and passwords
  2. Setting strong passwords
  3. Updating their security software regularly
  4. Checking the device for default privacy and security settings
  5. Disabling remote access to their IoT devices (where applicable)

Every IoT device comes with a built-in web interface to configure the settings mentioned above. In addition to securing any new smart devices you may purchase, be sure to configure any existing IoT devices you already have.

 Sincerely,

Mark

 

2020 Prediction: Senior ID Theft to Get Significantly Worse


September 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS: senior identity theft/ senior fraud / cybercrime / personal privacy

Whenever I speak publicly about cybersecurity and identity theft, I always share the latest research reports or identity theft trends to look for recent patterns that can help consumers and businesses mitigate their risks against identity theft. 

Based on the first half of this year – where 11 of the largest 13 data breach events occurred at medical or healthcare organizations (please see here) affecting nearly 24 million healthcare related records, I believe senior identity theft and fraud will get significantly worse in 2020. 

According to Protenus, a healthcare compliance analytics company, (please see here) this healthcare industry data breach pattern includes 503 incidents affecting nearly 15.1 million patient records in 2018 and 477 data breaches affecting 5.6 million patient records in 2017. 

When you think about lost or stolen Personally Identifiable Information (PII), most people think about credit card information, bank account information, taxpayer identity theft and refund fraud, utilities identity theft and fraud, and credential identity theft such as driver’s license or passport fraud. 

Very few people think about medical identity theft in general and senior identity theft in particular. 

However, when the collections firm American Medical Collections Agency (AMCA) – which services laboratories, hospitals, physician groups, billing services and medical providers throughout the United States – experienced a data breach including Labcorp affecting 7.7 million patients and Quest Diagnostics affecting 11.9 million patients, I wondered how safe and secure all American consumer billing records really are? 

Another interesting statistic comes from the 2019 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book where 39% of fraud complaints and 15.9% of identity theft complaints impacted seniors (60 years or older) in 2018 (please see here).       

At first glance, however, if you add the mature market (50 – 59 years of age), the “Identity Theft Reports by Age” from the FTC Consumer Sentinel Network show that, on a three-year average, 36% of identity theft victims were 50 years and older. 

  • 50 years of age and older – 31.3% in 2018
  • 50 years of age and older – 36.6% in 2017
  • 50 years of age and older – 40% in 2016

While there were “only” 14.4 million identity theft victims in 2018, which represented a drop from the record-breaking 16.7 million victims in 2017, it is estimated that out-of-pocket fraud costs for victims more than doubled in 2 years to $1.7 billion.

The FTC report also showed that younger people reported losing money to fraud more often than older people – but older people lost nearly twice the amount to fraud.

To conclude, nearly 50 million health related records have been reported stolen from over 1,000 data breaches over the last 30 months. 

With National Cybersecurity Awareness Month taking place in October, I believe senior identity theft and fraud will rise in 2020!

Who’s the Insider Threat at Your Company?


August 2019

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS cybersecurity / cybercrime / insider threat / personal privacy 

I just attended the Black Hat 2019 Conference – which is the largest information security event in the world – on August 7-8 and listened to a very informative presentation by John Grim, Managing Principal – Americas, Verizon Threat Research Advisory Center (VTRAC), on Verizon’s recently released Insider Threat Report.

Grim began the presentation by highlighting Verizon’s five insider threat categories including the following:

  • The Careless Worker
  • The Inside Agent
  • The Disgruntled Employee
  • The Malicious Insider
  • The Feckless Third Party

As a side note, I had to look up the word “feckless” which has a number of meanings including irresponsible, incompetent, inept, and lacking character.

Grim defined insiders as “full- and part-time employees, independent contractors, interns, and other staff, as well as business partners and third parties with some level of privileged access.”  He also said that “human resource controls, security access principles, training and third-party management controls can mitigate risks.”

According to Verizon’s Insider Threat Report, “twenty percent of cybersecurity incidents and 15 percent of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization, with financial gain (47.8 percent) and pure fun (23.4 percent) being the top motivators.”

In addition, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

To put all this in perspective, Capital One’s recent data breach involved this very insider threat, the “feckless third party”: an irresponsible former Amazon employee, lacking character and integrity, is now being charged with computer fraud.

Just as I wrote in a recent LinkedIn post about Capital One’s data breach event that the question should be “who’s in your wallet?” – I believe every business and organization, based on Verizon’s Insider Threat Report, should be asking “who’s the insider threat at your company?”

To conclude, Verizon offers organizations an opportunity to “identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.”

You can go to this link to read Verizon’s Insider Threat Report.

Sincerely,

Mark

Apps Are a Bigger Personal Privacy Threat than Facebook


July 2019

KEYWORDS cybersecurity / cybercrime / social media / apps / personal privacy

Four years ago I wrote an article titled “Are apps and social media putting your privacy at risk?” (please see here) where I asked readers when was the last time they read the terms and conditions or adjusted the privacy settings of their smartphone apps or social-media accounts?

On Wednesday (July 24, 2019) the Federal Trade Commission (FTC) announced that Facebook “will pay a record-breaking $5 billion fine to resolve a government probe into its privacy practices and the social media giant will restructure its approach to privacy” (please see here).

The FTC also said that Facebook’s “data policy was deceptive to ‘tens of millions’ of people who used Facebook’s facial recognition tool and also violated its rules against deceptive practices when it did not disclose phone numbers collected to enable a security feature would be used for advertising.”  I will get back to facial recognition in a moment.

So when you think about why consumers use apps and social media, you think about convenience, entertainment and networking opportunities.  Common app examples include requesting transportation, adjusting our home thermostat, accepting a LinkedIn invite, posting on social media or playing a game.  This is the reality of our evolving lifestyle and is the world that we live in today.

Another reality is that our everyday app use and access to social media increases our personal privacy risks.  For example, while you are thinking about convenience, entertainment and networking opportunities – so are the cyber thieves and ID theft criminals who are leveraging your social networks and apps to do their dirty work. Common social media examples include fake LinkedIn invites, fake Facebook accounts, fake Twitter accounts, fake reviews, and even fake news.

Over the last few years, cybersecurity research has shown that most social media scams were manually shared, where the scam spread rapidly. These scams are lucrative for cybercriminals because people are more likely to click something “posted by a friend.”  Mobile platforms, including mobile apps, have also been ripe for attacks, as many consumers associate cyber threats with their PCs and neglect even basic security precautions on their smartphones.

Consumers need to be reminded that apps and social media can track your search engine history, purchasing habits, geographical location, and even look into your files and contact list – all without your knowledge and sometimes without your permission.  The type of personal information being collected and sold to third-party marketers and data brokers includes your smartphone's unique device ID, phone's location, phone number, your age, gender, likes, dislikes, search-engine habits, e-mails, usernames and more.

So, returning to facial recognition and the extremely popular facial recognition app called FaceApp, you may want to read this article titled All your friends are posting aging selfies with FaceApp – a Russian app that's raising privacy concerns (please see here).

Essentially, FaceApp is a photo editing app where you can see what you would look like with a beard, gray hair, and even wrinkles.  Unfortunately, to use FaceApp you have to give it permission to access all your photos along with access to Siri and Search.  In addition, FaceApp has access to refreshing in the background – “even when you are not using it, it is using you,” according to Rob La Gesse, former vice president at Rackspace, who shared his FaceApp thoughts on Facebook on Wednesday, July 17, 2019.

Based on the above, here are my five tips to help you minimize your privacy risks:

  • Limit and/or eliminate sharing your personal information online.
  • Increase your privacy awareness by reviewing and adjusting your privacy settings.
  • Be aware that some apps reset your privacy settings during major upgrades.
  • Learn more on how the apps you have installed use your personal information and for what purposes.
  • Consider using "privacy assistant software" to help keep your privacy preferences current.

I will conclude by asking the same question again:  when was the last time you read the terms and conditions or adjusted the privacy settings of your smartphone apps or social-media accounts?

Sincerely,

Mark

4 Data Breach Best Practice Tips for Small Businesses


June, 2019

According to a June 4, 2019 Security Magazine article titled Data Breaches Cost $654 Billion in 2018 (please see here https://www.securitymagazine.com/articles/90320-data-breaches-cost-654-billion-in-2018), “cybercriminals exposed 2.8 billion consumer data records in 2018, costing more than $654 billion to U.S. organizations.”

Personally identifiable information (PII) was the most targeted data, with 54 percent of stolen PII being date of birth and/or Social Security Numbers.

In addition, “name and physical address (49 percent) and personal health information (46 percent) were the second and third most commonly compromised type of PII in 2018.”

Based on the above, and the just released 2019 Verizon Data Breach Investigations Report (DBIR) where Verizon found that 43% of data breaches happened to small businesses, I have listed below my four data breach best practice tips to help small businesses prepare for and mitigate their exposure to a data breach event.

Best Practice #1 - every small business needs to understand the cybersecurity threat landscape.

Staying on top of all the security news and knowing the latest security trends is a time consuming and challenging task.  I recommend regularly reading Brian Krebs (please see here https://krebsonsecurity.com/) who is the author of a daily blog covering cybersecurity, data breach and cybercrime trends.

Best Practice #2 - is to have a written information security and governance policy and to update this policy each year.  Once complete, have every employee – even small businesses with two to five employees – sign this information security policy document acknowledging that they have read, understand and agree to the policy.

Best Practice #3 – is to have a data breach risk management plan in place. The lack of cybersecurity preparedness, the lack of data breach planning and the lack of employee privacy training have made small businesses a target for cyber criminals. Your data breach risk management plan should include pre-breach planning with a focus on an information security risk assessment and employee education and awareness.  It should also include post-breach planning with a focus on state and federal breach notification laws and a list of incident response vendors such as your insurance broker, legal services, forensic services, and public relations.

Best Practice #4 - every small business owner should consider having a cyber liability insurance policy which can help protect your business from cybercrime and a data breach event.  The CEOs and CIOs of Equifax and Target were not fired because they were hacked or breached; they were fired for their failed management response to their breach events.  Cyber insurance can help your business be resilient and compromise ready.

With the threat environment changing so quickly, chances are your security policies and procedures (if your business has security policies and procedures) are not keeping up; just as state and federal laws are not keeping up with the newest technologies.

These four best practices will help your small business respond to new threats along with the changing regulatory environment.  

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters below.

Your Cell Phone Number is a Threat to Your Personal Privacy


April, 2019

I read with great interest an article titled Phone numbers are the new Social Security numbers (please see here) that highlights how "cellphone numbers have become a primary way for tech companies like Facebook to uniquely identify users and secure accounts, in some ways becoming a proxy for a national ID."

The article goes on to say that cellphone numbers are becoming Americans' latest national identification number as Congress mandated that consumers could take their phone number from one provider to another.

This means that consumers can have a de facto "cellphone number for life" system.

Think about how your cell phone number / smartphone is used as a personal computer to do your banking, watch movies, and more including the following:

 - Texting
 - Email
 - Social Media
 - Camera
 - Banking
 - Reading news
 - Online shopping
 - Checking the weather
 - WhatsApp
 - Watching videos on YouTube

Now think about how your smartphone is also a potential threat to your personal privacy. While you can install some privacy related apps, you still give up most of your privacy.

Here are some examples of how your personal privacy can be at risk through your smartphone:

 - Geotracking — a smartphone is able to locate itself via the integrated GPS chip. While disclosing location data may seem harmless, it is still an invasion of privacy. This data can be used to build a profile on you or a family member, which can subsequently be used for a phishing attack.

 - Wi-Fi tracking — as cellular connections often falter indoors, retailers have offered free Wi-Fi to their shoppers. While consumers click to accept the terms of service, an invasion of privacy is taking place as retailers can determine which departments the shoppers have visited and how long they spent there.

 - Microphone eavesdropping — every smartphone has a microphone, and it's another security risk. While the main concern for many of us may be someone eavesdropping on private conversations, microphones also can be used for data collection.

So let's conclude with your personal privacy risks related to your cell phone number.

The next time someone asks you for your cellphone number, remember that it is increasingly used to connect to private information maintained by all types of companies including financial institutions, retailers and social networks.

Your cell phone number can also be used to monitor and predict what you view and purchase online or even what you watch on television.

It is important to know that your cell phone number is not regulated and no companies are mandated to keep it private. Studies indicate that half the U.S. population no longer has a landline. Many consumers in the 20-30 year age bracket have never had a landline. Many young consumers have no credit history and therefore no link to their Social Security number.

On the other hand, most teenagers are equipped with a cell phone number at the average age of thirteen. That cell phone number often remains with them for decades, providing a detailed digital identification system of information.

This detailed digital identification system of information applies to all of us, so be smart with your cell phone number and who you share it with.

Sincerely,

Mark Pribish | Vice President and ID Theft Practice Leader
