Educational Newsletters

Former FBI Special Agent John Iannarelli Offers Tips on Cybersecurity

By Mark Pribish
Vice President and ID Theft Practice Leader

Is your business safe from the cybersecurity threat? 

According to the Allianz Risk Barometer for 2020, cyber incidents ranked as the number one business risk in its ninth annual survey of risk experts. 

Based on the above, I just interviewed former FBI Special Agent John Iannarelli in between his national television appearances on Fox News and Fox Business. 

Mr. Iannarelli retired from the FBI after more than 20 years of service, during which time he was the FBI’s National Spokesperson, on the FBI Cyber Division executive staff, an FBI SWAT team member, and the Assistant Special Agent in Charge of the FBI’s Phoenix Division, where he oversaw all Criminal, Cyber, and Counter Intelligence Investigations throughout Arizona. 

Since leaving the FBI, Mr. Iannarelli has been an active contributor for national news outlets, a keynote speaker, an author, and a security consultant. 

I asked Mr. Iannarelli for simple advice on how to keep small businesses safer in 2020 and he offered the following security tips for small businesses and sole proprietors: 

Ransomware - “Maintaining a strong firewall, keeping your security software up to date, and the patching of vulnerable software is critical,” said Iannarelli. He also said, “The restoration of your computer files from a backup is the fastest way to safely regain access to your data.” Mr. Iannarelli recommends “to not pay the ransom as there is no guarantee that you will be able to regain access to your files and that once you pay the cyber criminals they are likely to attack again.” 

Free Public Wi-Fi - Hackers steal consumer data from devices connected to unsecured networks by positioning themselves between you and the connection point. This means that instead of talking directly with the hotspot, you end up sending your data to the hacker. Mr. Iannarelli recommends “use of VPN encryption to help prevent cybercriminals from hacking into your Wi-Fi connection and intercepting the data you send and receive.” 

Vendor Due Diligence - According to the Ponemon Institute, third-party breaches remain a dominant security challenge for small and large businesses, with over 63% of data breaches linked to a third party. Mr. Iannarelli said, “Small businesses should establish information security and governance best practices including a data breach and incident response policy and plan.” This will not only help protect your small business but also help win new business by elevating your small business due diligence profile. 

State and Federal Notification Laws - Since the United States does not have a Federal Privacy law, Mr. Iannarelli stated that “understanding current state privacy laws where your small business conducts business is critical to responding to a data breach event in a timely and effective manner.” 

If you have been victimized by an online scam or any other cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center or call your local FBI office. 



Make a Stronger Cybersecurity Commitment in 2020

By Mark Pribish
Vice President and ID Theft Practice Leader


Every consumer and small business owner needs to make a commitment to do more to safeguard personal and business information in 2020. 

To help with your cybersecurity commitment, I am highlighting three topics including identity theft terms, consumer need-to-knows and small business best practices. 

First, Consumer Affairs has an identity theft glossary that serves as a great reminder of the current threat environment, including: 

  • Keylogger: A keylogger is a computer program that records a person’s keystrokes to obtain confidential data.
  • Phishing: Phishing is a popular type of internet scam in which fraudsters send emails claiming to be from a reputable company to trick individuals into revealing personal information.
  • Smishing: Similar to phishing, smishing (or SMS phishing) is when someone attempts to mine sensitive information under a fake identity through text messages.
  • Vishing: Like phishing or smishing, vishing is when an identity thief attempts to gain sensitive information over the phone. 

Second, consumers need to know how to protect themselves from becoming a victim of ID theft during the holiday season such as: 

Third, small businesses need to implement cybersecurity best practices to help mitigate their exposure from identity theft and data breach events: 

  • Annual employee education should be the No. 1 priority. Talk to your employees about identity theft and data breach risks because the threat level is rising and you don't want it to sink your business.
  • Your small business needs to create, test and update a written information security and governance policy annually, including penetration testing and a simulated data-breach event.
  • Consider adding cyber liability insurance to help respond to evolving state and federal breach notification laws since most small businesses lack the financial and human resources to respond to a data breach. 

Based on the above, ring in 2020 with a stronger cybersecurity commitment to help reduce your cybersecurity risks. 



Another Data Breach Letter: Another 12 Months of Credit Bureau Monitoring

By Mark Pribish
Vice President and ID Theft Practice Leader 

I just received a November 8, 2019 Notice of Data Privacy Incident letter from Delta Dental notifying me that “a data privacy incident may affect the security of my personal health information.” 

Delta stated in my notification letter that “we take this incident very seriously and are providing you with information and access to resources so that you can protect your personal information, should you feel it is appropriate to do so.” 

The notification letter went on to say that on July 8, 2019, Delta Dental of Arizona became aware of suspicious activity and learned that a Delta Dental employee fell victim to an “email phishing scheme” that allowed an unauthorized individual to gain access to said employee’s email account. 

Delta Dental’s third party forensic investigation revealed that “the email account contained my first and last name and Social Security number, Member ID, or Subscriber ID, and date of birth.”

For those of you unaware, this is the type of information hackers and ID theft criminals use to open fraudulent credit card accounts and other lines of credit in your and my name.  

The same hackers and ID theft criminals can also use this information to commit non-financial ID theft by fraudulently creating a driver’s license, passport, or health insurance card, or to commit taxpayer ID theft and refund fraud. 

The letter went on to say “in an abundance of caution, we are offering you access to 12 months of credit monitoring and identity theft restoration services at no cost to you” and “we sincerely regret any concern or inconvenience that incident has caused.”

Well, here is my concern: my Social Security number, thanks to Delta Dental (along with Equifax and Capital One), is out there forever.

Consumers need to be aware that a data breach or an ID Theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven't even thought about. 

Consumers also need to know that “free credit monitoring services” will not help much after 12 months or at all with non-financial ID theft, such as taxpayer ID theft and refund fraud, medical ID theft and credential (e.g. driver's license, passport, employee and student IDs) ID theft. 

The final story for most data breaches rarely reflects the initial news reports, which speak of what's known at the moment but rarely discuss the long-term threat that endures. 

Instead of minimizing the potential impact of a data breach by telling affected individuals that there has been no evidence that your information is being misused - companies need to be more open in telling you about the long term risks associated with a data breach such as non-financial ID theft, the limitations of credit monitoring, and most importantly how you will be taken care of if you become an ID theft victim.




Personal Privacy and the Internet of Things (IoT)

By Mark Pribish
Vice President & ID Theft Practice Leader

Keywords: #Personal Privacy, #Internet of Things, #Smart Devices, #Identity Theft

Have you ever thought about how installing smart or connected devices such as a residential doorbell or security camera using a Wi-Fi connection can put your personal or business data at risk of being hacked or sold to third parties like advertisers? 

An October 1, 2019 article titled Smart Home Devices and Privacy Risk (please see here) states “while ‘smart home’ or internet of things (IoT) devices have become more prevalent and may make every day or business tasks more convenient, they also diminish consumers’ privacy and introduce serious risks, for both users and device developers and manufacturers.” 

According to Statista, a leading provider of market and consumer data, there will be 75 billion connected devices worldwide by 2025 (please see here). 

When I think of connected devices I think of business sectors such as Utilities (programmable thermostats), Residential Security (residential doorbells with surveillance cameras and microphones), Smart and Self-Driving Automobiles (onboard computers, infotainment/entertainment systems and apps) and Healthcare (medical devices such as a pacemaker and mobile apps) to name a few. 

In each instance, these connected business sectors and devices help save money, increase efficiencies and improve our quality of life. 

The same business sectors and devices can also give hackers and insider threats the opportunity to steal personally identifiable information (PII) leading to any consumer becoming a victim of identity theft. 

Think about it: if you can unlock the front door of your house remotely – so can a hacker. If you can start your car or unlock the door locks of your car remotely – so can a hacker. 

And if any of your devices or service providers are connected to the cloud to collect, store and/or transfer information – hackers and insider threats can collect, store and/or transfer the same information. 

While consumers are excited to have a more connected lifestyle, consumers should also be concerned about the increased risk of identity theft and data breach events. 

So what can you do about it?  Consumers can protect themselves in a number of ways including:

  1. Changing their default usernames and passwords
  2. Setting strong passwords
  3. Updating their security software regularly
  4. Checking the device's default privacy and security settings
  5. Disabling remote access to their IoT devices (where applicable)

Every IoT device comes with a built-in web interface to configure the settings mentioned above. In addition to securing any new smart devices you may purchase, be sure to configure any existing IoT devices you already have.




2020 Prediction: Senior ID Theft to Get Significantly Worse

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS: senior identity theft/ senior fraud / cybercrime / personal privacy

Whenever I speak publicly about cybersecurity and identity theft, I always share the latest research reports or identity theft trends to look for recent patterns that can help consumers and businesses mitigate their risks against identity theft. 

Based on the first half of this year – where 11 of the largest 13 data breach events occurred at medical or healthcare organizations (please see here) affecting nearly 24 million healthcare related records, I believe senior identity theft and fraud will get significantly worse in 2020. 

According to Protenus, a healthcare compliance analytics company, (please see here) this healthcare industry data breach pattern includes 503 incidents affecting nearly 15.1 million patient records in 2018 and 477 data breaches affecting 5.6 million patient records in 2017. 

When you think about lost or stolen Personally Identifiable Information (PII), most people think about credit card information, bank account information, taxpayer identity theft and refund fraud, utilities identity theft and fraud, and credential identity theft such as driver’s license or passport fraud. 

Very few people think about medical identity theft in general and senior identity theft in particular. 

However, when the collections firm American Medical Collections Agency (AMCA) – which services laboratories, hospitals, physician groups, billing services and medical providers throughout the United States – experienced a data breach including Labcorp affecting 7.7 million patients and Quest Diagnostics affecting 11.9 million patients, I wondered how safe and secure all American consumer billing records really are? 

Another interesting statistic comes from the 2019 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book where 39% of fraud complaints and 15.9% of identity theft complaints impacted seniors (60 years or older) in 2018 (please see here).       

However, at first glance, if you add the mature market (50 – 59 years of age), the “Identity Theft Reports by Age” from the FTC Consumer Sentinel Network shows that, on a three-year average, 36% of identity theft victims were 50 years and older. 

  • 50 years of age and older – 31.3% in 2018
  • 50 years of age and older – 36.6% in 2017
  • 50 years of age and older – 40% in 2016

While there were “only” 14.4 million identity theft victims in 2018, which represented a drop from the record-breaking 16.7 million victims in 2017, it is estimated that out-of-pocket fraud costs for victims more than doubled in two years to $1.7 billion.

The FTC report also showed that younger people reported losing money to fraud more often than older people – but older people lost nearly twice the amount to fraud.

To conclude, nearly 50 million health related records have been reported stolen from over 1,000 data breaches over the last 30 months. 

With National Cybersecurity Awareness Month taking place in October, I believe senior identity theft and fraud will rise in 2020!

Who’s the Insider Threat at Your Company?

By Mark Pribish
Vice President & ID Theft Practice Leader

KEYWORDS cybersecurity / cybercrime / insider threat / personal privacy 

I just attended the Black Hat 2019 Conference – which is the largest information security event in the world – on August 7-8 and listened to a very informative presentation by John Grim, Managing Principal – Americas, Verizon Threat Research Advisory Center (VTRAC), on Verizon’s recently released Insider Threat Report.

Grim began the presentation by highlighting Verizon’s five insider threat categories including the following:

  • The Careless Worker
  • The Inside Agent
  • The Disgruntled Employee
  • The Malicious Insider
  • The Feckless Third Party

As a side note, I had to look up the word “feckless” which has a number of meanings including irresponsible, incompetent, inept, and lacking character.

Grim defined insiders as “full- and part-time employees, independent contractors, interns, and other staff, as well as business partners and third parties with some level of privileged access.”  He also said that “human resource controls, security access principles, training and third-party management controls can mitigate risks.”

According to Verizon’s Insider Threat Report, “twenty percent of cybersecurity incidents and 15 percent of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization, with financial gain (47.8 percent) and pure fun (23.4 percent) being the top motivators.”

In addition, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

To put all this in perspective, Capital One’s recent data breach involved this very insider threat, the “feckless third party”: an irresponsible former Amazon employee lacking character and integrity, who is now being charged with computer fraud.

Just as I wrote in a recent LinkedIn post about Capital One’s data breach event that the question should be “who’s in your wallet?”, I believe every business and organization, based on Verizon’s Insider Threat Report, should be asking “who’s the insider threat at your company?”

To conclude, Verizon offers organizations an opportunity to “identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.”

You can go to this link to read Verizon’s Insider Threat Report.



Apps Are a Bigger Personal Privacy Threat than Facebook

July 2019

KEYWORDS cybersecurity / cybercrime / social media / apps / personal privacy

Four years ago I wrote an article titled “Are apps and social media putting your privacy at risk?” (please see here) where I asked readers when was the last time they read the terms and conditions or adjusted the privacy settings of their smartphone apps or social-media accounts?

On Wednesday (July 24, 2019) the Federal Trade Commission (FTC) announced that Facebook “will pay a record-breaking $5 billion fine to resolve a government probe into its privacy practices and the social media giant will restructure its approach to privacy” (please see here).

The FTC also said that Facebook’s “data policy was deceptive to ‘tens of millions’ of people who used Facebook’s facial recognition tool and also violated its rules against deceptive practices when it did not disclose phone numbers collected to enable a security feature would be used for advertising.”  I will get back to facial recognition in a moment.

So when you think about why consumers use apps and social media, you think about convenience, entertainment and networking opportunities.  Common app examples include requesting transportation, adjusting our home thermostat, accepting a LinkedIn invite, posting on social media or playing a game.  This is the reality of our evolving lifestyle and is the world that we live in today.

Another reality is that our everyday app use and access to social media increases our personal privacy risks.  For example, while you are thinking about convenience, entertainment and networking opportunities – so are the cyber thieves and ID theft criminals who are leveraging your social networks and apps to do their dirty work. Common social media examples include fake LinkedIn invites, fake Facebook accounts, fake Twitter accounts, fake reviews, and even fake news.

Over the last few years, cybersecurity research has shown that most social media scams were manually shared, where the scam spread rapidly. These scams are lucrative for cybercriminals because people are more likely to click something “posted by a friend.”  Mobile platforms, including mobile apps, have also been ripe for attacks, as many consumers associate cyber threats with their PCs and neglect even basic security precautions on their smartphones.

Consumers need to be reminded that apps and social media can track your search engine history, purchasing habits, geographical location, and even look into your files and contact list – all without your knowledge and sometimes without your permission.  The types of personal information being collected and sold to third party marketers and data brokers include your smartphone's unique device ID, your phone's location, phone number, your age, gender, likes, dislikes, search-engine habits, e-mails, usernames and more.

So, returning to facial recognition and the extremely popular facial recognition app called FaceApp, you may want to read this article titled All your friends are posting aging selfies with FaceApp – a Russian app that's raising privacy concerns (please see here).

Essentially, FaceApp is a photo editing app where you can see what you would look like with a beard, gray hair, and even wrinkles.  Unfortunately, to use FaceApp you have to give it permission to access all your photos along with access to Siri and Search.  In addition, FaceApp has access to refreshing in the background – “even when you are not using it, it is using you,” according to Rob La Gesse, former vice president at Rackspace, who shared his FaceApp thoughts on Facebook on Wednesday, July 17, 2019.

Based on the above, here are my five tips to help you minimize your privacy risks:

  • Limit and/or eliminate sharing your personal information online.
  • Increase your privacy awareness by reviewing and adjusting your privacy settings.
  • Be aware that some apps reset your privacy settings during major upgrades.
  • Learn more on how the apps you have installed use your personal information and for what purposes.
  • Consider using "privacy assistant software" to help keep your privacy preferences current.

I will conclude by asking the same question again:  when was the last time you read the terms and conditions or adjusted the privacy settings of your smartphone apps or social-media accounts?



4 Data Breach Best Practice Tips for Small Businesses

June, 2019

According to a June 4, 2019 Security Magazine article titled Data Breaches Cost $654 Billion in 2018 (please see here), “cybercriminals exposed 2.8 billion consumer data records in 2018, costing more than $654 billion to U.S. organizations.”

Personally identifiable information (PII) was the most targeted data, with 54 percent of stolen PII being date of birth and/or Social Security Numbers.

In addition, “name and physical address (49 percent) and personal health information (46 percent) were the second and third most commonly compromised type of PII in 2018.”

Based on the above, and the just released 2019 Verizon Data Breach Investigations Report (DBIR) where Verizon found that 43% of data breaches happened to small businesses, I have listed below my four data breach best practice tips to help small businesses prepare for and mitigate their exposure to a data breach event.

Best Practice #1 - every small business needs to understand the cybersecurity threat landscape.

Staying on top of all the security news and knowing the latest security trends is a time-consuming and challenging task.  I recommend regularly reading Brian Krebs (please see here), who is the author of a daily blog covering cybersecurity, data breach and cybercrime trends.

Best Practice #2 - is to have a written information security and governance policy and to update this policy each year.  Once complete, have every employee – even small businesses with two to five employees – sign this information security policy document acknowledging that they have read, understand and agree to the policy.

Best Practice #3 – is to have a data breach risk management plan in place. The lack of cybersecurity preparedness, the lack of data breach planning and the lack of employee privacy training have made small businesses a target for cyber criminals. Your data breach risk management plan should include pre-breach planning with a focus on an information security risk assessment and employee education and awareness.  It should also include post-breach planning with a focus on state and federal breach notification laws and a list of incident response vendors such as your insurance broker, legal services, forensic services, and public relations.

Best Practice #4 - every small business owner should consider having a cyber liability insurance policy, which can help protect your business from cybercrime and a data breach event.  The CEOs and CIOs of Equifax and Target were not fired because they were hacked or breached; they were fired for their failed management response to their breach events.  Cyber insurance can help your business be resilient and compromise ready.

With the threat environment changing so quickly, chances are your security policies and procedures (if your business has security policies and procedures) are not keeping up; just as state and federal laws are not keeping up with the newest technologies.

These four best practices will help your small business respond to new threats along with the changing regulatory environment.  


Mark Pribish | Vice President and ID Theft Practice Leader

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters below.

Your Cell Phone Number is a Threat to Your Personal Privacy

April, 2019

I read with great interest an article titled Phone numbers are the new Social Security numbers (please see here) that highlights how "cellphone numbers have become a primary way for tech companies like Facebook to uniquely identify users and secure accounts, in some ways becoming a proxy for a national ID."

The article goes on to say that cellphone numbers are becoming Americans' latest national identification number as Congress mandated that consumers could take their phone number from one provider to another.

This means that consumers can have a de facto "cellphone number for life" system.

Think about how your cell phone number / smartphone is used as a personal computer to do your banking, watch movies, and more including the following:

 - Texting
 - Email
 - Social Media
 - Camera
 - Banking
 - Reading news
 - Online shopping
 - Checking the weather
 - WhatsApp
 - Watching videos on YouTube

Now think about how your smartphone is also a potential threat to your personal privacy. While you can install some privacy related apps, you still give up most of your privacy.

Here are some examples of how your personal privacy can be at risk through your smartphone:

 - Geotracking — a smartphone is able to locate itself via the integrated GPS chip. While disclosing location data may seem harmless, it is still an invasion of privacy. This data can be used to build a profile on you or a family member, which can subsequently be used for a phishing attack.

 - Wi-Fi tracking — as cellular connections often falter indoors, retailers have offered free Wi-Fi to their shoppers. While consumers click to accept the terms of service, an invasion of privacy is taking place as retailers can determine which departments the shoppers have visited and how long they spent there.

 - Microphone eavesdropping — every smartphone has a microphone, and it's another security risk. While the main concern for many of us may be someone eavesdropping on private conversations, microphones also can be used for data collection.

So let's conclude with your personal privacy risks related to your cell phone number.

The next time someone asks you for your cellphone number, remember that it is increasingly used to connect to private information maintained by all types of companies including financial institutions, retailers and social networks.

Your cell phone number can also be used to monitor and predict what you view and purchase online or even what you watch on television.

It is important to know that your cell phone number is not regulated and no companies are mandated to keep it private. Studies indicate that half the U.S. population no longer has a landline. Many consumers in the 20-30 year age bracket have never had a landline. Many young consumers have no credit history and therefore no link to their Social Security number.

On the other hand, most teenagers are equipped with a cell phone number at an average age of thirteen years old. That cell phone number often remains with them for decades, providing a detailed digital identification system of information.

This detailed digital identification system of information applies to all of us, so be smart with your cell phone number and who you share it with.

