By Eva Velasquez, President & CEO of the Identity Theft Resource Center
When the Identity Theft Resource Center (ITRC) conducted its annual review of data breaches for 2018, they analyzed over 1,200 data breaches that caused millions of people to have their personal identifying information exposed to hackers and thieves. Given that these statistics are from the reported data incidents and don’t account for those that went unnoticed or unreported, there is no telling just how many people were actually affected in 2018. There are four industries in particular that experienced major breaches last year including: social media, travel, financial and healthcare. Here’s what you need to know about how your data was vulnerable last year.
Over the years we have seen numerous social media platforms impacted by data breaches and 2018 was no different. Facebook, Google+ and app-based communities like MyFitnessPal were among the top breached entities in the social space. Facebook was in the spot light for months because of the Cambridge Analytica incident, and it was so bad it sparked investigations from the US and UK. Unfortunately that was not Facebook’s only offense, there was also the lapse in coding that left users using “tokens” vulnerable to hackers. Unauthorized individuals had access to profile information that might have been marked private including: employer, birthdate, phone number and relatives. These tokens kept users logged in automatically, meaning that those consumers who used their Facebook profile to sign into other platforms, like Instagram, had multiple accounts at risk.
Experiencing two breaches in 2018, 53 million Google+ users were impacted. A security bug allowed third-party developers to access profile data dating back to 2015. The compromise encompassed public and private data with email addresses, photos and places lived all being exposed. Quora, a question and answer community based website, was breached impacting 100 million users. Community-based app, MyFitnessPal, also fell victim to a data breach that impacted 150 million users. Both Quora and MyFitnessPal breaches included access to usernames, emails and passwords.
It’s worth noting that with stolen usernames and emails, thieves can use high-tech software to “guess” the passwords for all accounts associated with an email/username, in a method known as “credential cracking.” Once they’ve obtained these credentials, they can change the password, lock the person out of their account and possibly gain access to sensitive personal identifying information. When you use the same login information on multiple sites you are opening yourself up to even more vulnerability. For example, if your Facebook profile is compromised, hackers can use the username and password information to hack into other accounts created using the same login info.
TIP: By using unique usernames and passwords, and by limiting the number of accounts you sign up for using another account (commonly Facebook or Google), you can minimize your risk for identity theft.
The Marriot International data breach, which was widely covered in national news, exposed more than 383 million people’s personal information deeming it the largest breach in 2018. Sensitive personal information of people all over the world was exposed like passport details, payment information and date of birth. The unauthorized access could be dated back to 2014, and this breach affected other travel companies as well. Delta and Cathay Pacific were two airlines that experienced breaches disclosing the same types of personal information as Marriot International.
TIP: When booking hotels and airfare, you should always check to see how companies will store your data and for how long (usually in the Terms of Service). Likely the information collected is necessary to ensure the traveler is who they say they are, but the housing and disposure of this data should be handled with the utmost security.
Online shopping has opened up opportunity for scammers and thieves, and are often targets of breaches. Last year Hudson Bay, who owns Saks Fifth Avenue, Saks off Fifth, and Lord & Taylor stores, experienced a breach that outed credit card information for 5 million customers. Forty million users were exposed when the online textbook site Chegg was breached. Email addresses, payment information, and mailing addresses were all a part of the information obtained.
Third-party payment processing companies are also the target of data breaches. In 2018, even local government entities reported breaches from third-party payment software. Click2Gov and GovPayNow.com both had breaches, which affected 2,300 government agencies.
TIP: Monitoring your financial accounts closely is crucial to staying ahead of thieves. You should also look at your credit report frequently for any unusual jumps or declines. Reporting the fraud to your bank, and also the theft to local authorities, is critical to protecting your personal information.
The healthcare industry often houses the most sensitive personal identifying information, and therefore it’s one of the most concerning industries to experience a data breach. Social Security Numbers, date of birth, prescriptions, diagnoses and health history are all compiled in patient files. If breached, this data could be altered or used to scam patients in a multitude of ways. For instance, UnityPoint suffered from a phishing attack impacting 1.4 million patients and exposing sensitive information mentioned above and driver’s license numbers.
TIP: Educate yourself on the types of scenarios that require you to provide your Social Security number so that you can decide ahead of time whether or not you should provide it.
Consumer risk for data breach is often out of their control. With reputable companies falling victim to data breaches in 2018, it’s time for consumers to take as many proactive steps as possible in protecting their sensitive information. Consumers should take the initiative to create strong passwords, only hand over information to companies when it’s absolutely necessary and research vendor security policies. If you have been victimized by identity theft, you can contact the ITRC for free assistance from expert advisors.
About the Author: Eva Velasquez
Eva is the President/CEO of the Identity Theft Resource Center. She has a passion for consumer protection and educating the public about identity theft, privacy, scams and fraud, and other related issues and is recognized as a national expert on these topics.
CyberScout proudly provides financial support to the Identity Theft Resource Center.