Each week we look at the most recent events and trends related to data security and privacy. This is the first episode of our third season and a lot has happened since we last visited in late December. We are in the midst of another global cyberattack against an obscure, but near-universal software component known as Log4j. The Federal Trade Commission this week warned organizations it will take action if they fail to fix the flaw on a timely basis…similar to the $700M in fines and remediations aimed at Equifax following its 2017 security & data breach.
Happy New Year
Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 7, 2022. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. This is the first episode of our third season, and a lot has happened since we last visited in late December.
We are amid another global cyberattack against an obscure but near-universal software component known as Log4j. This week, the Federal Trade Commission (FTC) warned organizations it would act if they failed to fix the flaw from the Log4j cyberattack on a timely basis. It’s similar to the $700 million in fines and remediations aimed at Equifax following its 2017 security and data breach. So far, there have been no major data breaches reported due to the flaws in the Log4j cyberattack.
New T-Mobile Data Breach
Before the old year ended, an unknown number of T-Mobile customers received notices that their personal information and phones were compromised in a SIM swapping attack. That’s where criminals can take over a mobile phone, allowing them to intercept Multi-Factor Authentication (MFA) codes, among other actions. This was T-Mobile’s third data breach in 2021 and, unlike a data breach that impacted more than 50 million people, T-Mobile did not issue a public breach notice.
Broward Health System Data Breach
Starting off the new year on the wrong foot was a Florida health system that issued a news release and posted a notice on its website acknowledging a data breach. The breach included a significant amount of personal information on patients such as Social Security numbers (SSN), driver’s license, insurance information and medical data.
The Broward Health System issued that statement on Saturday, New Year’s Day. It, again, pointed to the increasing lack of transparency around data breaches. The weekend disclosure did not include how many individuals were impacted. However, due to state notice requirements in Maine, where at least one of the breach victims’ lives, we know that sensitive medical information on 1.3 million patients was compromised. The cybercriminals gained access to the data through an all-too-familiar path – a third-party vendor who had access to patient information. It is not believed to have the same level of cybersecurity as the hospital system.
The breach occurred in October 2021. While delaying data breach notices at the request of law enforcement is often a legitimate reason to hold off on notifying victims, issuing a breach notice on a Saturday that is also a major holiday – and then withholding important information – is not a best practice. That’s the kind of action that results in victims ignoring data breach notices.
Stolen Credentials Used to Launch Cyberattacks
This week we learned some news involving a trend we highlighted at the ITRC regularly in 2021: the use of stolen account credentials to launch cyberattacks. New York Attorney General Letitia James announced the results of an investigation that revealed 1.1 million online accounts at 17 well-known organizations were compromised using stolen logins and passwords. According to a news release from the Attorney General, each of the companies investigated the compromises after being alerted by her office and most of the attacks had not been detected.
The investigation also revealed that the stolen credentials were used in automated attacks known as credential stuffing. That’s where cybercriminals attempt to access accounts using lists of stolen credentials and automated, credential-stuffing software at a rate of hundreds of accounts per second.
These kinds of attacks only succeed because the criminals know our bad habit of reusing logins and passwords on multiple accounts. The ITRC’s research shows 85 percent of consumers admitted to reusing passwords on multiple accounts, although some adopted a still risky practice of using variations of the same password on different accounts.
ITRC 2021 Annual Data Breach Report
The ITRC will publish our Annual Data Breach Report on January 24 and present the findings at a virtual conference we’re co-hosting with the Better Identity Coalition (BIC). Stay tuned for more information.
Contact the ITRC
If you want to know more about how to protect your personal information, learn more about events like the Log4j cyberattack, or if you think you have been the victim of an identity crime, you can speak with an ITRC expert advisor. You can talk with an advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.
Thanks again to Experian for supporting the ITRC and this podcast. We will be back next week with another episode of the Weekly Breach Breakdown.
Also In Season 3
The Weekly Breach Breakdown Podcast by ITRC - Not Your Parents' FTC - S3E14Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for May
The Weekly Breach Breakdown Podcast by ITRC - Selling Yourself - S3E13Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for May
The Fraudian Slip Podcast ITRC - BiometricsWelcome to the Fraudian Slip…the Identity Theft Resource Center’s podcast, where
The Weekly Breach Breakdown Podcast by ITRC - The Nutmeg State - S3E12Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for May