Second PayChoice breach in one month

Posted by Caitlin on October 19th, 2009

Earlier this month, PayChoice, a payroll processing firm, was breached by hackers. Last week, PayChoice was hacked yet again. The earlier hack was unusually complex, involving a data breach, phishing emails, malicious websites, and a Trojan horse. The latest attack hinged on a security vulnerability in PayChoice's online portal, OnlineEmployer.com. It appears that hackers exploited this vulnerability in order to steal customers' usernames and passwords. The stolen credentials were then used to add fictitious employees to customers' payrolls, in an attempt to have recurring payments made to fraudulent bank accounts.

PayChoice is a leader in the payroll services and software industry, with over 125,000 business customers. It shouldn't come as a surprise that hackers have targeted a company that facilitates so many financial transactions. But what is surprising is the hackers' persistence and creativity.

To defend yourself from cybercriminals, be sure to install Internet security software, and set it to update automatically. Since the end goal of the most nefarious attacks is usually the theft of personal information that can be used to open fraudulent accounts, you might also consider investing in identity theft protection, which is designed to prevent fraudulent accounts from being opened in your name.


Phishers target PayChoice customers

Posted by Caitlin on October 5th, 2009

Hackers recently breached the online systems of PayChoice, a payroll processing firm. Shortly after the hackers accessed customer account information, including email addresses, login IDs, and partial passwords, PayChoice customers began receiving targeted phishing emails prompting them to download a plug-in. The emails, which addressed recipients by name and referenced their usernames and passwords, explained that the plug-in was necessary for continued access to PayChoice's online payroll service at OnlineEmployer.com. But the download was actually malicious software designed to steal even more account information. The phishing emails also included links to malicious websites, which would attempt to exploit vulnerabilities in Internet Explorer, Adobe Flash, and Adobe Reader to install even more malware. Unlucky victims wound up with a Trojan horse program that attempted to download even more malware and disable security software. This particular Trojan horse slips under the radar of many anti-virus scanners. Security experts believe that this attack was primarily designed to steal online banking credentials.

PayChoice is still investigating the extent of this unusually complex attack, which involved a data breach, phishing emails, malicious websites, and numerous malicious applications including a Trojan horse, all with the likely end goal of identity theft.

How can you defend yourself against such sophisticated hackers? The best course of action is to be wary when clicking on links or downloading files, to keep your browser and Internet security software updated, and to invest in identity theft protection.


How medical data breaches happen

Posted by Caitlin on September 30th, 2009

For the past three years, Tennessee doctors have been faxing patient information, including Social Security numbers and medical histories, to Bill Keith, an Indiana businessman whose fax number is similar to that of the disability determination section of the Tennessee Department of Human Services. Keith, who shreds the faxes, has contacted doctors, state officials, and even the governor's office, but the faxes keep coming, at a rate of five or more per week. This past Friday, the Tennessee Department of Human Services began contacting doctors' offices to inform them of the breach and request that they correct the fax number. Naturally, many doctors were concerned, to say the least, when they were told that they'd been faxing confidential patient information to the wrong number for years.

Identity theft expert Robert Siciliano blogged about the dangers of medical identity theft earlier this week. He described a new rule requiring health care providers to notify patients of any breaches of their medical information. But the fact is, many health care providers don't even realize when a breach has occurred or, as in this case, continues to occur on a daily basis.

TrustedID, one of the identity theft protection services reviewed on NextAdvisor.com, monitors your medical records in order to detect medical identity theft. To learn more about TrustedID and other identity theft protection services, see our reviews and comparison chart.


163,000 Social Security numbers compromised in UNC data breach

Posted by Caitlin on September 28th, 2009

In July, a University of North Carolina researcher was unable to access a server containing information pertaining to a federally funded mammography study. That information included records on a total of 236,000 women, and Social Security numbers for about 163,000 of those women. Further investigation revealed that the system had been hacked as long ago as 2007. This past Friday, UNC began to notify the 163,000 women whose Social Security numbers were exposed. The delay occurred due to the need to investigate the extent of the compromise and determine which participants were affected.

Imagine being told that hackers have had access to your Social Security number for the past two years. Two years is more than enough time for an identity thief to open new credit accounts in your name, max them out with charges, and move on to the next victim. Meanwhile, unless you check your credit report regularly or subscribe to an identity theft protection service, you might be blissfully unaware of the debt that "you" have accumulated. At least, until you are denied a loan for a new house or car, or collection agents begin banging on your door. It's important that data breach victims be notified in a timely manner, but sometimes, as in this case, the breach isn't discovered until years later. The only way to be immediately informed about any new, potentially fraudulent lines of credit in your name is to invest in credit monitoring or identity theft protection. A credit report monitoring service will alert you to any changes in your credit file, which will allow you to take action in response to any suspicious activity. An identity theft protection service will go beyond this basic level of protection to help prevent, detect and, if necessary, resolve cases of identity theft.

To learn more, see our reviews and comparison charts for credit report monitoring and identity theft protection services.


Beware of phony debt collectors

Posted by Caitlin on August 12th, 2009

The Better Business Bureau has issued a warning about phony debt collectors. The BBB is concerned about the possibility of a recent mass data breach, since the scammers are already armed with victims' personal information, including Social Security numbers, old bank account and driver's license numbers, home addresses, employer information, and even names of friends and references. The scammers, who claim to be from the "Financial Accountability Association" or the "Federal Legislation of Unsecured Loans," demand that their victims pay as much as $1,000 by wire or credit card, and threaten arrest if victims don't comply. If you get a call like this, please do not provide or confirm any of your sensitive personal data. If you don't owe any money and the caller is harassing you, you should file a complaint with the BBB and the Federal Trade Commission. And if a caller already has some of your information, consider yourself at an increased risk for identity theft, and take appropriate precautions, such as freezing your credit or, if you haven't already, investing in identity theft protection.


Data Breach Alert: Web services provider hacked, 573,000 accounts compromised

Posted by Caitlin on July 27th, 2009

Network Solutions provides website hosting and payment processing services to online merchants. On Friday, the company announced a data breach that puts more than 573,000 customers at risk of identity theft. The breach was caused by hackers, who broke into the company's servers and installed malicious code that allowed them to intercept personal and financial information whenever customers made purchases at online stores hosted by Network Solutions. The stolen payment data includes transactions made between March 12 and June 8. Network Solutions has begun notifying the impacted merchants, and has offered to help notify impacted customers as well. Network Solutions spokesperson Susan Wade stated, "We feel terribly about it, to burden them with the notification process, which can be kind of tricky because there is no one federal data breach statute." The company is offering to pay for one year of TransUnion credit monitoring for any consumer whose financial data was compromised.

To learn more about credit monitoring services, see our reviews and comparison chart. You may also be interested in identity theft protection services, which take other measures to prevent and detect identity theft, in addition to credit monitoring.


Early efforts to tighten medical data security

Posted by Caitlin on July 13th, 2009

A state law requiring California health care organizations to report suspected medical data breaches went into effect this past January. Since then, California officials have received more than 800 data breach reports. The California Department of Public Health expects to receive fewer reports once health organizations become more familiar with the reporting procedures. So far, 116 have been confirmed as actual breaches, most of which were unintentional. Offending organizations or individuals can be fined up to $250,000 per breach, depending on the nature of the breach and the extent of the harm caused. Kaiser Permanente Bellflower Medical Center in Los Angeles, for example, was fined the full $250,000 after hospital workers peeked at "Octomom" Nadya Suleman's medical records. California has been on the forefront of data breach notification laws. This medical breach notification law is the first in the nation, but health care providers have complained that it is too rigid.

Medical data security is still in its early stages, which makes medical identity theft even more difficult to prevent than other forms of identity theft. TrustedID is one identity theft protection service that does offer medical record protection. To learn more about TrustedID or other identity theft protection services, see our reviews and comparison chart.


What to do with leftover customer data?

Posted by Caitlin on July 1st, 2009

Verified Identity Pass was a privately owned company that offered a service called Clear, which was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance. On June 21, Verified Identity Pass announced that, for financial reasons, it would be ceasing operations. The abrupt closure has raised serious concerns about the customer data collected by the company. Stored information includes fingerprints, iris scans and digital images for roughly 260,000 customers. While this registered travel program was privately owned, it was authorized by the TSA, which required the service to record full legal names, home addresses, dates and places of birth, genders, heights, driver's license numbers, passport details and other information for all customers.

Bennie Thompson, the chairman of the House Committee on Homeland Security, has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of all this data. The TSA is in the process of putting together a response to this question, and in the meantime, claims that Clear is appropriately safeguarding the collected data. Verified Identity Pass assures customers that their information is being stored in conformance with the TSA's security and privacy requirements. But the data has yet to be deleted, leaving open the possibility that it could be sold or passed on to a third party, if the intention is to use it for another registered travel program.

As long as our personal information is out there, beyond our control, it is wise to invest in identity theft protection.


Data Breach Alert: Stolen laptop puts Cornell students at risk

Posted by Caitlin on June 29th, 2009

Earlier this month, a laptop was stolen from Cornell University. The stolen laptop contained names and Social Security numbers for 22,546 current and former students and 22,731 faculty and staff members. In violation of Cornell's policy, the laptop was left in a physically insecure environment, and the names and Social Security numbers were not encrypted. New York State Police have launched an investigation to find the thief and recover the laptop. Cornell is offering free credit monitoring and identity theft restoration services to those whose identities have been compromised.

Lost or stolen laptops are a major cause of data breaches. Even if the missing computer does not contain a database of sensitive personal data, in the wrong hands, it can be scoured for useful information that puts the owner at risk. For tips on how to mitigate this risk, see our "How to deal with a lost or stolen laptop" guide. And see our reviews and comparison chart for more information about credit monitoring or identity theft protection services.


New security patch protects BlackBerry business users

Posted by Caitlin on June 10th, 2009

Research in Motion recently released a security patch to repair a vulnerability in the software on some BlackBerry smartphones. This particular vulnerability occurs in the PDF distiller program, and only impacts consumers that use BlackBerry Enterprise Server, versions 4.1 through 5.0. Unpatched, it could allow hackers to send BlackBerry users emails with specially crafted PDF attachments containing malware designed to steal data. The patch itself, along with further details, can be found on the BlackBerry support forum.

As smartphones become even more popular and increasingly powerful and complex, they will draw more attention from hackers and identity thieves. Until more robust security software is made available for smartphones, users should be vigilant when it comes to security patches like this one, and consider investing in an identity theft protection service.
