Your Kids Data Hacked: 45 Million Students and Teachers Records Exposed

/in , /by

The PowerSchool data breach, which occurred in late December 2024, involved the unauthorized access to sensitive information belonging to millions of students and teachers across the United States.

What Happened:

  • Compromised Credentials: The breach exploited a vulnerability in the PowerSchool SIS (Student Information System) platform, specifically through the “PowerSource” customer support portal.
  • Data Theft: Some reports say cybercriminals gained access to the system using stolen credentials, enabling them to extract significant amounts of data.
  • Data Impacted: The stolen data included a range of sensitive information, such as:
    • Student Information: Names, addresses, dates of birth, Social Security numbers, medical records, grades, and even disciplinary records.
    • Teacher Information: Names, addresses, contact information, and potentially other personal details.

How it Happened:

  • Vulnerability Exploitation: Other reports say the attackers likely exploited a security flaw in the PowerSource portal, potentially through a phishing attack or by obtaining legitimate credentials through other means.
  • Insufficient Security Measures: The breach highlights potential weaknesses in security infrastructure, such as inadequate password protection, insufficient monitoring, or lack of robust intrusion detection systems.

Impact on Personal Security:

  • Identity Theft: The exposure of Social Security numbers and other personal information significantly increases the risk of identity theft for both students and teachers.
    • This could lead to financial fraud, such as the opening of fraudulent accounts including credit cards.
  • Data Misuse: The stolen data could be used for various malicious purposes, including:
    • Targeted Phishing Attacks: Cybercriminals could use the information to launch highly targeted phishing attacks, increasing the likelihood of successful social engineering attempts.
    • Black Market Trade: The stolen data could be sold on the dark web, where it can be used by other criminals for various illicit activities.
  • Privacy Violations: The breach represents a serious violation of privacy for students, teachers, and their families.
    • This can erode trust in educational institutions and technology providers.
  • Psychological Impact: The data breach can cause significant anxiety and distress for individuals affected, particularly those whose sensitive personal information has been compromised.

Addressing the Impact:

  • Monitoring Credit Reports: Individuals affected by the breach should closely monitor their credit reports for any suspicious activity and consider placing a fraud alert or credit freeze.
  • Strong Passwords and Multi-Factor Authentication: Implementing strong, unique passwords and enabling multi-factor authentication on all online accounts is crucial to mitigate the risk of further compromise.
  • Be Vigilant for Phishing Attempts: Individuals should be highly vigilant for any suspicious emails, phone calls, or text messages, especially those that appear to be from legitimate sources.
  • Educate Yourself on Cybersecurity Best Practices: Understanding basic cybersecurity principles and best practices can help individuals protect themselves from online threats.

Freeze you and your child’s credit now. 

There are two ways to go about freezing your child’s credit. One is free, but it takes a lot of time, and the credit bureaus are very difficult to work with, and the second is fee-based, but it’s a lot less time and you have advocates working for you to make sure the credit freeze sticks. Read on. 

Freezing a child’s credit prevents anyone from opening new accounts in their name. Here’s how:

  • Contact Credit Bureaus:
    • You must contact each of the major credit bureaus: Equifax, Experian, and TransUnion.
    • Each bureau has its own process, often with online options and phone numbers. But don’t expect anyone to answer the phone. 
  • Provide Necessary Information:
    • You’ll need your child’s Social Security number, date of birth, and your own identifying information to verify your relationship.
    • You may also need to provide proof of address. Birth certificates, etc. 
  • Place the Freeze:
    • Each bureau will have a specific process, usually involving completing a form or making a phone call and sending in a ton of documentation. 
  • Obtain PINs:
    • Each bureau will assign a unique PIN or password.
    • You’ll need this PIN to temporarily lift the freeze if necessary (for example, to apply for a loan for college).

Important Notes:

  • Early Action: It’s best to freeze your child’s credit early on, even if they are very young.
  • Regular Monitoring: Regularly check your child’s credit reports for any unauthorized activity. And there shouldn’t even be a credit report, unless their identity was stolen. 
  • Consider a Credit Monitoring Service: These services can alert you to any suspicious activity on your child’s credit report.

Freezing your child’s credit is a proactive step to protect them from identity theft and potential financial harm.

I strongly recommend visiting the websites of the major credit bureaus (Equifax, Experian, and TransUnion) or contacting them directly for the most up-to-date and accurate information on freezing a child’s credit. Or… see below. 

Here’s another way to go about it and it’s not all that expensive and much more efficient: CreditParent (a company I have a stake in) helps parents freeze your child’s credit to prevent unauthorized accounts from being opened in their name.

Here’s the process for freezing your child’s credit with CreditParent:

  • CreditParent shows you how to gather your Childs information: You’ll provide details about your child and all the necessary documentation the credit bureaus need.
  • Via a secure and encrypted portal, CreditParent submits freeze requests on your behalf to all three major credit bureaus: Equifax, Experian, and TransUnion.
  • CreditParent then works with you to follow up with the credit bureaus to make sure that your child’s credit freeze has been established. Otherwise, the credit bureaus, sometimes just let your information sit there in a pile and do nothing with it. The credit bureaus aren’t efficient, at all. 

Here is me discussing the topic on Fox Boston:

https://youtube.com/watch?v=uTB3PCHtXBY%3Fsi%3DaWN6pdB-tvb9Rm2U

The PowerSchool data breach serves as a stark reminder of the critical importance of robust cybersecurity measures in protecting sensitive personal information. It underscores the need for continuous vigilance and proactive measures to safeguard individuals from the growing threat of cyberattacks.

Mobile Provider Data Breaches: Know Your Risks

/in , /by

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication that you never share or use for any other purpose. Have alerts sent to you whenever there is an authentication request sent, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.

DoorDash Admits 4.9 Million Affected by Data Breach

/in /by

DoorDash has admitted that it has been the victim of a data breach, which has affected about 4.9 million merchants and people.

In a recent blog post, DoorDash announced that it noticed some odd activity early in September from a third-party service. After looking into it, the company found that an unauthorized third party was accessing user data from DoorDash on May 4, 2019. DoorDash immediately took steps to stop any future access and to improve security.

Those who were affected by this breach joined DoorDash on April 5, 2018 or before. Those who joined after that specific date were not part of this breach. The company said it will contact those customers who were affected.

This breach involved data including email addresses, names, order history, delivery addresses, phone numbers, and encrypted passwords. In some situations, bank account numbers and the last four digits of payment cards were also released. Additionally, the driver’s license numbers of approximately 100,000 delivery people were accessed. Bank account information and full payment card numbers were not compromised.

This data is called PII or Personal Identifying Information that could be used to open new accounts, take over existing or “socially engineer” you. Going forward, as with all data breaches be on the lookout for scammy emails and phone calls. Be suspect every time the phone rings and make sure unless you are 100% sure, you aren’t clicking links in emails even if you recognize the sender.

DoorDash also said that it has added additional layers of security in order to protect the data of its customers, and it has improved the protocols that are used to get access to this data. The company has also told customers that it is a smart idea to change their passwords, even if they were not affected.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

The “Mother of All Data Breaches?” It Could Be Here…

/in /by

You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique emails, along with more than 21 million unique passwords, have been exposed.

data breach

Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach, and he says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.

This data breach, known as “Collection #1,” is very serious. However, it could just be the tip of the iceberg. There are claims that there are several more “collections” out there, and it could be as much as one full terabyte worth of data. This could be the newest “mother of all data breaches” if this is found to be true.

So, what does all of this mean for you? It not only means that your information could be part of this breach, but it also could mean that these password and email combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to hack into accounts. Basically, this could have an impact on anyone who has used an email/password combination on more than one site.

This, of course, is concerning because this particular breach has about 2.7 billion email/password combinations. On top of that, around 140 million of the emails, and 10 million of the passwords, were brand new to the hacking database, which gives the hackers even more ammunition to wreak havoc. The big lesson to be learned here is that you should always use good security practices when you create accounts online. You should never use passwords from one account to another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set that up, too.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Second Hand USB’s Could Have Personal Info Still Inside

/in , , /by

An unsurprising study was recently released that found even when a portable USB drive is erased, not all of the documents and images are always removed. That, of course, is frightening.

Here’s how the research was done:

Researchers went online to sites like eBay, to second-hand shops, and even auction stores. They bought 200 used USB drives, half from the US and half from the UK. Almost 2/3 of the devices had data on them! This data was, for the most part, personal data, and it can also be used by cybercriminals to steal someone’s identity. On top of that, these USB drives can contain malware.

Removing All Data is Difficult

When someone tries to delete or remove data from a USB device, they rarely have success. In fact, of the 100 USB devices the researchers bought in the US, only 18 of them were totally wiped clean. The rest of them had data that had been deleted, but someone could certainly recover it. The UK devices were similar. What’s so surprising about this is that it is extremely easy…and free…for someone to fully delete their device. But most people just don’t put in the effort, and that could definitely hurt them in the future.

USB Devices Can Be Risky

Using these devices can be risky, not only for average people, but also for businesses. In 2017, for example, a USB device was lost, and it contained sensitive information about Heathrow Airport. The government investigated, and eventually fined the company. The information was not encrypted, nor password protected, and it was found on the street by a random passerby.

Because of these risks, some companies, like IBM, have banned the use of USB devices. Instead, employees must use the company’s cloud. Other companies still allow them, of course, but they could be going down a dangerous road. These devices are really cheap to buy, and people can save almost anything on them, but they are also very easy to lose.

There are other issues with USB devices too. First, of course, you have the data on these drives to deal with, but there is also the fact that potential malware could be on the devices. Most companies don’t have the same rules that IBM has, and most consumers don’t think of this at all. This makes people and small businesses very vulnerable. So, if you use USB drives, there is one very important step that you need to take: encrypt it.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

The Top Cyber Security Threats to Real Estate Companies

/in , , /by

Gone are the days when hackers would only target retailers. These days, the bad guys an target businesses in any industry, especially those that aren’t quite up on cyber security.

The real estate industry is one such group, and according to a recent survey, about half of businesses in the real estate industry are not prepared to handle a cyberattack. Federal law requires some industries, like hospitals and banks, to have some type of security in place for things like that, but the real estate industry is quite vulnerable. Here are some of the security threats you should look out for if you’re in the real estate industry:

Business Email Compromise (BEC)

A BEC, or business email compromise, is a type of cyberattack that tricks a business into wiring money to a criminal’s bank account. The hackers do this by spoofing email addresses and sending fake messages that seem like they are from a trusted business professional, such as the CEO or a company attorney. The FBI has found that multi-billions in business losses can be attributed to BEC.

That’s scary enough, but the FBI also says that real estate companies are specially targeted in these attacks and every participant in the real estate transaction is a possible victim.

Mortgage Closing Wire Scam
Prior to closing on the sale of a home, the buyer receives an email from their real estate agent, title attorney or other trusted service professional with specific details of the time, date and location of the closing. In this same email, there are detailed and urgent instructions on how to wire money for the down payment but to a criminal’s bank account. Within moments of the wire transfer, the money is withdrawn, and the cash disappears.

A report by the FBI's Internet Crime Complaint Center totals the number of victims of the mortgage closing wire scam ballooned to 10,000 victims, an 1,110 percent increase in the years 2015 to 2017 with financial losses totaling over $56 million, which is a 2,200 percent increase.

Ransomware

Another threat to real estate companies is ransomware. This is the type of malware that makes the data on your device or network unavailable until you pay a ransom. This is very profitable for hackers, of course, and it is becoming more and more popular. All it takes is one member of your team clicking on a link in an email, and all of your data could be locked.

Ransomware doesn’t just target computers though. It can target any device that is connected to the internet including smart locks, smart thermostats and even smart lights, which are gaining a lot of popularity in American homes. When digital devices get infected with ransomware, they will fail to work.

Generic Malware

Though most people hear about ransomware these days, there are other types of malware out there that hackers use, too. For instance, you have probably heard of Trojans a.k.a. Spyware or Malware, which is very much still around. These can be used by cybercriminals to spy on their victims and get a person’s banking information or even wipe out their accounts. Malware can also be used to steal personal information and even employee information, such as client data, credit card numbers and Social Security numbers. Again, real estate companies are not exempt from this type of attack and are now even bigger targets.

Cloud Computing Providers

If you are part of the real estate industry, your business is also at risk of becoming a victim thanks to cloud computing, which is more economical these days. A cyber thief doesn’t have to hack into a company to get its data; all they need to do instead is target the company’s cloud provider.

It might seem that by using a cloud company you are lowering the risk of your business becoming a target, but the truth is, the risk still lies with your company, how secure your own devices are and how effective passwords are managed. In most contracts with cloud computing companies, the customer, which would be your business, is not well-protected in the case of a cyberattack.

Protecting Your Real Estate Company from Becoming a Victim of a Cyberattack

Now that you know your real estate company is a potential target of cybercriminals, you might be wondering what you can do to mitigate this risk. Here are some tips:

  • Create New Policies – One of the things you can do is to develop new policies
    in your agency. For example, in the case of BEC scams, if you have a policy that
    you never wire money to someone based only on information given via email,
    you won’t have to worry about becoming victimized in this type of scam. Instead,
    you should talk to the person sending the email in person or via a phone call just
    to confirm. Make sure, however, that you don’t call a number from the suspicious
    email, as this could put you right in touch with the scammer.
  • Train Your Staff – Another thing that you should consider is better staff training.
    Most hacking attempts come via email, so by training your staff not to blindly
    open attachments or click on any links in emails, you could certainly save your
    staff from these scams. Check out our S.A.F.E. Secure Agent for Everyone
    Certification Designation course, which is a marketing differentiator that offers
    ideas and methods to promote proactive strategies to ensure incident-free
    results. Learn how to develop client-centered procedures customized for safety
    and security.
  • Train Your Clients – Mortgage closing wire fraud scams can be manageable if
    not preventable. Inform your clients that in the process of buying or selling a
    home, there will be many emails to and from your real estate agent and other
    service professionals including your attorney, mortgage broker, insurance
    companies and home inspector. Tell them: Call Your Agent: Under no
    circumstances and at no time in this process should the client or service
    professional engage in a money wire transfer unless the client specifically speaks
    to the real estate agent in person or over the phone to confirm the legitimacy of
    the money wire transaction. Email Disclosure: Clients should always look for
    language in the real estate agent’s email communications stating the above or a
    similar facsimile.
  • Back Up Your Systems – It is also very important that you always back up
    everything. This way, if your system does get hacked, you won’t have to pay a
    ransom, and you will be able to quickly restore everything that you need.
  • Better Your Cloud Computing Contracts – Since you know that cloud
    providers don’t really like to take on the responsibility in the case of a
    cyberattack, you might want to start negotiating with the company in question
    about what you can do about that. This might include getting better security or
    adding some type of notification requirements.
  • Consider Cyber-Liability Insurance – You also have the ability to get cyber-
    liability insurance. This could really help you to cut the risk to your real estate
    business. There are all types of policies out there so make sure to do your
    research, or better yet, speak to a pro about what you might need.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How to Protect Fortnite Accounts

/in , , , /by

If you have tweens or teens, you are probably aware of the popular game Fortnite. Though it might say that it’s free, playing Fortnite can actually be quite expensive, and it could put player’s accounts at risk due to a security flaw.

A bug was recently discovered that allows hackers to obtain the login credentials of Fortnite users if they clicked on a link in a fake email. The company responsible for Fortnite, Epic Games, has acknowledged the bug but won’t say how many people were affected.

Not only could a hacker access a user’s Fortnite account, they could make in-game purchases using the person’s credit card, which is connected to the account. Hackers could also listen in to private chats!

How it Happens

You might wonder how players would actually click on these fake email links. Well, it happens all of the time. In this case, the users clicked on a link that took them to a site that promised to give them “V-Bucks,” which are the in-game currency for Fortnite. Once the players enter their information in, sometimes even asking for credit card information, the hackers have all they need.

Most games like this have an in-game currency, and Fortnite is no exception. Players can buy things like outfits for their players, better weapons, and even bonus items. So, even kids who don’t have their own credit cards will often sweet talk their parents into giving their credit cards, and once that info is in the game, you can use it whenever you want to make purchases.

Fortnite for Money Laundering

Hackers also known as “carders,” who specialize in stealing and selling stolen credit card numbers, are using Fortnite as a bank. They are using stolen credit card numbers to make V-Buck purchases and selling them to other players at a discount. When playing Fortnite in Battle Royale mode and earning “Photons” (a new form of cryptocurrency), it seems the hackers can set up a crypto wallet connected to their account to withdraw the stolen funds.

Protecting Your Card

 If you have given your kids permission to use your credit card for Fortnite, you are not alone, but you should take steps to protect it.

safr.me

Do your kids make digital purchases with you money?

The first thing you should do is set up a passcode, one that your kids can’t guess. This means they cannot buy anything in the game unless you approve it. You will have to do this on the gaming console you use. Xbox, for instance, allows you to set a code for the following actions:

  • Signing in when the console is turned on
  • Updating device settings
  • Making a purchase

Microsoft also advises its users against putting a credit card into the Xbox account of any child or other family member who you don’t want making any in-game purchases. This way, you can keep your family safe, and keep your money safe.

Beware of Phishing

Make sure your kid isn’t providing email addresses (theirs or yours) to anyone on Fortnite. If they do, there’s a strong possibility they might provide it to a criminal phisher. Once this happens, tricky phishing emails that look like they are coming from Fortnite designed to steal passwords are likely to hit your inbox.

Set up Two-Factor Authentication

Any and every account that is considered “critical,” which means it contains personal or sensitive information, should have two-step or two-factor authentication.

Fortnite provides this, and parents MUST enable it. Go to Logins, and open account settings at your username in the top right corner. Then, select password security. At the bottom, click on “two-factor” sign in.

The Master List of 2018 Breaches

/in /by

The Master List of 2018 Breaches

2017 was a record setting year for data breaches, but we might have to call 2018 “The Year of the Breach.”

According to Verizon, there have been more than 2200 data breaches across the globe, and about 68 percent of these breaches were not detected for months. This is not good news for any business or organization.

Here are some of the major breaches of 2018:

Facebook

Facebook is part of the list of 2018 breaches but NOT because of the Cambridge Analytica scandal. Instead, it’s because of the breach that occurred in late September, when about 50 million people had their data exposed. This hack took advantage of vulnerabilities in Facebook’s code, and hackers were able to control the accounts of
users.

Department Store Hacks

Several department stores were also hacked this year including Saks Fifth Avenue and Lord & Taylor, which were hacked in April. These stores had their customer payment cards compromised. Macy’s also was hacked. This time, it was the names and passwords of its customers that hackers obtained.

The Master List of 2018 Data Breaches Hacks Robert Siciliano Safr.me

Fitness Hacks

There were also hacks against fitness companies like Adidas and Under Armour. In the case of Adidas, hackers accessed the data of several million customers. In the case of Under Armour, the hackers targeted the brand’s app, MyFitnessPal, and were able to access the information from about 150 million users. In neither case were Social Security numbers, payment information, nor driver’s license numbers accessed.

Exactis Hack

The biggest hack of the year was also the one that most people don’t even know about. You probably don’t even recognize the name Exactis, but it is a marketing and data aggregation firm. In June, the company leaked the data of more than 340 million Americans. In this case, the company did not secure its database, and this left records
open to anyone who wanted them. Not only were people affected here, but so were businesses. Phone numbers, emails, addresses, and even interests of these people were exposed.

Marriott

Marriott also makes the list of the major breaches of 2018 (but it originated as early as 2014), and in this case, about 500 million people were affected. This hack was done through the Starwood Hotels guest database. It was later realized that the hackers who did this were very likely working for the Chinese government, which was trying to gather intelligence. China has denied being involved in the hack, but experts claim that the methods used in the hack and evidence found all point towards the Chinese government.

Google

There were a few other hacks that are worth mentioning too. Google, for instance, though not technically hacked, did expose data of its users thanks to a security bug. In this case, about 50 million accounts were compromised.

We hope, of course, that lessons were learned in 2018 so that 2019 looks a bit more promising, but as most security professionals know, hackers like to stay one step ahead. So keep your data as safe as possible.

What can you do? Move to Montana, find a cave, live in it. Toss your mobile, PC and credit cards and eat off the land.

Or…

Problems for Quora Keep Building

/in /by

Quora, the popular question-and-answer website, is the latest entity to be affected by a massive data breach. This time, it is estimated that 100 million people could be affected.

Adam D’Angelo, CEO of Quora, released a blog post that explained user account information (like email addresses and user names) as well as encrypted passwords and other data were accessed by the hackers. Additionally, he wrote that comments, public questions-and-answers and even direct messages could have been accessed.

D’Angelo stated that Quora is working quickly to get more information on the breach and that it is taking important steps to ensure that it prevents a breach from happening again.

Quora is a privately held company based in California. Users of the site can ask questions about almost anything, and other users answer these questions. The company claims that it has more than 300 million unique visitors per month. Although this data breach is not as devastating as others, such as the other recent breach announced by Marriott International, it is still concerning. The Marriott breach went on for several years, and more than 500 million people were affected. For about 327million, their passport numbers, birth dates and more were accessed.

The Quora breach was not as serious. The biggest concern for people affected by this breach is the possibility of falling for a phishing scam. Basically, these scams work by tricking people into clicking email links that allow the scammer to get personal info or installing malware onto the victim’s computer. This could be significant, however, as some of the data has come from networks like Facebook, which users can connect to their Quora accounts.

This is a really good reminder to anyone with social media accounts, or other online accounts, to consider a throwaway email account. This is an account that is neither connected to work nor your primary email account. This way, if it gets hacked, you can simply delete it.

To add some insult to injury, Quora also just announced that a “malicious third party”has accessed one of its systems. The company is currently investigating the issue, and it’s working with a security firm to get to the bottom of it. Quora is also in the process of notifying any users who might have been affected by this breach. They are also logging these people out of the site and forcing them to change their passwords.

Last thing: I’m a fan of Quora, and yes, this breach sucks, but it’s less sucky than others. Feel free to ask me a question on my Quora.

2017 Was the Worst year for Data Breaches EVER!

/in , , /by

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time?  Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.