Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for March 10th, 2023. I’m Alex Achten.

Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we’re going to focus on some of the most notable data breaches from February, two of which highlight a troubling trend the ITRC continues to see involving a lack of information in data breach notices.


Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 10, 2023. Each week, we look at the most recent events and trends related to data security and privacy. This week, we focus on February’s top data breaches, two of which highlight a troubling trend the ITRC continues to see involving a lack of information in data breach notices.

For those of you who have seen “A Few Good Men,” you probably remember Tom Cruise playing military lawyer Lieutenant Daniel Kaffee, who was investigating a case involving the murder of two Marines. Lieutenant Commander JoAnne Galloway suggested the Marines were acting on the order of their commanding officer. During the trial, Lieutenant Kaffee called on the commanding officer to question him, hoping to get the truth. The questioning led to the line that is the appropriate title of today’s podcast – “You can’t handle the truth!”

February’s Top Data Breaches

In February, the ITRC tracked 108 data compromises impacting 37 million people. A data incident at PeopleConnect, Inc. was responsible for over half of the victim total – 20.2 million people.

PeopleConnect Inc.

PeopleConnect, the owners of the TruthFinder and Instant Checkmate background services, says they suffered a data breach after hackers leaked a 2019 backup database containing information on millions of users. Impacted information includes names, email addresses, phone numbers, encrypted passwords, and expired and inactive password reset tokens.

Weee! Inc.

Online grocery delivery platform Weee! Inc. suffered one of February’s top data breaches when delivery data of 11 million customers was leaked online. According to Cybernews, some logs include door codes couriers use to enter buildings. The threat actor claims the leaked database includes sensitive data, such as users’ first names, last names, emails, phone numbers, home addresses, delivery types, devices and dates. Weee! confirms the breach but says no customer financial data was exposed.

Regal Medical Group

Finally, Regal, a medical group, suffered a compromise that impacted just over three million people. In a data breach notice, Regal says malware was detected on some of their servers, which resulted in the threat actor accessing and exfiltrating data from their systems. Social Security numbers and personal health information are just some of the data that may have been involved.

Data Breach Notices Lack Information

While some information is available on each of these compromises, two of the three notices did not provide enough information to determine the attack vector details – other than that they were cyberattacks. In 2022, 66 percent of notices did not include victim and attack details. The lack of information puts consumers and businesses at higher risk of becoming the victim of an identity crime. We have discussed this trend at length and will continue to speak about it to encourage positive change.

Steps You Can Take

If you received a data breach notice for one of the top data breaches in February, or any compromise, follow the advice in the notice, update all your passwords to a long and unique passphrase (not just the impacted account), and watch for phishing attempts that claim to be from the breached organization.

ITRC Breach Alert for Business Coming Soon

Later this month, the ITRC will launch a beta test of a new service for businesses that want to ensure they receive a notification when a data breach at a vendor or partner is entered into the ITRC’s data compromise database. Stay tuned for more details.

Contact the ITRC

If you want to know more about how to protect your business or personal information, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

We will be back next week with another episode of the Weekly Breach Breakdown.