Posts

I get these emails with some regularity. I’ve kept the same email address for about ten years now, so there are a lot of chances for my records to be exposed.

In this latest breach, over 22 million records were exposed. And unlike most breaches, it was more than emails and addresses. This included mobile phone numbers, CRM entries, records of real-world interactions, summaries of legal briefs, and more.

In fact, at this point my email address and password have been exposed multiple times online. Yours have, too; you just don’t know it yet.

This is a huge part of why we agitate for:

  • Using multifactor authentication
  • Disallowing password re-use

Even though my data is out there, yet again, the combination of using multifactor authentication and different passwords for different sites nearly guarantees that I won’t suffer a personal breach. In fact, both Microsoft and Google have reported that turning on multifactor authentication stops 99% of all breach attempts.

Next time we tell you that multifactor authentication needs to be turned on, you know why!

Yahoo! was hacked multiple times in the 2010s. In the worst case, literally every single account was compromised. If you had opened a Yahoo! account before 2016, your info — including your password — is available on the Dark Web.

Yahoo! is working on winding down the class action lawsuit against it. 2 years of credit monitoring is available to US and Israeli consumers who had Yahoo! accounts during the breach periods.

Breaches listed from the settlement notification:

  • 2012 Data Security Intrusions: From at least January through April 2012, at least two different malicious actors accessed Yahoo’s internal systems.  The available evidence, however, does not reveal that user credentials, email accounts, or the contents of emails were taken out of Yahoo’s systems.
  • 2013 Data Breach: In August 2013, malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts—approximately three billion accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders. As a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, any private information contained within users’ emails, calendars, and contacts.
  • 2014 Data Breach: In November 2014, malicious actors were able to gain access to Yahoo’s user database and take records of approximately 500 million user accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders, and, as a result, the actors may have also gained access to the contents of breached Yahoo accounts, and thus, any private information contained within users’ emails, calendars, and contacts.
  • 2015 and 2016 Data Breach: From 2015 to September 2016, malicious actors were able to use cookies instead of a password to gain access into approximately 32 million Yahoo email accounts.

Ars Technica and the BBC are reporting that the travel insurance and currency exchange company Travelex has been breached. Hackers have allegedly been inside the company’s network for 6 months and stolen customer information including:

  • Credit card info
  • Date of birth
  • Insurance numbers

These incidents are shockingly common, yet only the big companies make the news. Data from Datto says that most small businesses either have suffered a similar attack or have been targeted by one.

How are you safeguarding your clients’ data?

SunTrust Bank quietly announced Friday, April 20th, 2018 that a former employee was working with a “criminal third party” and may have passed along information from as many as 1.5 million client accounts.

Affected customers appear to be receiving this notification by email:

Dear <CUSTOMER>,

SunTrust cares deeply about your privacy and the security of your information. We became aware of potential theft by a former employee of information from some of our client contact lists, as we shared in a news release on Friday, April 20, 2018. We are still investigating in cooperation with law enforcement. We apologize that you are one of our clients who may have been affected, as your continued trust is critical to us.

Given this, we are proactively notifying you that certain information, including your name, address, phone number and certain account balances may have been affected. The contact lists did not include personally identifying information, such as your social security number, account number, PIN, User ID, password, or driver’s license number.

Your confidence is at the core of our purpose, and we want you to know that we have heightened our monitoring of your accounts and increased other related security measures. While we have not identified significant fraudulent activity, know that you will not be responsible for any fraud on your SunTrust accounts as a result of this incident.

At no cost to you, we recommend that you enroll in the IDnotify™ service provided by Experian® which includes:

*   A personalized Experian credit report at signup;
*   Experian Credit Monitoring for indicators of fraud;
*   Dark Web monitoring;
*   Identity Restoration specialists available for immediate help to address credit and non-credit related fraud; and
*   $1 Million Identity Theft Insurance reimbursement for certain costs associated with a stolen identity event, subject to the terms of the policy.

To enroll in IDnotify:

*   Log into your Online Banking account at www.suntrust.com and follow the instructions; or
*   If you do not have an Online Banking account, please visit https://www.suntrust.com/identity-protection and follow the instructions.

To best protect your information, we recommend you consider additional steps that can be found here <https://www.suntrust.com/fraud-and-security-department>. You also will receive more information from SunTrust in the mail.

Protecting your information is a top priority for SunTrust, and we appreciate the opportunity to serve you.

Mark A. Chancy
Vice Chairman

You can probably expect little to no follow-up on this, ever. As always, one of the best things you can do to protect yourself is to freeze your credit. In this case, we’d also recommend checking your balance and recent transactions every day.

Remember, ACH and checking fraud do not carry the same protections as credit cards. Also, while SunTrust says that personally identifying information was not leaked, that is nearly impossible to know after the fact, and this finding appears to have been made after the fact.