In the Scam of the Day for December 22, 2023 I first told you about the data breach involving all thirty-six million customers of Internet service provider Comcast Cable Communications, which does business as Xfinity, in which usernames, hashed (encrypted) passwords, birth dates, security questions and answers as well as the last four digits of the Social Security numbers of its customers were compromised.  Some people might wrongly believe that having only the last four digits of their Social Security number in the possession of scammers does not put them in jeopardy, but it most certainly does.  The first three digits of your Social Security number relate to where you live and are easily determined; the second two digits are group numbers that until 2011 were based on when you obtained your Social Security number and are even available on the Social Security website for years up till 2011, but even for numbers issued after that date, there are only 99 possibilities, so it is not particularly difficult for an identity thief to determine your Social Security number with just the last four digits.  Armed with your Social Security number, a criminal can make you a victim of costly identity theft quite readily.

The data breach of Xfinity is an example of a supply chain data breach where cybercriminals hack makers of software used by many companies, individuals and government agencies and insert their malware into the legitimate software of manufacturers who have not taken proper security precautions in the development of their software.  Users of the software trust these companies and too often their trust is misplaced.

Now a class action against Comcast as well as Citrix Systems, Inc and Cloud Software Group, who were the supply chain companies involved with the data breach, has been preliminarily settled with Comcast agreeing to provide three years of free financial and credit monitoring and identity theft protection, plus either a reimbursement of out-of-pocket losses and lost time of up to $10,000 or an alternative cash payment of $50.  A final approval hearing has been scheduled for July 7th.

TIPS

One important lesson is to limit the amount of personal information that you provide to companies and websites whenever possible.  For example, your doctor doesn’t need your Social Security number for his or her records and neither does your internet provider.

You should make sure that you have a unique password for each of your online accounts so that if one of your passwords is compromised in a data breach, all of your accounts will not be in danger.  If your information is compromised in a data breach, you should immediately change the password for that account.

If you have not already done so, set up dual factor authentication for each of your accounts where it is available. This will protect you from having those accounts stolen by someone who may have access to your password.  However, it should be noted that the malware responsible for this particular data breach is able to bypass password requirements and dual factor authentication.

Freezing your credit is also something everyone should do.  It is free and easy to do.  In addition, it protects you from someone using your identity to obtain loans or make large purchases even if they have your Social Security number.  If you have not already done so, put a credit freeze on your credit reports at all of the major credit reporting agencies.  Here are links to each of them with instructions about how to get a credit freeze:
As for the significant threat of supply chain attacks, while there is little that we as individuals can do to protect ourselves, the Cybersecurity and Infrastructure Security Agency (CISA), working together with private industry, released new best practices guidelines for companies to implement to reduce the threat of supply chain attacks.  While these best practice guidelines are not mandatory, it is hoped that companies will follow them.
