Texas
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Texas’s Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Cyber-attacks are intentional breaches of information systems. Cybercriminals often target employees to infiltrate computer networks. Motivations for attacks vary, but economic gain is a prevalent driver. In Texas, common attacks include phishing, identity theft, and ransomware. In 2022, the FBI received over 21,800 complaints about a business email compromise scheme. Around 1,900 of these complaints were from Texas, resulting in $260 million in losses. According to FBI data, this marked an increase from the roughly 1,600 victims in Texas reported in 2020.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Texas' Biggest Data Breaches
Mr. Cooper Group
On October 31, 2023, Mr. Cooper (formerly Nationstar Mortgage) discovered suspicious network activity, leading to an immediate shutdown to protect data. An investigation revealed unauthorized access between October 30 and November 1, 2023. Personal information files were accessed, and the data of 14,690,284 individuals was affected. The breach was reported to the Office of the Maine Attorney General.
Allied Pilots Association
On October 30, 2023, the APA had a problem with its computer network. Bad actors used a type of cyberattack called ransomware, which could have exposed members' information. The attack started by shutting down the APA's servers. After that, the attackers disconnected the website from the secure member pages, accessing a lot of APA data while professionals tried to regain control. The attack was so severe that the APA had to tell members about it on social media because it couldn't use the website.
Harris Health System
On June 2, 2023, Harris Health System found out that it had experienced a data breach. During the breach, sensitive personal information and protected health data in its systems might have been accessed. The investigation revealed that an unauthorized party could have gotten hold of this sensitive information by exploiting a vulnerability in the MOVEit file-sharing platform used by Harris Health System on May 28, 2023.
MedStar Mobile Healthcare
A Texas ambulance service provider for 15 cities reported a ransomware breach to federal regulators. The Metropolitan Area EMS Authority, also known as MedStar Mobile Healthcare, disclosed the incident, affecting around 612,000 people. The breach occurred on October 20, involving unauthorized access to MedStar's network with personal health information at risk.
Baptist Medical Center
Based in San Antonio, Baptist Medical Center experienced a significant data breach, compromising 1,201,648 records due to a Business Email Compromise (BEC) attack. The incident, detected on April 20, 2022, led to the misdirection of information to a threat actor. The same day, the company issued a statement acknowledging the likelihood of compromised systems with malicious code.
Texas Department of Insurance
On January 4, 2022, the most severe data breach of 2022 occurred when the Texas Department of Insurance uncovered and successfully halted a cyber-attack. This incident is notable for compromising 1.8 million records, making it the highest number affected not just in 2022 but also since Texas started recording data breaches. It ranks among the most significant breaches, involving the theft of substantial amounts of sensitive personal information, such as names, phone numbers, Social Security numbers, and insurance claim details.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Section 521.053 of the Texas Business and Commerce Code now requires businesses to inform the Texas Attorney General of a data breach "as soon as practicable and not later than 30 days. However, the 60-day deadline for notifying residents remains unchanged.
A data breach extends beyond mere hacking of computers and devices; the notifications mandated by the Act can also be activated if an employee steals a customer's financial information. Additionally, the Act triggers notification requirements if Customer A mistakenly receives Customer B's information due to a coding error.
This requirement extends to any business that handles computerized data with sensitive personal information. As defined by the Act, sensitive personal information includes unencrypted data such as the following:
- Customer's Name
- Driver's License Number
- Social Security Number
- Healthcare Information and
- Financial Information (e.g.card details)
When businesses are preparing their notifications, they should be ready to provide a range of information, including:
- A detailed description of the nature and circumstances of the breach
- The number of residents affected by the data breach
- Steps taken in response to the data breach
- Planned measures your business intends to take following the notification
- Information on whether law enforcement officials will be involved in the investigation process
Laws
- The Texas Identity Theft Enforcement and Protection Act (Code 521.001) mandates reporting of data breaches affecting 250 or more Texans to the Office of the Texas Attorney General.
- Reports must be submitted as soon as practicably possible and by 30 days after discovering the breach.
- Businesses and organizations must notify affected consumers by 60 days. For data breaches impacting over 10,000 individuals, businesses must report the breach to consumer reporting agencies.
- Starting September 1, 2023, reports must be submitted electronically using the Data Breach Report provided by the OAG.
- The report to the A.G. must specify the number of Texans notified about the breach via mail or email.
- Entities or individuals obligated to issue security breach notifications must adhere to the following criteria:
- Complete the Data Breach Report web form only if you are an authorized agent of the affected business or organization, such as the owner, manager, officer, attorney, or a representative with submission authority. While at it remember:
- The web form does not have a save feature, so ensure you fill it out in one sitting.
- Avoid using the "back" button on your browser to prevent clearing your submission.
- Complete the Data Breach Report web form only if you are an authorized agent of the affected business or organization, such as the owner, manager, officer, attorney, or a representative with submission authority. While at it remember:
- If your business experienced multiple breaches, submit a separate Data Breach Report for each incident.
- For businesses providing supplemental or updated information on a previously reported breach, ensure the new report reflects the total number of affected and notified consumers to date, including all Personal Information involved.
- In case of submission errors, email screenshots of your completed report and the error messages to databreachnotice@oag.texas.gov