Privacy & Identity Theft

SAN FRANCISCO - Attorney General Kamala D. Harris is urging California T-Mobile customers and T-Mobile account applicants to immediately place fraud alerts on their credit records in the wake of the massive breach of T-Mobile customer data housed at Experian, one of the nation’s major credit reporting agencies. Placing a fraud alert on your credit records protects consumers from identity theft by requiring that businesses verify your identity before issuing credit.

Up to 15 million T-Mobile customers’ and account applicants’ Social Security numbers, names, addresses, dates of birth, and identification numbers (such as driver’s license, military ID or passport number) were exposed in the cyber attack on Experian. According to Experian, the breach compromised data that was used by T-Mobile in connection with credit checks of individuals who applied for T-Mobile services from September 1, 2013 through September 16, 2015.  In the wrong hands, it could be used for identity theft, particularly “new account fraud,” or opening up new accounts in the victim’s name.

Unlike credit monitoring, which notifies individuals when activity has occurred on their credit records, a fraud alert is a preventive measure. When a fraud alert is in place, a merchant or other credit issuer checking the credit history of someone applying for credit gets a notice that there is a fraud alert. This alerts the merchant to take extra steps to verify the identity of the applicant. A fraud alert lasts 90 days and can be renewed.

A longer-lasting protection is a security freeze, which prevents the opening of new credit accounts unless the consumer has taken steps to temporarily lift the freeze. A freeze costs $10 per credit bureau or $5 for Californians over 65; it is free to victims of identity theft.  For instructions on how to place a freeze on your account, please see “How to ‘Freeze’ Your Credit Files: Tips for Consumers” under “Helpful Links” below.   

You can place a fraud alert with all three major credit bureaus by calling just one of the toll-free fraud numbers below. You will reach an automated telephone system that allows you to flag your file with an alert at all three bureaus. You will also be sent instructions on how to get a free copy of your report from each of the credit bureaus.

Experian 1-888-397-3742

Equifax 1-800-525-6285

TransUnion 1-800-680-7289

Helpful Links:

T-Mobile Breach Notice: https://oag.ca.gov/ecrime/databreach/reports/sb24-58079

For additional information on “Breach Help: Consumer Tips from the California Attorney General”, visit:  http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis-17-breach-help.pdf

For additional information on “How to ‘Freeze” Your Credit Files: Tips for Consumers”, visit: http://oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_10_credit_freeze_doj.pdf

LOS ANGELES - Attorney General Kamala D. Harris today announced a settlement with Houzz Inc., an online platform for home remodeling and design, to resolve allegations that the company violated California privacy laws by recording incoming and outgoing telephone calls without notifying all parties on the call that they were being recorded.

From March 2013 to September 2013, Houzz’s Irvine office secretly recorded calls that were intended for training and quality-assurance purposes.  Although most of the secretly recorded calls were with home improvement and remodeling professionals, Houzz also recorded customer calls and employees’ personal calls.  Houzz did not notify all parties or obtain consent, in violation of state laws against wiretapping and eavesdropping.  The proposed settlement, filed in Santa Clara Superior Court today, resolves Attorney General Harris’s allegations.

“Houzz violated the trust of its professionals, customers, and employees by recording calls without permission,” said Attorney General Harris.  “This settlement holds Houzz accountable for violating state privacy laws and ensures that the company will stop recording calls without permission.”

After being notified by the California Attorney General’s Office in September 2013, Houzz stopped recording calls and voluntarily cooperated with the investigation. 

The settlement, which is in the form of a stipulated judgment, will require Houzz to appoint an individual to serve in a Chief Privacy Officer capacity who will oversee Houzz’s compliance with privacy laws and shall report any significant concerns to the Chief Executive Officer and/or other senior executives. This is a significant step that is aligned with Attorney General Harris’ ongoing efforts to preserve California businesses’ ability to innovate while ensuring that consumers’ right to privacy is protected.

Under the settlement, Houzz must also conduct a privacy risk assessment addressing its efforts to comply with applicable privacy laws governing its U.S. operations. The privacy risk assessment will evaluate issues that are implicated by Houzz’s business processes, use of technology, and processes related to any business partners with whom Houzz shares personal information, as well as Houzz’s efforts to mitigate or avoid any adverse effects on individuals in the United States. 

Houzz is also required to secure the recordings and destroy them and pay $175,000.

Copies of the complaint and stipulated judgment are attached to the online version of this release at www.oag.ca.gov.

LOS ANGELES - Attorney General Kamala D. Harris today announced that the California Department of Justice, along with the California Public Utilities Commission, has reached a $33 million settlement with Comcast over allegations that Comcast posted online the names, phone numbers and addresses of tens of thousands of customers who had paid for unlisted voice over internet protocol (“VOIP”) phone service. 

As part of the settlement, Comcast must pay $25 million in penalties and investigative costs to the California Department of Justice and the California Public Utilities Commission. Comcast will also pay approximately $8 million in additional restitution to customers whose numbers were improperly disclosed.

“Publishing personal information that should have been unlisted is unlawful and a troubling breach of privacy,” Attorney General Harris said. “This settlement provides meaningful relief to victims, brings greater transparency to Comcast’s privacy practices and sends a message that violations of consumers’ privacy will result in significant penalties.”

As part of the stipulated judgment filed today in Alameda Superior Court, Comcast has agreed to a permanent injunction that requires the company to improve how it handles customer complaints and to strengthen the restrictions it places on its vendors’ use of personal information about customers.  The injunction will require Comcast to provide a simple and easy-to-read disclosure form to all customers that explains the ways in which it uses unlisted phone numbers and other personal information. 

Comcast is in the process of refunding all fees paid for unlisted service by the roughly 75,000 customers whose information was improperly disclosed over a two-year period, which total over $2 million.  Under the settlement, Comcast will pay each of these customers $100 on top of the refund, totaling an additional $7.5 million.  The settlement also provides for further monetary relief to individuals who have identified personal safety concerns related to the disclosure of their personal information, such as law enforcement personnel and victims of domestic violence.

Comcast’s existing customers will receive their restitution payment as a credit on an upcoming telephone bill.  Former customers will have their restitution payments mailed to their last known mailing address in the next few months.  For questions about restitution administration, please contact Comcast at 1-855-290-6262.

This settlement is part of a global agreement that also resolves related administrative actions filed before the California Public Utilities Commission. The Utility Reform Network (TURN) and the Greenlining Institute participated in those proceedings as well as the settlement negotiations and have approved the settlement terms.

Copies of the complaint and stipulated judgment are attached to the online version of this release at www.oag.ca.gov/news.

SACRAMENTO -- Attorney General Kamala D. Harris today issued a statement applauding Governor Jerry Brown’s signature of Senate Bill 676 (Cannella, R-Ceres), which she sponsored.

“Cyber exploitation is an insidious crime that is used to humiliate, degrade, and financially exploit innocent people,” said Attorney General Harris. “SB 676 will restore dignity to victims by providing California law enforcement with a powerful tool to seize and destroy cyber exploitation images and prevent future distribution. I commend Senator Cannella for authoring this important legislation and thank Governor Brown for signing it into law.”

“As technology evolves, unfortunately, so does the rate of cyber-crimes such as cyber exploitation,” said Senator Cannella. “I appreciate the work of Attorney General Harris in prosecuting those who commit these crimes and am glad that Governor Brown signed SB 676 into law to provide stronger protection to victims."

In April, Attorney General Harris announced an 18-year sentence for cyber exploitation operator Kevin Bollaert. This case was the first successful prosecution in the country of an operator of a cyber exploitation website. Bollaert operated ugotposted.com, which allowed the anonymous, public posting of private photographs containing nude and explicit images of individuals without their permission.

In addition to SB 676, Attorney General Harris is also sponsoring AB 1310 (Gatto, D-Glendale), which would allow search warrants to be issued for crimes related to cyber exploitation and allow for the prosecution of cyber exploitation cases in the county where the victim resides or in the county where the images were posted.

Attorney General Harris has convened a working group of 50 major technology companies, victim advocates, and legislative and law enforcement leaders to fight cyber exploitation through a public-private partnership. Specifically, the Attorney General’s working group on cyber exploitation is focused on four key areas: developing an industry statement of principles, education and prevention, law enforcement training and collaboration, and legislation and advocacy. The working group includes major tech companies such as Microsoft, Twitter, Google, Facebook, and Instagram.

Attorney General Harris created the eCrime Unit in 2011 to identify and prosecute identity theft crimes, cybercrimes, and other crimes involving the use of technology.

LOS ANGELES — Attorney General Kamala D. Harris today issued a consumer alert in response to the reported breach of UCLA Health, which has impacted up to 4.5 million people. The reported breach compromised the personally identifiable information and medical records of patients and providers at UCLA Health.

Individuals who believe they may have been impacted can contact UCLA Health at 877-534-5972 or visit http://www.myidcare.com/uclaprotection for more information and options to sign up for free services offered by UCLA.

This breach may pose a risk of sensitive information being compromised, including social security numbers (SSNs), separate health insurance IDs, diagnosis and treatment records, and payment information. Both SSNs and health insurance IDs create the potential for medical identity theft, which is the use of someone’s identity to obtain medical services or products or for financial gain. Medical identity theft can affect both the victim’s finances and medical records. Potentially impacted individuals should closely watch the Explanation of Benefits statements they receive from their health insurer. If the statement includes a service or product you did not receive, contact the insurer and ask for details. For more information, see First Aid for Medical Identity Theft: Tips for Consumers by clicking here. These Tips are also available in Spanish.

The Attorney General’s Breach Help: Tips for Consumers has simple instructions for consumers who have been affected by a breach and includes what to do in response to a Social Security number breach. Breach Help is also available in Spanish.

Steps for Responding to Social Security Number Breach: 

1. PLACE A FRAUD ALERT.

Contact the three major credit bureaus and place a 90 day “fraud alert.” This helps protect you against the possibility of an identity thief opening new credit accounts in your name. When a merchant checks the credit history of someone applying for credit, the merchant gets an “alert” that there may be fraud on the account.

Experian       1-888-397-3742

Equifax         1-800-525-6285

TransUnion  1-800-680-7289

You will reach an automated telephone system. You will also be sent instructions on how to get a free copy of your report from each of the credit bureaus. Order the reports.  

2. REVIEW YOUR CREDIT REPORTS.

Look through each one carefully. Look for accounts you do not recognize, especially accounts opened since December 2014, when the Anthem breach occurred. Follow the instructions in the report for disputing any questionable information.

3. CONSIDER A SECURITY FREEZE.

Placing a security freeze on your credit files offers longer-term protection. For information on how to do this, see “How to Freeze Your Credit Files” at www.oag.ca.gov/privacy/info-sheets

4. BE WARY OF PHISHING ATTEMPTS.

If you get an email or call from someone claiming to be from Anthem and asking for your personal information, do not provide it. Scammers often take advantage of breaches by offering to help and actually seeking to steal your information. Check with Anthem through the phone number you usually use or one from the phone book, if you want to confirm that such a contact is legitimate.

More consumer information from the Attorney General:

First Aid for Medical Identity Theft: Tips for Consumers
https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis_16_med_id_theft.pdf

En Español: Primeros auxilios para el robo de identidad médica: Consejos para los consumidores
http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis_16_med_id_theft_sp.pdf

Breach Help: Tips for Consumers
www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis-17-breach-help.pdf?

En Español:  Ayuda en caso de robo de datos confidenciales
www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/sp-cis-17-breach-help.pdf?

How to Order Your Free Credit Reports
www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_11_free_annual_doj...

En Español:  Cómo encargar sus informes de crédito gratuitos
www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis11spanish.pdf?

How to "Freeze" Your Credit Files
www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_10_credit_freeze_d...

Identity Theft Victim Checklist
http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/CIS_3_victim_checkl...

En Español: Lo que deben hacer las víctimas de robo de identidad

Top 10 Tips for Identity Theft Protection
www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_1_top_10tips_doj.pdf?

En Español:  Los 10 consejos para protegerse contra el robo de identidad 
www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_1_top_10tips_doj_s...
 

SAN FRANCISCO — Attorney General Kamala D. Harris today announced that the operator of a cyber exploitation hacking scheme, who coordinated the hacking of over 300 email accounts, pled guilty to disruption of computer access in San Francisco Superior Court. Charles Evens, 26, will be sentenced on August 19, 2015.

“Evens is being held accountable for stealing victims’ most private and intimate images and profiting from this illegal activity,” said Attorney General Harris. “This case builds on our continued focus to prosecute perpetrators of cyber exploitation and to send a clear message that hiding behind a computer screen will not shield offenders from the full extent of the law.”  

An investigation conducted by Attorney General Harris’ eCrime Unit found that Evens utilized a social engineering scheme in which he tricked Gmail account holders into providing the recovery code – which is provided as an additional security measure to Gmail users – for their accounts to him by posing as a Facebook friend. Once in possession of the recovery code, Evens would then change the recovery email to one of three email accounts under his control, gaining access to the victim’s Gmail account and any other accounts associated with that Gmail account. According to public statements, Evens used this unauthorized access to steal intimate images and access other personal content, which he then sold to Hunter Moore to post on his cyber exploitation website for amounts up to $900.

Once in control of a victim’s Gmail account, he reached out to new victims through linked Facebook accounts, stating that he had lost control of his account and needed to receive a Google reset verification code to unlock it. Shortly after providing Evens with the information, each new victim found that they no longer had access to their own Google accounts. One victim found that Evens had changed her Facebook password and contacted 15 of the victim’s friends using the same scheme.

Evens is also currently pending trial on multiple federal charges of identity theft, computer fraud and abuse, and conspiracy for his role as an accomplice to Hunter Moore, the operator of the cyber exploitation website IsAnyoneUp.com. The federal case alleges that Moore instructed Evens to gain unauthorized access to victim’s email accounts in order to gain additional nude and explicit images for his site. Evens stole intimate images from those accounts and subsequently sold them to Hunter Moore to post on his cyber exploitation website for amounts up to $900.

Attorney General Harris created the eCrime Unit in 2011 to identify and prosecute identity theft crimes, cybercrimes and other crimes involving the use of technology.

In April, Attorney General Harris announced an 18-year sentence for cyber exploitation operator Kevin Bollaert. Bollaert operated ugotposted.com, which allowed the anonymous, public posting of private photographs containing nude and explicit images of individuals without their permission. This case was the first prosecution in the country of an operator of a cyber exploitation website. 

Earlier this month, Attorney General Harris announced a three-year jail sentence for Casey E. Meyering, 28, of Tulsa, Oklahoma, who operated a cyber exploitation website WinByState.com and the associated website TakedownHammer. He pleaded no contest to one count of extortion, three counts of attempted extortion, and one count of conspiracy and was sentenced on June 8, 2015 to three years in jail.

Attorney General Harris also reminds users of e-mail and social networking sites to never give out account information unless you can verify the identity of the person asking for this information. Always remember that legitimate companies and government agencies will never ask you for your password or other confidential information online or over the phone. Visit a company’s website directly to access your account information, rather than trusting an email or text message claiming to provide information about the status of your account, and don’t response to messages with a link suggesting your account will be closed or suspended if you fail to respond. 

A copy of the complaint submitted to the court can be found here. Please note that a complaint contains only allegations against a person and, as with all defendants, Charles Evens must be presumed innocent unless and until proven guilty.

###

As part of National Consumer Protection Week, Attorney General Kamala D. Harris is alerting Californians to the threat of tax-related identity theft and issuing tips on how consumers can protect themselves during the tax filing process.

Tax-related identity theft commonly occurs when thieves send phishing emails that appear to be from the Internal Revenue Service (IRS) or the Franchise Tax Board (FTB), asking for personal information or including links to official-looking web sites.  Thieves may also use stolen personal information to file tax returns in someone else’s name in order to obtain a refund.

Tax Season Safety Tips

• Beware of unsolicited phone calls, emails or texts from anyone claiming to be from the IRS or the California Franchise Tax Board. If in doubt, contact the agency using the contact information in the Resources section below.  
• Never open an email or a text message that says it is from the IRS or the Franchise Tax Board; they are always fraudulent. State and federal tax agencies never initiate contact with taxpayers by email, text message or social media to request personal or financial information or to send notice regarding audits or refunds.
• If you think you have a tax identity theft problem or receive a letter from the IRS or the FTB stating that someone has already filed using your information, contact the agency. See the contact information in the Resources section below.
• When preparing your tax return for electronic filing, be sure to use a unique strong password on your online filing accounts. A strong password is eight or more characters, including letters, numbers and symbols. Use a unique password for each of your tax filing accounts.
• Think beyond the password. For greater security, you can get an Identity Protection PIN (IP PIN) for your e-filing account with the IRS. A new PIN is provided each year by the IRS. See the Resources section for more information.
• Check on the availability of two-step authentication to protect your tax filing accounts (and other online accounts containing sensitive information, such as your email and social media accounts). Two-step authentication offers stronger protection than just a password and username. The process (also called login approval or multi-factor authentication) adds a second factor, such as a one-time use code that is sent to you by email, phone or text. You enter that code, along with your username and password, to get access to your account. For more on two-step authentication, see the Resources section below.

Resources

Internal Revenue Service

Identity theft:  www.irs.gov/Individuals/Identity-Protection, www.irs.gov/Individuals/Indications-your-identity-may-have-been-stolen-and-how-to-report-it-to-us. 1-800-908-4490

Tax scams: www.irs.gov/uac/Tax-Scams-Consumer-Alerts 

Identity Protection PIN: www.irs.gov/Individuals/Get-An-Identity-Protection-PIN

California Franchise Tax Board

Identity theft: www.ftb.ca.gov/individuals/id_theft.shtml  

ID Theft Resolution Coordinator Web information: 916-845-3669

California Attorney General

Identity Theft Protection and First Aid: www.oag.ca.gov/idtheft  

Two-Step Authentication 

www.stopthinkconnect.org/campaigns/details/?id=460

SAN FRANCISCO – Attorney General Kamala D. Harris today issued a consumer alert in response to the reported Anthem Inc. data breach, which has impacted up to 80 million people.

The Attorney General’s Breach Help: Tips for Consumers has simple instructions for consumers who have been affected by a breach and includes what to do in response to a Social Security number breach. Breach Help is also available in Spanish.

Steps for Responding to Social Security Number Breach: 

1. PLACE A FRAUD ALERT.

Contact the three major credit bureaus and place a 90 day “fraud alert.” This helps protect you against the possibility of an identity thief opening new credit accounts in your name. When a merchant checks the credit history of someone applying for credit, the merchant gets an “alert” that there may be fraud on the account.

Experian       1-888-397-3742

Equifax         1-800-525-6285

TransUnion  1-800-680-7289

You will reach an automated telephone system. You will also be sent instructions on how to get a free copy of your report from each of the credit bureaus. Order the reports.  

2. REVIEW YOUR CREDIT REPORTS.

Look through each one carefully. Look for accounts you do not recognize, especially accounts opened since December 2014, when the Anthem breach occurred. Follow the instructions in the report for disputing any questionable information.

3. CONSIDER A SECURITY FREEZE.

Placing a security freeze on your credit files offers longer term protection. For information on how to do this, see “How to Freeze Your Credit Files” at www.oag.ca.gov/privacy/info-sheets.

4. BE WARY OF PHISHING ATTEMPTS.

If you get an email or call from someone claiming to be from Anthem and asking for your personal information, do not provide it. Scammers often take advantage of breaches by offering to help and actually seeking to steal your information. Check with Anthem through the phone number you usually use or one from the phone book, if you want to confirm that such a contact is legitimate.

More consumer information from the Attorney General:

Breach Help: Tips for Consumers

www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis-17-breach-help.pdf

En Español:  Ayuda en caso de robo de datos confidenciales

www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/sp-cis-17-breach-help.pdf?

How to Order Your Free Credit Reports

www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_11_free_annual_doj...

En Español:  Cómo encargar sus informes de crédito gratuitos

www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis11spanish.pdf?

How to "Freeze" Your Credit Files

www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_10_credit_freeze_d...? 

Identity Theft Victim Checklist

http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/CIS_3_victim_checkl...?

En Español: Lo que deben hacer las víctimas de robo de identidad

www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/sp_cis_3_vtm_checklist...?

Top 10 Tips for Identity Theft Protection

www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_1_top_10tips_doj.pdf?

En Español:  Los 10 consejos para protegerse contra el robo de identidad www.oag.ca.gov/sites/all/files/agweb/pdfs/idtheft/cis_1_top_10tips_doj_s...?

UPDATE: The breach may pose a risk of medical identity theft, which is the use of someone’s identity to obtain medical services or products or for financial gain. Affected individuals should closely watch the Explanation of Benefits statements they receive from their health insurer. If the statement includes a service or product you did not receive, contact the insurer and ask for details. For more information, see First Aid for Medical identity Theft: Tips for Consumers, https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cis_16_med_id_theft.pdf

Anthem has stated that it is not calling members regarding the incident and is not asking for credit card information or social security numbers over the phone. Anthem will contact current and former members via mail delivered by the U.S. Postal Service with specific information on how to enroll in credit monitoring. Affected members will receive free credit monitoring and ID protection services.  For Anthem’s updates on the incident, go to www.anthemfacts.com/faqor call (877) 263-7995

SAN FRANCISCO – California Attorney General Kamala D. Harris today issued a consumer alert on location services used by mobile applications (apps).

With a tap on your smartphone or tablet, you can get a list of nearby restaurants, directions to a friend’s home or a local weather forecast.  Location services on your device make a variety of convenient apps work. Location services take your geographic information from satellites (GPS), WiFi and cell-tower networks. What you may not realize is that some apps can access your location all the time, even when you’re not using them. Your location might be “always on.”  

Broadcasting your location can sometimes expose you and your family to risk of theft or physical harm. For instance, you may be unknowingly revealing your location if your phone is “geo-tagging” your photos. When you take a photo, the location where it was taken may be inserted into the image file, along with the date/time stamp. If you post the photo online, you are revealing your location at a point in time. Sharing a “selfie” without disabling geo-tagging can be dangerous,  especially for victims of stalking or domestic abuse.

How mobile location services work may be technical, but you do not have to be an engineer to have more control. By adjusting the settings on your mobile device, you can control location services to  protect your  privacy on today’s “always on” frontier.

Android Phones and Devices

• Go to Settings, then Location and uncheck the boxes. When an app asks for access to your location, you can chose to grant it or not.
• To disable geo-tagging of photos, open the camera and then click on the gear icon and set location to “No.” You may have to click the gear icon on several screen layers.
• You can also choose how accurate you want your location reporting to be, whether it is determined based on GPS plus WiFi and cellular networks or just one or the other. The higher degree of accuracy uses more of your battery, so protecting your privacy will protect your battery life too. 

iPhones and iPads (iOS 6 and later)

• Go to Settings, then Privacy, then Location Services. You can turn it off. Or you can choose which functions and apps to give access to your location.
• To disable geo-tagging of photos, deny location access to the camera, in Location Services.
• You may get notifications from apps asking to use your location in the background. For privacy, select “Don’t Allow.”

For more mobile privacy tips, including how to control location information on other mobile platforms, see the California Department of Justice’s information sheets Getting Smart About Smartphones: Tips for Consumers and Getting Smart About Smartphones: Tips for Parents. For tips on safe social networking, see Staying Private in Public: How to Limit Your Exposure on Social Network Sites. All are available online at www.oag.ca.gov/privacy/info-sheets.