‣ Government Issued IDs Exposed
‣ Over 24,000 Affected by Breach
On June 3, 2022, Varsity Tutors, LLC, based in St. Louis, Missouri (“Varsity Tutors”), began notifying affected individuals about a data breach involving their government-issued photo identification. Over 24,000 employees or contractor tutors for the company may have been affected by this breach.
According to Varsity Tutors, in late October, 2021, the company was told by an independent cyber researcher that some information stored by Varsity Tutors may be publicly accessible. While Varsity Tutors says it corrected the problem, it conceded it was unable to rule out “unauthorized access or acquisition to certain files [. . . ] between November 1-6, 2021.”
In addition, according to Varsity Tutors, it completed its internal investigation around May 11, 2022, and that government issued photo identifications uploaded to Varsity Tutors’ system by tutors were impacted by this event. The personal information that may be at risk includes full name, address and driver’s license number or non-driver government identification card number.
The full notice provided by Varsity Tutors can be viewed here.
Varsity Tutors did not begin to notify affected individuals until almost eight months after they were notified about the exposed data. Varsity Tutors is now belatedly offering affected individuals one year of complimentary identity monitoring services through Equifax. The deadline to enroll in this service is listed in the Notice.
Special California Laws Protect You
California has laws that specifically protect your personal information.
- The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
- The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.
If certain types of personal information, like driver’s license numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.
If you are a California resident and received a Recent Notice of Data Breach from Varsity Tutors and think you may have had your data improperly compromised, you may be entitled to between $100 and $750 or your actual damages, whichever is greater.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
As Electronic Personal Data Doesn’t Degrade, One Year of Identity Theft Services Offered by Varsity Tutors May Not Be Enough
Cyber-crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021).
Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. This is particularly true for numbers that can’t be easily replaced, like driver’s license numbers or Social Security numbers.
Once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Signs that your identity may have been stolen include:
- you see unfamiliar charges on your credit or debit cards
- claims are made by people using your driver’s license or ID card.
- you have bank account withdrawals that you can’t account for
- you are getting medical bills for services you didn’t get
- you are getting called by debt collectors for debts that aren’t yours
- shops won’t take your personal checks
- you stop getting bills that you usually get in the mail
- you get a notice from that IRS that (1) there is more than one tax return filed in your name or (2) you have income you failed to report and don’t recognize³
- your email address or phone number come up on http://haveibeenpwned.com/ as part of a data breach
Personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” The stakes are high: Data breach victims are more likely to also be victims of additional fraud.
 Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).