AT&T is taking steps to end the sale of its customers’ location data to 3rd-party service providers. This January 10th announcement finishes the process that AT&T had already started in 2018; it had previously suspended data-sharing agreements with some “location aggregators” due to their misuse of AT&T customers’ location data. A recent Motherboard report identified misuses of customers’ sensitive information, such as its being resold without prior authorization from customers and/or AT&T and the AT&T 3rd-party partners.

In its January 10th announcement, AT&T said it’s going to terminate all of the remaining agreements, notwithstanding the usefulness of any of them (e.g., providing needed location information for stranded motorists).

This is an important step in helping protect the sensitive information of AT&T customers. Other U.S. wireless carriers should immediately do the same by ending their “location aggregator” agreements.

Yesterday (November 30th) Marriott International Hotels announced a massive database hack they’d just discovered. The Starwood database has been compromised since 2014, which could mean that the personal and financial information of 500 million guests has been taken.

I went to the Marriott site. There’s a link at the top of the home page that takes readers to “” since Marriott is using the Kroll organization to investigate the hack.

Here are the basics: The message says the compromised information for 327 million Starwood guests could include their passport details, phone numbers, email addresses, Starwood Preferred Guest account information, date of birth, gender and other information. Marriott says that credit card information for an undisclosed number of guests could also have been stolen.

Marriott started sending out emails to the affected guests on November 30th. It will, obviously, take time for the millions of affected guests to be contacted.

There’s other information in the Marriott/”” including a customer service number guests can call with questions and the monitoring service being offered to affected guests (guests have to sign up for the latter — it’s not automatically provided).

These hacks are massive and it’s beyond baffling why it went on undetected for 4 years!

Graham Cluley has reported that the British Airways hack that was announced last month has just gotten bigger (“British Airways hack is worse than originally thought”; October 26, 2018).

In September, British Airways announced that customer data and details of around 380,000 card payments had been stolen between August 21st and September 5th. Mr. Cluley unraveled British Airways’ latest update on its website; after doing so, he ascertained that an additional 185,000 customers’ payment cards were also likely stolen.

This hack impacts anyone who booked a British Airways flight between April 21st and July 28, 2018. British Airways claims there’s no indication that any of the stolen customer payment information has been misused.

However, that doesn’t rule out some customer financial information being misused in the future. Scammers and thieves know that people often become reassured if there are no immediate and obvious misuses of their personal and financial records following this kind of hack.

Anyone who booked a British Airways flight during the April to July 2018 period needs to be extra diligent about keeping close tabs on personal and financial records.



I’ve written before about credit freezes. These are freezes placed with Experian, TransUnion and Equifax so that no one can get credit or loans except the person who placed the freeze. They can be placed by going to the website of these credit rating agencies.

Why are credit freezes useful? Without taking further proactive steps, any or all of your personal information could be used by identity thieves to open multiple new credit and other accounts, to get loans and ruin your credit. They’d not only use your personal information (e.g., SSNs, addresses) but might also use your name.

A credit freeze is more effective than simply buying credit monitoring or accepting such an offer from a company which has been hacked. Previously, consumers had to pay each credit rating agency in order to place a credit freeze. Now, thanks to recent legislation, consumers can place these freezes for free. Yes, a freeze has to be placed separately with each of the 3 credit rating agencies. And yes, consumers have to contact the credit rating agencies when they want to take out a loan or open a new credit card or financial account.

However, taking the time to create a credit freeze, and then doing a temporary “unfreeze”, is a minor inconvenience in contrast to facing all the serious and cascading problems associated with identity theft.

Please share this information with others. There were millions and millions of individuals whose personal and financial information was stolen by hackers during the breaches of Equifax, the Federal Government’s Office of Personnel Management or one of the seemingly endless number of breaches.

I received a very authentic-looking email that purported to be from AT&T. The message was that I had until September 30, 2018 to let AT&T know whether I wanted to stop getting my paper mobile phone bill and go paperless. I was suspicious, so I spent time the other evening on the phone with various AT&T customer service representatives trying to find out if this was really a legitimate AT&T message.

This was an especially sophisticated spam message. Everything about the email made it appear to be legitimately from AT&T — the logo; the typeface; all the information about AT&T that’s usually contained in its messages (paper and electronic).

So what made me suspicious? The link that was included that would allow me to indicate that I wanted to keep getting paper bills. The link contained the word “Septmeber”. That single error made me very concerned as I knew/hoped AT&T wouldn’t be sending out emails with that kind of error.

I was right and this was a spam attempt to gain access to my personal information. The AT&T staff with whom I spoke checked my account and saw that no such email had been sent to me. One representative also said that this kind of bill payment decision would have to be generated by me, the customer, and that it would not be a forced decision by AT&T.

So beware and be suspicious if you get this, or a similar, email that purports to be from AT&T, with or without a typo. Call and confirm if it’s legitimate and do NOT click on any links until you’ve done so.

The phishing scams aimed at Apple users keep increasing and keep getting slicker.

The latest is a phishing scam that pops up as an “Apple Care” alert. Delete it ASAP! Don’t open the email and absolutely DO NOT OPEN any links in the email.

Go to the Apple website if you want to check the authenticity of any Apple alerts or Apple emails that pop up on any or all of your mobile devices.

Just another time when “verify and confirm” is the best and safest approach.


The Washington Post included a blurb from Bloomberg News on June 16th about changes being made by Google. Google is going to provide consumers with more controls allowing them to opt out of certain banner ads as well as of a larger set of ads.

Consumers will be able to use Google’s expanded “mute” feature to do so. That feature, per the Bloomberg News blurb, will be accessed through a new Google online portal called Ad Settings.

I tried doing so and found the Google instructions somewhat confusing. Having said that, anything that helps consumers limit the ads targeted to them is a benefit and worth trying to implement.


Michelle Singletary published a column on May 30th titled “You can soon freeze credit at no cost, a potent tool in identity-theft fight”. Ms. Singletary has done consumers a terrific service by highlighting a provision in a recently passed law — a provision that will make it easier for consumers to put credit freezes in place.

As she reports, the free credit freezes will take effect by September 21st. Why is this such a significant change? Because up to now, consumers have had to separately pay each credit reporting agency (i.e., Experian, Equifax, TransUnion) a fee to place — and then lift — a credit freeze with each of them. These credit freezes have gained increased importance given the cascading number of major data breaches that have occurred over the last few years.

A credit freeze means that the credit reporting agency can’t release any information about a consumer without her express permission. So — in the identity theft context — this helps prevent identity thieves from opening new lines of credit using personal identifying information stolen from a consumer.

Ms. Singletary’s column contains all the key details about the upcoming changes. I urge consumers to read it and get ready to place these credit freezes if they haven’t already done so.

I’ve written about the European Union’s (EU) General Data Protection Regulation (GDPR) several times over the last few years. It makes sweeping changes in the way global companies have to protect consumers’ personal, financial and medical information. It goes into effect today, so U.S. companies are scrambling to comply.

Why? Because one of the most significant changes is that the GDPR applies to U.S.-based companies that meet the various outlined criteria. Why is this so important? Because these U.S. companies are now updating their privacy policies to try and meet the GDPR’s requirements, so the privacy updates will also apply to individuals in the U.S.

The good news is that this potentially means stronger protections for individuals in the U.S. who engage with these companies and/or their websites. The slightly bad news? It makes it even more essential that individuals read the new privacy policies that they are receiving via email or even hard copy.