All about how it happens and how you can keep it from happening to you.
February 2009 - Posts
The Federal Trade Commission’s annual report on fraud and
identity theft was just released and it’s full of discouraging if not
The Consumer Sentinel Network Complaint Data
Book shows 313,982 complaints in 2008, a 20% increase in reported
identity theft over 2007.
Among the other significant findings reported:
- Credit card fraud (20%) was the most common form of reported identity theft followed by
government documents/benefits fraud (15%), employment fraud (15%), and phone or utilities fraud (13%).
Other significant categories of identity theft reported by victims were bank fraud (11%) and loan fraud (4%).
documents/benefits fraud is now the second most common reported type of
identity theft after credit card fraud. Fraudulent tax return-related
identity theft, a subtype of government documents/benefits fraud, has
increased nearly six percentage points since calendar year 2006.
fund transfer-related identity theft continues to be the most
frequently reported type of identity theft bank fraud during calendar
year 2008, despite declining since calendar year 2006.
- Arizona is the state with the highest per capita rate of reported identity theft complaints, followed by California and Florida.
- Only 35% of those who filed identity theft complaints with the
FTC contacted their local law enforcement agencies. Those consumers who
did report their identity theft incidents to a local agency might have
experienced frustration; 73% of the time, the police didn’t take a
If your identity is stolen, take the following steps:
your credit card companies, bank and any government agency that issued
stolen government documents—for instance if you discover that someone
is using your Social Security number for employment purposes, contact
the Social Security Administration.
- Contact all three credit
reporting agencies and place a fraud alert on your credit records.
Place a reminder in your calendar that the fraud alerts must be renewed
- Contact local law enforcement and insist that they make a report. Keep a copy of the report in your files.
A friend of mine has told me more than once how dangerous file sharing software is. I didn’t pay much attention because I don’t download music, so it didn’t make much of an impression on me. Sometimes I have to see it to believe it, but after what I saw this morning, I’m a believer.
There was a segment on The Today Show this morning that featured a New York state family with two teenage girls who frequently downloaded and shared free music using the family’s PC. It’s such a common thing to do, the parents never made the association when their $2,000 federal income tax return was electronically intercepted and stolen last year.
Identity theft prevention expert and LifeLock CEO Todd Davis likened having those file sharing software programs on your computer to leaving the keys in an unlocked car … with the windows down.
Natalie Morales did some checking of her own and found that with that software she was able to find the family’s income tax forms online (think: Social Security numbers, dates of birth, bank account numbers, retirement account numbers …). Even more frightening, the files containing the family’s tax forms were found in four foreign countries, including Nigeria and Poland, known centers of organized identity theft rings.
Then she went a step further and, in the state of New York alone, was able to find 25,000 student loan applications and 600,000 credit reports.
Feelings get hurt when romantic relationships end; a little bit of drama is practically inevitable. Some people are better at avoiding drama at the end of relationships than others, though, and some people are really bad at it. Take Tracy Rankin of Fargo, N.D., for instance. She falls into the category of people who are really bad at it.
The former day care operator used two stolen identities to take out at least seven credit cards and run up a tab of more than $76,000.
One of the stolen identities was that of her former boyfriend, Arlen Tenold.
Rankin made an appearance in federal court today, and pleaded not guilty to five counts of mail fraud and two counts of identity theft.
Arlen Tenold was there too. He says the debt Rankin is accused of accumulating in his name has been financially devastating, and that he nearly lost his house because of it.
It’s not uncommon for victims of identity theft to know the people who steal their identities. Tenold probably gave Rankin plenty of opportunities to gather the information she needed. Mail left lying casually around, openly sharing information like Social Security numbers, wallets left on the dresser, personal documents left in unlocked desk drawers—people make it easy for criminals to steal their identities.
Rankin will go to trial in May and her future will be determined then. If convicted, she could face as much as 20 years in prison and $250,000 in fines.
Tenold’s future probably holds a long string of girlfriends who just can’t get past his paranoia and financial problems.
Until now the most memorable lawsuit relating to coffee involved McDonald’s and a lady with a scalded lap. But there’s another lawsuit brewing in response to Starbucks’ second data breach. (I can only apologize for the puns; I can’t stop myself.)
One of the 97,000 employees whose information was contained on a lost laptop is steamed enough that she’s filed a class action lawsuit against the grande coffee purveyor. The lost information contained employees’ names, addresses and Social Security numbers—in short, all the information an identity thief needs to steal an identity.
The lawsuit accuses the company of fraud and negligence, and asks that Starbucks be made to offer five years of free credit monitoring and that they be made to submit to periodic security audits of their computer systems.
Though the plaintiff, Laura Krottner, has not become an identity theft victim as a result of this data breach, she has asked for unspecified damages. A precedent for payment of damages related to a data breach without identity theft was set in January when the U.S. Department of Veterans Affairs agreed to a $20 million settlement in a class action suit. The plaintiffs argued that the stress and anxiety of having their personal information stolen was damaging enough.
In 2006 Starbucks notified 60,000 current and former employees that their personal information was contained on two laptops that had gone missing.
University of Florida has suffered another huge data breach, the third in three months. In the most recent data breach, the personal information of more than 97,000 students, staffers and faculty members was compromised.
That any organization should lose control of their constituents’ information three times in three months is shocking, but that all three of the data breaches should be the result of successful attacks by hackers is outrageous. Even more egregious is the fact that if you look backward in time beyond these three data breaches, you’ll see that this is the sixth data breach of University of Florida information in the last 15 months.
Six data breaches in 15 months! Details are as follows:
- November 2007: The information of 534 former UF students was inadvertently posted on a website. Social Security numbers were included in 415 of the students’ records.
- May 2008: An assistant professor of plastic surgery gave away a laptop that contained the photos, names, dates of birth, Social Security numbers and Medicare numbers of 1,900 of his patients.
- June 2008: The personal information, including names, addresses and Social Security numbers of 11,300 current and former students was inadvertently posted on a website.
- November 2008: Hackers accessed the personal information of 330,000 dental patients. The compromised information included names, addresses, birth dates and Social Security numbers of patients who had dental work done at the College of Dentistry as long ago as 1990.
- January 2009: The Social Security numbers of 101 “users” might have been accessed because of a directory service configuration error. The University data breach notice provides no further details such as who the “users” were, or what other personal information might have been accessed.
- February 2009: 97,200 students, staffers and faculty members placed at risk of identity theft because the University of Florida allowed hackers to access personal information for the third time in three months.
Esther Reed dropped out of high school, attended Harvard, Columbia University and California State University, Fullerton. She was a chess tournament champion and a valuable addition to the debate teams at CSU Fullerton and Harvard. She was widely regarded as being very intelligent, if a little “off.”
Natalie Bowman graduated from Harvard, and is currently a med student at Columbia. Bowman was also on the debate team at Harvard, but graduated before Reed arrived there.
Brooke Henson was a pretty girl who grew up in the small town of Travelers Rest, SC, got involved with a dangerous man, went missing in July 1999 and was never seen again.
Esther Reed used the identities of the other two women and many others to escape family dysfunction, and maybe herself, according to her attorney, Ann Fitz of Atlanta. Though Fitz’s theory might be on target, it didn’t work as a defense; Reed was sentenced last week in a South Carolina federal court to four years in prison for stealing their identities and receiving more than $100,000 in student loans in their names.
When Reed was arrested she was still using Henson’s identity. Her fraud was so complete she was even able to answer personal questions about her life in the Henson family, and convinced the New York police detective who interrogated her that she fled South Carolina to escape domestic abuse. Nonetheless, he contacted the Henson family to let them know that their daughter and sister was alive and well.
Lisa Henson, Brooke’s sister, recounted her family’s elation on hearing of Brooke’s well-being, and their emotional devastation on learning the truth. She asked the judge to punish Reed with the longest possible prison term for the torture she put the Hensons through. She attended Reed’s sentencing last week, and after hearing the judge deliver a four-year sentence she said she didn’t think Reed had gotten a long enough sentence.
“She should be locked up and never see the light of day again for what she put us through,” she said.
Sometimes identity thieves are petty criminals, taking advantage of an opportunity that presents itself in the form of a lost wallet or carelessly discarded junk mail. But often, identity theft is just part of wider criminal activity.
Stolen mail, credit card templates, methamphetamine and slot machines: that’s what investigators found a couple weeks ago when they busted a home nicknamed “the Castle” in San Francisco.
It’s not uncommon for criminals involved in identity theft to diversify their operations, using the proceeds from one arena of criminal activity to finance another. At the Castle, that meant taking stolen mail from drug addicts, and paying them off in methamphetamine. Money made from gambling at the small-time, after-hours casino no doubt contributed to the funds needed for the crime ring leaders to buy more meth.
Members of the Santa Clara County Rapid Enforcement Allied Computer Team found mail from at least 15 victims at the Castle. Apparently mailboxes belonging to the affluent residents of areas like Santa Clara and San Mateo counties were the favorite targets.
Personal and financial information—names, addresses and credit card account numbers—found in the stolen mail was then coded onto magnetic strips and embossed onto blank plastic credit cards. The fraudulent credit cards could then be used to purchase merchandise, which could then be sold to make more money.
The Castle and its residents were under investigation for roughly a year after police got information from informants about the illegal activity conducted there. Twenty-seven people were in the home when police made the arrests.
More than 10 million Americans became identity theft victims in 2008, according to the annual report released by Javelin Strategy and Research last week. That's a huge increase over the 8.1 million victims of 2007, and the first time Javelin has reported an increase in the number of victims since they began tracking ID theft in 2003.
The report also confirms findings from early surveys regarding the source of personal and financial information used by thieves. Among the 35% of respondents who are certain who stole their information and how it was obtained,
* 43% can trace the crime to a lost or stolen wallet, checkbook, credit card or other document.
* 19% know that the information was stolen while they were making purchases or other transactions.
* 13% knew the criminal as a friend, acquaintance or in-home employee.
Of the 10 million people who became identity theft victims last year, more than 1 million of them place the blame squarely on business or government institutions that lost information in data breaches.
Another 11% reported their information was stolen while they were online, mostly through the machinations of hackers, viruses or spyware. A few more of the victims admit to falling prey to phishing attempts.
It's nearly impossible to establish a causal relationship between the declining economy and increasing numbers of identity theft crimes, but there's certainly a correlation.
"The short story is that criminals are getting more desperate," said Jim Van Dyke, a Javelin spokesman.
Almost 600,000 people lost their jobs during the first week of February, the same week the report was released.
If there's any good news to be found in the report, it's that the average out of pocket loss for an ID theft victim is down to only $500.
And so it begins. It’s been less than a month since
Heartland Payment Systems revealed they’d been hacked and consumers’ data
stolen, and already three class action suits have been filed.
In the class action suits filed on behalf of consumers the
attorneys involved allege that Heartland failed to safeguard consumer data. In
another lawsuit filed by the Haverford, PA, law firm Chimicles & Tikellis
against Heartland on behalf of an individual
cardholder, the law firm asserts that the credit card transaction processing
company “made unreasonably belated and inaccurate statements concerning the
One of the class action suits has been filed by the Philadelphia law firm
Berger and Montague, a firm involved in a class action suit against TJX that
delivered a $200 million settlement for their claimants. To date, the TJX data
breach, formerly the largest breach on record, has cost the retail giant
somewhere in the neighborhood of $1 billion. In that hacking, 45.7 million
credit card accounts were compromised.
There is still a dearth of information when it comes to how
many credit card accounts were actually affected by the data breach, but it is
known that Heartland processes roughly 100 million credit card transactions
So far, more than 330 financial institutions say they’ve had
to reissue their credit cards because of fraud or the fear thereof. No word yet
on lawsuits on behalf of the banks, but it’s just a matter of time.
Three men in Tallahassee, Fla., were arrested last week on fraud charges
related to the massive Heartland Payment Systems data breach that
came to light in January.
Timothy Johns, Jeremy Fisher and Tony Acreus are accused of
using credit card information stolen from Heartland, a credit card processing
company, to electronically encode Visa gift cards. They used the cards to buy
goods from Wal-Mart stores in the Tallahassee
area, and then sold the purchases for cash.
The arrests are the result of a three month investigation
conducted by the U.S. Secret Service, Tallahassee Police Department and the
Leon County Sheriff’s Office. The suspects have been charged with multiple
counts of grand theft and fraud. The investigation is continuing and will
likely result in more arrests and reveal losses much higher than the $100,000
Heartland Payment Systems processes more than 4 billion credit card
payments for more than 250,000 businesses
nationwide. Heartland has refused to disclose the number of credit card
accounts lost to the hackers, but security experts believe the total will
probably dwarf the TJX data breach which, till now, held the dubious
distinction of being the largest data breach in history with the account information
of 45.7 million credit and debit cards stolen.
Visa and MasterCard notified Heartland of suspicious
transactions last fall, but an internal investigation conducted by Heartland
failed to find the malware installed by the hackers.
Free money! Who can resist an unsolicited $10 check that just appears in the mailbox like manna? The answer is, anyone with young eyes or bifocals easily within reach; the fine print (and it is very fine and very faint) is the deal killer.
A recent example was found in a coworker’s mailbox. In this case, the fine print reveals that cashing the check automatically and immediately enrolls the endorsee in a yearlong membership in Great Fun, a discount program offered to “valued Travelers Advantage members.” Great Fun savings include deep discounts at restaurants, hotels and stores, PLUS 2% back on $5,000 worth of credit card purchases. What a deal!
Now, get out the bifocals. The annual membership begins with a free 30-day trial period, but members’ credit cards are automatically billed for an additional 11-month membership. And, at the end of that first year, an annual fee of $139.99 will be automatically charged to your credit card. And in all subsequent years, your credit card will be automatically charged at whatever the current rate is at the time.
To be fair, there is a limited opportunity for the “valued member” to cancel their Great Fun membership during the 30-day trial period by calling a toll free phone number. To be frank, the program is a product of Trilegiant, a corporation with a history of consumer complaints and class action lawsuits pertaining to unauthorized credit card charges and members’ enrollment in Trilegiant programs without informed consent.
If you have a credit card, expect a letter from Heartland Payment Systems soon. The New Jersey credit-card processor revealed that their computer network has been hacked in what is thought to be the biggest data breach ever.
Heartland counts more than 250,000 businesses as clients, and processes roughly 100 million transactions every month. Robert Baldwin, Heartland’s president and CFO, said they don’t know yet how many transaction records were exposed.
The records that were accessed include the credit card numbers, expiration dates and internal bank codes. In short, the hackers now have everything from the cards’ magnetic strip, and everything needed to create duplicate cards.
Until now, TJX (parent company of TJ Maxx, Marshall’s and other retail stores) claimed the dubious distinction of having the largest data breach. Approximately 45 million card numbers were stolen in that case.
Visa and MasterCard officials notified Heartland last fall that they’d had a number of suspicious transactions, but an investigation conducted by Heartland didn’t corroborate the credit card companies’ findings.
A forensic investigator dropped the hammer last week when he discovered evidence supporting the earlier alerts from Visa and MasterCard. Baldwin described the malware used in the breach as being “light years more sophisticated” than those commonly launched from the Internet.
The Identity Theft Resource Center recently announced that data breaches in 2008 reflect a 47% increase over the number of breaches disclosed in 2007.