All about how it happens and how you can keep it from happening to you.
May 2009 - Posts
It’s official: My husband and I are among the millions of bankcard holders affected by the ginormous Heartland Payment Systems data breach. In fact, I’m feeling doubly lucky after receiving notifications that my personal bank account at another bank was affected along with the joint account my husband and I share.
So, I’ve been watching our (locking) mailbox like a kid waiting for the birthday card from Grandma—the one with money in it. Except, in this grown-up version, I’ve been worriedly waiting for the first, second and third bankcards to arrive. And then more waiting for the first, second and third envelopes containing the PINs.
Ironically, the pre-set PINs are amazingly similar, something like 1234, 2234 and 3234. Like I’m going to keep that straight! (It’s a good day if I remember to charge my cell phone and put it in my purse. Today is not a good day.) Yesterday my card was declined at the grocery store because I failed to enter the correct PIN … three times. By then it was too late to offer it up for a credit purchase.
So now (because the whole freaking ordeal isn’t aggravating enough) I have to go to the bank to re-set at least one of the PINs for security’s sake. But until I do that, I’m passive-aggressively tempting the identity theft gods by carrying the numbers in my purse because I’m never sure which one I’ll be able to use.
Another dirty little confession: In the last three months my son and I have shared a nasty little, mysterious virus that has sent us to four medical care facilities. In the middle of all this our health insurance provider issued new cards. Yep. They’re in my wallet, too.
Hey! No one’s perfect!
There are identity theft rings and then there are IDENTITY THEFT RINGS.
Jasper Grayson and James Malloy did far more than create a crime ring with dozens of flunkies; they hired recruiters who, in turn, enlisted an army of 950 foot soldiers to deposit and withdraw thousands of counterfeit checks worth an estimated $2 million from roughly 500 identity theft victims, according to the Manhattan district attorney’s office.
So far, Grayson, Malloy and 16 others have been named in a 227-count indictment for crimes that occurred between October 2007 and February 2009 when Grayson and Malloy were arrested.
The supply chain began with bank tellers they enlisted to steal account information and photocopy payroll checks from the city’s Department of Education, Madison Square Garden, Cathedral Church of St. John the Divine and many other private individuals, corporations, religious institutions, schools and hospitals.
The tellers handed over the information to Malloy, Grayson or another check maker, who created the counterfeits. The bogus checks were then given to check cashers, or, as the leaders called them, “soldiers.”
Once enlisted, soldiers gave over their real names and addresses so checks could be made with the soldiers’ name as payees.
The group targeted nearly every bank in Manhattan, but JP Morgan Chase took a solid hit and lost $1.5 million. Other casualties include the New York Police Department, The Police Relief Fund, The New York City Department of Finance, the New York Housing Authority, The New York Transit Authority, Montefiore Medical Center, The Mount Sinai Hospital, Bed, Bath and Beyond, Harlem Children’s Zone, Diane Von Furstenburg and Liberty Mutual.
Your employer needs your Social Security number. And of course the Internal Revenue Service needs your Social Security number. But do your doctors? What happens if you follow the advice of the Social Security Administration and refuse to give it to them?
The Yakima Heart Center will refuse to provide the cardiac care that could make the difference between life and death.
Aram Langhans, a 58-year-old Yakima, Washington resident, was already hooked up to a portable heart monitor Monday to check out his irregular heart rhythms when a nurse at the Heart Center sent him to a restroom with instructions to remove the monitor and leave the premises.
The conflict arose because Langhans saw his Social Security number printed on a patient information printout as he was checking in, and asked a records clerk to remove it.
The Langhans take identity theft protection very seriously since their nephew’s identity was stolen from a credit application and used to fraudulently obtain credit cards and cell phone accounts. It took him a year to clean up the mess.
There’s already a “significant amount of evidence showing ID theft cases originate in medical offices,” according to a spokesperson for the nonprofit Privacy Rights Clearinghouse.
More than 350,000 records are known to have been exposed already this year because of data breaches originating in hospitals and medical practices, according to the Clearinghouse’s Chronology of Data Breaches.
The Social Security Administration recommends asking the following questions when anyone requests your Social Security number:
- What law requires that you divulge it?
- Why do you need it?
- How will it be used?
- How will it be protected?
- What happens if you refuse?
The FTC has finally come up with a tool to make Red Flags Rules more easily understood and small business compliance easier to implement.
Initially created in 2003, the FTC has repeatedly delayed enforcement of the rules for recognizing and responding to identity theft’s warning signs, largely because of confused interpretation of the term “creditor”.
In response, the FTC has developed a simple six-page, four-step outline for small and low-risk businesses along with guidelines for determining whether a business falls into this category. How can you tell if your business is at low risk for identity theft?
- Do you have few clients or customers whom you know by sight?
- Do you provide services in your customers’ homes?
- Is your line of business frequently linked to identity theft?
- Has your business ever been linked to an identity theft incident?
If you answered yes to the first two questions and no to the last two questions, chances are you have a low-risk business, and can easily meet Red Flag Rules requirements by using the simple form created by the FTC.
The Identity Theft Prevention Program designed by the FTC, available here, guides business owners, board members or senior managers through the process in four easy steps:
- Identifying relevant red flags
- Detecting red flags
- Responding to red flags
- Administering your program, including designating the employee responsible for implementation; training methods; identifying service providers that might detect ID theft; and deciding how to update your program and keep it current.
Identity thieves frequently come at their victims from the most unexpected quarters. For instance, it’s been well documented that many identity theft victims are targeted by people they know and trust: family members, employees and hired professionals such as accountants and real estate agents.
Add cops to that list.
Jonathan E. Kelly, a Palm Beach County schools police officer, is accused of stealing the identities of at least 20 teachers and students and was arrested yesterday.
His case isn’t helped by his February arrest on charges of breaking into cars, a method identity thieves frequently use to gain their victims’ personal information.
Assistant district attorney Al Johnson said he expects to find more victims of Kelly’s “impressive organized scheme.”
According to a Palm Beach County Sheriff’s report, Kelly used the district offices’ computers during his six years on the job to steal his victims’ personal information, opened credit card accounts and had the cards sent to empty houses in the gated community where he lives.
Kelly is also accused of stealing checks written to area high schools.
Daniel Farias Elisha, an associate of Kelly’s, told investigators he fenced goods Kelly stole in Palm Beach and Sarasota Counties, selling them on eBay or Craigslist, then wired thousands of dollars in proceeds back to Kelly.
Elisha also said he sold stolen credit cards he got from Kelly, and that they used at least one themselves.
Investigators who searched Kelly’s home and car found names, addresses, birthdates, Social Security numbers, bank routing numbers, email addresses, passwords, original checks and other identifying documents, according to the sheriff’s report.
Sometime between October 2008 and March 2009 the National Archives lost a hard drive with a terabyte of sensitive information from the Clinton-era White House, according to congressional officials.
The hard drive contained “an as-yet-unknown amount of personally identifiable information of White House staff and visitors,” according to a statement from the archives. A terabyte of data is the equivalent of millions of books.
Information on the hard drive includes names, addresses and Social Security numbers of White House employees and visitors, including one of former Vice President Al Gore’s three daughters.
The statement also said that the agency “takes very seriously the loss of an external hard drive that contained copies of electronic storage tapes for the executive office of the president of the Clinton administration.”
Though the breach of personal information is indeed very serious, of greater consequence is the loss of Secret Service and White House operating procedures, as well as logs of events, social gatherings and political records.
Rep. Darrell Issa of California said the hard drive had been stored in a secure area, but was moved to an unsecured workspace, presumably so the Clinton administration’s information could be converted to a digital records system, as asserted by an unnamed aide.
The archives inspector general said the door to the area was frequently left open for ventilation and at least 100 badge-holders, janitors, visitors, interns and anyone else on their way to the bathroom had access to the area according to Issa.
We’ve lived in our house for two years, and my 7-year-old and our mail carrier have become pen pals through an exchange of artwork and little notes my son tucks into our mailbox, and return greetings and sketches from the friendly man in the blue and white truck whom my son has never met.
Nothing would surprise me more than to learn this man was stealing my mail, and using my personal information to take out credit cards in my name. But that’s what seems to have happened to the residents of Carey, Ohio, a rural community of only 3,900.
After nearly 20 years of delivering mail to her neighbors Marsha Billock-Strahm was charged with stealing, not just her neighbors’ mail, but their identities. Billock-Strahm, 48, was indicted in federal court this week on one count of aggravated identity theft, five cases of identity theft, four counts of false credit card applications and one count of mail theft.
Billock-Strahm used credit cards and convenience checks to make transactions totaling more than $12,500. She intercepted the credit cards and subsequent statements to conceal the crimes, according to the indictment.
The burg’s mayor, John Rymer, described Cary as a tight-knit, Christian town, and said he expects that if the allegations turn out to be true, the residents will forgive their neighbor and former letter carrier.
More than 10 million people became identity theft victims in 2008 -- one every three seconds.
School will be out in just a few weeks, and if you haven’t already done it, it’s time to fill out those registration forms to get your kids into summer camp.
This year, take special care when completing those registration forms. Most summer camps ask for children’s birth dates and Social Security numbers, but—in most cases—they don’t really need them. And, every time those bits or identifying information are divulged and recorded, the child’s identity theft risk increases.
The Federal Trade Commission estimates that 500,000 children are identity theft victims every year, and the Identity Theft Resource Center discovered that more than half of those children are under the age of six; in fact, the younger the child, the more appealing a target he or she is for identity thieves.
Until people apply for credit, they have no credit file, but when that first application is submitted, a credit history is initiated, and whatever information—such as the birth date submitted by the applicant—becomes part of that file.
Most children and parents don’t discover the crime until the child applies for a job car loan, student loan or apartment lease. By that time the thief is long gone, and the victim’s credit record may show years of unpaid credit card bills, auto loans and even mortgages.
Worse still, the child could end up with a criminal history if the thief has used that stolen identity to acquire a driver’s license and been caught committing other crimes.
The first step in protecting your child’s identity is refusing to give out a birth date or Social Security number unless it’s absolutely necessary. So, when you fill out those registration forms for summer camp, sports programs, scouting, etc., leave those fields blank; chances are, nobody will notice. If they object, explain your reasoning. With any luck, they’ll not only let it go, but revise the forms to help protect the children they’re caring for.
Johns Hopkins Hospital has experienced a data breach involving more than 10,000 patients, including dozens of patients who have become identity theft victims as a result of the breach.
Donald Bradfield, Senior Counsel for the hospital, sent a letter to the Maryland Attorney General’s office detailing the discovery of the data breach. According to the April 3 letter, law enforcement agencies and identity theft victims who had been patients at the hospital notified Johns Hopkins of the problem in January.
An investigation conducted by local law enforcement, the U.S. Postal Service, the U.S. Secret Service and the Johns Hopkins Corporate Security Department lead to a hospital employee working in patient registration. Investigators believe the employee is part of a Virginia fraudulent driver’s license scheme.
Because of the nature of her job, the worker had access to patients’ names, addresses, phone numbers, birth dates, parents’ names, Social Security numbers, physicians’ names and patients’ insurance information. The suspect used a system that did not include patients’ medical information.
Johns Hopkins created the following three-tiered system to categorize the victims and services offered according to the victims’ identity theft risk:
- 31 individuals confirmed as identity theft victims and Johns Hopkins patients were offered two years of credit monitoring and fraud resolution services, educational material and access to a call center for more information. They are eligible for up to $30,000 of identity theft reimbursements.
- 562 Virginians whose information was accessed by the suspect were offered one year of the above listed services.
- Roughly 10,200 additional patients whose information was accessed by the suspect for what are thought to be routine purposes were not offered any services, but were notified of the data breach and advised to watch their accounts closely.
This is the hospital’s third reported data breach within a two-year period. More than 150,000 records have been compromised because of the hospital’s security lapses.
More than 50 people in Upstate South Carolina have been arrested in the past year for stealing mail to commit identity theft or mail fraud, according to an Upstate task force.
The South Carolina Upstate Financial Crimes Task Force is headed by U.S. postal inspector Jack Galvin and comprises federal postal inspectors as well as Anderson and Spartanburg law enforcement officers.
The inspectors involved in the arrest have some ideas about why stolen mail is such a big problem in the area.
Identity theft and mail fraud aren’t new crimes in the region, but postal inspector Keith A. Fixel attributes the large number of cases to current economic conditions and job losses in the area along the I-85 corridor. All financial crimes are on the upswing, he said.
Methamphetamine use has been linked to mail theft throughout the Pacific Northwest, and may play a part in the large number of cases in the Upstate area as well. Investigators said there are more methamphetamine users in the Upstate, and they aren’t sure why.
“This corridor has some unique problems,” Galvin said.
Many of the 53 people arrested by the task force are drug users who support their habits by stealing mail and committing ID theft and mail fraud, he said.
To protect yourself:
- Take outgoing mail to a public postal box.
- Use a locking mailbox at home to protect incoming mail.
- Never leave your mail in the box overnight.
- If you travel frequently, rent a mailbox at the post office.
UC-Berkeley is the latest data breach victim at an institute of higher learning. The notification letters and emails were sent out Friday to 160,000 current and former students to let them know records dating back as far as 1999 had been accessed by hackers thought to be based in Asia.
The source of the stolen records was the school’s health center, which retains extensive information, including Social Security numbers, health insurance information, immunization histories and the names of treating physicians. Student records involved include those of students who studied overseas, and 3,400 additional students from Mills College who were allowed to use the UC-Berkeley medical facility.
System administrators spotted the breach roughly a month ago, but were stunned on April 21 when they discovered the magnitude of the breach, which apparently took place over a period of several months.
The breaches initially appeared to be nothing more than routine system maintenance, but the hackers began leaving taunting messages for university employees.
Years ago, hackers and identity thieves were primarily young people working out of their basements, whose only motivation was the satisfaction of proving they could beat security.
These days, hackers are often players in sophisticated and far-flung cybercrime and identity theft syndicates. Asia, Eastern Europe and Nigeria are known to be especially active, according to John Mitchell, a Stanford University computer science professor.
The taunting messages might indicate the UC-Berkeley hackers are amateur kids.
An FBI spokesman said the Bureau was notified immediately, but wouldn’t divulge any further details. UC and FBI are working together as the investigation proceeds.
One of the many frustrations of becoming an identity theft victim is the never knowing how it happened. A new study might shine some light on the mystery.
Researchers purchased 300 used computer drives from eBay, other auction sites and flea markets and found 34% of them still contained confidential information, including hospital records and sensitive military information.
Among the discarded information they discovered:
- Network data and security logs from the German Embassy in Paris.
- Test launch routines for the Terminal High Altitude Area Defense (ground to missile defense system).
- Blueprints and personnel records—including Social Security numbers--from Lockheed Martin.
- Business plans of a well-known fashion company in the UK, including customer information and discount codes.
- Corporate design plans from a major auto manufacturer.
- Computers bought in the United Kingdom included patients’ medical records, X-rays and staff correspondence.
- In Australia, a disk from a nursing home contained patients’ personal information along with patients’ photos and those of their wounds.
- A disk from a US bank was still storing account numbers and detailed plans for a $50 billion currency exchange with Spain. Other information included details of transactions between the bank and organizations in Venezuela, Tunisia and Nigeria.
- Also on that disk was correspondence between Federal Reserve Board member and the unnamed banks indicated those deals were already being scrutinized by federal investigators and the European Central Bank.
The is the fifth year for the study jointly conducted by Longwood University in the United States, Edith Cowan University in Australia and University of Glamorgan in Wales. On an encouraging note, only 34% of the computers in this year’s study revealed personal, business and government secrets; in the first study roughly 50% of the used computers were still treasure troves of information.
A huge, well-known office building in Los Angeles was the target of burglars last weekend. The LA Police Department estimates as many as 80 businesses in the Chateau Office Building were robbed of scores of computers containing thousands of clients’ files.
Marshall Bitkower, an attorney and tenant, said he lost only three computers in the heist, but that the information stored on them was extensive, and included names, credit card information and emails.
The general consensus among the victims is that the thieves were after nothing more than the data the computers contained, because they left behind other valuable equipment such as monitors, servers, copiers and printers.
Accountant Richard Levy lost only one computer, but it held 800 clients’ tax documents. An unnamed businessman said 7,000 of his clients’ credit card information was stolen.
The thieves stole 25 computers from Anthony Muzichenko’s business, L.A. Management, a talent agency which represents actors, models, directors, producers and writers.
“We’re talking about computers with thousands of credit cards and files,” said Anthony Muzichenko, ”There are going to be thousands of victims.”
The three-story building’s security camera was disabled, and a guard was called away on an emergency call. Police Lt. Jay Roberts said investigators are looking at people familiar with the building and its security system.
There were no signs of forced entry, no damage to the building and no injuries, leading building manager Bruce Abrams to believe the thieves had a master key.
Remember when ransom notes were created with letters cut from magazines? No more. Now data kidnappers conduct “cryptoviral extortion.”
"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("
The above is the content of a ransom note directed to the Virginia Department of Health Professions. The perpetrator demanded $10 million within seven days and posted the ransom note April 30 on WikiLeaks, a website created by Chinese dissidents and investigative journalists that publishes anonymous submissions of governmental, corporate or religious documents.
In return for the ransom, the hacker promised to return the information and provide the encryption password. If the ransom is not paid, the culprit threatened to “put this baby out on the market and accept the highest bid,” according to the note.
Virginia DHP, an agency that oversees medical practitioners’ licensing, is not responding to calls or emails requesting further information. They have, however, taken down much of their website, and posted their own vague message about the site’s limited accessibility: “… is currently experiencing technical difficulties which affect computer and e-mail systems."
Express Scripts, a prescription management company, received a similar ransom note last October from a data kidnapper who threatened to release millions of patient records.
Last September, a California man was arrested and accused of hacking a Maserati dealership’s site and attempting to extort money in return for the data.
I’m sure the state of Oklahoma is good at doing a lot of things, but protecting its citizens’ personal and financial information certainly isn’t one of them.
Last week the Oklahoma Housing Finance Agency notified officials that a laptop containing personal information of 225,000 Oklahomans was stolen from an employee’s home. Among the information lost in the data breach were the names, addresses, Social Security numbers, tax identification numbers and birth dates of clients of the Section 8 Housing Voucher Program.
If this were their first major data breach, forgiveness might come more easily, but these idiots have lost more than 1,226,560 records already this year, and there are only 3.5 million people in the entire state!
Other Oklahoma data breaches SO FAR this year:
- Oklahoma Department of Human Services
- 1,000,000 affected
- Data breach attributed to laptop stolen from state employee. Computer files included the names, Social Security numbers and birth dates of DHS services recipients.
- Oklahoma Department of Human Services
- Unknown number affected
- DHS child welfare worker left behind files when evicted from rental house. Information included names, Social Security numbers, contact information and details pertaining to child abuse investigations.
- Western Oklahoma State College
- 1,500 affected
- Computer breach exposed Social Security numbers and other information of library users.
In 2008, the state government lost or exposed the information of 85,597 constituents in three separate data breaches.
More Posts Next page »