Search This Blog

Wednesday, June 28, 2006

Identity Theft 101

Identity thieves are becoming much more sophisticated in their strategy. You could even say this is becoming a cottage industry since they have so many incompetent businesses and government agencies to work with. The kind that allow their employees to take laptops home with them crammed with personal data on just about every household in the U.S. Any person who would do this has to be working with a double-digit IQ in common sense.

In just the last couple of months, the following organizations have lost a laptop(s) containing combined sensitive information on almost 26.8 million individuals:

• Veterans Administration – 26.5 million
• Hotels.com – 250,000
• IRS – 291
• ING Financial Services – 13,000
• Equifax Credit Bureau – 2,500
• Federal Trade Commission – 110

In many cases the data included name, address, Social Security number, birth date, and credit card information. The perfect formula for ID fraud.

And then a computer server was stolen on March 31, from the Midwest office of insurance giant, AIG, containing 930,000 names, addresses, Social Security numbers and thousands of medical records. The data had been sent to AIG by 690 insurance brokers who were shopping their clients for medical coverage. A “server” seems like a strange thing to steal, unless you know what you’re getting. Read the story: “Stolen computer server sparks ID theft fears” on MSNBC.

That’s just the laptops and one server. There have been several others where hackers have broken into systems, but two are worth mentioning because of the unique methods used.

Somehow, 28,000 sailors and their families ended up on a civilian Web site. Included were names, birth dates, and Social Security numbers. Once again, just what the crooks need. In an MSNBC story, “Sailors’ personal data found on the Internet,” the Navy admits it has no idea how the information was stolen.

Then, one that could top the dunce responsible for the VA breach, a Humana insurance employee called up data on 17,000 Medicare beneficiaries through a hotel computer, and then failed to delete the file. In a Washington Post story by Kevin Freking, “Medicare Beneficiary Data Left in Hotel,” it was an auditor from the Department of Health Services, using the exact same hotel computer in Baltimore that caught the mistake.

If I recall correctly, in every incident, the statement was made: “There is no evidence that the information fell into the wrong hands and was misused.” This will probably end up being the quote of the century. Perhaps, one of the most famous disclaimers ever written, and it probably didn’t require a staff of legal experts.

And here’s why it’s so ludicrous. It’s what I call Identity Theft 101.

No, there is no evidence the thieves have used the private information yet, because they are smarter than the businesses and government agencies they lifted it from. When the inexperienced culprits who took it in the first place realize they can’t use the data, and because of the media attention—which, by the way, is justified—this petty thief will sell it to the next level of the more sophisticated identity swindler. This bunch will sit on it for a year and one day, when the credit monitoring has expired, and go for the gold. Yours, that is.

Eventually, the inexperienced, petty thief will graduate to Identity Theft 102, or higher, realizing that you can easily cut out the middle-person since data gatherers are focused squarely on profits, not consumer security. In this scenario, the students will excel in their field without ever graduating.

Wednesday, June 21, 2006

FEMA and ChoicePoint Deserve Each Other, but We Don't Deserve Either

According to the Government Accountability Office (GAO), poor information technology and lack of management controls is responsible for as much as $1.4 billion fraudulently paid out in hurricane relief funds by FEMA. Lack of management is FEMA’s specialty, but not securing the technology to access consumers’ personal data takes their incompetence to yet another level since every other governmental agency does it regularly. FBI, Homeland Security, Pentagon, NSA, Justice Department…the White House.

Michael Arnone writes in Federal Computer Week, that the GAO uncovered this figure through the same technology that FEMA should have used to catch the crooks: data mining and database matching techniques. His article, “FEMA pledges better disaster relief fund payouts,” quotes the GAO as saying that around 16 percent of the disaster assistance was questionable. Some of the millions of dollars even went to federal and state prison inmates.

So far nothing unexpected. However, then Arnone drops the bombshell. FEMA has hired data broker ChoicePoint to verify identities, using Social Security numbers for those applying for assistance. That’s the same ChoicePoint that led the charge in February of 2005, with 145,000 personal records stolen by ID thieves, an incident that was revealed only because of a new California law on identity theft.

Not satisfied with the original version, ChoicePoint goes for two sequels, one totaling 9,900 names and private information stolen September of 2005, another 17,000, November of the same year. That’s almost 172 thousand consumers who have had to run for cover, and sweat out the threat that their identities could be taken from them at any time. Maybe tomorrow, maybe next month, or even a year or two from now.

By the way, the Federal Trade commission reports that there have already been at least 800 cases of ID theft resulting from the ChoicePoint breaches.

According to an Information Week article by Thomas Claburn, titled “The Federal Information Tax,” the government has become one of ChoicePoint’s best customers. Based on the Privacy Act of 1974, there are major questions regarding what the feds can ask for from these data brokers, and also what private information they are allowed to maintain on American consumers.

This fact notwithstanding, the question is, after three data breaches by ChoicePoint, are they qualified to provide personal data on consumers for businesses or government? Privacy Activism, a non-profit organization reporting on privacy issues, isn’t sure. In an article, “Privacy Activism study finds new problems for ChoicePoint, Acxiom,”they found a majority of participants found errors in the most basic of biographical information: name, Social Security number, address, and telephone number.

But the shock of the day was that the background check reports (your private information) provided by ChoicePoint were inaccurate 73 percent of the time. By the way, the same Acxiom figure was 67 percent.

Are you ready to see the light and demand federal legislation to give you control over your name and personal data, and, pay you when it is sold? Let me hear from you.

Tuesday, June 13, 2006

British Consumers Aren't Stupid Either

No, consumers in the United Kingdom aren’t stupid; as we also agreed in my last post, neither are Americans. The big difference is that the Brits are doing something about it, and this country isn’t. By “country” I mean the Bush administration, congressional leaders on both sides of the aisle, and you, the consumer.

You can forget the Bush/Cheney duet when it comes to going to bat for the average individual. If neither business nor the moneyed elite profit in the transaction, there’s absolutely no interest on their part.

And then, while Washington flounders in a mass of mostly meaningless legislation on identity theft, the U.K. has had the Data Protection Act (DPA) since 1998, which seeks to strike a balance between the rights of individuals and the sometimes competing interests of business. Anyone processing personal information must notify the Information Commissioner’s Office (ICO) that they are doing so, unless their processing is exempt.

In my last post, “Is the American Consumer Stupid?,” I quoted from an article in junk mail industry publication, Direct, and an interview with Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams in Washington. One of his points is that U.S. privacy laws are based on preventing harm, as compared to European law which is based on giving consumers control. Actually, Abrams was saying that American business has it easy, compared to the United Kingdom.

The Brits have taken control over consumers’ names and personal data with the requirement that business must inform the ICO of their use. Yes, there are exemptions, but this is the kind of balance we must strive for if we are to put a stop to the current identity crisis in the U.S. I would advocate that we take it one step further, and give the control to individual consumers, and pay them when their names and private information is sold.

But this won’t happen unless you speak up and tell your congressional representatives that you’re tired of this crap and won’t take it anymore. Contact your elected officials in the House of Representatives and in the Senate.Tell them you read about this in The Dunning Letter, and you want to know why we are eight years behind the United Kingdom.

On the other hand, the UK is having its own problems with compliance; naturally, in the business community. As late as November of 2005, that country’s Accountancy Age journal reported in the article, “Data protection disaster looms for thousands,” that less than half the profession’s companies had registered with the ICO, a requirement costing only £35, $64.48 U.S. Apparently the accountants aren’t the only non-compliers in Great Britain, but the ICO is threatening further action.

Which all goes to say that eight years after the enactment of the UK DPA, there are still problems that will probably take yet more time. But the U.S. Congress is currently muddling through several bills on the ID theft issue—most of which will not get the job done—which are really delay tactics to soothe us into believing they are working on our behalf. They aren’t.

If we don’t get serious about this today, tomorrow could pose an ID crisis for your family. Folks, there have been eighty-three data breaches since the beginning of 2006, and there were 8.9 million victims of identity fraud in 2005.

Take a look at the Chronology of Data Breaches, and the Javelin/BBB ID Theft Survey, both from Privacy Rights Clearinghouse, and if you can come away from that with indifference, and you are in the majority, we are on a fast track to George Orwell’s Big Brother.

Wednesday, June 07, 2006

Is the American Consumer Stupid?

I don’t think so, although government and business are steadfast in their efforts to convince us that we are not competent to manage our personal affairs. Like controlling our names and private information so that they don’t fall into the hands of ID thieves. Like government and business are better equipped to do this.

The latest major incident is the 26.5 million records lost by the Veterans Administration; some moron took it home with him where it was later stolen. The first occurrence was a theft from data broker, ChoicePoint, in February 2005, who revealed the loss only after being forced to by California law. There have been twelve more breaches since the VA abduction May 22, and you can see the whole sordid story at the Privacy Rights Clearinghouse site, “A Chronology of Data Breaches Since ChoicePoint.”

Total personal records lost or stolen as of this date: 84,797,096. It will probably increase even before I can post this article.

So back to my original question: Is the American consumer stupid? Since I’ll bet you agree with me that most of us aren’t, why are we being treated as if we are too dumb to regulate the use of our names and personal data? And why haven’t we, as an intelligent group, risen up and demanded to take command over this most valued possession? Actually, the second question answers the first.

Just as George Orwell’s citizens of Oceania were completely apathetic about the Party and Big Brother controlling their lives, today’s population is at an indifference level regarding their privacy that is alarming. With just over 9 million victims of identity fraud confirmed, and a huge media circus built around the data breach hullabaloo in 2005, an Experian/Gallup survey at the end of that year recorded an ID theft concern rate of a dismal 35 percent.

I don’t have to point to, nor even provide any specific quotes, as to how the government has contempt for our intellect. From Bush on down, we are being told that: 1)either things are not as bad as they seem; 2)that someone is looking into and analyzing the situation; or 3)that Congress is drafting legislation to solve the problem. Unfortunately, we’re batting zero on one, and two and three are very questionable.

From the standpoint of business, particularly junk mail and non-junk mail companies maintaining dossiers on every U.S. household, and including data brokers, I can speak with some authority. There is a high level of concern over potential privacy laws, but this bunch still chooses to stick their heads in the sand. Outwardly, they are exclaiming concern that consumers will get control over their names and private information, but inwardly, still convinced they own your data.
Kinda like 1984’s Doublethink.

A recent case in point is an article, “Bad Law Rising,” in a junk mail publication, Direct, by Ray Schultz, Editorial Director. Schultz is a good journalist and from past articles, has a high respect for consumer privacy. He talks with Martin Abrams, executive director, Center for Information Policy Leadership at Hunton & Williams in Washington. Also well respected in the industry.

The interview focuses on financial data, which is certainly one of the most important areas we want to protect. Abrams first statement is, “Privacy law in the United States is unstable.” For the most part, his remark refers to the effect on business, not the consumer, and he rightfully states that much of the fault lies in the advance of technology. What is downright frightening is that he feels any real change has to come from the top (not sure if this is government or business) and is three to seven years away.

By then, the identity crisis will have arisen to humongous proportions, a situation that could very well stop commerce in its tracks. At that point, it won’t matter who we are for the chaos will probably shut down both government and business.

More on this issue next time. How individual control over names and personal data works in the United Kingdom.

Thursday, June 01, 2006

It's Monday Morning. Do You Know Where Your Name Is?

When the junk mail industry—and that includes data brokers like ChoicePoint, Acxiom and LexisNexis—opens every Monday morning, there is already a flurry of data mining going on. Actually, the predictive modeling episodes have been in progress over the weekend, sort of a 24/7 event in this business. And your name and personal data? Always an integral part of the process.

During my tenure as a broker of mailing lists, I became interested, and eventually learned the technique of predictive modeling, primarily as a targeting means, to cut down on my clients’ “junk mail.” Most data mining/modeling companies work at the individual household level with their personalized data, something I refused to do. Working only with zip codes, it was possible for me to get acceptable results, while not encroaching on the privacy of individuals.

So what really happens when computer meets your private information in the process of data mining? First of all, there is a human being conducting the modeling procedure, who, by the way, is privy to all your personal data. Usually, there are assistants with the same access. The data arrives at the data mining company in a digital format. It is delivered by one of the services like UPS, who lost 3.9 million records of the Citigroup in mid-2005, including customers’ names, addresses, Social Security numbers, account number, etc.

Let’s say the data arrives securely, but then it must be logged in by a clerk in the tape library. In my 35 years experience in junk mail, this was where an alarming number of computer tapes housing your private information were lost. Just vanished. But in our hypothetical case it is accounted for and moves on to the people who analyze the data. Could be one or several, and each has entrĂ©e to all your private information.

Next, it reaches the human being doing the modeling, with advice from the analysts on how to crunch the data. Here’s where the fun part starts. Let’s say Sharper Image has a home humidifier/air purifier that sells for over $500, and they want to target households that both can afford the item, and have some underlying health issue need. This is where your personal data comes into play.

First, the modeler might determine if you own a home, moving next to your home value for verification, then to your income to substantiate your ability to buy the product. Other factors are marital status, children in household, whether you are a junk mail shopper, and your education level, the latter two confirming that you might carefully read the humidifier advertisement.

Our human being will want to know if there are any pets in the home, whether anyone is a smoker, who has what allergies or related ailments, and what medications are being taken, which further confirms these allergies. Other factors like your fitness level, what you buy from junk mail catalogs, and what you buy at the super market could be used.

All this data is fed into high technology software that will look at each item, determine its relevancy, evaluate its impact on the purchase of the humidifier, and spit out millions of qualified names and addresses. Sound simple? It is if you are experienced in data mining and have sophisticated programs at your disposal like neural networks (artificial intelligence).

So what’s the downside to this for the average consumer? Sharper Image determines who wants their humidifier, and you get a mailing you might just be glad to receive for a change. The answer is that nothing is wrong if you had control over your name and private information from the beginning. I am talking about my concept to pass federal legislation to give you this control, and pay you when it is sold.

This would have allowed you to say yes to the whole procedure, knowing your name and personal data was out there in junk mail limbo, able to target the breach immediately if it occurred. Believe me, the security level of your data would be significantly higher than it is now, if the junk mailers knew you had this control.

Folks, the alarming rate of stolen private information is only going to get worse. Your enlightenment is the sole purpose of this blog, and it is posts like this that point the need for individual control

There’s more to say about this in future posts. Encryption of data is one of the top levels of protection. Another possibility is anonymous separation of name and personal data. Something being used in the United Kingdom, and being explored in the U.S.