Search This Blog

Wednesday, June 28, 2006

Identity Theft 101

Identity thieves are becoming much more sophisticated in their strategy. You could even say this is becoming a cottage industry since they have so many incompetent businesses and government agencies to work with. The kind that allow their employees to take laptops home with them crammed with personal data on just about every household in the U.S. Any person who would do this has to be working with a double-digit IQ in common sense.

In just the last couple of months, the following organizations have lost a laptop(s) containing combined sensitive information on almost 26.8 million individuals:

• Veterans Administration – 26.5 million
• Hotels.com – 250,000
• IRS – 291
• ING Financial Services – 13,000
• Equifax Credit Bureau – 2,500
• Federal Trade Commission – 110

In many cases the data included name, address, Social Security number, birth date, and credit card information. The perfect formula for ID fraud.

And then a computer server was stolen on March 31, from the Midwest office of insurance giant, AIG, containing 930,000 names, addresses, Social Security numbers and thousands of medical records. The data had been sent to AIG by 690 insurance brokers who were shopping their clients for medical coverage. A “server” seems like a strange thing to steal, unless you know what you’re getting. Read the story: “Stolen computer server sparks ID theft fears” on MSNBC.

That’s just the laptops and one server. There have been several others where hackers have broken into systems, but two are worth mentioning because of the unique methods used.

Somehow, 28,000 sailors and their families ended up on a civilian Web site. Included were names, birth dates, and Social Security numbers. Once again, just what the crooks need. In an MSNBC story, “Sailors’ personal data found on the Internet,” the Navy admits it has no idea how the information was stolen.

Then, one that could top the dunce responsible for the VA breach, a Humana insurance employee called up data on 17,000 Medicare beneficiaries through a hotel computer, and then failed to delete the file. In a Washington Post story by Kevin Freking, “Medicare Beneficiary Data Left in Hotel,” it was an auditor from the Department of Health Services, using the exact same hotel computer in Baltimore that caught the mistake.

If I recall correctly, in every incident, the statement was made: “There is no evidence that the information fell into the wrong hands and was misused.” This will probably end up being the quote of the century. Perhaps, one of the most famous disclaimers ever written, and it probably didn’t require a staff of legal experts.

And here’s why it’s so ludicrous. It’s what I call Identity Theft 101.

No, there is no evidence the thieves have used the private information yet, because they are smarter than the businesses and government agencies they lifted it from. When the inexperienced culprits who took it in the first place realize they can’t use the data, and because of the media attention—which, by the way, is justified—this petty thief will sell it to the next level of the more sophisticated identity swindler. This bunch will sit on it for a year and one day, when the credit monitoring has expired, and go for the gold. Yours, that is.

Eventually, the inexperienced, petty thief will graduate to Identity Theft 102, or higher, realizing that you can easily cut out the middle-person since data gatherers are focused squarely on profits, not consumer security. In this scenario, the students will excel in their field without ever graduating.

No comments: