September 2008
Watching the watchdogs
A lingering mystery: Donald Kelble spent years trying to clear his credit record. He’ll never know whether his problems stemmed from information posted online by Ohio’s Franklin County Municipal Court.
Photo by Kevin Foster

Data breaches in which identity thieves deliberately seek personal information for fraudulent purposes pose the highest risk of identity theft. But congressional investigators found that unauthorized use of data by government employees and stolen laptops and computer storage devices were the most common sources of federal data losses.

A 2007 report from the Treasury Inspector General for Tax Administration revealed 24 incidents in which IRS laptops containing sensitive data for 480 taxpayers were lost or stolen because IRS employees put them in checked baggage at an airport, left them in unlocked cars, or lost them on trains or buses. Only one of the employees was disciplined in the data thefts.

Even the Federal Trade Commission, the agency that imposes fines on businesses for egregious data breaches, disclosed in June 2006 a computer-theft incident. Two of its laptops containing sensitive information for 110 people, including financial-account numbers and Social Security numbers, were stolen when two of the agency’s attorneys left them in a locked car.

Though the agency has received no reports of ID theft resulting from the incident, it has tightened its data security, requiring all laptops to be encrypted and password-protected. Portable computer storage devices are biometrically encrypted, requiring the user’s thumbprint to access data. "It was a learning experience for us all," says Betsy Broder, the FTC’s assistant director in the division of privacy and identity protection. "Someone may steal a laptop simply because they want the laptop, but the personal data it contains still can end up in the hands of someone who exploits it."

More insidious is data theft by an insider at a government agency. A prime case was revealed in June 2007, when Tustin, Calif., police detective Gentry Mayfield searched the apartment of Tae Kim after he had been suspected of trying to purchase jewelry with fraudulent credit cards issued in the name of the actor Marlon Wayans, among others. The computer in Kim’s apartment contained a hidden file listing the Social Security numbers of 186,000 U.S. military veterans, the district attorney charges. Each number has a potential black-market value of $500, according to the U.S. Secret Service, even though they weren’t linked to vets’ names.

DID YOU KNOW: You have NO RIGHT TO BE NOTIFIED if someone is using your SSN under another name.
Illustration by David Flaherty

The information had been downloaded from a database at the Department of Veterans Affairs, where Kim had been employed for almost four years as an auditor. If VA officials had conducted a background check on Kim before hiring him, they would have learned that he had a criminal history dating back at least 10 years. "We weren’t doing the job we should have as an organization to ensure no one fell through the cracks, but we have a stronger system in place now for background checks," says James O’Neill of the VA’s Office of the Inspector General. Kim is in jail awaiting a preliminary hearing with bail set at $1 million. His attorney, Gary Laff, says he has pleaded not guilty to the charges.

"We see more and more hardened criminals going into white-collar crimes like identity theft because it’s so profitable, there’s less chance of getting caught, and even when they are, the penalty is much less than it is for armed robbery," Mayfield says.

A valid Social Security number has market value because a growing number of cases fall into a data theft category known as synthetic ID theft: An identity thief uses your number with a different name and address to open bank and credit accounts, or undocumented workers use it to help obtain a job. Even though the two of you are sharing your SSN, albeit without your permission, the new accounts will show up not on your credit report but on a separate report under the name the thief is using.

In the surreal Alice in Wonderland world of credit reporting, since the accounts are not listed in your name, you have no right to be alerted about them or view the other credit report that shares your SSN. That would violate the privacy of the other account holder, the one who stole your identity. You would be clued in only after the fraudster failed to make payments and you began to get harassing calls from debt collectors, according to Broder at the FTC.

Federal law limits credit cardholders’ liability for fraudulent charges to $50 per card. But they might still pay a heavy price by struggling for years to clear up their records with credit-reporting agencies and the government itself.

"Government agencies are among the worst offenders in weeding out data breaches because they have no financial incentive to look for them," says Avivah Litan, an analyst at Gartner Research, based in Stamford, Conn.

Joe Protain didn’t lose a dime as a result of the Franklin County data breach that led to $11,427 in fraudulent purchases and cash advances on four credit cards in his name. But he says he has invested at least 80 hours on the phone with Chase representatives trying to clear up his credit record since the data theft.

Even though Protain had filed a police report and fraud alerts at credit-reporting agencies as soon as he learned he’d become an ID-theft victim, Chase listed him as delinquent on $3,500 in charges he’d never made on a card that was in his name but billed to a different address. The credit problems caused him to be turned down initially for a credit increase to buy $25,000 worth of medical equipment needed for a new office.

"There were days when I’d spend four hours on the phone with Chase trying to straighten this out," Protain says. "Then they turned my account over to a debt collector, who called my father looking for me."

Finally, in May 2008, almost a year after his identity was stolen, Chase notified him that it would inform credit bureaus that the bank’s investigation indicated he was not responsible for the fraudulent transactions.

Chase spokeswoman Tanya M. Madison says for privacy reasons Chase cannot discuss customer accounts but adds, "In cases of fraud, we work closely with impacted customers as well as law enforcement to resolve the situation as thoroughly and quickly as possible."

For Donald Kelble, 57, of Payne, Ohio, the battle to clear his record after a data theft was even longer. He was a victim of ID theft in 2001, after a court record of a traffic accident was posted on the Franklin County Web site. Unlike Protain, he’ll never know for sure whether the county’s court site was the source of his leaked data.

After he’d discovered that identity thieves had taken out credit cards and even a mortgage in his name, Kelble was also surprised to receive a bill from the state of Virginia for income taxes.

"Even though I provided all kinds of documentation to prove I’d never lived or worked in Virginia and owed them nothing, they had a collection agency calling me at all hours," Kelble says, "including once at 3 in the morning." It was not until 2006, he says, five years after his troubles began, that the problem was resolved.