Identity Theft in the News

Around the country, researchers, business leaders and lawmakers are exploring identity theft and how to protect American citizens. Identity theft is a very real problem, and has caused headaches for millions and forced thousands into bankruptcy. Here's a summary of the latest identity theft research and prevention going on in the United States.


Data Breach and Identity Theft News Updates for April 11, 2008

Sensitive Information on P2P Networks

A report by Information Week has indicated that peer-to-peer networks are filled with confidential documents that contain personal and business information that could be used for identity theft. A search of the Gnutella network uncovered spreadsheets, billing data, health records, internal audits, product specs and meeting notes of businesses. When installing popular P2P programs, the default installation often shares all documents in the "My Documents" folder of Windows. It's not likely that all of the sensitive information found on Gnutella was shared on purpose, but instead shared unknowingly because of default settings. With millions of P2P network users, there is an enormous amount of sensitive data readily available to identity thieves.

Hannaford Customers Victimized by Malware

Hannaford has released a statement indicating that they had met the compliance standards set by Visa and other credit card companies, but that the recent massive data breach was caused by malware installed on the computer servers of 300 of their stores. Malware is malicious software that is secretly installed on computers. The malware installed on the Hannaford servers was designed to steal the credit and debit card data of customers as they paid for purchases at the stores. The stolen data was then transferred to a server overseas. Hannaford's data breach potentially compromised the account numbers and expiration dates on all 4.2 million credit and debit card numbers used at its stores in six states between Dec. 7 and March 10. Approximately 2,000 cases of fraud in connection with the breach have been reported, according to a report by The Boston Globe. A breach in the company's firewall could have allowed the malware to be installed on the servers remotely. In a letter to customers, Hannaford said that they have replaced all of the hardware that the malware had been installed on.

LexisNexis Settles with FTC

The LexisNexis Group of British publishing giant Reed Elsevier Inc. has reached a settlement with the Federal Trade Commission over a 2005 data breach that compromised the personal information of thousands of Americans at its Seisint unit in Boca Raton. The Palm Beach Post reported that LexisNexis has agreed under the terms of the settlement to maintain a wide-ranging data security program that will be subject to periodic third-party audits. In the LexisNexis data breach, no credit reports were exposed and the company was able to avoid being fined.


Man Heads to Court for Dumpster Diving At Bank

A man from Fairfield, Connecticut is headed to court on civil charges that he violated a restraining order that a bank had won against him. James Hastings had gone through the trash outside of People's United Bank branches in Fairfield County. He found bags of paperwork that included sensitive information, including customers' Social Security numbers and account information. The bank won a restraining order against him in March; the restraining order required him to not discuss the matter or distribute any of the information that he dragged out of the trash bins. The bank claims that Hastings is trying to extort cash from them and that he had asked to be hired as a fraud consultant. Hastings denies the allegation. The Associated Press reported that Hastings has been interviewed by the Connecticut Post since the restraining order was issued. Most of the documents have been turned over to the police, but Hastings says he has some of the documents in boxes and hopes to turn them over to state Attorney General Richard Blumenthal. The attorney general's office has declined to speak with Hastings until lawyers review the restraining order.

Data Breach and Identity Theft News Updates for March 28, 2008

Data Thief Sentenced to Prison

A former Compass Bank programmer who stole a hard drive that contained about 1 million customer records including names, account numbers and passwords has been sentenced to 42 months in prison. James Kevin Real used some of the information contained on the stolen drive to commit debit-card fraud. The Alabama District Court judge who sentenced Real also ordered him to repay more than $32,000 that he and accomplice Laray Byrd stole from customer accounts using counterfeit debit cards between May and July last year. This compromise of banking information is one of the largest bank-related data breaches ever revealed in terms of the number of customers' banking records that were potentially exposed. However, as Computerworld reported, the story was not picked up by the media until Real's recent sentencing.

Class Action Lawsuit against Hannaford

PR Newswire reported that on March 19, 2008, the law firm of Berger & Montague, PC filed a class action suit in the U.S. District Court for the District of Maine on behalf of all consumers in the United States whose credit card or debit card data was stolen during a computer network data breach at Hannaford Brothers Co. supermarkets. The lawsuit alleges that Hannaford was negligent because it failed to secure customer credit and debit card data. A computer hacker was able to steal 4.2 million unique credit and debit card numbers from Hannaford, causing 1,800 cases of credit and debit card fraud so far. This massive data breach affected all of Hannaford's stores in the U.S. as well as Sweetbay stores in Florida.


Man Arrested for Hospital Computer Theft

A former patient at the Roudebush VA Medical Center has been arrested and charged for the theft of a laptop computer, computer monitors and printers that were stolen from the facility last year. The Indianapolis Star reported that the hard drive of the stolen laptop contained the medical records of almost 12,000 patients. Police arrested 50-year-old Joseph A. Radican of Indianapolis and have charged him with one count of Class D felony theft in connection with the theft of the hospital computer equipment. He was identified through surveillance video as the person who took the equipment. Radican is scheduled to appear in Superior Court on April 15.

Certegy Proposes Settlement in Class Action Lawsuit

Certegy Check Services, the company that lost the personal financial information of millions of Americans last year in a data breach from within the company, has proposed a legal settlement in the class action lawsuit against the company. SCMagazine reports that security analysts are criticizing Certegy's proposed settlement for falling short of protecting the victims. The tentative settlement between Certegy and class action lawyers has been submitted to U.S. District Judge Steven D. Merryday in Tampa, Florida for review. The proposed settlement offers a limited amount of help to some of the 8.4 million customers whose personal data was stolen over a 5-year period by a Certegy employee. Under the agreement, Certegy would offer credit and bank account monitoring, identity theft reimbursement capped at $4 million, reimbursement of some credit monitoring fees, and enhanced security. The settlement also calls for one free year of credit monitoring for eligible consumers who were affected by the data breach. However, the proposed settlement limits the number of eligible consumers to about 1.25 million.

Data Breach and Identity Theft News Updates for March 21, 2008

FTC Settles Breach Complaint against Goal Financial

PC World reports that the U.S. Federal Trade Commission has recently settled a complaint it had filed against student lender Goal Financial alleging that the lender failed to safeguard personal data. According to the FTC complaint, Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the data to a competing lender between 2005 and 2006. In 2006, the company also allegedly allowed an employee to sell a hard drive that contained the unencrypted personal information of 34,000 customers. In the complaint, the FTC charged that the company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information. As part of the FTC settlement, Goal Financial must implement a complete and sophisticated information security program and be audited by an independent security professional every other year for 10 years. This was the 17th case the FTC has brought against companies for allegedly lax data security practices.

Encrypted Data Not Secure

In many situations, personal data that could be used by identity thieves is encrypted. Many people believe that this is a secure way to store sensitive information and that if a computer hard drive, laptop computer or data storage device is lost or stolen, the encrypted data would still be safe. However, McGrew Security recently reported that even encrypted data is not safe. A paper that was recently published by researchers at Princeton University explained the process of recovering encryption keys out of memory after a cold boot. The RAM inside a computer holds information that is not erased when the computer is powered down. After the encryption keys are recovered from the computer, an identity thief can access all of the information on the hard drive.


State Data Breach Notification Laws Differ

As of this writing, 39 states and the District of Columbia have passed data breach notification laws. Iowa has a pending privacy breach notice and credit freeze bill. Each state law is a bit different. While some exclude mandatory data breach notifications for encrypted data, others exclude financial institutions and government entities. In addition to state laws having different requirements for data breach notification, each state seems to have different definitions of common terms, so even states that have similarly worded laws could be drastically different. For example, some states have technical specifications of what the definition of encryption actually is, while other states use vague language. The states also differ widely on what actually constitutes a data breach. Some states name specific situations that define a data breach, while others only give a vague description of what may constitute a data breach. In some states the breached data must be computerized; in others any type of data breach requires notification. Under some state laws, if the data is even password protected, no notification is required. As for when consumers must be notified of a data breach, some states are very specific about when and how the notification must be made, but others give little or no specific information about the notification requirements. In some states notification must be sent to the state Attorney General as well as to the consumers who may be affected. The bottom line is that there are no standardized rules for state data breach notifications and each state deals with the issue very differently.


Data Breach and Identity Theft News Updates for March 6, 2008

UC Berkeley identity theft theorist Chris Hoofnagle recently released a study on identity theft in major U.S. financial institutions. His findings point to a lack of understanding of the crime of identity theft, meaning that, since the crime is relatively new, no one has yet developed a standard for reporting and tracking identity theft statistics. He notes that consumers lose out, since businesses and lenders cannot compete for their business by demonstrating any real identity theft prevention edge over the competition. Hoofnagle recommends greater reporting of identity theft incidents and preventions - how many were affected, what products were targeted, how much money was lost/saved, etc. With such identity theft statistics, Hoofnagle believes, Americans will be better equipped to combat and eliminate this crime.

The Arizona Star reports that Arizona's legislature has recently voted to allow consumers to "freeze" and "unfreeze" their credit reports as they choose. Arizona residents can reportedly freeze their credit reports by contacting all three major credit reporting bureaus (Equifax, Experian and TransUnion) by mail and requesting the service. Sources indicate that the state has included provisions such as PIN-protected transactions and minimal five dollar fees (many states charge $10 for each freeze/unfreeze action). The service allows consumers to limit access to their credit reports, thus lowering their chances of being victimized by identity theft.

According to the Portland Mercury, a measure proposed by former Oregon state representative Kevin Mannix would require mandatory three-year jail sentences for first-time identity theft convictions. Interestingly, the measure would reportedly require the same sentence for crack dealers and felony property criminals, which shows how seriously lawmakers view the crime of identity theft. The measure is a long way from becoming law, but demonstrates a legislative awareness of the prevalence of identity theft.