Identity Theft in the News
Around the country, researchers, business leaders and lawmakers are exploring identity theft and how to protect American citizens. Identity theft is a very real problem, and has caused headaches for millions and forced thousands into bankruptcy. Here's a summary of the latest identity theft research and prevention going on in the United States.
Data Breach and Identity Theft News Updates for June 27, 2008
Blackmailing Trojan Infects Computers
As if people don't have enough financial problems, a computer security company has discovered a new type of malware that is being used to hold computer owners' data for ransom. Computerworld reported that the "ransomware" encrypts all of the files on the infected computer and then displays a message demanding money for a key to unlock the data. The newest variant of the malware code encrypts 143 different file types, including .bak, .doc, .jpg and .pdf files and deletes the originals. After the damage is done, the trojan attempts to delete itself. A message then appears on the computer giving the user an email address to contact the hacker to purchase a decryptor key. Kaspersky Lab, a Moscow-based antivirus firm, is calling for all cryptographers, governmental and scientific institutions, antivirus companies and independent researchers to help crack the code that this trojan uses.
Data Breach Notification Laws Not Lowering Incidence of ID Theft
Although 43 states have enacted data breach notification laws over the past five years, researchers at Carnegie Mellon University have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission showing that the legislation has not reduced the incidence of identity theft. The statistics show no significant decrease in the number of reported identity theft cases before and after data breach notification laws went into effect, according to a report by the IDG News Service. The study did find that factors such as each state's population, gross domestic product and fraud rate did have an influence on the rate of identity theft.
Most IT Managers Say Data Breaches Should Not Be Revealed
According to a recent survey by content security specialists, Clearswift, 78 percent of IT managers in the United States said that the public should not be informed about company security and data breaches. Although the majority did not think the general public has any business knowing about exposed data, 95 percent did say that they thought that affected customers and partners should be informed. Only 42 percent of the IT professionals felt that industry regulators should be informed of data breaches and a mere 32 percent felt that calling the police was necessary. About 19 of the organizations that were polled had suffered a data breach or loss in the previous 12-18 months and 54 percent of the IT decision-makers who were polled were unaware of data breach disclosure laws.
Verizon Says 87 Percent of Data Breaches Are Avoidable
The Verizon News Center has issued a press release with the results of the 2008 Data Breach Investigations Report. The report spans more than four years and more than 500 forensic investigations involving 230 million records. Hundreds of corporate data breaches were studied, including three of the five largest incidents ever reported. The study found that almost nine out of 10 corporate data breaches could have been avoided if reasonable security measures had been in place. Most data breaches that were investigated were caused by external sources, but 39 percent were caused by business partners. The study found that a combination of events usually led to most of the data breaches, rather than a single slip-up. Sixty-two percent of the data breaches were caused by significant internal errors. Of the deliberate data breaches, 59 percent were caused by computer intrusions and hacking. A full 90 percent of known vulnerabilities exploited by hackers could have been easily patched, with the security fixes having been available for at least six months prior to the breach.
Data Breach and Identity Theft News Updates for May 20, 2008
17,000 Military Employees' Data Shopped Around by Contractor
Randall Craig, a former computer contractor for the U.S. Marine Corps, was accused of selling names and Social Security numbers of 17,000 military employees and has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft, according to the U.S. Department of Justice. InfoWorld reported that Craig admitted to selling the information contained in a military database to a person who he believed represented a foreign government. The person who bought the data from Craig for $500 was actually an undercover FBI agent. While meeting with the undercover FBI agent, Craig revealed that he had also been in contact with other foreign countries to offer his data theft services. He will be sentenced on July 28.
Data Breach and Identity Theft News Updates for April 11, 2008
Sensitive Information on P2P Networks
A report by Information Week has indicated that peer-to-peer networks are filled with confidential documents that contain personal and business information that could be used for identity theft. A search of the Gnutella network uncovered spreadsheets, billing data, health records, internal audits, product specs and meeting notes of businesses. When installing popular P2P programs, the default installation often shares all documents in the "My Documents" folder of Windows. It's not likely that all of the sensitive information found on Gnutella was shared on purpose, but instead shared unknowingly because of default settings. With millions of P2P network users, there is an enormous amount of sensitive data readily available to identity thieves.
Hannaford Customers Victimized by Malware
Hannaford has released a statement indicating that they had met the compliance standards set by Visa and other credit card companies, but that the recent massive data breach was caused by malware installed on the computer servers of 300 of their stores. Malware is malicious software that is secretly installed on computers. The malware installed on the Hannaford servers was designed to steal the credit and debit card data of customers as they paid for purchases at the stores. The stolen data was then transferred to a server overseas. Hannaford's data breach potentially compromised the account numbers and expiration dates on all 4.2 million credit and debit card numbers used at its stores in six states between Dec. 7 and March 10. Approximately 2,000 cases of fraud in connection with the breach have been reported, according to a report by The Boston Globe. A breach in the company's firewall could have allowed the malware to be installed on the servers remotely. In a letter to customers, Hannaford said that they have replaced all of the hardware that the malware had been installed on.
LexisNexis Settles with FTC
The LexisNexis Group of British publishing giant Reed Elsevier Inc. has reached a settlement with the Federal Trade Commission over a 2005 data breach that compromised the personal information of thousands of Americans at its Seisint unit in Boca Raton. The Palm Beach Post reported that LexisNexis has agreed under the terms of the settlement to maintain a wide-ranging data security program that will be subject to periodic third-party audits. In the LexisNexis data breach, no credit reports were exposed and the company was able to avoid being fined.
Man Heads to Court for Dumpster Diving At Bank
A man from Fairfield, Connecticut is headed to court on civil charges that he violated a restraining order that a bank had won against him. James Hastings had gone through the trash outside of People's United Bank branches in Fairfield County. He found bags of paperwork that included sensitive information, including customers' Social Security numbers and account information. The bank won a restraining order against him in March; the restraining order required him to not discuss the matter or distribute any of the information that he dragged out of the trash bins. The bank claims that Hastings is trying to extort cash from them and that he had asked to be hired as a fraud consultant. Hastings denies the allegation. The Associated Press reported that Hastings has been interviewed by the Connecticut Post since the restraining order was issued. Most of the documents have been turned over to the police, but Hastings says he has some of the documents in boxes and hopes to turn them over to state Attorney General Richard Blumenthal. The attorney general's office has declined to speak with Hastings until lawyers review the restraining order.
Data Breach and Identity Theft News Updates for March 28, 2008
Data Thief Sentenced to Prison
A former Compass Bank programmer who stole a hard drive that contained about 1 million customer records including names, account numbers and passwords has been sentenced to 42 months in prison. James Kevin Real used some of the information contained on the stolen drive to commit debit-card fraud. The Alabama District Court judge who sentenced Real also ordered him to repay more than $32,000 that he and accomplice Laray Byrd stole from customer accounts using counterfeit debit cards between May and July last year. This compromise of banking information is one of the largest bank-related data breaches ever revealed in terms of the number of customers' banking records that were potentially exposed. However, as Computerworld reported, the story was not picked up by the media until Real's recent sentencing.
Class Action Lawsuit against Hannaford
PR Newswire reported that on March 19, 2008 the law firm of Berger & Montague, PC filed a class action suit in the U.S. District Court for the District of Maine on behalf of all consumers in the United States whose credit card or debit card data was stolen during a computer network data breach at Hannaford Brothers Co. supermarkets. The lawsuit alleges that Hannaford was negligent because it failed to secure customer credit and debit card data. A computer hacker was able to steal 4.2 million unique credit and debit card numbers from Hannaford causing 1,800 cases of credit and debit card fraud so far. This massive data breach affected all of Hannaford's stores in the U.S. as well as Sweetbay stores in Florida.
Man Arrested for Hospital Computer Theft
A former patient at the Roudebush VA Medical Center has been arrested and charged for the theft of a laptop computer, computer monitors and printers that were stolen from the facility last year. The Indianapolis Star reported that the hard drive of the stolen laptop contained the medical records of almost 12,000 patients. Police arrested 50-year-old Joseph A. Radican of Indianapolis and have charged him with one count of Class D felony theft in connection with the theft of the hospital computer equipment. He was identified through surveillance video as the person who took the equipment. Radican is scheduled to appear in Superior Court on April 15.
Certegy Proposes Settlement in Class Action Lawsuit
Certegy Check Services, the company that lost the personal financial information of millions of Americans last year in a data breach from within the company, has proposed a legal settlement in the class action lawsuit against the company. SCMagazine reports that security analysts are criticizing Certegy's proposed settlement for falling short of protecting the victims. The tentative settlement between Certegy and class action lawyers has been submitted to U.S. District Judge Steven D. Merryday in Tampa, Florida for review. The proposed settlement offers a limited amount of help to some of the 8.4 million customers whose personal data was stolen over a 5-year period by a Certegy employee. Under the agreement, Certegy would offer credit and bank account monitoring, identity theft reimbursement capped at $4 million, reimbursement of some credit monitoring fees, and enhanced security. The settlement also calls for one free year of credit monitoring for eligible consumers who were affected by the data breach. However, the proposed settlement limits the number of eligible consumers to about 1.25 million.
Data Breach and Identity Theft News Updates for March 21, 2008
FTC Settles Breach Complaint against Goal Financial
PC World reports that the U.S. Federal Trade Commission has recently settled a complaint it had filed against student lender Goal Financial alleging that the lender failed to safeguard personal data. According to the FTC complaint, Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the data to a competing lender between 2005 and 2006. In 2006, the company also allegedly allowed an employee to sell a hard drive that contained the unencrypted personal information of 34,000 customers. In the complaint, the FTC charged that the company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information. As part of the FTC settlement, Goal Financial must implement a complete and sophisticated information security program and be audited by an independent security professional every other year for 10 years. This was the 17th case the FTC has brought against companies for allegedly lax data security practices.
Encrypted Data Not Secure
In many situations personal data that could be used by identity thieves is stored encrypted. Many people believe that this is a secure way to store sensitive information and that, if the computer hard drive, laptop computer or data storage device is lost or stolen, the encrypted data would still be safe. However, McGrew Security recently reported that even encrypted data is not safe. A paper recently published by researchers at Princeton University explained the process of recovering encryption keys from memory after a cold boot. The RAM inside a computer holds information that is not immediately erased when the computer is powered down; its contents fade over seconds to minutes, and persist longer if the memory chips are cooled, so a machine that is running, sleeping or only just switched off still has its keys in memory. Once the encryption keys are recovered from the computer, an identity thief can access all of the information on the hard drive.
State Data Breach Notification Laws Differ
As of this writing, 39 states and the District of Columbia have passed data breach notification laws. Iowa has a pending privacy breach notice and credit freeze bill. Each state law is a bit different. While some exclude mandatory data breach notifications for encrypted data, others exclude financial institutions and government entities. In addition to state laws having different requirements for data breach notification, each state seems to have different definitions of common terms so even states that have similarly worded laws could be drastically different. For example, some states have technical specifications of what the definition of encryption actually is, while other states use vague language. As far as what actually constitutes a data breach, the states also widely differ. Some states name specific situations that define a data breach, while others only give a vague description of what may constitute a data breach. In some states the breached data must be computerized, in others any type of data breach requires notification. Under some state laws, if the data is even password protected no notification is required. As far as specifically defining when consumers must be notified of a data breach, some states are very specific about when and how the notification must be made but others give little or no specific information of the notification requirements. In some states notification must be sent to the state Attorney General as well as to the consumers who may be affected. The bottom line is that there are no standardized rules for state data breach notifications and each state deals with the issue very differently.
Data Breach and Identity Theft News Updates for March 6, 2008
UC Berkeley identity theft theorist Chris Hoofnagle recently released a study on identity theft in major U.S. financial institutions. His findings point to a lack of understanding of the crime of identity theft, meaning that, since the crime is relatively new, no one has yet developed a standard for reporting and tracking identity theft statistics. He notes that consumers lose out, since businesses and lenders cannot compete for their business by demonstrating any real identity theft prevention edge over the competition. Hoofnagle recommends greater reporting of identity theft incidents and preventions - how many were affected, what products were targeted, how much money was lost/saved, etc. With such identity theft statistics, Hoofnagle believes, Americans will be better equipped to combat and eliminate this crime.
The Arizona Star reports that Arizona's legislature has recently voted to allow consumers to "freeze" and "unfreeze" their credit reports as they choose. Arizona residents can reportedly freeze their credit reports by contacting all three major credit reporting bureaus (Equifax, Experian and TransUnion) by mail and requesting the service. Sources indicate that the state has included provisions such as PIN-protected transactions and minimal five dollar fees (many states charge $10 for each freeze/unfreeze action). The service allows consumers to limit access to their credit reports, thus lowering their chances of being victimized by identity theft.
According to the Portland Mercury, a measure proposed by former Oregon state representative Kevin Mannix would require mandatory three-year jail sentences for first-time identity theft convictions. Interestingly, the measure would reportedly require the same sentence for crack dealers and felony property criminals, which shows how seriously lawmakers view the crime of identity theft. The measure is a long way from becoming law, but demonstrates a legislative awareness of the prevalence of identity theft.