Ernst and Young is the latest company to fall into the data breach spotlight due to a lost laptop. An E&Y laptop was lost which had the personal information of over 38,000 British Petroleum employees. BP officials began notifying their employees that their personal information may have been exposed and may put them at risk of identity theft. In this particular case, social security numbers were among the personal information on the laptop.

The UK IT Trade web site, The Register, had the following headline:

40,000 BP workers exposed in Ernst & Young laptop loss

Read the rest of this entry »

According to a Raleigh News & Observer article, North Carolina passed a law that allows people to freeze their credit reports to thwart identity thieves. Essentially, by freezing their credit reports, the person creates a shield around their credit report so that companies attempting to view their credit report are denied. Since creditors generally will not grant credit to people when they cannot access their credit report, this keeps identity thieves from applying for credit cards, loans, etc. under the victim’s name. This is one of 40 laws that North Carolina is enacting in order to combat a problem that carries a national cost of $48 billion a ear for businesses and $5 billlion for consumers.

Read more about this by accessing the N&O article here.

The fears and discussions of identity theft have increasingly flooded news sites and blogs in 2005, yet it is not always clear exactly what constitutes identity theft when data breaches and frauds are discussed. For example, the oft-discussed ChoicePoint data breach involved the fraudulent acquisition of over 145,000 people’s personal information, yet less than 1,000 individuals have been reported to have suffered any direct losses as a result. Back on February 18, Cox News Service reported that “the criminals collected enough financial data to begin buying everything from jewels to consumer electronics … at least 765 such crimes have come to light so far” (the article, “ChoicePoint boss keeps low profile amid crisis”, is available on Lexis/Nexis). So is it proper to say that 765 people were identity victims, or 145,000? The media has not particularly attempted to distinguish the 765 victims from the 145,000 exposed to risk. To the media, all have been victims of identity theft - is this an accurate claim?

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

• identity theft: unauthorized access to personal records;

• identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ ends up with how the misuse of an existing credit card is classified. If a criminal simply getting your existing credit card number and embarking on a shopping spree is identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead, we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.

A recent study by Javelin Strategy & Research has found that in 26 percent of all ID theft cases, the victim knew the person responsible for the theft. The same study explains that online identity theft isn’t the largest threat. For those users who are afraid to make purchases online, you may be interested to know that you are more likely to be at risk from dumpster divers. Still, identity theft has tripled in the past couple of years, so make sure you continue to shred personal documents, give out your personal information sparingly, and regularly obtain your credit report.

Click here to read this article.

North Carolina Governor Mike Easley signed into law Senate Bill 1048, “The Identity Theft Protection Act of 2005″ on September 21, 2005. Under this bill, businesses are prohibited from using Social Security numbers to identify customers. The measure requires businesses not to print Social Security numbers on documents, such as health insurance cards. The bill also restricts businesses from selling or displaying SSNs to a third party without an individual

Security company Aladdin’s eSafe Content Security Response Team (CSRT) found that 15 percent of spyware threats succeed in copying a user’s passwords, usernames, hashes of an administrator’s passwords, instant messaging usage, email addresses and other sensitive information. The two-month analysis of top 2,000 known spyware threats shows that there is a growing amount of spyware specifically designed for identity theft. These spyware poses tremendous threats to both personal and commercial privacy, with potentially dangerous effects for large organizations in need of protecting proprietary information. Read a full article of this story.

Author’s recommendation:
For Windows users, please download ALL of the following three antispyware tools and run them once a WEEK on your personal computer. All these three tools are free for personal use:
Ad-Aware
Spybot Search and Destroy
Microsoft Windows AntiSpyware

The Identity Theft Resource Center reports 102 data breaches in the U.S. since Jan. 1, 2005, potentially affecting more than 56.2 million individuals. Most of the incidents could have been prevented with safe data handling practices, for example, sending postcards with Social Security numbers on them or requiring students to place name and SSN on rosters that are passed through classrooms or placed on papers or tests. See a most updated list of 2005 Disclosures of U.S. Data Incidents (PDF). An interesting observation is that a lot of these incidents happened in universities.

The reports of devastation and tragedy coming out of the areas affected by Hurricane Katrina have dominated the news for the past week and a half now. Many of the stories have centered around the outpouring of aid and personal efforts to rescue and restore survivors to some semblance of normalcy. Amidst these efforts, however, have cropped up some stories about the risk of identity theft and the efforts of some to defraud the victims of the storm.

Last week, experts (such as the FTC ID theft program head) were already warning the public of the high risk of identity theft tied to the hurricane’s aftermath. An AP story noted that “Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans.” The risk of credit card fraud and identity theft is clear, as the information leakage was certainly not the first thought of survivors escaping their homes and being rescued from rooftops.

The same article notes that some 2,000 web sites popped up related to Hurricane Katrina relief efforts, but about a dozen are under investigation for potential fraud. Not only is there a risk from completely fraudulent web sites, but also from phishers spoofing major relief efforts such as the Red Cross or Salvation Army. This article notes the email scams already observed and the risk of such phishing attacks increasing in the coming weeks. According to the article, VeriSign has gotten involved in hunting down such phishing efforts and took down two such sites already as of last week.

Some unscrupulous individuals have already been arrested for attempted ID theft. Three people in Mississippi went to a shelter and posed as FEMA officials in an effort to obtain personal information - such as names, birthdates, and SSNs - from evacuees. The AP broke this story on Saturday.

The database at University of Southern California (USC) containing 2,70,000 records of past applicants was hacked. The database records included names and SSN’s of past applicants. USC learned about this breach on June 20 when it was tipped off by a journalist. USC has shut down the website and says it will restore it once new security measures are in place. As per the California law, the University has notified people whose names and social security numbers were in the database of the security breach.

Threats to personal information continue to mount; the latest reported risk to our personal privacy comes from companies selling cell phone records of consumers. For a significant fee, one simply needs to provide a person’s name, address, and cell phone number and can receive a record of that person’s outgoing calls for the past month. Details on several specific (online) companies and their offerings are discussed further in this Washington Post article.

While this sort of service appears to be generally illegal, companies are skirting the cell phone companies’ efforts to stymy the trade of such information. One expert interviewed by the Washington Post says that “information security by carriers to protect customer records is practically nonexistent and is routinely defeated” - a claim that carriers deny, despite the prevalence of companies advertising these services on the internet.