Group items tagged

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The federal government has a key role to play in researching and organizing a national response to the problem of medical identity theft, authors of a government-funded study have concluded. Patients, providers, payers and other members of the healthcare community also must join in the effort to combat a problem that is serious, although as yet its scope is not fully known, the report stated. Contractor Booz Allen Hamilton released the report last week. It represents the final phase of the $450,000 study funded last year by the Office of the National Coordinator at HHS. The study consisted of three parts, the first being to review existing knowledge about medical identity theft as well as policies and practices to prevent it. Those findings were included in a research paper on the subject released last October. The second phase involved a public meeting Oct. 15, 2008, the same day the paper was released, to "open a dialogue about medical identity theft within the healthcare industry. The final phase, the 26-page report, includes 31 "potential actions," which are recommendations that could form a national policy on medical identity theft. While medical identity theft "may be categorized as healthcare fraud," according to the report, "there are unique and important distinctions of medical identity theft that need to become more commonly understood to address this issue effectively." One difference, the report authors noted, is that the primary motive behind healthcare fraud "is most often monetary gain, such as when fraudulent providers bill for more expensive services than those rendered. However, medical identity theft tends to be focused on the use of someone else's information to gain goods, services and healthcare." IT could hurt, help Therefore, undetected medical identity theft poses medical risks to its victims, since their medical records may contain inaccurate and potentially harmful information that may cause them not to be con

With the Federal Trade Commission (FTC) promising to begin enforcing the "Red Flags Rules" on May 1, the FTC launched on Thursday a website aimed at helping entities adhere to the requirements. The rules, designed to reduce identity theft, requires that creditors and financial institutions create and implement an identity theft prevention program. The website describes the entities covered by the rule and provides information, articles and guidance to help entitles develop ID theft prevention programs, the FTC said in a news release. One of the resources on the site is a how-to guide that provides tips for identifying and stopping ID theft. The rules became effective Nov. 1 but will not be enforced by the FTC until May 1. Last October, the FTC extended the original Nov. 1 enforcement deadline because many companies were not prepared to meet the original requirements, the FTC said. Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Friday that the FTC has been tight-lipped about how the rule is going to be enforced -- likely because they don't want companies looking for ways to get around it. Goodman said that based on his conversations with those in the industry, the FTC will likely enforce the rule on a case-by-case basis. The FTC maintains a database that tracks all identity theft cases reported to the agency. If they hear of instances of identity theft associated with a company, the FTC may ask for a copy of the company's identity theft prevention program, if any, Goodman said. If the entity has a program in place, the FTC will make a determination of whether it's adequate. The May 1 enforcement deadline extension applies to entities under the FTC's jurisdiction, which includes state-chartered credit unions. The extension did apply to the the majority of the estimated 11 million businesses that must comply with the requirements, Goodman has said

On Monday two women from Fort Pierce were arrested for committing 300 different cases of Identity theft on the Treasure Coast and South Florida. The two women go by the names of Tychell Letrein Robinson, 33 and Patrice V. Johnson, 26. According to the Federal Trade Commission, in 2007 Florida took fifth place in nation with regards to the number of ID theft victims per 100,000 residents. The FTC also estimated that about 9 million Americans have their identities stolen every year. The Fort Pierce Police Department, the Port St. Lucie Police Department, the Sheriff's Office as well as the U.S. Postal Service worked together in a two year investigation in order to track down these two criminals. Law enforcement agencies discovered that the arrested had somehow managed to steal the personal information of several victims and open new accounts in their names. Authorities believe that the women bought a lot of their identifying information from accomplices. In a news conference on Monday afternoon, Sheriff Ken Mascara mentioned that criminal circles were well aware that the arrested would pay accomplices $50 in exchange for peoples sensitive information. Authorities discovered that the two women met while they were both under the employment of Liberty Medical. Apparently Robinson headed the criminal operation and taught Johnson all she needed to know with regards to making thousands of dollars every week through identity theft. The arrested managed to target victims in Florida from Orlando to Clearwater and even Palm Beach. The majority of victims were from St. Lucie County and the Treasure Coast. Unfortunately it is still not clear to law enforcements exactly how the women obtained all the stolen information. police.jpg It was in the early hours of Monday morning that the police arrived at the homes of the arrested with search warrants. Two vehicles, six computers and ledgers filled with victims sensitive information were confiscated by authorities, and the women w

The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumer's personally identifiable and financial information entrusted to businesses and other organizations. Many suchidentity theft, id theft, government security, government privacy regulations aim to prevent identity theft and privacy violations. While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or "crackers" who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President's Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.

The first sign that something was wrong seemed harmless: A new Dell credit card arrived in my mail one afternoon. More landed in the mailbox the next day. Macy's. Bloomingdale's. Crate and Barrel. Radio Shack. Then later: Visa Sony, Toys R Us and Lowe's cards turned up. I didn't request any of these cards. My first call to Dell revealed what I suspected. Someone had applied for a credit card using my name. I felt violated and vulnerable. Then, it hit me: I've become a statistic, a victim of identity theft. A thief had taken my name, my credit and my identity and managed to spend more than $8,000 (money that, I'm grateful, I didn't have to pay). I still don't know who the culprit was or how it happened. All I know is that if this happened to me - a Sun Sentinel consumer affairs and watchdog reporter - it can happen to anybody. Thieves move quickly Identity theft is the fastest growing crime in the United States, according to the Federal Trade Commission, which enforces identity theft laws. Experts estimate 10 million Americans become victims of identity fraud each year. Last year, businesses lost $56.6 billion to ID theft, the commission said. I've spent hours on the phone talking to fraud investigators, credit bureaus and bank staff as I've tried to sort out the mess that is now mine to clean up. I was exhausted every time a call ended. Individual investigations, conducted by fraud departments for each of the credit card companies that issued accounts in my name, took months to complete before concluding I was a victim of ID fraud. But there is a bright side to this story. I thought I knew how to protect myself. But what I've learned through this experience has taught me that you can never be too careful. I also learned some hard lessons along the way about how best to safeguard my personal information in the future - and respond, if my identity is targeted again.

Consumers, who become victims of identity theft through access to public records, do not have a clue as to how they became a victim. They cannot know unless the fraudster who "legally accessed" the public information is caught and confesses that they used or sold the information for identity theft. Most often end users of stolen identities are caught, not the kingpins. Illegal immigrants who purchase identities on the street sometimes for hundreds of dollars do not know the source. * What can an identity thief do with a name and SSN? Here is a short list. * Make a fake Social Security Card (see image below) * Make a fake Medicare Card and get medical treatment and Medicare benefits * Use the fake Social Security Card to get a driver's license or passport * Get a job and government benefits. * Get credit and open new financial accounts * Get housing, utilities and phone service * Get insurance * Thieves use fake ID to elude law enforcement by pretending they are you.

"A CEO who publicly posted his Social Security number on billboards and TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says. The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc., which is based in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud. Davis has previously admitted that he was the victim of an identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan which wasn't repaid and ended up being handled by a collection agency. The New Times reported that Davis has been a victim of similar ID theft at least a dozen more times."

Might not want to put much stock in Lifelock.

"Identity theft can happen to anyone," is the frequent refrain of government and advocacy groups warning consumers about bank fraud. What they don't add: The crime is far more likely when that "anyone" is a woman. A study released Monday by the fraud-tracking firm Javelin Research showed that women are 26% more likely than men to be the victims of identity theft. While 3.8% of men had their banking details stolen and used for fraud in the last year, 4.8% of women were victimized. And women took far longer on average to discover their financial identities had been compromised, leading to far greater risk of repeat fraud: Women took 83 days to detect they'd been targeted, compared with 45 days for men. The growing reason behind this disparity, argues Javelin President James Van Dyke, is an often-misunderstood trend: Digital commerce is making identity theft harder, rather than easier. Because men are statistically more likely than women to adopt newer technologies such as online banking and shopping, they more often have the benefit of high-tech safeguards, Van Dyke says. Women, because of their lesser use of Web banking and sales, suffer from more old-fashioned fraud caused by stolen credit cards or retail employees, he says. Fifty-eight percent of women, for instance, have never banked online, compared with 55% of men, according to Javelin's study. That means women are less likely to sign up for fraud protection programs like text message or e-mail alerts that warn of abnormal transactions. Twenty-three percent of men use e-mail alerts, compared with 15% of women; 8% of men receive text message warnings, compared with just 3% of women.

For the second time in the same case, law enforcement in Denver turned away a key component in hundreds of instances of identity theft. The first time, it was a box full of stolen documents found in a storage unit, turned away by a Denver Police officer. This time, it was the main suspect, turned away by the Denver Sheriff's Department. The Denver Sheriff's Department admits the man believed to be at the center of an identity theft operation, 46-year-old Paul Simmons, tried to turn himself in at the Denver City Jail 16 hours before police arrested him. A warrant had been issued for his arrest and was entered into the system at 10:15 a.m, according to Sonny Jackson, Denver Police Spokesman. Sheriff's spokesperson Capt. Frank Gale told 9Wants to Know Tuesday that Simmons walked into the Denver City Jail around 8 p.m. Monday night. The Denver Sheriff's Department runs the city jail. It is not staffed by the Denver Police Department. Gale says Simmons told a sheriff's deputy he had received a call from an investigator with Denver Police saying he was wanted for questioning in connection with the identity theft case featured on 9NEWS. Gale says the sheriff's deputy then told Simmons there was not a record of him being wanted in the computer, but sent Simmons to check in with the Denver Police Department housed in a separate building across the courtyard at 1331 Cherokee St. Gale said the deputy did not know if Simmons ever made it to the Denver Police building. Denver Police spokesperson Sonny Jackson said Simmons never did. "We really wish he would have taken the 50 steps across the courtyard and talked to us, that would have saved us a lot of time today." Jackson said. "If he [Simmons] really wanted to turn himself in we would have been more than happy to take him into custody."

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research. Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday. Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized. "It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""

A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.

There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."

Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008. Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology. "It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."

"A New York computer technician has been charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to orchestrate a scheme that netted him more than $1.1 million, prosecutors said this week. Adeniyi Adeyemi, 27, of Brooklyn was indicted Wednesday on charges of grand larceny, identity theft and money laundering for crimes allegedly committed between Nov. 1, 2001 and April 30, 2009, according to a news release from Manhattan District Attorney Robert Morgenthau. According to prosecutors, Adeyemi, who was employed as a computer technician working at the headquarters of Bank of New York, stole the personal information of dozens of bank employees, primarily from individuals in the information technology department. He then used the identities to open bank and brokerage accounts, which served as "dummy accounts" to receive stolen funds. Adeyemi then stole money from the bank accounts of numerous charities and nonprofit organizations, and transferred the funds into the dummy accounts, which he later withdrew or transferred to other accounts, prosecutors said."

Canadians who travelled to the United States in 2008 are being advised to check their credit-card statements and watch for signs of identity theft after a massive security breach at a U. S.-based company that processes millions of credit cards. Canada's Privacy Commissioner said yesterday she was shocked to learn that New Jersey-based Heartland Payment Systems, which processes credit-card transactions for more than 250,000 businesses in the United States, had found "malicious software" in its operating system. "I'm amazed to see something this significant can still happen with the importance that not only privacy commissioners, but experts everywhere, are placing on security," Jennifer Stoddard said. "I was concerned to see this going on and the size of it." Tech experts say the hack could be one of the largest ever credit-or debit-card data breaches, and that Canadians should watch closely for signs of identity theft.

Johns Hopkins is alerting more than 10,000 of its hospital patients that they may have been victims of identity theft. An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia, according to this letter from Baltimore-based Hopkins to the Maryland attorney general's office. Most of the patients are at very low risk, the letter says - they're included because the former employee accessed their records in the course of her work. But a few dozen have already been identified as likely victims, and a few hundred who have Virginia mailing addresses and whose records were accessed by the former employee may also be at risk. Hopkins is offering those patients credit monitoring, fraud resolution and identity-theft reimbursement for certain expenses.

U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen. Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement. The suspects also hacked two unidentified corporate victims, the U.S. attorney's office in New Jersey said in the statement. Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities. The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database. The break-in comes just as the swelling ranks of the unemployed are turning to sites like Monster.com to look for work. The company disclosed on its Web site that it recently learned its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday. USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach. Monster.com has been checking for misuse of the stolen information but hasn't yet found any, it said. It has made changes since discovering the break-in but won't discuss them because it doesn't discuss security procedures publicly and because it is still investigating the incident, Richardson said. She also would not disclose the volume of data stolen, but said the company decided it would be prudent to alert all of its users via its Web site.