Underground market for stolen IDs thrives
Jon Swartz and Sandra Block
USA Today
Mar. 3, 2005 10:39 AM
SAN FRANCISCO - When Andrew Sullivan discovered his name, address and
Social Security number might be in the hands of identity thieves, he got
mad. Then he got scared.
"It's sobering when you think of all the people who might have
access (to my data) over the Internet," says Sullivan, 34, an
Internet services manager from San Francisco.
Sullivan is one of 145,000 people whose digital data records were
exposed to criminals in the largest known security breach of a data
broker. But Sullivan's problems with ChoicePoint, a spinoff from
credit-reporting agency Equifax, may be just a glimpse of the headaches
he and millions of others face. ChoicePoint stores an estimated 19
billion public records and functions as a sort of intelligence service
for business and government clients.
The incident underscores the trove of personal digital data floating in
cyberspace and the thriving underground market for stolen IDs,
law-enforcement officials and security experts say. It also highlights
the conundrum of data brokers, who collect and sell personal information
about virtually every U.S. resident but are not federally regulated.
"Crooks are getting better at hacking, scamming and breaking down
doors," says privacy expert Linda Goldman-Foley. "And one of
their biggest targets are data brokers."
That has complicated the jobs of privacy advocates and security experts,
who already face a rise in profit-motivated hackers and sophisticated
computer viruses designed to filch personal information. Now, they must
increasingly cope with paper records stolen from offices and dumpsters
that are quickly spread over the Internet.
9.3 million victims
According to the Better Business Bureau, 9.3 million Americans were
victims of ID theft last year. That figure could rise as more data are
available online, security experts say. About 80 percent of 2,000
consumers surveyed say they are concerned about ID theft online, says
security firm Entrust.
It is difficult to find statistics on the theft and trading of digital
data, but anecdotal evidence and recent events indicate a surge in
activity, law-enforcement officials say. For example:
Bank of America last week said it lost computer data tapes for 1.2
million federal employees, including U.S. senators. The missing tapes
contain customer and account information, including some Social Security
numbers, from a federal government program using Visa cards for
government travel and procurement. The tapes were lost in late December,
during shipment to a backup data center. Federal law-enforcement
officials were notified immediately.
Bank of America has "found no evidence to suggest the tapes or
their content have been accessed or misused, and the tapes are now
presumed lost," spokeswoman Alexandra Trower says.
Privacy advocates, however, warn that the lost data could expose people
to identity theft.
Social Security numbers and addresses for nearly 5,000 people were
potentially exposed by a flaw in an online service of payroll-processing
firm PayMaxx. The company has temporarily closed the service.
Personal data from celebrity Paris Hilton's cell phone/organizer/camera
circulated over the Internet last month. It isn't clear how it wound up
there, but the incident may be linked to an earlier hack that
compromised data for hundreds of T-Mobile USA customers.
Wells Fargo officials concede much of its customer data entrusted to
business partners may be vulnerable, according to an internal Dec. 30
memo obtained by the San Francisco Chronicle. The bank has been hit by
the theft of computers containing sensitive data.
Wells Fargo spokeswoman Janice Smith had no comment on the memo but said
there is no tangible proof of ID theft at the bank.
"It's no secret crooks covet and successfully target digital
data," says Robert Dix, an executive at Citadel Security Software.
"What I fear is an Exxon Valdez of privacy."
Lucrative currency
Personal information has become the currency of choice for criminals
because the credit system allows anyone with an ID to set up lines of
credit until fraud is detected.
"The bad guys would rather steal your future than what's in your
wallet," says Tom Kellerman, senior data-risk management specialist
for the World Bank.
Compromised data are routinely bought and sold by individuals and
organized crime through Internet chat rooms, electronic-payment systems
and online casinos. The data can pop up anywhere - from Russia, where
credit card numbers are ripe for the picking on Web sites, to the Middle
East, where terrorist groups finance operations through ID theft, and
South Central Los Angeles, where street gangs do the same.
In some cases, gangs burglarize homes to steal personal data and leave
jewelry untouched, says Jeff McGrath, a deputy district attorney for the
Los Angeles County District Attorney's office, which is investigating
ChoicePoint. "It's better than gold," McGrath says.
The scale of ID theft rings can be staggering. In October, 28 people in
seven countries were arrested, charged with buying and selling nearly 2
million stolen credit card numbers on Web sites. As many as 4,000 crooks
used the sites, which had apparent ties to organized-crime groups in
Eastern Europe, Argentina and Sweden, says the United Kingdom's National
Hi-Tech Crime Unit.
The break-in at ChoicePoint has rekindled calls for regulation of data
brokers with access to vast personal information. And it has raised the
ire of U.S. senators, several of whom were burned by the Bank of America
episode.
"I'm absolutely furious they would be so negligent with the private
records of so many people," says Sen. Patrick Leahy, D-Vt., whose
personal information was lost. Leahy is calling for tighter regulation
of data brokers. The Senate could hold hearings this month.
Terrorist risks?
Sen. Bill Nelson, D-Fla., and Rep. Bennie Thompson, D-Miss., plan to
request today that Homeland Security and the Government Accountability
Office investigate terrorist risks posed by ChoicePoint and other data
brokers.
The Los Angeles Times reported that ChoicePoint was the victim of a data
leak five years ago, when confidential data for at least 7,000 people
were exposed, resulting in more than $1 million in losses. In a
statement, ChoicePoint said it notified law-enforcement officials about
the incident.
As lawmakers focus on whether more protections are needed, they're
expected to consider mandatory notification of consumers whose data may
be compromised, and letting consumers "freeze" access to their
credit reports.
Currently, California is the only state that requires data brokers to
notify consumers if their personal information is compromised. Sen.
Dianne Feinstein, D-Calif., has introduced a national version of that
law.
California also lets consumers block access to their credit reports and
scores. Texas, Louisiana and Vermont have similar laws that will take
effect later this year. Allowing individuals to freeze access to credit
reports would prevent identity thieves from opening fraudulent accounts,
consumer advocates say.
John Ford, chief privacy officer for credit-reporting agency Equifax,
says consumers who block their reports lose the ability to buy a car
during their lunch hour or apply for instant credit. That's a trade-off
many consumers are unwilling to make, he says.
"Consumers do want more control, but the genie is out of the
bottle," he says. "They don't want to give up the ability to
pre-qualify for a mortgage in 15 minutes over the telephone."
Record keeping
Privacy advocates say the ChoicePoint case illustrates gaps in
federal law that allow some data brokers to avoid the Fair Credit
Reporting Act, which regulates the use of consumers' financial
information.
The three main credit-reporting agencies - Equifax, TransUnion and
Experian - are covered by the law, says Marc Rotenberg, executive
director for the Electronic Privacy Information Center, a
public-interest research center. But, "a lot of ChoicePoint's
products have escaped any kind of federal regulation," he says.
EPIC was raising concerns about data brokers even before the ChoicePoint
break-in, Rotenberg says. In December, it asked the Federal Trade
Commission to investigate whether ChoicePoint was developing products to
avoid federal consumer protections.
"These large information brokers are having an enormous influence
on who gets hired, who gets insurance, who gets a federal
contract," Rotenberg says. "We don't want to say information
shouldn't be available, but there should be more accountability and more
transparency."
ChoicePoint officials counter that the company is subject to a host of
federal and state regulations. And while the Fair Credit Reporting Act
doesn't apply to all of ChoicePoint's products, "We treat all of
our products as though they're covered," spokesman Chuck Jones
says.
The Fair Credit Reporting Act is "the Bible for the
credit-reporting industry," Ford says. It specifically defines the
purposes for which a business can buy a credit report, such as an
application for a loan, insurance or a government benefit, he says.
Equifax has a "rigorous process" to ensure customers are
legitimate businesses, and it periodically conducts random inspections
of customers to make sure they're following the law, Ford says.
Those measures can't protect credit-reporting agencies from third-party
insiders with criminal intent. In January, a help-desk worker for a Long
Island, N.Y., software company was sentenced to 14 years in prison for
selling passwords and codes used to download consumer credit reports.
His employer, Teledata Communications, provided banks with computerized
access to credit-information databases.
The government has estimated that the scheme involved thousands of
victims and caused $50 million to $100 million in losses. U.S. District
Judge George Daniels said the case "emphasized how easy it is to
wreak havoc on people's financial and personal lives," according to
the Associated Press.
It might take only a minute for a thief to steal data but months for
victims to clean up the mess. "By the time an ID theft issue is
resolved, Joe Public could lose his small business, house and his kids'
college funds," Leahy says.
That's what most troubles Sullivan. He doesn't know if or when his
stolen ID might be used.
"I'm afraid of getting a late-night call from a collection
agency," says Sullivan, who is considering suing ChoicePoint.
"And why? Because these guys sold my information to someone they
didn't bother to do a background check on. I tell you, our data is ripe
for the picking."
Sandra Block reported from McLean, Va.