It is a fact of life that packages are sometimes lost or stolen while in transit. In most situations, however, the loss is confined to the value or contents of the package itself.
Unfortunately, when the missing "items" are Social Security numbers, bank records, and other personal data on millions of individuals, the potential for widespread identity theft makes the loss far more significant and yet another example of just how easy it is for anyone to have their most sensitive personal information compromised through no fault of their own.
Yesterday's announcement by Citigroup that United Parcel Service had "misplaced" a box of computer tapes containing personal data on approximately 3.9 million Citigroup customers served to demonstrate once again the highly vulnerable nature of such information once it is "entrusted" to banks, credit card companies, schools, stores, and data collection services. It also emphasized the fact that even the most secure organizational databases are at risk.
Identity theft has reached epidemic proportions, with thieves no longer satisfied with targeting one individual at a time. They now engage in bulk identity theft, stealing personal information on tens or hundreds of thousands of people at the same time. Corrupt employees are also willing to steal and then sell sensitive information. In some cases the thief may even target shipments of computer tapes being sent to storage facilities or other financial institutions or credit reporting services. There is also the possibility that massive amounts of data will turn up in the wrong hands after being lost in transit.
The common theme in all of these situations, however, is the adequacy of security. Whether the information is stolen directly, bought from a dishonest employee, or lost through negligent handling, inadequate security practices are at the heart of the problem. These ongoing security lapses are leading lawmakers to push for tighter rules for U.S. data aggregators. The following is a brief recap of recent high-profile security breaches and other news relating to identity theft or lost or stolen personal information which, when added to the latest loss of 3.9 million records, brings the total of identities at risk to over 5,800,000 since the beginning of 2005 alone.
March 2005: A security breach at LexisNexis (an information broker database containing addresses, driver's licenses, and Social Security numbers) allowed outsiders to access personal data files of as many as 310,000 people.
Just prior to the LexisNexis breach, there was a security breach at ChoicePoint Inc., a company which sells access to personal databases. A con artist was able to call the company and gain access to the personal data of thousands of people. Information on nearly 145,000 people nationwide was no longer protected and authorities said that 750 people were defrauded.
April 2005: British financial giant HSBC PLC notified at least 180,000 people of a scam involving General Motors-branded MasterCards. Apparently, when these cards were used to make purchases at Polo Ralph Lauren, criminals obtained access to their credit-card information.
February 2005: Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.
April 2005: Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. Foul play has not been ruled out.
March 2005: An eBay scam set up by "phishers" used a coin collector's eBay account to sell about $780,000 worth of coins, many of which never existed. Fees for the fraudulent action had been financed with $300 from the coin collector's personal PayPal account. His eBay identity was stolen and, while the victim was able to change his credit card numbers, he has yet to recover some of the online fees charged by the phishers to his account as well as the $7,500 worth of merchandise that he had purchased but the phishers had shipped to a different address in order to steal it.
April 2005: A former Blockbuster Video store employee was indicted on charges of stealing customers' identities and then using them to buy more than $117,000 in trips, electronics, and even a new Mercedes-Benz. The former employee was able to steal credit card numbers, Social Security numbers and other private information from 65 customers in 2003 using the store's online database. He was then able to open up new retail store and credit card accounts and make outlandish purchases. According to the indictment, the man had one accomplice and is now facing 47 to 51 months in prison if convicted.
April 2005: Administrators at the University of California, Berkeley, disclosed that a computer laptop containing the names and Social Security numbers of nearly 100,000 people had been stolen. Just three days earlier, Northwestern University reported that hackers broke into the computers at the Kellogg School of Management and potentially gained access to information on more than 21,000 students, faculty and alumni.
April 2005: A man in Hackensack, New Jersey, was accused of conducting a massive scheme to steal 500,000 bank accounts and personal information and sell it to bill collectors. His accomplices included branch managers and employees from some of New Jersey’s biggest banks, including Bank of America, Wachovia and Commerce Bank. All are accused of selling bank account numbers and balance information for $10 per customer. In some cases, the bank employees printed out entire customer computer screens and turned them over to the ringleader.
While a spokesperson for United Parcel Service claimed the company is "proud of its record in service and reliability," he declined to discuss what security measures had been taken to protect the sensitive package, which has now been missing for several days. Citigroup released a statement that it would soon start to send data electronically in an encrypted form and that it had "no reason to believe this information has been used inappropriately." It is clear, however, that Citigroup cannot possibly ensure that the 3,900,000 missing Social Security numbers will not be used to fraudulently obtain credit cards, loans, and other indebtedness in the names of Citigroup's customers.