Friday, March 28, 2008

The value of one Social Security Number in ID theft

People need to understand how valuable that simple 9-digit Social Security number really is to an identity thief.

A Chicago-area man racked up just under $300,000 in debt with one woman's Social Security number. His purchases included a Range Rover and a home.

Apparently this has been going on since June 2005.

An unfortunate event like this points out how far one person can go with one very crucial piece of information. While most studies point out that losses are generally much smaller, those numbers are averages and will be meaningless to this victim.

She is left picking up the pieces of this man's crime spree. Will she be out the $300,000? Definitely not, but she will be required to file numerous complaints and documents to prove she was not involved or had nothing to do with this crime. She has to exonerate herself first before any financial institution will release her from these debts.

She will spend many hours with various agencies clearing the debris from this. In the end it will cost her time, energy, anxiety, and frustration. She will likely need to take time off from work to handle certain situations.

Will she be out any money? To a large extent no, but what about time from work, especially if she is self-employed, gas money to travel to a police station to file an affidavit, a trip to an attorney's office, possibly a bank visit, the cost of parking, and so on? It can add up. Every step of the way will be filled with anger and frustration that she has to go through all this for something that she had nothing to do with.

What she should realize somewhere along this journey is that people can do things to either avoid this or prevent it from getting out of control.

This thief obtained her number from somewhere. The fact that he used this one for so long indicates it was likely the only one he had, and that he found it somewhere: in the mail, in the trash, on an old document, or maybe in a wallet he found or stole.

Where she went wrong was allowing this to go on for 30 months. If she had been actively checking her credit reports, or had a credit freeze placed on her accounts, or fraud alerts put in place, much of this would have been avoided. She should also reflect back on where she may have provided her SSN or lost any personal information.

A little bit of prevention or mitigation would have gone a long way. It is up to you to defend your identity. This unfortunate circumstance with one person and one SSN is why.

Thursday, March 20, 2008

HealthNow New York Shows How to Mishandle a Data Loss

HealthNow, a healthcare claims provider in upstate New York, has earned a spot on our office identity theft "Wall of Shame" this month for totally blowing how to handle a data loss, then offering a service that will do next to nothing and whose high cost will ultimately be passed on to their employers or members directly.

Last week the Buffalo, New York claims provider sent letters to 40,000 members alerting them to a possible loss of personal information. An employee downloaded patient information and then apparently lost the laptop. Apparently this happened many months ago and they first “spent an exorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building.

This company is responsible for keeping track of the medical and health records of thousands, and they want people to believe that they are just sitting on a laptop they cannot find. Maybe when they clean their room it will turn up. What are they, a 10-year-old? It does not give me much confidence and points to a pure lack of control on their part.

Then they make a second attempt at pacification by stating they are not even sure what information it contained. Teenagers deploy keyloggers, governors get their text messages exposed, malware can track every click of a mouse, and parents can track and view everything a child does on a computer for $39, but a healthcare organization of this magnitude has not a clue what their employee downloads from their database.

The employee is now a former employee but apparently they are still in contact with him. Another vote of confidence.

And the final nail in the coffin is this statement: “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable.” Reasonable? For whom? Around 4 months have passed, and any chance of giving the people a heads up to potential fraud has all but vanished.

If you read between the lines... the laptop has sensitive information on it, they know it, that is why they looked for it for months. Better to not have to be exposed. The former employee who left for another job, fired within a week of the loss or theft. That laptop with sensitive information is long gone, they know it. Now, backed into a corner and options have run out, time to air the dirty laundry.

And to throw out a useless bone, free credit monitoring for a year. When you get alerted by the agency that someone tried to open an account in your name, you'll sleep better knowing a stranger definitely has your personal information and is trying to use it. Credit monitoring will alert you right away that a thief has opened up and used $10,000 of credit in your name. That way you can start the mop up and recovery process.

But wait, the thief may not be done with your information. They will use it for draining existing bank accounts, or for a criminal arrest, and then the patient or victim gets warrants issued against them for not appearing in court. It will be useful when medical services are provided to the thief, or prescriptions are obtained and then sold illegally on the street. It is handy for a disability claim, or to sell to an illegal immigrant to get a job. So much for the monitoring bone; it won't help with any of this.

There are pro-active ways to defend yourself against many of these pitfalls, but knowing about them in a timely manner is key.