Tuesday, August 12, 2008

Chapter One, where does all that stolen info come from?

As we begin to close in on a discussion of lowering the value of data to identity thieves and illegal data brokers it is important to look at the sources of data loss and theft. Remember also that the term Identity Theft means that someone has stolen your identity, not simply your credit card numbers. A person who has sublimated their own identity and assumed your information to pose as you is an identity thief. Now, let’s look at some of the major sources of data theft and breaches as I have attempted to define them.


First and the most familiar to most consumers is personal theft. The theft of wallets, and purses can result in a thief getting your credit cards, your Social Security card, Drivers License, checkbook, and so forth. Perhaps you have an unpaid bill or other document that has banking information, SSN, or other useful information in your car that can be stolen in an instant. Another easy place for this kind of theft is outgoing mail left unattended, or at the receptionists desk at work.
This kind of theft often results in quick attacks on your bank accounts, and new accounts being opened. The long-term effect is having the stuff sold on the open data market, which results in many forms of ID theft, often over the course of several years.

The next most familiar but least understood forms of identity theft take place over the internet. What generally comes to mind is scams like "phishing" and "pretexting" which take the form of legitimate websites but in reality are simply gathering your personal information for illegal use. Internet ID theft however is a much larger subject and involves your very right to privacy.

Workplace theft. That’s’ right, another big source of data is company records of employee and customer data. There was a statistic out last year that said that over 65% of all lost personal data from businesses was the result of an employee spiriting the data out for profit or even for retribution. Nearly every day errors in judgment occur that compromise your personal information at work. Mistakes such as E-mails, internet postings, and un-shredded trash containing employee and customer sensitive info happen daily due to lack of training. Another source of workplace theft is the loss of laptop computers or flash drives containing important information.


Your college or university and local school districts. This has become a major issue within the past several years. About once a week in the U.S. there are notices of schools being hacked of tens of thousands of student, former student, and faculty records containing personal and financial information, or losing the information altogether.


Hospitals and clinics. Medical records and especially health insurance information are a goldmine for thieves. One source is underpaid medical clerks that establish a source of revenue from stealing records for profit. Medical and insurance records can be used to create a new identity, file false insurance claims, and receive medical services, for example.

Public records (city, county, and state). We have seen in the first six months of 2008 alone the loss of nearly 100,000 data records by way of theft and the wrongful posting of personal information by local governments across the country.


Retail databases. TJX, need I say more about that. The single biggest known theft of personal information in U.S. history. Just recently an international ring of thieves were charged in that case for stealing over 41 million identities. And that is only one of hundreds of similar cases since these records have been tracked starting in 2005.


Public databases like ChoicePoint, Lexis Nexis, the credit bureaus, etc. Called Specialty Databases these comprise the largest databases in the world and to date in total have been compromised to the tune of 50 to 60 million records in the past 3 years. In 2005 ChoicePoint accidentally sold personal data to thieves posing as a legitimate business.


Tax and financial planners. I heard a story recently of a financial planner who had the server containing all of his clients’ records literally stolen from the rack in his office. I believe he had just installed anti-hacking software prior to the server theft. A lot of good that does when the thieves have the hardware.

War driving is a provocative scheme where ID thieves drive by businesses, hospitals, and other sources of data and simply log onto unsecured networks from the comfort of their car. I am amazed at the number of unsecured networks in industrial parks and office buildings everywhere. Thieves can pull into a parking lot, and in just a few minutes find an unsecured network, and download personal and company data.


This list is far from complete and could go on. Look at the Data Based You graphic at the bottom of this column for more sources. The point I’m trying to make here is that everywhere records are kept, from our desk at home to our workplace to everything we have ever done that leaves a record is a potential source for stolen data. It is important for each of us to fully understand this fundamental and inescapable fact, and that this is the real price of data convenience. Nothing about the above is theoretical. I am talking about losses that have already occurred. Where is the trend going? One thing is certain, it is on the increase. Just how much is the subject of speculation. On the low side some say as little as 10% per year nationally. On the high side estimates are as much as a 20 fold increase within the next 24 months! No matter how you look at it there is no end in sight to data theft. As long as there is a market, there will be data theft.