The Identity Theft Report

An incomplete compilation of news reports related to identity theft.
If you don't think it can happen to you, the more likely it will.

Brought to you by companies you trusted to collect your personal data. They abused that trust. They abused their power to sell it. They didn't secure it. Now, it is your problem. They sold you out.

Think about it. What could someone do if they used your identity for even a short while? And who would pay the consequences? Happens all the time. Happened to me. I was lucky. Some guy with a foreign name for supercalifragilisticespialadocious used my SSN to rent places in Utah. Boy, was I surprised that my credit record showed that I was evicted from sevaral places in Utah for not paying the rent. I know I've driven through Utah a few times. Maybe stopped to get gas. Didn't go to Woodstock so I think I'd remember if I'd ever lived in Utah.
At least he didn't get to my bank accounts.
Now that some states are passing consumer protection laws (because Congress only passes laws that protect the companies that lose your data) mandating that credit bureaus offer free annual credit reports (it's about time) to consumers, isn't it time you check into the lifetime of info they
(Equifax, Experian and TransUnion) have collected about you?
Write your Congessmen or elect new ones. Why? Because Congress has been drafting law to override state laws and the Congressional version basically states "that anyone who leaks personal data should NOT be required to notify those whose data was breached, or be required to notify anyone else about the breach." Got the best Congress money can buy.

Other Links: Data Breach Blog
May 2008

Dave and Buster's restaurant chain.

Someone got into their computers and stole at least 5,000 credit card numbers. After someone stole around $600,000 using those card numbers the law finally noticed. There's no word as to how many identities were stolen. It was probably in the 100 of thousands. The three guys arrested were from Turkey, the Ukraine and Miami. The Ukrainian guy was arrested in London (identity theft isn't a crime in the Ukraine). Turkey (like the UK) does however consider this a crime and cooperated with the US authorities. These guys were selling the info to identity thieves for some time. They were only nailed once they decided they could use the info themselves to buy 100's of thousands of dollars of stuff using the identities they had stolen. So we'll never know what the extent of this breach was and how many it affected.

May 2008

Former U.S. military contractor pleads guilty to exceeding authorized access to a computer and aggravated ID theft after being accused of selling names and Social Security numbers of 17,000 military employees.

Randall Craig, 41, of Houston, pleaded guilty to both counts of an indictment returned in April by a grand jury in U.S. District Court for the Southern District of Texas. Craig acknowledged selling information contained in a military database to a person he believed to represent a foreign government, according to the U.S. Attorney's Office for the Southern District of Texas and the FBI. Turns out it was an FBI frontman.

Story goes on but what is note-worthy is that the contractor is never named. My guess is that the gov is protecting Halliburton. I could be wrong though. Article link

March 2008

Hannaford Bros (owned by Belgium-based Delhaize Group SA), a major retailer with 271 stores on the east coast finally admitted that hackers had gained access to their systems and had stolen 4.2 million credit card numbers. So far 1800 cases of fraud have been detected from the use of the stolen data which was first reported by MasterCard and Visa. Credit unions in Maine expect to reissue at least 100,000 new cards as a result. Hannaford is still claiming that their security measures meet or beat industry standards. Maybe tomorrow they will.

February 2008

Tenet Healthcare, Dallas. A former bill processing employee pleads guilty to fraud after using customer information for profit. Tenet is notifying 37,000 members that their identities may have been compromised.

U.K. Probes Thefts of Military Laptops LONDON -- The U.K. Ministry of Defence last week launched an inquiry into the loss of two laptop computers containing unencrypted personal details. The ministry discovered the loss of the two laptops during an investigation into the theft earlier this year of a laptop from an officer in the Royal Navy. That laptop contained information on 600,000 people.
January 2008

Horizon Blue Cross Blue Shield of New Jersey loses laptop containing unencrypted personal information on 300,000 members.

Georgetown University in Washington loses computer disk containing names and SSNs of 38,000 faculty and students from the 1998-2006 time period.

Financial Management company T. Rowe Price loses laptop containg financial info on 35,000 investors.

Fallon Community Health Plan, a Worcester, Mass.-based medical provider and insurer loses laptop containing personal info of 29,800 members.

Fort Worth, Texas-based OmniAmerican Bank is reissuing 40,000 credit cards after hackers broke in and stole data from their databases. OmniAmerican states that the intrusion was done by international cyber-criminals.

Penn State reports that a laptop was stolen which contained personal information of 677 students.

Georgia based Choice-Point pays $10 million fine in class action suit for a 2005 data breach which exposed the data of 160,000 people. Two years earlier they paid a $10 million fine to the FTC for violations of the Fair Credit Reporting Act. This is the same company that provided Katherine Harris (remember Florida 2000?) the personal information of thousands of people in Democratic counties who were then purged from the voter registration lists. Choice-Point, not only your source for election fraud but your source for fraud in general. The penalties they paid were nothing more than a slap on the wrist compared to the money they made selling the personal information of others. The Republican Congress talked about it but never did anything to stop them so they continued "to sell" for a profit, information that criminals wanted.
Missed a month
Dec. 2007 - There were so many data breaches and so much identity theft I couldn't even keep up.
Nov., 2007 - First reported that the data on 46 million credit card transactions had been stolen.
Well, the missed a few. Now it's over 90 million. The magnetic strip on the back of those credit cards contains a lot more than people know about. TJMax collects it all, and then it was stolen due to shoddy security that allowed hackers to access their databases for over a year.
Navy data on website, again
July, 2006 - Naval officials reported that the SSNs and other personal information of 100,000 Naval and Marine personnel were posted on a public Naval website.
Also, 1,100 discs with the same information had been distributed to various places. They are trying to track down the disks.
Navy data on website
June, 2006 - The Navy reported it found names, birthdates and SSNs on 28,000 personnel and their families on a civilian website.
No known illegal uses of the information at this time but we recommend you freeze your credit for the next 90 days with the credit bureaus.
VA loses data on 26.5 million Americans
May, 2006 - To really screw up big takes the government. For some reason a VA employee took home a laptop and disks containing the names, SSNs, addresses, medical and other financial data on 26.5 million Americans. Then the laptop and the disks were reportedly stolen.
Fidelity an HP
March 2006 - Fidelity Investments reported a laptop containing the names, SSNs, accounts and compensation info, of 196,000 current and former HP employees, had been stolen. The data was not encrypted.

Why is this special? Think about it. Fidelity is managing peoples' nest-eggs, bank accounts and payroll info. All a hacker has to do is forge a few transactions to get a large chunk of money transferred to a foreign bank account. Let's say the average HP employee has anywhere from $25k to maybe $200k in there retirement account. If a con artist gets enough info and can pull off a small percentage if transfers to his account into a foreign country, he probably has enough US dollars to retire.
And don't count on your financial institution to help. If the money went to a UAE or other unfriendly country's bank, it's gone. There's no cooperation from many countries.
And by the time people start noticing that their retirement accounts have been drained, the con-artist has shut down his websites and email accounts that were opened under a false name. Good luck finding them in Bahrain.
BOA, WaMu and First Bank
Febuary, 2006 - Somehow, someone got into their credit card network and captured the card and PIN numbers for over 100,000 shoppers. More info as it develops.
January, 2006 - Personnel data on 19,000 people who were employed at Honeywell in 2003 was discovered posted on a website. No one seems to know how long it has been there or how the data was acquired.
H & R Block
December, 2005 - The company sent out demos in the mail of their TaxCut software. The bad part? Social Security numbers were printed on some of the labels. H & R Block won't say how many of these went out but claims they have sent letters to it's customers telling them to start monitoring their own credit reports.
Marriott International
December, 2005 - Disclosed that they lost backup tapes containing Social Security numbers and credit card information on more than 206,000 time-share owners.
October, 2005 - The company acknowledged that someone broke into one of their California branches and stole a laptop computer containg the complete credit history records of 3,600 U.S. citizens. time-share owners.
Military Identity Theft
AUGUST 19, 2005 - The U.S. Air Force is notifying more than 33,000 officers that their personal data has been breached by a malicious hacker, the Air Force said today.
The hacker used a legitimate user's ID and password to access personal information on the officers contained in the Assignment Management System (AMS), an online program used for assignment preferences and career management, the Air Force said. That data included career information, birth dates and Social Security numbers.
The breach was discovered in May or June and is being investigated.
Outsourcing to India
British newspaper, The Sun, reports that they bought information on more than a thousand U.K. bank accounts from a contact within a New Delhi call center.
In April, 2005, 12 people including 3 call center employees of Mumbai-based Mphasis BFL Group, were arrested in India for allegedly defrauding four Citibank account holders in New York of more than $300,000.
According to executives at several Indian firms, U.S. clients have NOT requested additional controls or security measures.
August 2005 Update: As a follow-up, a news agancy called up several Indian outsourcing agencies to see if they had taken additional security measures. Their response: As long as foreign companies aren't complaining, they see no need to take further steps to secure the data they handle.
This is disgusting. As long as companies, like banks, are saving a few dollars, they don't really care if their customers become victims of identity theft. Besides, if they did complain it might draw attention to their bad decisions.
Mastercard and Visa
On June 17th they announced that CardSystems Solutions, which handles over $15 billion in credit card transactions for them and others discovered a security breach where the data on an estimated 40 million credit card customers' may have been exposed. The perpetrator(s) simply installed a trojan program that performed keylogging and provided a back door. Did CardSystems run anti-virus? Did they run anti-spyware? Did they run a firewall? NO!!!
They didn't want to waste the money to protect their systems from intrusions.
CardSytems' security was breached for at least six months without their knowledge. What a bunch of idiots. That's who MasterCard is entrusting your identity data to.
They employ 10's of thousands of people. They outsourced their HR services to Affiliated Computer Services Inc. In June they anounced that two ACS laptops containing the names, SSNs and other personell data of Motorola employees were stolen (or disappeared).

What else are they saying? Nothing! They refuse to disclose the amount of employee data stolen nor do they admit publicly, any responisibility of notifying those who may be affected.
BJ's Wholesale Club
After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed to implement a comprehensive data-security system and undergo biannual security audits for the next 20 years under a settlement with the Federal Trade Commission.
After more than 18 months and an undisclosed number of fraudulent loans, the FDIC notified 6,000 of it's present and former employees that their names, SSNs and other data were breached last year. The FDIC will not say how it happened.
In May of 2005, they admitted that they shipped out tapes containing data on 4 million customers. They sent the tapes UPS? I've never seen a company use UPS to ship sensitive data. This boggles me. I guess they were trying to save a buck. The tapes containing the unencrypted data dissappeared. Who has them now?
DSW Shoe Stores
Credit card and checking account information on 1.5 million customers was stolen from Nov. 2004 thru Feb. 2005. It wasn't discovered until a credit card company put two and two together and discovered a pattern. DSW customers would buy shoes and then their credit cards and checking account info was suddenly used in a surge of other fraudulent buying activity.
Bank of America and Wachovia Corp
notified over 670,000 customers in May that their account information was stolen by a man posing as a collection agency. Bank officials say the number of accounts affected may top one million.
ChoicePoint Inc.
said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people.
LexisNexis Inc.
in March, disclosed that hackers had commandeered a database and gained access to the personal files of as many as 32,000 people.
Stanford University
On May 11, 2005, someone hacked into the university computer system and gained access to Social Security numbers, financial info, government data and resumes on 10,000 students.
Virgina George Mason University
In January, 2005, someone hacked into the university computer system and gained access to Social Security numbers, financial info and other data on more than 30,000 student and faculty members.

George Mason University is also the home of the Information Security Institute, the Lab for Information Security Technology and the Center for Secure Information Systems.
UCLA Los Angeles
A laptop stolen from the university in 2004 contained the SSN's and other info on 145,000 students and faculty members.
Georgia Tech
University of Texas student, Christopher Andrew Phillips hacked into their systems and stole the SSNs and other information on 55,000 students. 55,000 seems to be a magic number for Phillips. That is the estimate of the number of identites he stole from the University of Texas in Austin in a prior 2003 hacking spree.
Unknown - No reporting Laws - From ZDnet News
In February 2003, a data processing center in Nebraska revealed that 8 million credit card numbers had been stolen from its servers and the University of Kansas acknowledged that online attackers had snagged the records of 1,400 international students.
California - Another 55,000 - February 2004
The California Employment Development Department has begun warning some current and former household workers that their information may have been accessed by an intruder, CNET has learned. The agency sent a letter, dated Feb. 11, notifying people of the breach and offering information about how to reduce the risk of identity theft. Approximately 55,000 employees were affected, EDD spokesman Kevin Callori said in an interview. The agency said the database in question contained names, Social Security numbers and wages.
Contacting The Big Three
Equifax at
Experian at
TransUnion at
Consumers are permitted to get one free credit report a year (depending upon the laws in your state) from each of the three major reporting agencies. To get yours, call (877) 322-8228 or visit

Did I miss some? Send them my way.

My Contents Page