Underground market for stolen IDs thrives

Jon Swartz and Sandra Block
USA Today
Mar. 3, 2005 10:39 AM

SAN FRANCISCO - When Andrew Sullivan discovered his name, address and Social Security number might be in the hands of identity thieves, he got mad. Then he got scared.

"It's sobering when you think of all the people who might have access (to my data) over the Internet," says Sullivan, 34, an Internet services manager from San Francisco.

Sullivan is one of 145,000 people whose digital data records were exposed to criminals in the largest known security breach of a data broker. But Sullivan's problems with Choice Point, a spinoff from credit-reporting agency Equifax, may be just a glimpse of the headaches he and millions of others face. ChoicePoint stores an estimated 19 billion public records and functions as a sort of intelligence service for business and government clients.

The incident underscores the trove of personal digital data floating in cyberspace and the thriving underground market for stolen IDs, law-enforcement officials and security experts say. It also highlights the conundrum of data brokers, who collect and sell personal information about virtually every U.S. resident but are not federally regulated.

"Crooks are getting better at hacking, scamming and breaking down doors," says privacy expert Linda Goldman-Foley. "And one of their biggest targets are data brokers."

That has complicated the jobs of privacy advocates and security experts, who already face a rise in profit-motivated hackers and sophisticated computer viruses designed to filch personal information. Now, they must increasingly cope with paper records stolen from offices and dumpsters that are quickly spread over the Internet.

9.3 million victims
According to the Better Business Bureau, 9.3 million Americans were victims of ID theft last year. That figure could rise as more data are available online, security experts say. About 80 percent of 2,000 consumers surveyed say they are concerned about ID theft online, says security firm Entrust.

It is difficult to find statistics on the theft and trading of digital data, but anecdotal evidence and recent events indicate a surge in activity, law-enforcement officials say. For example:

Bank of America last week said it lost computer data tapes for 1.2 million federal employees, including U.S. senators. The missing tapes contain customer and account information, including some Social Security numbers, from a federal government program using Visa cards for government travel and procurement. The tapes were lost in late December, during shipment to a backup data center. Federal law-enforcement officials were notified immediately.

Bank of America has "found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost," spokeswoman Alexandra Trower says.

Privacy advocates, however, warn that the lost data could expose people to identity theft.

Social Security numbers and addresses for nearly 5,000 people were potentially exposed by a flaw in an online service of payroll-processing firm PayMaxx. The company has temporarily closed the service.

Personal data from celebrity Paris Hilton's cell phone/organizer/camera circulated over the Internet last month. It isn't clear how it wound up there, but the incident may be linked to an earlier hack that compromised data for hundreds of T-Mobile USA customers.

Wells Fargo officials concede much of its customer data entrusted to business partners may be vulnerable, according to an internal Dec. 30 memo obtained by the San Francisco Chronicle. The bank has been hit by the theft of computers containing sensitive data.

Wells Fargo spokeswoman Janice Smith had no comment on the memo but said there is no tangible proof of ID theft at the bank.

"It's no secret crooks covet and successfully target digital data," says Robert Dix, an executive at Citadel Security Software. "What I fear is an Exxon Valdez of privacy."

Lucrative currency
Personal information has become the currency of choice for criminals because the credit system allows anyone with an ID to set up lines of credit until fraud is detected.

"The bad guys would rather steal your future than what's in your wallet," says Tom Kellerman, senior data-risk management specialist for the World Bank.

Compromised data are routinely bought and sold by individuals and organized crime through Internet chat rooms, electronic-payment systems and online casinos. The data can pop up anywhere - from Russia, where credit card numbers are ripe for the picking on Web sites, to the Middle East, where terrorist groups finance operations through ID theft, and South Central Los Angeles, where street gangs do the same.

In some cases, gangs burglarize homes to steal personal data and leave jewelry untouched, says Jeff McGrath, a deputy district attorney for the Los Angeles County District Attorney's office, which is investigating ChoicePoint. "It's better than gold," McGrath says.

The scale of ID theft rings can be staggering. In October, 28 people in seven countries were arrested, charged with buying and selling nearly 2 million stolen credit card numbers on Web sites. As many as 4,000 crooks used the sites, which had apparent ties to organized-crime groups in Eastern Europe, Argentina and Sweden, says the United Kingdom's National Hi-Tech Crime Unit.

The break-in at ChoicePoint has rekindled calls for regulation of data brokers with access to vast personal information. And it has raised the ire of U.S. senators, several of whom were burned by the Bank of America episode.

"I'm absolutely furious they would be so negligent with the private records of so many people," says Sen. Patrick Leahy, D-Vt., whose personal information was lost. Leahy is calling for tighter regulation of data brokers. The Senate could hold hearings this month.

Terrorist risks?
Sen. Bill Nelson, D-Fla., and Rep. Bennie Thompson, D-Miss., plan to request today that Homeland Security and the Government Accountability Office investigate terrorist risks posed by ChoicePoint and other data brokers.

The Los Angeles Times reported that ChoicePoint was the victim of a data leak five years ago, when confidential data for at least 7,000 people were exposed, resulting in more than $1 million in losses. In a statement, ChoicePoint said it notified law-enforcement officials about the incident.

As lawmakers focus on whether more protections are needed, they're expected to consider mandatory notification of consumers whose data may be compromised, and letting consumers "freeze" access to their credit reports.

Currently, California is the only state that requires data brokers to notify consumers if their personal information is compromised. Sen. Dianne Feinstein, D-Calif., has introduced a national version of that law.

California also lets consumers block access to their credit reports and scores. Texas, Louisiana and Vermont have similar laws that will take effect later this year. Allowing individuals to freeze access to credit reports would prevent identity thieves from opening fraudulent accounts, consumer advocates say.

John Ford, chief privacy officer for credit-reporting agency Equifax, says consumers who block their reports lose the ability to buy a car during their lunch hour or apply for instant credit. That's a trade-off many consumers are unwilling to make, he says.

"Consumers do want more control, but the genie is out of the bottle," he says. "They don't want to give up the ability to pre-qualify for a mortgage in 15 minutes over the telephone."

Record keeping

Privacy advocates say the Choice Point case illustrates gaps in federal law that allow some data brokers to avoid the Fair Credit Reporting Act, which regulates the use of consumers' financial information.

The three main credit-reporting agencies - Equifax, TransUnion and Experian - are covered by the law, says Marc Rotenberg, executive director for the Electronic Privacy Information Center, a public-interest research center. But, "a lot of ChoicePoint's products have escaped any kind of federal regulation," he says.

EPIC was raising concerns about data brokers even before the Choice Point break-in, Rotenberg says. In December, it asked the Federal Trade Commission to investigate whether ChoicePoint was developing products to avoid federal consumer protections.

"These large information brokers are having an enormous influence on who gets hired, who gets insurance, who gets a federal contract," Rotenberg says. "We don't want to say information shouldn't be available, but there should be more accountability and more transparency."

ChoicePoint officials counter that the company is subject to a host of federal and state regulations. And while the Fair Credit Reporting Act doesn't apply to all of ChoicePoint's products, "We treat all of our products as though they're covered," spokesman Chuck Jones says.

The Fair Credit Reporting Act is "the Bible for the credit-reporting industry," Ford says. It specifically defines the purposes for which a business can buy a credit report, such as an application for a loan, insurance or a government benefit, he says.

Equifax has a "rigorous process" to ensure customers are legitimate businesses, and it periodically conducts random inspections of customers to make sure they're following the law, Ford says.

Those measures can't protect credit-reporting agencies from third-party insiders with criminal intent. In January, a help-desk worker for a Long Island, N.Y., software company was sentenced to 14 years in prison for selling passwords and codes used to download consumer credit reports. His employer, Teledata Communications, provided banks with computerized access to credit-information databases.

The government has estimated that the scheme involved thousands of victims and caused $50 million to $100 million in losses. U.S. District Judge George Daniels said the case "emphasized how easy it is to wreak havoc on people's financial and personal lives," according to the Associated Press.

It might take only a minute for a thief to steal data but months for victims to clean up the mess. "By the time an ID theft issue is resolved, Joe Public could lose his small business, house and his kids' college funds," Leahy says.

That's what most troubles Sullivan. He doesn't know if or when his stolen ID might be used.

"I'm afraid of getting a late-night call from a collection agency," says Sullivan, who is considering suing ChoicePoint. "And why? Because these guys sold my information to someone they didn't bother to do a background check on. I tell you, our data is ripe for the picking."

Sandra Block reported from McLean, Va.