If you're new here, you may want to subscribe to my RSS feed or get new posts via email. Thanks for visiting!
One nice thing about identity theft (though not so nice for the victims), is that there is always something to write about. There were a lot of cases reported, as well as one of the worst data breaches I have ever heard of. There was also the first Identity Thoughts video (and it won’t be the last). Here are some of the best posts from May (in my opinion):
Since this is such a new identity theft blog, I’d love any and all feedback. What sort of information would you like? Do you prefer the “how-to” articles or more current events. Are you interested in videos? A podcast? Please leave a comment or email me atbd@identitythoughts.com.
I don’t really remember what I was up to at 15 years old, but I am pretty sure it was not breaking into my school’s computer files and accessing personal information.
However, that is exactly what an enterprising young lad from Downington, PA did on May 9.
Officials discovered (how is not released yet), that the kid had gained access to teachers’ Social Security, addresses, and their actual W2 forms (yikes).
All in all, there were 71 teachers that were impacted, but there was also apparently Social Security Numbers and other information for “thousands of school district taxpayers”.
What kind of system could this kid have gotten into that has that kind of information?
So far there has been no reports of any identity theft activity, but the student did share the info with some other classmates. Even though the flash drive that the information was on has been recovered, who knows where this stuff has ended up.
How could a school be so lax as to allow a 15 year old to get this kind of information? A comment on the Breach Blog post about this case is interesting:
I can personally attest that the schools technology administration is incompetent, i met with the asst. director of techology and he knew absolutely nothing pertaining to information technology, the kid in question accesed files that were UNPROTECTED and the administration now must lie to save themselves. its really sad they are telling the teachers and people that he “hacked” he just accesed the unprotected information. the administration should be prosecuted. people need to know the real story.
Obviously who knows if this guy is legit, but interesting nonetheless.
As a former cub scout, I always think you should be prepared. Obviously Crystal Star Wright of Tempe Arizona believes in that too, because she was prepared for any event.
On March 18, Wright was arrested at a Wal-Mart in Tempe for picking up $1,250 worth of stuff that she had ordered using a stolen identity - one she had stolen via tax documents from someone’s mailbox.
The depressingly quick-thinking Wright did what any seasoned identity thief would do - she pulled out ANOTHER stolen identity and gave that to police. The Nightmare Begins
That is where Peggy Farnsworth’s nightmare went from bad to worse.
Two months before that, her purse was stolen and she had been battling to fix up $12,000 in fake purchases and $8,000 in fines. She faced all the classic identity theft hassles.
But this time, there was some added fun. A friend noticed in the paper that Peggy Farnsworth was listed as having been arrested on suspicion of identity theft.
So now, not only was she out a whole bunch of money and time, she (or Wright posing as her) had an arrest record!
Because the crime was relatively minor (tell that to Peggy Farnsworth!), the police let Wright (aka fake Peggy) go. Trying Times For The Real Peggy Farnsworth
From that time in mid-March until late May, Farnsworth had to live with the fact that her identity thief was out there.
“She will get her just reward. … Everyone that knows her knows they can’t trust her, and if they don’t they’re fools not to. … She thinks that because it’s all paper, there’s no (harm).”
Farnsworth’s words came to a stumbling halt, and she said she couldn’t explain her feelings. But then she found the words:
“It’s a lot of anger, a lot of anger I don’t usually carry.”
Finally Taken Down
Finally, in late May, Wright was picked up on a probation violation, and then they realized who they had (for real this time!). She’s now in jail and has accused of forgery, identity theft, providing false info to authorities, and a bunch of other charges.
Stolen ID or not, it just seems incredible to me that she was able to pass herself off as Farnsworth when the police actually had her. Hopefully the charges will stick and she will be put away for quite some time.
Normally when a politician starts stirring things up about a current issue I get annoyed because more often than not they are just trying to score political points. However, this time Governor Jodi Rell of Connecticut has my full support.
In mid-May, Bank of New York Mellon notified clients that some of their personal information including name, address, Social Security Number, and date of birth had been lost. The problem? This loss had actually occurred back on February 27th. The impact? Only about 4.5 million customers.
Where’s The Tape?
What we know is that on February 27, BNY Mellon gave 10 backup tapes to Archive Systems Inc for storage. We also know that only 9 of those tapes made it to the facility. What happened to the tape isn’t known.
You would think that a bank the size of BNY Mellon would have strict procedures around data encryption, but… not so much. Incredibly, that tape was not encrypted and therefore the personal information of 4.5 million Americans is out there somewhere.
Not Just BNY Mellon
It doesn’t look like it’s just Mellon data on those tapes. The People’s United Bank of Bridgeport, Webster Bank, and Wachovia also had data on there that BNY Mellon had collected.
Why did BNY Mellon have those other bank’s customers’ information? To offer them investment products of course!
The Governor Gets Involved
The Governor of Connecticut has come out swinging with respect to this data breach. Aside from outrage about the breach itself, Rell is particularly concerned with the lag time between when the tapes were lost and when customers (and the other banks) were notified.
“The disastrous effects of identity theft are virtually instantaneous in today’s computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation,” Governor Rell said. “For a major financial institution such as Bank of New York to lose such a massive amount of customer data is utterly unacceptable. To delay reporting the loss to appropriate authorities and potential victims for more than three months is not only irresponsible but shows a callous disregard for customers.
“These key pieces of personal information – names, birthdates and Social Security numbers – are exactly the pieces of information that identity thieves need most,” the Governor said. “Consumers should have been notified immediately so they could take steps to protect themselves.”
Aside from blustering, the Connecticut government appears to be taking action. They have subpoenaed BNY Mellon, People’s United, Webster Bank, and Wachovia. They have come straight out and said that they are investigating what state laws (if any) have been broken, especially with respect to reporting data breaches in a timely manner.
Poor Response By BNY
The Connecticut Attorney General, Richard Blumenthal, correctly points out that the response to customers by BNY is particularly weak. All they are offering is 1 year of credit monitoring. Credit monitoring?? At the very least they should be offering fraud alert from somewhere like LifeLock or LoudSiren or better yet a credit freeze from TrustedID or something similar. A year of credit monitoring is not going to help the situation.
What’s your opinion of all this? Is this the sort of thing state governments should wade into? Do you think BNY’s response is adequate? Sound off in the comments.
Somehow Kansas City seems to be a hotbed of identity theft. First the Kenyan id theft ring, and now a KC man has finally been sentenced to a massive identity theft ring that was busted in 2006.
Carlton Strother has been sentenced in federal court to 19 years 6 months in prison and ordered to pay $580,225 to his victims.
You have to be pretty good to be the leader of a ring that at one point had up to 50 suspects.
Strother wasn’t your run-of-the-mill identity thief doing dumpster diving for preapproved card offers. He used computers and holograms to make fake drivers licenses.
He and his buddies then got credit and went on spending sprees. There were at least 100 victims of this particular ring.
They got some local businesses into the act too. One particular car dealership had a crooked employee that was supplying financial information on customers.
“They would go and buy high quality electronics, big screen televisions, computers, different things like that, and then they would bring them back and then they would either have them sold off, take them in payment for making the false ID or other things. We’ve actually seen them transferred from car to car,” Green said. “We approximate about $5 million worth of losses just in this particular area and this group.”
It’s nice to see someone getting a relatively stiff sentence for this sort of thing. Too often it’s just a slap on the wrist. I am sure the people who got $4,000 phone bills are thrilled. It doesn’t sound like Carlton is taking too much personal responsibility for this though:
Addressing the judge, Strother apologized to his family and suggested that he wasn’t capable of the crimes of which he had been convicted.
Wow, this is quite possibly the worst data breach I have ever heard of.
FayerWayer.com (translated “FireWire”) is a popular technology blog in Chile. Normally topics range from iPods, iPhones, Wiis, software, and gadgets.
This is what one of the site editors expected to see when he checked the site at 2am and read this post.
In one of the comments, a user calling himself “Anonymous Coward” (a Slashdot user I guess?) attached 3 files.
When the editor opened them up, he got quite a surprise. Those 3 files contained the Taxpayer Identification Number (like a SSN), names, addresses, phone numbers, and academic history for 6 million residents of Chile.
The fast-acting FayerWayer editor removed the files right away and contacted the police. Of course, the Internet being what it is, those files have spread like wildfire popping up on blogs and other file sharing sites.
It appears that the information was pulled off of an Education Ministry server via an anonymous proxy.
Why did he do it?
In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country of 16 million people.
I would submit that the smarter thing to do would have been to contact the media and say that he had the files rather than post them for everyone to see, but either way his goal was accomplished. This case and data security in general is front page news all over Chile.
One person caught up in this drama is the President’s daughter. The data apparently shows that she is on the list to get subsidized transit passes, even though technically the president’s income should be too high to qualify.
So far there haven’t been any reports of identity theft coming out of the release of this data, but you know it’s only a matter of time for that.
To that end, I put together this video going through the privacy settings on Facebook. I mean most of the protection is there; people just don’t know about it or how to do it.
Hopefully this video tour will help. Let me know what you think.
If there is some sort of world record for identity theft speed, James Hartman has to be up near the top. In 3 months, he spent $3.2 million on vehicles and real estate. More incredibly, he did this with a photocopy of his brother’s drivers license and Social Security card. A photocopy!
If there is any case that demonstrates why identity theft is such a problem nowadays, this is it.
Spending Spree
How do you rack up $3.2 million? Lets count:
In June of 2006, James Hartman bought five vehicles from Christopher’s Dodge World.
On June 5, he bought a pickup truck for $48,000.
On June 10, he bought another pickup truck for $49,000.
On June 14, Hartman bought two Dodge Durangos for $77,000.
And on June 24, he bought a Dodge Viper for $94,000.
In his May, June and July 2006 spending spree, Hartman signed agreements to buy five vehicles, two ATVs, a toyhauler, two houses and mountain property, all totalling $3.2 million.
Brotherly Love
The most entertaining part of this story is the he-said he-said of the two brothers. In one corner we have the convicted identity thief:
“Did I go overboard in buying a few vehicles. Probably did,” Hartman told 9Wants to Know from the Jefferson County Jail. “But it wasn’t identity theft. My brother approved of all of it. I didn’t have the credit. He did. So we used his driver’s license and Social Security number to make the purchases.”
Now, I love my brother, but if he comes to me and asks for my credit to rack up $3 mil, it’ll be an unpleasant conversation in the Duncan house. Let’s see what the victim has to say:
James’ brother, Ed says he didn’t know about any of the purchases until he got a call from Jessicca McKeown of Xtreme Performance Center in Longmont.
Ed calls his brother a “thief, crook and slime ball.”
Whatever the truth, James ended up pleading guilty and was sentenced to 8 years in jail.
Be Smart
Aside from the family issues, its crazy that he was able to do all of this with only a photocopy of the drivers license and SSN. Doesn’t anybody check these things?
Finally someone did. Hartman tried to buy $20K worth of ATVs from a store and they would not accept the copy. They got suspicious and contacted both the brother and Weld County Sheriff’s Department.
Scott Storey, the District Attorney, sums it up best:
“If part of their credit application process is to verify identity through a driver’s license and they have an out-of-state photocopy of a driver’s license, that’s probably not the wisest thing to do and they’re not doing their due diligence,” said Storey.
A while ago, we posted about a data breach at Hannaford Bros. grocery stores. Now another store has been used by thieves to steal customers’ personal information. The Lunardi’s supermarket in Los Gatos, California was caught up in a debit card skimming ring and thieves have been having a hey-day hitting customers’ bank accounts.
I was having a conversation with a friend the other day where I was saying that I hate using my debit card and use it as little as possible. Situations like this are precisely why.
In the Lunardi’s case, a payment machine was actually swapped out at one of the checkout lines. If you were unlucky enough to choose that lane, your card number and PIN were recorded.
Once the recording was done, thieves could then make a fake card and have complete access to your bank account.
To date, $225,000 has been stolen as a result of this scam. Police have arrested (and subsequently released on bail of course) 2 men involved in the case. Unfortunately, it was the Orange County police that did the arresting. By the time Los Gatos police found out about it, the men were already cut loose.
This sounds like the sort of thing that would be an inside job, but so far there hasn’t been any indications that that is the case.
George Silvestri, an attorney for Lunardi’s, said the chain has replaced the payment devices at all seven of its Bay Area locations with machines that are locked onto the checkout stands. The South San Francisco-based attorney added that Lunardi’s employees with access to these devices have been trained in security procedures recommended by law enforcement and banking authorities.
If you were one of the 222 victims of the Lunardi’s breach, or have been a victim of some other ATM or debit scam, you do have some protection. We did a post a while ago about how to recover from debit card fraud.
Do cases like this make you more hesitant to use your debit card instead of cash or credit?
Aside from being the home of Warren Buffet, Omaha was also the home of a identity theft bust that involved 2 police officers, a pregnant woman, a broken vase, and a man getting shot in the chest.
It All Started At A Church
At a church outside Omaha’s city limits, a woman left her purse in the car (people still do that?). The car was broken into and her cash, ID, and credit cards were stolen.
It looks like at that point the suspect, Jason Galle, and an unidentified pregnant woman took the stolen card and checked into the Marriott in downtown Omaha.
Wise Hotel Employees
When the pair checked in, hotel employees became suspicious so they phoned the name on the credit card. The person who answered, presumably the identity fraud victim, confirmed that the card had been stolen.
At that point, the hotel staff did the right thing and called police.
Like A Movie
What happened next was like a scene from NYPD Blue (minus the shower scenes). Two police officers attended the scene and went to the suspects’ room. In the hallway, they came across Galle and the pregnant woman leaving the room. Galle had a rolled up pair of jeans under his arm.
When the officers confronted Galle, a struggle ensued and the jeans fell and out rolled a .22 pistol.
During the fight which involved handcuffing the pregnant woman, Galle hit one of the officers in the head with a large vase, causing a 4 inch gash in the back of his head. At that point, it was time to stop messing around and out came the deputy’s service revolver.
Galle was shot once in the chest and was taken to hospital in critical condition (he is expected to recover),
Identity Theft Ring Busted
After all this went down, the police found out (maybe from the pregnant woman?) that the 2 were actually headed up to the 8th floor of the same hotel:
Additional deputies arrived at the hotel. Authorities headed to the eighth floor, where they found two men in a room with a copy machine and other instruments used for making false identification, Dunning said.
“I’m really having a good feeling that this will lead to the closing of an identity theft ring,” he said.
Hard to believe that all of this started with a purse left in the car outside a church. By the way, by all accounts the pregnant woman is fine.
June 15, 2008 
Posted in Uncategorized 
1 Comment » 
On March 18, Wright was arrested at a Wal-Mart in Tempe for picking up $1,250 worth of stuff that she had ordered using a stolen identity - one she had stolen via tax documents from someone’s mailbox.
In mid-May, Bank of New York Mellon notified clients that some of their personal information including name, address, Social Security Number, and date of birth had been lost. The problem? This loss had actually occurred back on February 27th. The impact? Only about 4.5 million customers.
Carlton Strother has been sentenced in federal court to 19 years 6 months in prison and ordered to pay $580,225 to his victims.
content rss
Recent Comments