13 posts from July 2007

A Conversation with IBM (Part 1)

A prior blog entry discussed the letter I sent to Barbara Brickmeier, IBM's Vice President of Human Resources, since Mrs. Brickmeier's office sent the data breach notification. On July 16, Windall White, a representative at IBM's North Carolina facility, called me. During a 75-minute phone conversation on July 18, Mr. White and I discussed my letter, question by question. Mr. White described himself as an IBM retiree, now working in IBM's Human Resources department, as part of IBM's focus on the data breach. IBM's answers to each of my questions are listed below:

How exactly did IBM verify that I was the correct person in their records?

I asked this question since IBM's letter was a surprise, because I have never worked for IBM. Mr. White verified that IBM acquired my personal data when IBM purchased Lotus Development Corporation in 1995. So, Lotus kept my personal data for about 4 years; and IBM kept my personal data for another 12 years. (For nostalgia, visit the Lotus Museum.)

I also asked this question because I was curious exactly how IBM located me, since I moved my residence twice since I worked at Lotus 16 years ago. Mr. White explained that IBM hired the Kroll risk consulting company both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees affected by its data breach. Mr. White explained that Kroll searched through public records databases to find former employees like me. He added that since the "lost" data tapes were backup tapes, IBM had to reconstruct the list of affected former employees. I asked whether Kroll used my SS# to do this search. Mr. White never answered that question. I interpreted his silence as a "yes."

While I appreciate IBM's diligence to locate and notify former employees affected by their data breach, I can't ignore the implications. First, IBM pursued an internal policy where it archived my personal data for at least 12 years. The data IBM had about me was 16 years old: old address information. Second, IBM pursued a data breach notification process where IBM updated its files with the current personal data for former employees. So now IBM had my current address information.

Third, both IBM and Kroll have my current personal data. In its efforts to protect itself from risk, IBM shared my personal data with another company without my knowledge or consent. If I hadn't asked IBM, I wouldn't have known any of this. I wonder how many other former IBM employees affected by IBM's data breach know where IBM shares their personal data. I do know that some former IBM employees are hesitant to trust Kroll since they were recommended by IBM, who lost the data tapes which caused the problem. Fourth, if I use Kroll's credit monitoring service, will Kroll act in my best interests? Consider: IBM pays Kroll for one year of free credit monitoring services for former employees who choose this option; and IBM pays Kroll for investigation projects. How objective can Kroll be?

What is the current status of IBM's investigation into the data tape "loss?"

I received IBM's data breach notification in May. It's now July... 2+ months later. I hadn't received any more correspondence from IBM since the data breach notification. Perhaps the tapes were found or the thieves caught; especially since IBM offered a reward for return of the "lost" data tapes. Or maybe IBM was now ready to disclose details about how the data tapes were "lost."

Mr. White was quite clear and unhelpful. According to Mr. White, IBM's position is still not to disclose details about the investigation, since it is an on-going investigation. He consistently referred to the incident as a "data tape loss." When I challenged Mr. White about "lost" versus "stolen," he mentioned two items, a) the vendor did not know the tapes' contents, and b) he didn't want to speculate as there wasn't any evidence that the tapes were stolen or the personal information was used by ID theft thieves.

Hmmmmmm.

IBM's response is very frustrating and unhelpful because it will likely be us former IBM employees and ID-theft victims who bear the ID-theft risk and bear the burden to continually check our credit reports. It will be us, not IBM, who will notice first on our credit reports the attempts by identity thieves to abuse our personal data. I guess then, when we tell IBM, IBM will know that the data tapes were "stolen" and not "lost."

Sounds to me like we are doing a job IBM should be doing.

Mr. White added that IBM did not disclose the details mentioned in the Computerworld article; that the Computerworld article was based on an Associated Press reporter's story, not information supplied by IBM. I found that I had to listen very closely to Mr. White's words. It was like talking with a lawyer. Mr. White didn't dispute the story as inaccurate. Mr. White just emphasized that IBM didn't release any details about the data tape "loss." To me, when I hear a statement like that it's an indirect implication that the Computerworld news article was inaccurate.

Well, clear it up IBM! Release some details about the data breach incident. A good start would be the number of employee records stolen. Almost all other companies with data breaches release information about the number of records stolen. A good start would be the status of the vendor and some detail about the status of the investigation.

I also reminded Mr. White that since IBM has my personal data, I need to feel confident that IBM is doing everything IBM can to protect my data and retrieve the data tapes. Again, Mr. White didn't offer any details about IBM's data breach or IBM's investigation. He did confirm that IBM reported the incident to law enforcement. It felt like I was talking to a brick wall. This was frustrating, since IBM's "loss" of the data tapes created the problem which was now inconveniencing me. Mr. White was very polite about acknowledging my concerns, but at the same time unhelpful with providing any kind of details.

Does IBM still do business with the vendor that "lost" the data tapes?

An answer here was important to me for several reasons. First, you lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. Second, the details have implications. You hire a transportation vendor to deliver items from one location to another. A trustworthy vendor should be able to explain in detail any problems; but there shouldn't be any delivery problems. A trustworthy vendor should do criminal background checks on its employees. There is one set of implications if IBM's vendor didn't follow established IBM data security policies. There is a different set of implications if the vendor followed established IBM data security policies (meaning IBM's data security policies are deficient in some manner).

Third, news items which reported that the data tapes "fell off the back of the truck..." didn't inspire confidence in IBM's ability to protect my personal data. Mr. White explained that the vendor did not know the contents of the "lost" data tapes. Again, Mr. White didn't offer any details (e.g., vendor's name, whether or not IBM still uses this vendor, etc.) except vague, general statements that IBM has dedicated lots of resources to the problem and IBM doesn't want this to happen again.

In my view, vague statements aren't enough. Mr. White did confirm that the data tapes were backup tapes in transit from IBM's headquarters in Armonk, New York to an undisclosed location as part of IBM's data archive and disaster recovery process. Mr. White said IBM would never disclose the location of IBM's remote data backup facility. I didn't expect that, but I did expect some details about the status of the investigation about the vendor.

Based on these vague assurances, I still have no confidence that IBM will sufficiently protect my personal data. During the phone call, I felt that Mr. White was assigned to the data breach incident to "handle" callers like me. Mr. White kept a calm voice, acknowledged my concerns, but rarely offered details. I guess IBM hopes that former employees like me will just go away and be happy with vague assurances.

What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again?

Assuming IBM decides to continue to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again. Once again, I heard vague statements from Mr. White about IBM devoting lots of resources to the data breach incident. No details... no amounts... no numbers of employees assigned.

And unfortunately this gets worse. An upcoming blog entry will cover more about my questions and IBM's answers.



Identity Theft Legislation in Massachusetts

Since I live in Massachusetts, any state legislation about Identity Theft is important. About 35 states have laws requiring companies to inform citizens of a data breach, but Massachusetts does not. About 25 states have laws providing their citizens with a Credit Freeze tool. Massachusetts is not on this list either. No matter where you live, you should check both lists to see how seriously your state government considers Identity theft.

Thankfully, change is underway in Massachusetts. And it is long overdue. An Identity Theft bill in Massachusetts has been passed by the state House and is under consideration by the state Senate. I haven't read the actual legislation yet. When I do, I will comment about the legislation and if it goes far enough with strong enough identity theft protections.

Some background: a Credit Freeze is a critical and powerful tool for consumers to protect against Identity theft. With a Credit Freeze, a company or a creditor cannot access a consumer's credit file unless the consumer provides consent. Today's U.S. financial system allows the national credit bureaus (and other companies) to freely share your credit information with creditors (good or bad)... even after you've placed a Fraud Alert on your credit file. As you might expect, the national credit bureaus oppose state legislation with the Credit Freeze tool.

If Massachusetts offered a Credit Freeze option, I would have used it immediately when IBM notified me of their data breach. As I mentioned in an earlier blog entry, the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' credit information, and tilted away from strong protections and notifications for consumers. In my case, IBM was a prior employer and not a retailer I'd purchased products from.

One reason why I started this blog is to raise consumers' awareness of the identity theft problem, particularly where employers lose personal data about prior employees. And everyone has one or more prior employers. I believe we can fix this tilted system. As you might expect, the national credit bureaus view the Credit Freeze tool as a burden and oppose legislation with it at the state level. Surprisingly, there is a discussion about whether or not consumers should be notified about data breaches.

To me, consumer notification should be required of all companies, especially when that company is a prior employer who has chosen to archive personal data for an extended period. Consumer notification should be required for all data breaches. And, the Credit Freeze tool should be available to all consumers nationwide. These are two critical tools for protection against identity theft.



To Shred or Not to Shred

We all have received in our snail mail pre-screened offers for credit cards, loans, and insurance. The offer typically says, "You have been pre-approved for..." What do you do with yours? Most people throw them in the trash. Some tear them up by hand into little pieces. That's safe, right?

Wrong.

Pre-screened offers are gold for "dumpster diving" identity thieves. All a thief has to do is search through your paper trash (easier if you sorted it in a recycle bin), complete the pre-screened form with your name on it, change the address, mail it in, and they are happily on their way to wrecking your credit and your finances. But don't take my word for it. Read the Torn Up Credit Card Application web site.

A consumer, Rob Cockerham, did just that. He tore up a credit card application by hand, taped it back together, completed the application with a different street address, and mailed it in the bank's prepaid envelope... just like an identity thief would. Most people think that the bank would have rejected the scotch-tape-reassembled credit card application, right?

Wrong. Credit card application accepted.

MSNBC's Red Tape Chronicles blog also reported on Cockerham's site and documented the bank's flimsy excuses about why they accepted the obviously suspect credit card application. More importantly, the Red Tape Chronicle stated:

"So each of those 5 billion pre-approved applications that carpet bomb American consumers every year is an identity theft ticking time bomb. Cockerham drives this point home with a sledgehammer. An application stitched together with Scotch tape?"

Me? I shred everything and have done so for many years; especially all pre-screened offers. I don't trust the credit card companies and banks to adequately screen applications for fraud. I use a Fellowes PS80C-2 shredder. It's a cross-cut shredder and shreds up to 5 sheets at a time, plus expired credit cards, medical cards, loyalty-program cards, and driver's licenses.

If you are unsure what to do to minimize your risk of identity theft, read a prior blog entry about ways to protect yourself. The July 1, 2007 issue of the Wall Street Journal has an excellent article about how experts protect themselves from identity theft. We consumers can use the same prevention tips that the experts use.



Questions for IBM

On July 5, 2007 I sent a letter to Barbara Brickmeier, VP of Human Resources at IBM, seeking clarification and answers about IBM's data breach incident. IBM's notification letter and FAQ page lacked detailed answers in several areas. My questions for IBM:

  • How exactly did IBM verify that I was the correct person in their records? IBM's letter was a surprise since I never worked for IBM. I did work for Lotus Development (until 1991), which IBM bought in 1995. Maybe this was the answer, but I'd changed jobs and residence several times since I'd left Lotus.
  • What is the current status of IBM's investigation into the data tape "loss?" It's been over 2 months since IBM first contacted me in May 2007. A lot could have happened since: the tapes found, the thieves caught, or IBM explained exactly how it "lost" their data tapes.
  • Does IBM still do business with the vendor that "lost" the data tapes? IBM refers to the incident as, "data tapes were lost while being transported by a vendor" and didn't identify their vendor. You lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. News items which reported that the data tapes "fell off the back of the truck...," didn't inspire confidence in IBM's ability to protect the personal data of employees and former employees.
  • Does IBM still maintain archived data tapes with my personal data? After this data breach, I need to know whether or not IBM plans to continue to archive my personal data.
  • What processes is IBM using to protect my personal data? Assuming IBM continues to archive my personal data, I need to feel confident that my personal data is safe at IBM. Given the nature of IBM's data breach, I don't feel confident in IBM protecting my data.
  • What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again? Assuming IBM continues to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again.
  • How long does IBM plan to archive my personal data? Assuming IBM continues to archive my personal data, there seems to be a point of diminishing usefulness. My data is 16+ years old and largely inaccurate. Destroying the data seems ideal, since it would eliminate the risk to IBM of future data breaches, and would reduce the risk to me.
  • Why does IBM archive records with personal data of former employees? It seemed odd for IBM to archive my personal data since I do not have a pension plan or retirement account with IBM. Nor am I on IBM's payroll, so there aren't any tax reasons to archive my personal data. The reasons IBM stated in their FAQ sheet ("...retains records of past employees for a variety of legal, tax, and other reasons, as well as to verify IBM employment when needed.") seemed vague and irrelevant to my situation. Plus, 16+ year-old data can't be very useful (or accurate) to verify employment.
  • Why did it take IBM 2.5+ months to notify me of their data breach? The data breach occurred in February 2007. IBM notified me in May. The 2+ month period was plenty of time for identity thieves to cause damage. I'd like to feel confident that in the future IBM will notify me in a timely and prompt manner.

Maybe readers of I've Been Mugged have questions for IBM. If so, it'd be great to hear your questions. If you have already discussed your questions with IBM, I'd love to hear both your questions and the answers you received from IBM.



Protecting Yourself

After IBM informed me about their data tape loss/theft with sensitive personal data, I've spent many hours educating myself about identity theft. I've probably visited about 15 - 20 blogs and as many web sites. Whether you are an ID theft victim or not, there are actions all consumers must take to protect ourselves. (Future blog entries will cover what companies should do to protect personal data.)

For me, it was important to first learn about the variety of ways thieves steal personal data. A thief with your SS# can do a lot more damage than a thief with your credit card number. I realized that I needed to do several things to protect my identity. (For examples: shredding snail-mail alone is not enough. Credit-monitoring alone is not enough.) Some actions I'd already taken. Others I started doing. I've found that some actions don't cost a thing except my time and a mild change in habits.

With any Google search, you'll probably find plenty of sites and blogs with recommendations about how to protect your identity. I like these sources because they provide clear, easy-to-read instructions with easy-to-follow lists for the first-time reader:



IBM's Offer

A prior blog entry discussed how IBM had lost data tapes containing the personal data for thousands of current and former employees. What was IBM's offer for the affected employees? One year of free credit monitoring. While a Fraud Alert is free, consumers can pay anywhere from "$50 to $200 per year" for a credit monitoring service.

I really do appreciate IBM's offer of free credit monitoring service for one year. Credit monitoring is wise because the 2003 FTC Identity theft survey found that consumers who monitor their credit tend to lose less money to identity theft and spend less time and money fixing the problem. About.com has a page that clearly explains the benefits of a credit monitoring service. However, a credit monitoring service has its limitations.

First, credit monitoring is like any other service. Some consumers like it, some say the value isn't there, and others prefer stronger protection. A recent BBB and Javelin study found that credit monitoring services uncovered about 11% of fraud. A credit monitoring service won't protect you against all types of identity theft, just the scams where the thief applies for credit, a loan, or a product purchase where the company checks with one of the three national credit bureaus for your credit data. For example, a credit monitoring service won't protect you when an identity thief gives law enforcement your stolen identity during a traffic stop or a crime.

Second, while credit monitoring is strongly recommended, paying for a credit monitoring service isn't for everyone. The Identity Theft Resource Center advises the following after a data breach:

Place a fraud alert with each bureau (asking companies to contact you prior to issuing credit) and request your free copy of the credit report. It is free because your information was breached. If asked, you are a potential victim of id theft... Check your report carefully for any irregularity...Use the annual credit reports system to monitor your credit report over the next year. Stagger them out by ordering one every four months.

According to the Security Breach Guide at the Privacy Rights Clearinghouse site:

"Every consumer, whether or not a victim of identity theft, can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report. In addition, laws in several states give individuals other opportunities to obtain free credit reports."

So, you can order your free annual credit report from all three national credit bureaus at once, or stagger when you receive them over several months.

Third, if you already have credit monitoring, then another offer of free credit monitoring is really minimal or no help at all. When IBM notified me, I had already established a credit monitoring service through my Discover Card 4 or 5 years earlier. At worst, IBM's offer is no help because it duplicates an existing credit monitoring service. At best, IBM's offer is an opportunity for me to compare over time two credit monitoring services and cancel the poorer service at the end of the year. What I did learn is this: make sure that whatever credit monitoring service you use, a) provides real-time alerts about inquiries into your credit file; and b) monitors all three national credit bureau services. My service monitored one, but it provided a free upgrade to all three credit bureaus. Obviously, I happily upgraded.

Fourth, IBM's offer of free credit monitoring for one year could be seen as a slick effort to shift focus and responsibility from IBM to the consumer and his/her credit monitoring service. IBM still has a duty to protect the personal data for all current and former employees, to inform us of IBM's processes to protect our data (e.g., through various required correspondence, IBM now has my current personal data), and to inform us of the results of its investigation about the data tape loss/theft. The credit monitoring service is not and should never be an excuse for any company to avoid responsibility for protecting the personal data it stores.

Fifth, IBM's offer of free credit monitoring for one year doesn't address the fact that the risk period of identity theft extends far beyond one year. IBM created this risk when their subcontractor lost (or stole) my personal data. Smart identity theft thieves can just sit on the data for 2 years or longer, and then use (or sell) the stolen data. Or it may take more than a year for the thief to sell the data and for a buyer to use the stolen personal data.

In my opinion, the length of the free credit monitoring service should match the risk period. IBM lost my personal data. There has to be a consequence when a company doesn't adequately protect personal data. If the free credit monitoring period doesn't match the risk period, then IBM has unfairly shifted the burden from themselves to the ID theft victim. In the instances where a victim already has a credit monitoring service, the company should reimburse the consumer for that risk period.

Moreover, IBM's offer is like giving me the sleeves from a vest. It does not solve the problem that led to the data tape loss/theft. It does not address IBM's internal process and policies, or lack of enforcement, which led up to an IBM contractor losing (or stealing) the employee data. It does not address IBM's responsibility to inform victims and to protect the personal data consumers have entrusted it with.



Fraud Alerts

After IBM informed me that IBM had lost data tapes with my personal data, one of the first things I did was contact the three credit bureaus in the USA. These thieves didn't have to do any dumpster-diving, or break into my snail-mail-box, or hack into IBM's computers, since the data tapes fell off the back of the truck.

A Credit Bureau is a company that compiles and distributes credit and personal information about consumers to creditors. This credit information may include payment habits, the number of (existing and prior) credit accounts, the balance for those accounts, and the length and place of employment. There are three credit bureaus in the USA: Equifax, Experian, and TransUnion. The Identity Theft Victims Guide lists the phone number, mailing address, and web site for all three credit bureaus.

Creditors are the companies that loan money or sell goods "on credit" to consumers. A variety of companies contact a credit bureau for the credit data of a consumer applicant. For example, when you apply for a loan (with a bank, auto company, or finance company) or apply for a wireless phone plan, that company (or bank) will contact a credit bureau to learn more about your habits with money. The company's goal is to learn enough to decide if you are a good credit risk or not. Consumers deemed a good credit risk receive the loan and pay less for the same goods; typically a lower interest rate. Consumers deemed a poor credit risk won't get the loan, or if they do will pay a higher interest rate.

One scam is when identity thieves pretend to be somebody else to apply for a loan, mortgage, or buy a large dollar-value item. The thief uses the identity victim's good credit and, of course, doesn't pay off the loan or pay for the product. Then, the creditor seeks the identity theft victim to pay for the loan or purchase that the victim never made. So, anything that makes it difficult (or impossible) for identity thieves to access credit information is a good thing.

One tool to make it difficult is a Fraud Alert. A Fraud Alert is a "flag" or indicator on a consumer's credit file that the individual may be a victim of identity theft. The Fraud Alert requires the creditor to contact the consumer via phone before issuing credit.

Consumers have a choice of a fraud alert for 90 days (my choice) or seven years. At the end of the period, the consumer can extend the alert by contacting the credit bureaus.

To place a Fraud Alert on your credit file, you simply contact any one or all three credit bureaus. (I left nothing to chance and contacted all three by phone.) Each credit bureau will inform the others of your Fraud Alert request. All credit bureaus will send a written confirmation of your Fraud Alert. The Equifax confirmation included this:

If you are a victim of fraud, the first step in protecting your credit information is to add a fraud alert to each of the credit files maintained by the three national credit reporting agencies. Adding a fraud alert may aid in the prevention of further fraudulent activity. We were successful in adding an alert to your Equifax credit file.

The TransUnion confirmation included this:

"We have received a request and added to your credit report an initial Fraud Alert. The alert will remain on your file for 90 days, as specified by the expiration at the end of the statement, and will be provided to anyone who receives a copy of your credit report. The alert will inform all credit grantors to take precautionary measures to verify the identity of the applicant before extending credit."

The confirmation also stated:

"As TransUnion is a credit-reporting agency, your credit report may be released to credit grantors who are active members of our agency. In order for the credit grantor to view the Initial Fraud Alert on your file, the credit grantor must first access your credit report."

As I read all three confirmations, I began to understand that the system is tilted to allow all three national credit bureaus to continue to distribute my credit file with my fraud alert appended. A careless credit bureau could still pass personal data to a thief pretending to be a valid creditor, and the identity thief could still take advantage of my (and your) good credit. This has happened to one data aggregator! See any news story about ChoicePoint at C/Net or PRC or InfoWorld or Consumer Affairs.

Definitely not a bullet-proof system. I felt slightly better. Not great, but slightly better. A little protection, but not bullet-proof. I like bullet-proof.

This is one reason why I believe that the U.S. commerce system is tilted away from consumers and towards companies - to facilitate profit-making and lending credit. By sharing consumers' credit information, companies can make more money, but both the companies and the consumers incur risk. If I am going to participate in a system where I incur risk, I want rewards for my risk. Conversely, if companies want to benefit from sharing my personal data, then they'd better adequately protect my personal data. If they can't protect it, don't use my personal data and delete it!

If you feel this way (or not), I'd love to hear from you and why. In my opinion, the system needs to be balanced between companies and consumers, with stronger protections for consumers who typically have fewer resources than a corporation.

The TransUnion confirmation also stated:

"Under federal law, you are entitled to request a free copy of your credit report within the next 12 months."

This was good news at a time when I was receiving plenty of bad news. It's always good to get something for free... especially when you need it.



“Apparently [the data tapes] fell off the back of a truck...”

I described in a prior blog entry the notification I received from IBM in May 2007. One of the first things I did was search the Internet for news stories about IBM's data tape loss/theft. The more I read, the more discomfort I felt. The news item in ComputerWorld summed up IBM's data tape loss quite well:

"IBM Contractor Loses Employee Data In Transit: Apparently fell off the back of a truck, more or less literally"

When this article says things like, "The data tapes require a tape drive to be read..." it indicates that some, or all, of IBM's data tapes were not encrypted. The article in CIO magazine makes it clear that the lost/stolen data tapes contained personal data of mostly former IBM employees. Why weren't these tapes encrypted? Why such lax data security for personal data about former employees? Does IBM still do business with the contractor? Apparently, yes. Is anyone being held accountable about this incident? I have not received any communication from IBM with answers about these and similar questions. And as I read the news stories, it's unclear if the incident was a data tape loss or theft.
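The two controls this post and the earlier "conversation with IBM" post keep circling back to are (a) never putting plaintext personal data on a tape that leaves the building, and (b) knowing at the receiving end, immediately, that a tape did not arrive. The Python below is an added illustration of both, written for this page; it is not IBM's process and nothing here describes what IBM or its vendor actually did. The tape ids, tape contents, the manifest key and the 7.5 bits-per-byte entropy threshold are all constructed assumptions. The entropy check is only a sanity gate (compressed data also scores high), so it catches the obvious failure, records written to tape in the clear, rather than proving encryption.

```python
"""Pre-shipment gate and chain-of-custody check for offsite backup tapes.

Added illustration for this blog page, not IBM's procedure. All tape ids,
contents and the manifest key below are constructed sample values.
"""
import hashlib
import hmac
import json
import math
from collections import Counter
from typing import Dict, List

# Assumption: ciphertext from a modern cipher is close to uniformly random,
# so it scores near 8 bits of entropy per byte. Plaintext HR records do not.
MIN_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of Shannon entropy per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic gate: high-entropy contents are treated as encrypted."""
    return shannon_entropy(data) >= MIN_ENTROPY_BITS


def unencrypted_tapes(tapes: Dict[str, bytes]) -> List[str]:
    """Tape ids that fail the entropy gate; these must not be handed to a courier."""
    return sorted(tid for tid, blob in tapes.items() if not looks_encrypted(blob))


def build_manifest(tapes: Dict[str, bytes], key: bytes) -> dict:
    """Shipping manifest: SHA-256 per tape plus an HMAC over the whole list,
    so the receiving site can detect a tape that was dropped from the list."""
    entries = [
        {"tape_id": tid, "sha256": hashlib.sha256(blob).hexdigest()}
        for tid, blob in sorted(tapes.items())
    ]
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def reconcile(manifest: dict, received: Dict[str, bytes], key: bytes) -> dict:
    """Receiving-site check: returns missing and digest-mismatched tape ids.
    Raises ValueError if the manifest itself was altered in transit."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC mismatch: manifest altered or wrong key")
    missing, corrupt = [], []
    for entry in manifest["entries"]:
        blob = received.get(entry["tape_id"])
        if blob is None:
            missing.append(entry["tape_id"])
        elif hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            corrupt.append(entry["tape_id"])
    return {"missing": missing, "corrupt": corrupt}


# --- constructed sample data ---------------------------------------------
def _pseudorandom(nbytes: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 run in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


PLAINTEXT_TAPE = b"name=Jane Doe;ssn=000-00-0000;addr=1 Main St\n" * 1000
SAMPLE_TAPES = {
    "TAPE-0001": _pseudorandom(65536, b"tape1"),
    "TAPE-0002": _pseudorandom(65536, b"tape2"),
    "TAPE-0003": PLAINTEXT_TAPE,  # HR records written to tape in the clear
}
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def demo() -> dict:
    """Run the gate, then simulate one shippable tape going missing in transit."""
    rejected = unencrypted_tapes(SAMPLE_TAPES)
    shippable = {t: b for t, b in SAMPLE_TAPES.items() if t not in rejected}
    manifest = build_manifest(shippable, MANIFEST_KEY)
    arrived = {t: b for t, b in shippable.items() if t != "TAPE-0002"}
    return {"rejected": rejected,
            "reconciliation": reconcile(manifest, arrived, MANIFEST_KEY)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block reports TAPE-0003 rejected at the gate and TAPE-0002 missing on arrival. The point of the HMAC is that a courier or an insider cannot quietly shorten the manifest to hide a missing tape; the point of the reconciliation step is that the loss is detected on the day the shipment arrives, not months later when a former employee notices an unfamiliar inquiry on a credit report.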

A May 2007 news article in InformationWeek pretty much reflected the same story line:

"(Missing) Without a Trace; The IBM Tapes"

Fell off the back of a truck? How could this happen? With annual revenues exceeding $90 billion in 2006, IBM is one of the world's leading computer companies, if not the leading computer company, providing hardware, software, and services to companies worldwide. You may remember the TJX identity theft incident. Hackers broke into various TJX companies' computer systems over a two-year period and stole the personal data for over 45 million records/people. (I didn't shop at any TJX brand stores so I wasn't affected by this data breach.) Who did TJX hire to help them repair their systems? IBM!

In its 2006 Annual Report, IBM emphasizes its strategy around innovation:

IBM’s lines of business work together in a model defined by innovation and global integration, the twin imperatives that we believe are reshaping business and society in the 21st century. This ability to both innovate and integrate — and do so in ways that are truly global — is unique to IBM, and sets us apart from our competition. Last year was in many ways the culmination of our repositioning of IBM as an innovation company. Its most visible manifestation was our marketing and communications campaign around the theme, “What makes you special?”

Various IBM technicians write research and technical papers and participate in conferences about information security. IBM also markets its white papers (example: this one is about security) through online distributors. At its web site, you can read plenty of case studies about how IBM security solutions benefit companies and governments. Heck... IBM even has an ethical hacking service where IBM technicians will hack or break into a client company's computer systems to test the client's information protection systems. In my opinion, being truly innovative means practicing what you preach, or walking the talk. It means employing internally the information security processes you sell to other companies. There was nothing special or innovative about IBM's data tape loss in February 2007... an event where IBM's carelessness or negligence now inconveniences me (and other former employees) with both time and money.

For a company specializing in computing innovation, I expect far more. For a company emphasizing security solutions, I expect far more. And I have a right to expect far more because IBM has decided to continue to store my personal data.

So, how did IBM's data tape theft/loss happen? In my opinion and based on IBM's legacy businesses, IBM ought to know better about data security. Wait... let me revise that... IBM does know better about how to protect sensitive personal data. So why wasn't it done for records about former IBM employees? I wonder if either IBM didn't care about protecting the data of prior employees, or cared but didn't enforce its own information security processes internally. Either way, it stinks.

It is shocking to me -- and I hope to you -- that IBM has not held anyone accountable for the data tape loss, still does business with this unnamed (and still undisclosed) contractor, and hasn't communicated to people affected (me and other former employees) about what IBM is doing to protect our sensitive personal data so this doesn't happen again. Think of it this way... since this data breach happened at IBM, consider how many of your former employers aren't sufficiently protecting your personal data.

IBM seems rather tight-lipped about the whole identity loss/theft incident. The reason given in the news articles by an IBM spokesperson, McNeese, is for security reasons. That's a convenient rationale if your employees (or your contractor) have dropped the security ball in a big way. It's also after the event... our personal data is out there for patient thieves to use.

IBM's actions so far haven't made me feel confident about their intent to protect my personal data. In future blog entries I will discuss in more detail IBM's actions, its proposed solution for the data tape loss/theft, its communications (or lack thereof), and the questions I have submitted to IBM. We'll see if IBM responds to my inquiry, and if so, how quickly and with what level of detail.

Next entry: fraud alerts


What is the personal data you should protect?

In its July 1, 2007 issue, the Wall Street Journal has an excellent article about how various experts protect themselves from identity theft. The article covers techniques we consumers can use, too. Now on to the main topic of this blog entry.

Since IBM informed me that IBM had lost data tapes with personal data about me and thousands of other current and former employees, I've visited a lot of web sites and blogs to educate myself about identity theft. I wrote earlier how IBM's carelessness was one reason why I started this blog. While surfing the Internet, I've noticed that most identity theft sites seem to have lots of useful tips and advice about prevention and how to repair the damage post-theft, but few seem to list the precise personal data we consumers must protect.

So, I've started a list of the personal data items you should protect:

  • Full, legal name
  • Residential address
  • Residential telephone number (land-line or cellular)
  • Birth date / birth place / birth certificate
  • Mother's maiden name
  • Credit card numbers (and any associated PIN numbers)
  • Bank account numbers (checking, savings, 401(k), retirement, brokerage, mortgages)
  • Usernames and passwords for online accounts (Internet Service Provider, banking accounts, brokerage account, credit cards, etc.)
  • Bank ATM/Debit card number and PIN number
  • Health insurance / prescription / dental card and account numbers
  • Driver's license number
  • Professional licenses (e.g., nurse, doctor, etc.)
  • Passport, Visa, immigration papers and account numbers
  • Supermarket cards with check cashing
  • Military ID card
  • Renewable long distance telephone card
  • Health club or school ID cards (especially if they have your Social Security number on them)
  • Medical history and medical records
  • Additionally, if you are a parent you'll need to protect the personal data for your children
  • Additionally, if you are caring for an elder parent, you'll need to protect the personal data for your parents

The Ask the Advisor blog has some useful information about which of your personal data items are more sensitive than others. The Identity Theft Resource Center maintains a good list of personal data. Once you have a clear understanding of the personal data you must protect, it is easier to determine all of the places this data is stored... both in your home and elsewhere. Reminder: I am not a data security professional or a financial planner. The right column of this blog lists professional sources you can and should use.

Next entry: “Apparently [the data tapes] fell off the back of a truck...”


How consumers respond to identity theft crime

My last entry discussed identity theft frequency, amounts lost, and time/money spent fixing the problem from the results of the 2003 Identity Theft survey by the U.S. Federal Trade Commission. How we consumers respond (or don't) to identity theft is just as important. Basically, vigilance matters.

The consumers who monitor their credit and discover problems sooner lose less money and spend less time and money fixing the problem. Summaries of the survey results:

"When the misuse was discovered within 5 months of its onset, the value obtained by the thief was less than $5,000 in 82% of cases (including all forms of ID Theft). When victims took 6 months or more to discover that their information was being misused, the thief obtained $5,000 or more in 44% of cases."

"No out-of-pocket expenses were incurred by 67% of those who discovered the misuse of their personal information within 5 months of the time the misuse began. Where it took 6 months or more to discover the misuse, only 40% of victims incurred no out-of-pocket expenses."

"New accounts were opened in less than 10% of cases when it took victims less than a month to discover that their information was being misused. New accounts were opened in 45% of cases when 6 months or more elapsed before the misuse was discovered."

"76% of victims who discovered the misuse of their information within one month spent fewer than 10 hours resolving their problems, while in only 20% of cases where it took more than 6 months to discover the misuse were victims able to resolve all of their problems in less than 10 hours."

And, consumers seem to be lax about both monitoring their credit and reporting crimes to the police:

"Only about 25% of victims who participated in the survey said that they had reported the crime to local police. Even with the more serious “New Accounts and Other Frauds” form of ID Theft, only 43% of victims said that they had reported their experiences to local police."

"Only 22% of ID Theft victims said that they had notified one or more credit bureaus about their experiences. Even among those who suffered from the “New Accounts & Other Frauds” type of ID Theft, only 37% contacted a credit bureau. Of those victims who contacted credit bureaus, 62% asked to have a “fraud alert” placed on their credit reports."

Where consumers are somewhat lax, thieves aren't. They are persistent, determined, and will misuse your personal information for a long period of time. From the same survey:

"13% of victims reported that their information was misused for 6 months or more. (For “New Accounts & Other Frauds” ID Theft, 27% of cases involved the misuse of the victim’s information for at least 6 months.) On the other hand, in 26% of all cases of ID Theft the misuse was limited to a single day. (Misuse was limited to a single day in 36% of cases that only involved the misuse of existing credit cards or card numbers.)"

Next entry: what is the personal information you should protect?


What’s The Big Deal About Identity Theft?

In September 2003, the U.S. Federal Trade Commission issued the results of its identity theft study, which estimated that 27.3 million people were identity theft and fraud victims, with:

“... [2002] identity theft losses to businesses and financial institutions totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses.”

About the frequency of identity theft, the FTC found:

"1.5% of survey participants: their personal information had been misused to open new credit accounts, take out new loans, or engage in other types of fraud, such as misuse of the victim’s name and identifying information when someone is charged with a crime, when renting an apartment, or when obtaining medical care."

The FTC calls this “New Accounts & Other Frauds” ID Theft. Projected to the entire population, this result suggests that almost 3.25 million Americans were victims during the past year. Also:

"2.4% of survey participants: the misuse of one or more of their existing credit cards or credit card account numbers, during the past year."

The FTC calls this “Misuse of Existing Credit Cards or Card Numbers.”

And:

"0.7% of survey participants: the misuse of one or more of their existing non-credit card accounts during the past year. Examples: checking account, savings accounts, or telephone accounts."

The FTC calls this “Misuse of Existing Non-Credit Card Accounts or Account Numbers.”

For all types of identity theft combined, 4.6% of survey participants were identity theft victims during the past year. The FTC estimates that almost 10 million Americans were identity theft victims. The FTC found that the rates were higher when a longer time period was considered:

“4.7 percent of survey participants reported that they had discovered that they were victims of “New Accounts & Other Frauds” ID Theft during the previous 5 years. 6% said that they had discovered that they were victims of the “Misuse of Existing Credit Cards or Card Numbers,” while 2% indicated that they were victims of the “Misuse of Existing Non-Credit Card Accounts or Account Numbers.” In total, 12.7% of survey participants reported that they had discovered the misuse of their personal information within the last 5 years.”

The cost of the theft to consumers varies by the specific type of identity theft:

"On average, victims of “New Accounts & Other Frauds” ID Theft indicated that the person or persons who misused the victim’s personal information had obtained money or goods and services valued at $10,200 using the victim’s information."

Combine results from “Misuse of Existing Credit Cards and Credit Card Accounts Only” ID theft, “Misuse of Other Existing Accounts” ID theft, and “New Accounts & Other Frauds,” and the cost of “this crime approaches $50 billion per year, with the average loss from the misuse of a victim’s personal information being $4,800.”

“Looking at all forms of ID Theft, victims estimated that they had spent $500 on average to deal with their ID Theft experience. Victims of the “New Accounts and Other Frauds” type of ID Theft estimated that they had spent almost $1,200 on average.”

“Victims of ID Theft also spend a considerable amount of their own time resolving the various problems that occurred because of the misuse of their personal information. On average, victims reported that they spent 30 hours resolving their problems. On average, victims of the “New Accounts and Other Frauds” form of ID Theft spent 60 hours resolving their problems.”

15% of ID Theft victims said that thieves misused their personal information in non-financial ways. Examples: presenting the victim’s name and identifying information during a traffic stop, during an arrest, or when charged with a crime.

The FTC distributed 1.2 million copies of the booklet “Identity Theft: When Bad Things Happen to Your Good Name” in English or Spanish between February 2000 and September 2003. Since then, newer materials have become available at the FTC's Identity Theft web site.

Next entry: how consumers respond to identity theft crime.


IBM, Me, And Identity Theft

About May 2, 2007, I received a letter from IBM Corporation. It read in part:

"We are writing because of an incident that has resulted in the loss of information relating to your IBM employment, as we wanted to inform you about what happened and explain steps IBM is taking to help protect you."

This letter was startling because technically, I never worked for IBM. During the late 1980’s, I’d worked for a company, Lotus Development Corporation, which IBM later bought during the mid 1990’s after I’d left Lotus. So, before reading the letter I was wondering why IBM’s Vice President of Human Resources had written to me.

The letter also read:

"Recently, data tapes were lost while being transported by a vendor. Those tapes contained primarily archival IBM employment-related information, including Social Security numbers."

Yikes! The letter sent a chill through my spine. IBM had lost my most sensitive and valuable information, including my Social Security number! I hadn’t heard anything about this in the news on TV or online. Now, despite my best efforts, somebody else had lost my personal information, which was out there available to thieves!

Was I angry? You bet! The feeling is that I am now inconvenienced due to nothing I did, but due to the carelessness of somebody else. My attitude was (and still is), “You lost my data. Find it! And if you can’t, make it right somehow.”

After I calmed down, I continued to read the rest of the materials in the package IBM had sent. There was an application for pre-paid credit monitoring. (More about that in a future blog entry.) The package also contained a list of questions and answers. One item in particular stuck out:

"When were the tapes lost? February 23, 2007."

Why did it take IBM more than two months to contact me? The letter didn't say anything specific beyond a vague description about "taking several weeks to investigate the incident." I can't imagine why it took IBM about 2 and a half months to investigate the theft and to notify me. My personal information could have been used during this long period. IBM's slowness in communicating affected my ability to protect myself against identity theft.

More questions for IBM. When I receive an answer I will post it on this blog.

Next entry: what's the big deal about identity theft?


Welcome

Welcome to my I’ve Been Mugged blog. I started this blog to chronicle my experiences and learnings about identity theft. I am not an identity theft professional. Like most people, I am a regular working person with a 9-to-5 job, a bank account with hard earned savings, and credit cards that I know must be protected. Like most people, I am busy with my day job and my family, but I want to do what I should to protect my valuables.

Like many people, I've heard about and read news stories about identity theft. I will chronicle in this blog my experiences with identity theft, actions I've taken to protect myself, and broader issues that affect most people: new resources of identity protection, new threats from scammers, my research findings about identity theft issues, and governmental laws related to identity theft. My promise to my blog readers is that I will use plain English to explain issues that are often clouded in technical, legal, or financial terminology.

Because the Internet is a constantly (and rapidly) changing thing, this blog will cover ways we consumers can (and should) protect our personal information, plus whether or not we consumers are getting the help we expect from companies and government. My personal belief is that governmental laws and activities are tilted far to favor corporations and profit-making, and lack sufficient protections for consumers with this constantly changing tool called the Internet. My personal belief is that while most corporations are responsible about protecting the personal information they maintain, too many corporations aren't responsible enough, and we consumers incur the risk and expense. I am sure that my blog's readers will add comments, links, and research findings about this.

Along the way, I will use my experiences with IBM Corporation to illustrate certain points about identity theft, identity protection, and corporate responsibility. I have IBM to thank, since they lost my personal information, which triggered my increased interest in identity theft issues and this blog.

Next entry: IBM, me, and identity theft.