Monday, August 20, 2007

Listed below are links to weblogs that reference Kroll's Offering From IBM Deserves Scrutiny:

Comments

tf

I signed up for the service when I got my letter from IBM a couple of months ago. After not hearing from them for a few months, I called them a couple weeks ago. A human answered the phone and was very helpful. She determined that the e-mail address I registered was entered incorrectly.

Sure enough, a couple of days later I got an email from someone at 'marshpm.com' with instructions on setting up my account. The instructions called for me to sign into yet another domain, "idinsights.net". None of my research could link each of these domains, but I'm sure someone out there can find out.

Today, I finally signed in to reset my password. I am waiting for my renewal confirmation.

p.s. The e-mail account that I gave them is a hidden account and has been free from spam for many, many years. It may be coincidence that I started getting spam at this address shortly after I called to correct my e-mail.

George

Dear TF:
Sorry to hear about your troubles. I can't answer all of your questions, but I will answer what I can.

I am familiar with the idinsights.net web site address. I get mail from Kroll with it. I agree with you... it is a little confusing. I too expected a web site with kroll.com or something similar.

My guess -- and this is purely a guess -- is that Kroll set up the idinsights.net web site address for their arrangement with IBM. If true, then IBM "lost" a very large number of employee records.

You probably should call Kroll via phone and tell them of your confusion/difficulty... and see if they can help. I have not seen the marshpm.com web site address. If you got mail from there, it might have been a phishing scam. Again, ask Kroll. Maybe a Kroll rep will post a reply here. I'll see what I can do to make that happen, since I am starting to compile a list of questions for Kroll.

While Kroll seems legitimate, it appears that IBM has arranged a watered-down version of Kroll's services for us, which seems so far marginally beneficial. Good luck and let us know what happens.

Adele

I am very happy to find this blog. I am also affected by this tape disappearance but I am somewhat different than others I have read about on this blog. I live outside the US. I used to live in the US as an IBM Assignee. And I am still employed by IBM in my home country. I received a letter in August 2007 offering me Kroll's ID TheftSmart Enhanced Identity Theft Restoration service.

However, I have no way to determine what my US credit history is because I do not have a US address. I do however have a US Social Security Number and I have no way of knowing if anyone is trying to use it.

I called Kroll and they said I had to monitor my own affairs and if I suspect an identity theft, they will help me. But they will not 'monitor' my credit history or get it for me.

I am totally dissatisfied with this approach. If any others watching this blog are 'international' and have a vehicle to check US credit history or do US credit monitoring I would appreciate knowing about it.

In the meantime, since I am still an IBM employee, I intend to ask my personnel department to get me my US Credit history and monitoring. I will monitor my affairs in my home country but it is a 'different' number than a social security number.

I appreciate any and all input.

Adele

Name Withheld

I tried to log into idinsights.net. Could not remember my name and password so tried to get it reset but the site would not let me. Horrible service. Typical for IBM though. And now they've compromised my personal identity security and offer this nonsense as a solution?

Mary

I was referred to Kroll Inc.'s ID TheftSmart services through a letter sent to me by a company I deal with. This company sent me a Membership number to enter. (The company had their computers stolen with personal information about their clients in their database. I guess that is why they sent me the member number.)
However, when I went to the idintegrityalerts.com website, I was asked a lot of personal information including social security number. Naturally, this information would probably be necessary, but, like a previous commenter, I was taken aback by the fact that the name Kroll was not on the site and that the site was rather simply designed. I did not finish my application.
Noting that the envelope I got this information from is a plain envelope and anyone with a computer can type a letter and set up a plain website to obtain private information.
I am waiting for a call from the company who referred me - before I continue.
Perhaps this is a bit 'over-cautious' but, I do not give out my social security number that freely. Any comments?

George

Mary:

Thanks for writing. When an employer, prior employer, or retailer has had consumers' sensitive personal data lost or stolen, it is very understandable to be a bit over-cautious. I felt the same way as you.

From my research, Kroll is a reputable company. Kroll's strength is credit/identity restoration. When IBM had a data breach, it hired Kroll to provide one year of credit restoration. You will probably want to use another service for credit monitoring, since that does not seem to be Kroll's strength.

I have not looked at the idintegrityalerts.com site you mentioned above, so I cannot comment on that site. All of my comments are based on my experiences and interactions with Kroll through the service arranged by IBM. Yes, Kroll doesn't always place its name on the site -- that seems to be driven by the agreement between the company that had the data breach and Kroll. In my experience, Kroll = IDTheftSmart.

In 2007, I was interviewed by the American Banker publication for an article it published about which types of services were best for breach victims. I argued for credit monitoring while IBM argued for credit restoration. The article with that interview has been available on Kroll's site; and there are posts about it in this blog.

You should feel free to search this site for prior posts about Kroll, IBM, and ID Theftsmart. The search widget is at the top of the column on the right.

About your observation that "the site was rather simply designed," I think that it is important to remember this. When a company has a data breach, part of the usual response is to provide free credit monitoring for one or 2 years to the breach victims -- usually consumers. The company's primary goal is to minimize the damage from the breach and to minimize its post-breach costs; and not necessarily provide consumers with the absolute best, most comprehensive credit monitoring service available.

Most states require notification of consumers after a breach, but few states specify exactly what must be in the "credit monitoring services" provided. So, some companies focus on providing restoration services to breach victims, while other companies focus on providing credit report monitoring to their breach victims.

Sometimes, companies' post-breach response has errors. Some companies don't know exactly what data was stolen/lost. Often the breach victims have moved their residence -- especially if the stolen data included prior employees. So, companies will often hire private investigators to find breach victims that have moved. This happened to me with IBM's breach.

You didn't mention the specific company that had the breach affecting you, so I can't reply about that.

It's your job as a consumer to evaluate the free credit monitoring (or restoration) services offered and determine whether or not that free service benefits you -- serves your needs. You can say "no thanks" and sign up for another credit monitoring service. There are plenty out there and I've reviewed some of them in this blog.

Either way, there are plenty of posts in this blog that may help. You can search the blog using the search widget or the tag cloud; both are in the right column. Good luck and let us know what you decide.

George Jenkins
Editor
http://ivebeenmugged.typepad.com

Russell

Signed up for IDTheftSmart after receiving letter from IBM many years after my employment with IBM. I enrolled immediately and not only received an initial detailed hard copy credit report, which was very helpful, but regular monthly email alert/updates. These were helpful and accurate as well. I called to extend the service after the initial annum gratis, but decided that the monthly fee was a bit much for me.

I actually only utilized IDTheftSmart for monitoring. Any of the restorative actions I took, of which there were several during that year of enrollment, I carried out on my own. That is how I roll. As a free service, I can't complain.

Bur Goode

It has been a long time since this post, but I would like to ask whether anyone has experienced Identity Theft as a result of this IBM security breach ("data tape fell off the back of a truck").

I discovered in January 2010 that I am a victim of identity theft, and I am still trying to find out how the thieves got my name and social security number.

At first, I suspected it was a bank security breach. I had received an apology letter from my bank saying that an affiliate bank had lost their customers' personal data. My bank had offered me, and I accepted, two years' free subscription to Experian Triple Alert, a credit monitoring service. It was from Triple Alert that I received an email notification of a bill collector placing adverse information on my Experian credit file. However, I was surprised to learn that the fraudulent account had been opened in January 2008, before my bank's reported security breach.

Next I suspected AT&T Inc, because in August 2007 I had received an apology letter saying that a consultant had reported a lost laptop computer with unencrypted data files containing personal information of former employees of AT&T Corp (those who worked for AT&T Corp before it was purchased by SBC in 2005). Of course, AT&T had offered a credit monitoring service to those former employees who had been affected, and I had subscribed to the Equifax credit monitoring service they offered. Both of those credit monitoring services assured me that there was nothing wrong with my credit files for two years, until January 2010.

After I had spent 70 hours cleaning up my credit files and reporting to the FTC, I sent a three-page letter to the AT&T Chairman complaining that unencrypted personnel files should not be given to contractors. Three months later I received a letter from the AT&T V.P. of Privacy, commenting on each of my points but basically denying that my identity theft could be related to the stolen AT&T laptop, since no-one else had complained that their identity theft could be related to that incident. She said they continued to believe that the laptop had been stolen for the hardware, and not for the data it contained.

Recently I remembered that IBM had notified me in May 2007 about the data tape that fell off the back of the truck. I was among those who were offered Kroll ID Theftsmart service. I pondered whether that was a good offer, since it said specifically that the offer only applied to identity theft resulting from the IBM tape loss. How would you know? Do the ID thieves tell you where they got your personal data? How would I prove to Kroll that my problem in January 2010 was due to the IBM tape loss in February 2007? Wouldn't Kroll deny responsibility, just as AT&T denied responsibility?

Incidentally, I would add that the credit monitoring services do not help fix the problem. They only alert you to the issue on your credit file. After that, credit repair is your responsibility. And that is very time consuming.

George

Bur:

Sorry to hear of your troubles. For some of the reasons you point out, this is why some consumers believe credit monitoring services are a ripoff (e.g., difficult to prove which breach led to the fraud, doesn't stop fraud and it just helps you watch it happen).

So far, IBM has been my only breach experience and it has not led to any fraud. IBM had contracted with Kroll, but that free service was only for 12 months. Besides, I made a very cautious response and placed a Security Freeze on my credit reports. I use strong passwords on my online financial accounts and change them every 90 days.

Kroll and a couple other services focus on the credit resolution portion. That's my advice to any consumer: get a credit monitoring service that has strong credit resolution features. Most people are new to identity theft, so the monitoring features help. The resolution portion is important if you have been a breach victim... which you have.

This blog has reviews of several credit monitoring services. Several reviews include comments from subscribers of that service. Both the review and reading others' experiences can help with picking a service that meets your needs.

George
Editor
http://ivebeenmugged.typepad.com

Credit Repair Services

Sometimes, companies' post-breach response has errors. Some companies don't know exactly what data was stolen/lost. Often the breach victims have moved their residence -- especially if the stolen data included prior employees. So, companies will often hire private investigators to find breach victims that have moved.

George

Credit Repair Services:

Yes. That is how IBM found me. Through an investigator. Companies have an option to hire a computer forensic investigator, to determine what was on the lost/stolen data tapes. So, companies have options. They may not want to do the work or spend the money, as they see the downside -- the consequences -- aren't steep. That is the problem.

George
Editor
http://ivebeenmugged.typepad.com

Credit Repair Services

Remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees. They should respect the employees.

Betty

I recently received a letter saying a tape had been lost. There was no reference to the name of the company who had my info, but stated it had something to do with healthcare. Our health insurance is through a local company, and we do not deal with a Canadian broker. I believe this is a total scam and would never fill out a form giving someone all the info they need FOR identity theft.

George

Betty:

Thanks for your comment. In valid breach notification letters I have read, the notification clearly states the company name, the date of the breach, what data items were exposed during the breach, what the company is doing about it, and what you should do next. The breach notification I received from IBM Corporation was a printed letter sent via postal mail and NOT an email message.

If the breach notification (postal mail or email) doesn't mention the company's name, it could be a fraudulent phishing letter to try and trick you into disclosing your sensitive personal information. If you live in the USA, I suggest that you contact the Attorney General office in the state where you live. Many AGs' websites have sections about identity theft and what to do. Your state may also have a Consumer Protection agency, which you should also contact. You could also contact the Postmaster at your local Post Office.

If you live in Canada, I am not sure what options are available to you. You probably should check with your local government first. Good luck and let us know what happens.

If you want to type in portions of the letter you received, feel free to use the comment mechanism below, but mask out any personal information.

George
Editor
http://ivebeenmugged.typepad.com

Credit Repair Services

Review and reading others' experiences can help with picking a service that meets your needs, and it's good that there are sites like this; at least we have some guides. Very useful information.

chris

I just got a letter from one of my credit card companies (Pentagon Federal Credit Union) claiming a breach had occurred and they were offering me 2 free years with Kroll's ID TheftSmart, which includes 3 current credit reports, continuous credit monitoring and enhanced identity theft consultation and restoration. After reading here, it sounds like a good deal and I am going to now go and sign up. Thank you for all the good information here, now I feel confident I am making a wise choice.

Deb

What website URL am I supposed to enter to post a message?

George

Deb:
I cannot advise you on how to contact Kroll. To contact this blog, go to the About page and click on the link to send an email message.

George
Editor
http://ivebeenmugged.typepad.com

Rae Gibbs

Deb:
I can help.. visit my site.. do the research.. http://www.legalshield.com/idt/rgibbs

jeux casinos

You probably should contact Kroll via cellphone and tell them of your misunderstandings and see if they can help.

The comments to this entry are closed.

  • George Jenkins, author of the I've Been Mugged Blog
  • © 2007 - 2014. George Jenkins. All Rights Reserved.