Case Studies

Monday, February 25, 2008

What To Do When Your Debit/ATM Card Number Is Stolen

Every few weeks, I get an e-mail from somebody who has had their personal data stolen. When the stolen data includes a bank account number, the identity thief usually tries to empty the victim's bank account.

Recently, a coworker (Scott) had his debit card number stolen. When I saw Scott, he was rushing to his bank to discuss and fix the problem. Scott had that frazzled "oh crap, what do I do now?" look on his face. A couple of days later, I contacted Scott via instant messaging (IM) to see what had happened. Our instant messaging thread:

George: how did it go the other day at the bank?
Scott: hey George! they were very cool about it
Scott: it was obvious by looking at my transaction activity that something funky was going on

George: did u file a police report?
Scott: i didn't
George: u should

Scott: should i do it here in Boston or in Baltimore where the purchases were made?
George: first, do it here. it will help should the thieves do more damage
George: second, call one of the credit bureaus and place a Fraud Alert on your credit report
Scott: i def will... hadn't even thought about it. think i was more concerned bout the bank
Scott: great suggestions

George: they charged stuff to your credit card, right?
Scott: debit/credit
George: sh--
Scott: a [bank name suppressed] bank account
George: def file a police report. now that the thieves know your debit/checking acct number, they can do more damage
George: did the bank give you a new checking acct number?
Scott: yea
George: third, change all of your passwords on your bank accts
Scott: i'm in there now, so i'll do it right away
George: remember to use a strong password: mix of caps and lower case... mix of numbers and text
Scott: covered

George: leave work today and go file a police report at the police station closest to where you live... ask them how to handle the balt location
Scott: you got it...
Scott: thanks for the suggestions. i'll call one of the credit bureaus too
George: now that the thieves know your debit and bank information, they may try to a) reroute your snail mail, b) break into your online accts, c) try to apply for credit in your name
Scott: oh man
George: d) create a phony ID and visit your bank branch to try to get the bank to disclose your SSN or other personal data
George: so, be alert that you get all of the mail you expect
Scott: for sure

George: yes, this sucks. welcome to identity theft in 2008. check my blog for tips
Scott: i certainly will
George: click on one of the right column categories to learn more about that subject (e.g., fraud alerts, credit monitoring services). u should check your credit reports at all 3 credit bureaus... that is your first line of defense should somebody try to apply for credit in your name

Scott: if i call one of the credit bureaus will all 3 somehow be notified or do i have to call all 3?
George: for a Fraud Alert, if u call one, it notifies the other 2. For a Security Freeze, you have to contact each credit bureau independently
George: my blog explains the difference between a Security Freeze and a Fraud Alert

George: Last... DON'T shop with your debit/ATM card. It doesn't give you the same protections as a credit card. I only use my debit/ATM card at my bank's ATM machines. I have a blog post about why shopping with a debit/ATM card is a bad idea
George: call or im me if u have more questions

George: but do the police report today
Scott: will do. thanks for all the great info
George: call and place the Fraud Alert today
Scott: totally appreciate it
George: u r welcome

[Editor's note: I should have also advised Scott to file a complaint with the Federal Trade Commission.]

Tuesday, January 08, 2008

Insecure Sign-in Pages At Web Sites

In a prior post, I listed my personal data New Year's resolutions for 2008. One of my resolutions is to contact companies I do business with online that have gaps in their data security. Earlier today I contacted NetFlix about their customer sign-in page:

"I would like to inform you that the NetFlix Sign-In page is insecure. That is, it is http:// when it should be https://. This is very important since credit card information is attached to my account and to my sign-in information. The work-around I have used to date has been to click the "Continue" button, since your site currently serves up a secure (i.e., https://) Sign In Error page. Then I enter my sign-in information.

While I am generally a satisfied NetFlix customer, this insecure sign-in page is a big problem. I blog about identity theft and I'd hate to see NetFlix get hit by hackers or identity thieves who might harvest customers' sign-in information from an insecure sign-in page."

I also sent a similar e-mail to TypePad, the producer of this blogging software. TypePad has a similar problem with an insecure Member Log-in page. You might want to check the web sites you sign into: look at the address of the page where you type your password, and at where the sign-in form sends it. While banks and financial institutions are good about providing secure sign-in pages, retailers don't seem to do as good a job.

Also, I've found that web-savvy companies respond quickly to e-mail inquiries. We'll see how soon TypePad and NetFlix respond to my inquiry.
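A quick way to make that check yourself, as an added example that is not part of the original post and is not NetFlix's or TypePad's code: the script below parses a sign-in page's HTML, finds every form that contains a password field, and reports a form whose page or submit target is plain http. The three sample pages are constructed for this example and use example.com, not any retailer's real markup. The first check matters on its own: a sign-in page served over http is a problem even when the form posts to https, because anyone on the network path can rewrite the form's action before you type your password.

```python
"""Flag sign-in forms that would send a password over plain http.

Added example for this post; the sample pages below are constructed and
use example.com, they are not NetFlix's or TypePad's real markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> on a page and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_signin_page(page_url, html):
    """Return a list of problems with the login forms on one page (empty list = OK).

    A login form is any <form> containing <input type="password">.  Two checks:
      1. the page itself must be https, otherwise an on-path attacker can rewrite
         the form before the user types anything;
      2. the form's action, resolved against the page URL, must be https,
         otherwise the credentials travel in the clear.
    """
    parser = _FormCollector()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]

    problems = []
    if login_forms and urlsplit(page_url).scheme != "https":
        problems.append(f"sign-in page served over plain http: {page_url}")
    for form in login_forms:
        # An empty or relative action resolves against the page URL.
        target = urljoin(page_url, form["action"] or "")
        if urlsplit(target).scheme != "https":
            problems.append(f"sign-in form submits over plain http: {target}")
    return problems


# Constructed sample pages (not real retailer markup).
INSECURE_PAGE = (
    "http://www.example.com/SignIn",
    '<form method="post" action="/SignIn">'
    '<input name="email"><input type="password" name="pw"></form>',
)
MIXED_PAGE = (
    "https://www.example.com/SignIn",
    '<form method="post" action="http://www.example.com/SignIn">'
    '<input name="email"><input type="password" name="pw"></form>',
)
SECURE_PAGE = (
    "https://www.example.com/SignIn",
    '<form method="post" action="https://www.example.com/SignIn">'
    '<input name="email"><input type="password" name="pw"></form>',
)

if __name__ == "__main__":
    for url, page_html in (INSECURE_PAGE, MIXED_PAGE, SECURE_PAGE):
        print(url, audit_signin_page(url, page_html) or "OK")
```

To run it against a live site, fetch the page yourself (for instance with your browser's "view source") and pass the page address and its HTML to audit_signin_page; the script deliberately does no network access of its own.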

Monday, January 07, 2008

Sears Exposes Customers' Purchase Information

A prior post explained the data privacy problems at the Sears.com and Kmart.com sites. In his blog, Harvard Business School professor Ben Edelman documented that customer purchase information is exposed by the Sears "Manage My Home" community portal.

There are smart ways to create a community portal for customers. This is not one. Not even close.

It is a particularly bad implementation because it makes it easy for scammers to abuse Sears customers. And it makes it easy for thieves to case homes online and decide which homes have the most valuable items to steal. How? Thieves can get a consumer's name, phone number, and address from any online (or print) telephone white pages directory, then look that person up on the portal to see what they have bought.

Also, the ComputerWorld publication reported:

"US retail giant Sears Holdings has taken part of its Managemyhome.com Web site offline following revelations that the site was making customers' purchasing histories publicly available. Sears disabled the site's "Find your products" section on Friday following criticism from privacy advocates, who said that fraudsters could use information provided by the site to scam Sears customers."

Want to learn more? Read about Sears spyware and poor consumer disclosures.

Friday, January 04, 2008

Sears: Bringing You The Softer Side of Spyware

A friend, Lisbeth, sent me the link to a very interesting post at the Ars Technica blog by Jacqui Cheng about Sears and Kmart:

"Sears and Kmart are places you might go when you need a new air conditioner filter or a lawnmower; they're not generally thought of as havens for spyware. But that's what the two stores have become, at least online, where their web sites were found to be installing software to track users' every online move—all without their knowledge. Security researchers are now hammering Sears (the owner of both Sears.com and Kmart.com) for the move, despite Sears' claims that users were notified adequately beforehand."

Cheng's post is a must-read, whether or not you shop at Sears or Kmart. Cheng describes in detail how the Sears.com and Kmart.com sites install spyware on community users' computers without their permission, and how Sears.com presents duplicitous privacy policy information. While the privacy policy should be consistent for all users, the web site presents different policies to different users... all without any upfront and clear warning.

In many ways this may be worse than the Facebook Beacon debacle, since the spyware tracks all computer usage, not just usage at the Sears.com and Kmart.com sites. It's another example of how companies are not honest, direct, and clear about how they collect, archive, and protect customer information online. In my opinion, senior managers at Sears should go to jail as a result.

I also checked the TRUSTe.org site to see if Sears was listed there. It wasn't listed -- and shouldn't be, since TRUSTe.org maintains a list of companies that properly handle, and disclose to consumers, their data privacy and opt-in methods.

When companies like Sears treat consumers and customers in this manner, it ensures that I won't shop there. And I hope that you won't shop there either. Or even better: write to Sears and tell them you won't shop there until they stop this practice. I did.

Monday, November 19, 2007

Chase Harasses A Credit Card Fraud Victim

This post at the Consumerist blog is a worthwhile read. Brandon's story highlights how a company can harass an identity theft victim instead of working with the victim to resolve the fraud. Brandon's story:

"In January 2007, I was traveling in Mexico and was mugged, having my wallet and passport stolen. By the time I got back to the hotel and began calling my credit card companies to cancel, the criminal had charged close to $3,000 on my CHASE Circuit City Visa card. I explained to CHASE that the charges were fraud, and they sent me a fraudulent charge affidavit to complete and have notarized. As I couldn't take care of this until I returned from my trip, and had more important things like a passport to worry about, I waited a few weeks before completing the paperwork and during those weeks received about 2 calls a day from CHASE urging me to send the documents."

According to the post, Brandon did a lot of things correctly. He completed the necessary documents and communicated with Chase in writing. The post includes a copy of Brandon's correspondence. But Chase continued to harass him for payment.

The best advice (from the Consumerist) is at the end of the post:

"You called and reported the fraud the day of, and yet they're still trying to collect. Under federal law, you have no responsibility for unauthorized charges after reporting loss or theft of a credit card. That you waited a few weeks to send in the papers doesn't matter. Worst case scenario, your maximum liability is $50. Have you sent them a "drop-dead" letter? Or a letter of dispute? Include the information in the preceding paragraph in your letter. You could also try kicking it up to Chase executive customer service: 1-888-622-7547 - extension 4350 or 847-488-6833, or 888-622-7547 x 6833."

Thursday, October 18, 2007

Put Home Depot On the Wood Pile of Laptop Data Breaches

Thanks to Jonathan Feeley for the alert about this Boston Business Journal article:

"... a laptop containing the personal information of thousands of Home Depot employees is missing after it was stolen from a Massachusetts worker's car... the Atlanta-based home improvement retailer said it is confident that the personal information was not the thief's target."

Network World reported that the data breach affected 10,000 Home Depot employees. Apparently, the laptop was stolen from a car parked at a residence. Home Depot has not disclosed the city or town where the data breach occurred. Was the employee fired? I hope so, but the company hasn't disclosed that either. I guess that neither the company nor this dumb-a$$ employee studied the Data Breach Analysis flow.

Seriously, companies need to do more about data security when employees store massive amounts of sensitive data on a laptop which they bring home, take on vacation, and leave in a highly insecure location like a parked car. It's very easy to find the long list of companies, universities, accounting firms, medical plans, hospitals, and government agencies that have suffered data breaches via laptop theft. Here's a partial list of laptop-only breaches with the date and number of records stolen/exposed:*

  • Univ. of California at Berkeley: March 2005: 98,400
  • MCI: April 2005: 16,500
  • California Department of Health Services: April 2005: 21,600
  • Oklahoma State Univ.: April 2005: 37,000
  • Colorado Health Dept.: May 2005: 1,600
  • U.S. Department of Justice: May 2005: 80,000
  • Kent State University: June 2005: 1,400
  • Eastman Kodak: June 2005: 5,800
  • Bank of America: June 2005: 18,000
  • Ohio State Univ. Medical Center: June 2005: 15,000
  • Univ. of Florida Health Sciences Center: August 2005: 3,851
  • J.P. Morgan Chase & Company: August 2005: undisclosed
  • Bank of America: September 2005: undisclosed
  • Univ. of Tennessee Medical Center: November 2005: 3,800
  • Boeing: November 2005: 161,000
  • First Trust Bank: December 2005: 100,000
  • Ameriprise Financial: December 2005: 260,000
  • Univ. of Washington Medical Center: January 2006: 1,600
  • Ernst & Young (UK): February 2006: 38,000
  • Mount St. Mary's Hospital: February 2006: 17,000
  • University of Northern Iowa: February 2006: 6,000
  • Metropolitan State College: March 2006: 93,000
  • Verizon: March 2006: undisclosed
  • Ernst & Young (UK): March 2006: undisclosed
  • Fidelity Investments: March 2006: 196,000
  • Boeing: April 2006: 3,600
  • Aetna: April 2006: 38,000
  • Mercantile Potomac Bank: May 2006: 48,000
  • M&T Bank: May 2006: undisclosed
  • Ernst & Young (UK): June 2006: 243,000
  • Buckeye Community Health Plan: June 2006: 72,000
  • YMCA (RI): June 2006: 65,000
  • Union Pacific: June 2006: 30,000
  • ING: June 2006: 13,000
  • Equifax: June 2006: 2,500
  • Armstrong World Industries: July 2006: 12,000
  • Toyota (TX): August 2006: 1,500
  • PSA HealthCare: August 2006: 51,000
  • U.S. Dept. of Transportation: August 2006: 132,470
  • Chevron: August 2006: undisclosed
  • Williams-Sonoma: August 2006: 1,200
  • Diebold: August 2006: undisclosed
  • General Electric: September 2006: 50,000
  • Camp Pendleton Marine Corps Base: October 2006: 2,400
  • T-Mobile: October 2006: 43,000
  • Gymboree: October 2006: 20,000
  • Starbucks: November 2006: 60,000
  • Notre Dame Univ.: January 2007: undisclosed
  • North Carolina Dept. of Revenue: January 2007: 30,000
  • St. Mary's Hospital (MD): February 2007: 130,000
  • Los Angeles County Child Support Services: March 2007: 243,000
  • Caterpillar: April 2007: undisclosed
  • Pfizer: June 2007: 17,000
  • Verisign: August 2007: undisclosed
  • Connecticut Dept. of Revenue: August 2007: 106,000
  • AT&T (TX): August 2007: undisclosed
  • Gap: September 2007: 800,000

Dig deeper into these breaches and you'll learn that often a company employee, subcontractor, or accounting firm employee had a laptop stolen off company premises. There are so many data breaches to learn from. It seems silly to store massive amounts of sensitive data on a single laptop. (Note the repeat offenders in the above list, too.) You'd think that companies would learn from the mistakes of others, tighten their data security processes, and increase employee training!

Learn more about the sensitive data companies archive about customers, employees, and former employees.

* Source: Privacy Rights Clearinghouse

Friday, September 28, 2007

Does Your Employer's Computer Liquidation Process Create Data Breaches?

Recently, a friend who is an IT (Information Technology) professional told me how much they enjoyed my prior post about How To Destroy a Hard Drive in 5 Seconds. We agreed that identity theft and data security are huge problems. Then my friend shared an unsolicited story about a data security incident at my friend's company. I am not disclosing any names. The point is not where this happened, but what happened and how many other companies have the same security issues.

Pat (not my friend's real name) shared this story. Pat's employer uses a computer liquidation service to liquidate (i.e., recycle, resell, or destroy) used computer equipment that's at the end of its useful life: laptops, desktops, servers, printers, and such. The computer liquidator erases any data on the hard drives and liquidates the equipment. Pat's employer uses a separate shipping vendor to transport the equipment from their offices to the liquidator's location. This sounds simple enough.

Anyway, a security guard in the building where Pat works pulled Pat aside one day to show off a used laptop the guard had acquired. Pat looked at the laptop, powered it up, and quickly noticed that it was equipment from Pat's company that should have been liquidated. The laptop still contained both data and software, including LAN/intranet access software. The security guard explained that a driver from the shipping company had given the guard the laptop as a gift in return for a favor.

Pat notified the IT management at Pat's employer. Management's solution to this data breach was to fire the shipping vendor and hire another vendor.

Wow!

It's stories like this one that reinforce my impression that many companies do not take data breaches seriously -- and do not do enough to protect the sensitive data they choose to archive, nor train their staff adequately.

I'm not a data security professional, but since I started writing I've Been Mugged I've learned enough to spot several problems with how Pat's company mismanaged this data breach:

  1. There was no clear recognition that a data breach had occurred. The security guard had access to data on the laptop which the guard shouldn't have had access to -- that is the definition of a data breach.
  2. Pat's company did not investigate the extent of the data breach. What other computer equipment had the shipping vendor already given away as gifts prior to this event? What sensitive data did that equipment contain?
  3. Pat's company doesn't seem to demand any security or background checks of the shipping vendor's drivers.
  4. Why wasn't the laptop retrieved from the security guard? And since it still held LAN/intranet access software, were the network credentials stored on it revoked?
  5. Pat's company doesn't seem to perform any validation or checks with the computer liquidator that the manifest of computer equipment sent was actually received and that the data was erased.
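Problem 5 is the one a company can fix with a routine check rather than a policy memo. What follows is an added example of that check, not Pat's employer's process or any liquidator's real report format: it compares the outbound manifest (keyed by manufacturer serial number) against two documents the liquidator should return, a receiving report and a set of data-sanitization certificates, and lists every gap. The asset records and vendor reports are constructed for the example, and the field names and the set of equipment kinds assumed to carry a hard drive are assumptions.

```python
"""Reconcile an outbound equipment manifest against the liquidator's receiving
report and data-sanitization certificates.

Added example for this post; the asset records and vendor reports below are
constructed, and the field names are assumptions, not any real company's process.
"""
from dataclasses import dataclass

# Equipment kinds assumed to carry a hard drive and therefore to need a wipe certificate.
STORAGE_KINDS = {"laptop", "desktop", "server"}


@dataclass(frozen=True)
class Asset:
    asset_tag: str   # our inventory tag
    serial: str      # manufacturer serial number, the key the vendor reports on
    kind: str        # laptop, desktop, server, printer, ...


@dataclass
class Reconciliation:
    missing_in_transit: list   # asset tags we shipped that are absent from the receiving report
    unexpected: list           # serials the vendor received that are not on our manifest
    not_wiped: list            # asset tags received but lacking a sanitization certificate

    def is_clean(self):
        return not (self.missing_in_transit or self.unexpected or self.not_wiped)


def reconcile(shipped, received_serials, wiped_serials):
    """Compare what left our building with what the liquidator says it got and erased.

    shipped          : list of Asset from our outbound manifest
    received_serials : set of serials on the liquidator's receiving report
    wiped_serials    : set of serials on the liquidator's sanitization certificates

    Any non-empty list in the result is an exception to investigate before the
    shipment is closed out.  A gap between shipped and received is exactly the
    case in the story above: a laptop that left the truck as a "gift".
    """
    by_serial = {a.serial: a for a in shipped}
    missing = [a.asset_tag for a in shipped if a.serial not in received_serials]
    unexpected = sorted(received_serials - set(by_serial))
    not_wiped = [
        a.asset_tag
        for a in shipped
        if a.serial in received_serials
        and a.kind in STORAGE_KINDS
        and a.serial not in wiped_serials
    ]
    return Reconciliation(missing, unexpected, not_wiped)


# Constructed sample data: five assets shipped, one laptop never arrives, one
# serial arrives that we never shipped, and one received laptop has no wipe certificate.
MANIFEST = [
    Asset("A-1001", "SN-LAP-001", "laptop"),
    Asset("A-1002", "SN-LAP-002", "laptop"),
    Asset("A-1003", "SN-LAP-003", "laptop"),
    Asset("A-1004", "SN-DSK-004", "desktop"),
    Asset("A-1005", "SN-PRN-005", "printer"),
]
RECEIVING_REPORT = {"SN-LAP-001", "SN-LAP-002", "SN-DSK-004", "SN-PRN-005", "SN-LAP-999"}
WIPE_CERTIFICATES = {"SN-LAP-001", "SN-DSK-004"}

if __name__ == "__main__":
    result = reconcile(MANIFEST, RECEIVING_REPORT, WIPE_CERTIFICATES)
    print("clean" if result.is_clean() else result)
```

The useful property is that the check is run by the owner of the data, not by the shipper or the liquidator, and that it keys on serial numbers the vendor cannot easily substitute. A missing serial is an incident to open the same day, not a line item to write off.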

I wonder how many companies have the same computer equipment liquidation process... data security holes, data breaches, and all. Thank God I don't work at Pat's employer.

Thursday, September 27, 2007

More Analysis of TJX's Offer To Its ID-Theft Victims

The Truston Identity Theft blog has an interesting analysis of TJX's actions. The post covers two important points. The first is what I call "yield": the number of ID-theft victims who opt in for a company's free credit monitoring offer:

"They (TJX) offer credit monitoring to just 10% of the total breach number (455,000) and then announce a retail sale at the same time. If they require the victims to opt-in and order the monitoring to get it, then they will likely only have to pay for around 20–30% of the 455,000 they are offering it to. That’s a rule of thumb in the industry for the typical number of people that opt-in for free victim support for credit monitoring. So, 45 million accounts are breached and maybe TJ Maxx ends up paying for services for 90,000–135,000 people."

Wow! What a slick move to minimize responsibility. In my opinion, total sleaze.

Now the second point: synthetic ID-theft. This is when the identity thief mixes one person's SS# with another person's name in an attempt to evade detection. The Truston blog references Ed Dickson's Fraud, Phishing, and Financial Misdeeds blog:

"One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number. I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed different parts of a person's identity are crafted to create a new one."

Ed also provides some good background on the shady world of re-selling personal data:

"In the identity theft world -- which is what the concern about this data breach is all about, when a SSN or SIN (in Canada) is compromised -- the criminal compromising the information has all the information necessary to complete a full identity assumption. In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it."

Lovely, eh?

Wednesday, September 26, 2007

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.

TJX's Offer To Its ID-Theft Victims Deserves Scrutiny

At the Javelin Strategy blog, Mary Monahan analyzes TJX's announcement and settlement offer to its ID-theft victims:

"Late Friday night, after sundown on Yom Kippur to be exact, TJX made the announcement of the settlement agreement for their customer class action suits. In retail delivery, timing is critical and TJX has taken that message to heart. Tired of the constant negative PR, TJX decided to slip this announcement in at a time when it would get the least notice and press play."

I really like this part:

"... TJX has come to a settlement: three years of credit monitoring to those consumers whose personal information such as driver’s licenses and Social Security numbers were stolen in the breach (455,000) and a $30 TJX voucher for those clients who can show that they lost time and money due to its data breach (e.g., those whose credit card numbers were breached, namely, 45.7 million consumers), and $6.5 million to the attorneys."

Three years of free credit monitoring is a solid step in the right direction, and a longer period than most other companies' credit monitoring offers. More importantly, Monahan does an excellent job of shining a spotlight on TJX's marketing:

"A voucher to get millions of customers into its stores to shop. How neat and clean for TJX. And with a voucher, either money is left on the table, or consumers end up spending more money in the store to realize the full value of the certificate. Some lucky consumers will even get two vouchers if they can prove their costs exceed $60."

A voucher is good only if you plan to shop at a TJX brand store. If you are one of the thousands of former TJX customers who vow to never shop at a TJX-brand retail store again, the voucher is worthless. It's like giving somebody the sleeves off a vest. This is not responsible corporate citizenship. If TJX is going to pay its ID-theft victims, then pay them! Cash is always good. And if they can pay the lawyers in cash, they can pay their customers in cash, too.

The Javelin Strategy blog adds:

"Vouchers to clear up lawsuits are frowned upon by consumer rights advocates because they can drive up sales; even while class action attorneys accept them eagerly because they pocket larger fees as a result. Note that attorney fees are not paid in vouchers; if they were, we'd quickly see an end to this settlement practice... this is a merchandising company who knows how to milk a data breach for every sales dollar."

I strongly encourage you to read the complete Javelin Strategy blog post... and boycott TJX brand stores. I already do. Here's the list of retail stores owned by TJX:

  • A.J. Wright
  • Bob's Stores
  • HomeGoods
  • HomeSense (Canada)
  • Marshalls
  • TJ Maxx
  • TK Maxx
  • Winners (Canada)

To learn more, also read the TJX Settlement Agreement online and read this prior TJX post.

Friday, September 21, 2007

Pfizer's Third Data Breach Confirmed

I listed in an earlier post companies facing data-breach-related lawsuits where personal data was lost or stolen. Well, there's more regarding Pfizer.

Earlier this week in his FTP Planet blog, Hugh Garber quoted a CSO news article:

"Pfizer Inc. appears to be having an especially hard time of late keeping its employee data secure. The company today confirmed that as many as 34,000 of its employees may be at risk of identity theft after a former employee illegally accessed and downloaded copies of confidential information from a Pfizer computer system without the company's knowledge. The compromised information included names, Social Security numbers, dates of birth, phone numbers and bank and credit card information."

Geez. You'd think that Pfizer would have learned after their first data breach. Obviously not. Pfizer's employees and former employees should receive free credit monitoring and credit restoration for life.

Also, I agree with Hugh's conclusion:

"I believe that it is the obligation of a company to protect the confidentiality and privacy of customer & employee data at all times. A big part of this responsibility is to ensure that files and data are secured and only authorized people have access to it. On an FTP server, this job falls to the network administrator who can set up specific permissions to allow certain people to access certain folders and data (and thus blocking everyone else from accessing that same data)."

Peter Rost titled one of his blog posts the best: "Quote: The clowns at Pfizer clearly have no way of keeping confidential data safe"

All of this should give the Louisiana lawsuit more ammunition. You can bet I'd never go to work for Pfizer given their poor data security history.

Wednesday, September 19, 2007

TD Ameritrade's Data Breach Highlights Online Brokerage Security

I've written several posts about the missteps companies make after a data breach. Here is an example of one company communicating well with its customers to prevent data breaches.

This morning, I received an e-mail message from E-Trade titled "Tips to Protect your Identity." I was not surprised to receive this message, given E-Trade's prior security e-mails and TD Ameritrade's recent data breach. E-Trade's e-mail:

"Identity theft is a serious issue, no matter how it originates. The vast majority of online fraud is a result of a compromised personal computer - when a consumer knowingly or unknowingly discloses identifying information like their user name and password. By exercising caution and following some basic guidelines, you can reduce your chances of falling victim to online identity theft."

  1. Be suspicious of ANY email that asks for sensitive personal information, even if the sender seems to be familiar.
  2. Never open attachments or click links in spam or unsolicited emails.
  3. Avoid filling out forms contained in an email message or pop-ups, even if they appear to be from a legitimate company with whom you do business.
  4. Run the latest version of a proven anti-virus software program on your computer.
  5. If you have logged on to a Web site, log off when you are finished and close your browser completely.

"At E*TRADE FINANCIAL we protect every asset and transaction you make with our Complete Protection Guarantee, providing complete fraud coverage, payment and privacy protection. In addition, we've introduced the Digital Security ID(1) to help our customers protect their identities by making unauthorized account log on virtually impossible."

"Rest assured, E*TRADE deploys advanced protection solutions to ensure our systems are secure. Our strict physical, electronic and procedural safeguards are designed to exceed industry standards and safeguard customers' non-public information. We encourage you to take an active role in protecting your identity. Visit www.etrade.com/onlinesecurity for more details on these services as well as additional security tips. If you suspect that you have received a fraudulent email from E*TRADE, please contact Customer Support at 1-800-838-0908.

Sincerely,
Tom Roberts
Vice President,
E*TRADE Financial Corporate Services, Inc."

It's always a good business practice to issue prompt, timely communications that, a) remind your customers of good security habits, b) reinforce the company's e-mail and security policies, and c) provide customers with multiple channels of communication. I hope that TD Ameritrade customers receive something similar.

Monday, September 17, 2007

Inside Job at TD Ameritrade's Data Breach?

While many seem to be accepting at face value the spam claim by TD Ameritrade about their data breach, SC Magazine is asking one of the tough questions. In his article, Jim Carr writes:

"Was TD Ameritrade, which revealed on Friday that contact information for 6.3 million customers was stolen from one of its databases, victimized by an attack from an insider?"

Carr quotes Phil Neray, Vice President at Guardium, who asserts:

"This has all the signs of an inside job... I would say it's highly likely that it was done by a privileged administrator within Ameritrade."

My point: the hard questions have to be asked and answered. And this is one of them. I learned this from my experience with IBM's data breach. When companies experience a data breach, they have to be forthcoming with answers to the tough questions to give their customers (and investors) some assurance of data security. In my experience, IBM wasn't, and my confidence in IBM declined as a result.

Avoidance or reluctance to answer the tough questions means there's effectively no accountability... no oversight about the internal investigation. This leaves ID-theft victims wondering if anyone is telling them the truth, or the whole truth.

Is TD Ameritrade Doing Right By Its Customers After Its Security Breach?

In his Between the Lines blog, Larry Dignan discussed TD Ameritrade's data breach and his experience as one of 6 million Ameritrade customers affected. TD Ameritrade has hired ID Analytics, Inc. "to investigate and monitor for potential identity theft." According to Larry's blog, TD Ameritrade stated that:

  • "Assets are safe since user IDs, personal identification numbers and passwords were kept in a separate database;"
  • "Email addresses, names, addresses and phone numbers were taken. This fact explains why TD Ameritrade was investigating a bunch of spam complaints;"
  • "Account numbers, date of birth and Social Security numbers were in the breached database but not taken."

Is TD Ameritrade doing right by its customers?

After a data breach, companies seem quick to declare the "there's no evidence... sensitive data was used" line. Just because Ameritrade claims there was no evidence of sensitive data being taken (e.g., SS#, DOB) doesn't mean it wasn't taken. The lack of evidence doesn't mean a theft didn't occur, couldn't have occurred, or won't occur.

I call this "lawyer speak," and I wonder how often it is used to downplay the severity of a data breach or to limit a company's liability. Lawyer speak can mislead ID-theft victims into believing the data breach isn't as serious as it really is. I encountered this lawyer speak with IBM, especially when IBM repeatedly made the same statement (no evidence of theft) and described the personal data as "lost" and not stolen.

Any time sensitive data is exposed, there is the risk it'll be used criminally. In my mind, the risk period is very long... basically the rest of the ID-theft victim's life.

Also, this lawyer speak seems to be the first step in shifting the burden of the data breach from the company to the ID-theft victims. As long as Ameritrade claims that the breach was only about spam, it's no big deal and probably not worthy of more aggressive actions... like providing Ameritrade customers with free credit monitoring and credit restoration services for the next two years. The burden today is on the ID-theft victims to monitor their accounts and find any evidence (beyond spam) of theft or fraud.

Fortunately, we've discussed on I've Been Mugged many of the issues confronting Larry and Ameritrade customers:

  1. Timely communication of information: Ameritrade should have a web site or site section dedicated to informing affected customers... with regular updates... not just a PDF of a press release on its investor relations site. Don't do what IBM has done: IBM hasn't updated its data breach site since the original announcement.
  2. Status of the data breach investigation: Ameritrade claims that sensitive data (e.g., DOB, SS#) was exposed but not stolen. Huh? Identity thieves know the value of personal data. Ameritrade needs to provide clear evidence supporting this claim as 100% accurate, or abandon it. If Larry doesn't get this evidence, then he has to assume the worst and act accordingly to protect his identity.
  3. TD Ameritrade is required by law in many states to disclose the data breach. ID-theft victims should know their rights; some are state-specific. Good starting resources are the ID Theft Resource Center and the Privacy Rights Clearinghouse. Links to more resources are in the column on the right.
  4. Understand the best features in a credit monitoring service (which TD Ameritrade should offer Larry, since its data breach created the ID-theft risk). Learn from the concerns with IBM's credit monitoring offer. Ameritrade probably won't offer ID-theft victims a credit monitoring service as long as it clings to the "no evidence that sensitive data was taken" claim and treats the data breach as a spam-only issue.
  5. Understand the need to monitor credit reports and the limits of the Fraud Alert tool offered by the credit bureaus.

If I were Larry, I wouldn't be so quick to accept TD Ameritrade's statement at face value. Why? First, identity thieves know the value of personal data. DOBs and SS#'s are far more valuable than e-mail addresses for spam. Second, the fact that hackers placed unauthorized code on Ameritrade's computers shows an intent to steal, to be stealthy about it, and to steal continually. Third, this isn't Ameritrade's first data breach.

I suggest that Larry talk with Ameritrade about the data breach, as I did with IBM. I'd demand details about TD Ameritrade's data breach investigation, as I did with IBM. If Larry doesn't get satisfactory answers, he should move his accounts to another brokerage. I wish that I had that option with IBM. I didn't because IBM was a prior employer, and I didn't have a customer relationship with them.

Friday, September 14, 2007

Data Breaches and Lawsuits

After IBM notified me of their data breach, I started reading about lawsuits against companies whose data breaches exposed the personal data of employees and former employees -- and not just data breaches affecting a company's customers.

NetworkWorld reported that Girad Gibbs, a California law firm, has filed a class-action lawsuit against Fidelity National Information Services (FIS) and a subsidiary, Certegy Check Services, for the data breach which potentially compromised the personal data of 8.5 million Fidelity consumers. The suit charges both companies with "negligence, invasion of privacy and breach of implied contract."

Earlier this year, the Massachusetts Bankers Association filed a class-action lawsuit against TJX Companies, Inc. for its massive data breach, in which the credit card and debit card information of more than 45 million customers was compromised. The banking group seeks tens of millions of dollars to recover costs, since its member banks were forced to cancel and reissue thousands of debit cards. Some experts estimated the cost to be at least $25 per reissued debit card. The Connecticut Bankers Association and the Maine Bankers Association have joined this lawsuit. Thieves first hacked into TJX's computer systems in 2005 and stole data going back as far as 2003.

The American Federation of Government Employees (AFGE) filed a lawsuit against the Transportation Security Administration (TSA) after a TSA data breach exposed the personal data and employment records for 100,000 employees. The AFGE represents workers in the Department of Homeland Security. The "lost" computer hard drive contained names, SS#'s, birth dates, payroll, and bank account information. The lawsuit charged, "that by failing to establish safeguards to ensure the security and confidentiality of personnel records, TSA violated both the ATSA (Aviation and Transportation Security Act) and the Privacy Act of 1974."

In June 2007, a former employee filed suit against Pfizer, the world's largest drug company, claiming that the data breach caused "fear and apprehension of fraud, loss of money and identity theft." The data breach exposed the personal information (e.g., names, SS#'s, addresses, home and wireless phone numbers, and payroll bonus information) of over 17,000 current and former employees. According to the news reports, Pfizer offered its ID-theft victims a $25,000 identity theft policy and one year of free credit monitoring. Others were concerned about Pfizer's delayed data breach notification.

I can definitely understand the feelings of apprehension. What about you?


Tuesday, August 28, 2007

Mistaken for a Car Thief, ID Theft Victim Jailed

The Atlanta Journal-Constitution newspaper reported in an August 8 news story that a "stolen wallet led to a Cobb County man's being jailed for a crime he didn't commit." The news story quoted Chamblee Police Chief Marc Johnson as calling it "the worst example of what can happen with identity theft."

The ID-theft victim was Andrew Garrett, a 26-year-old Kennesaw State University student. The police arrested Garrett at his parents' home and charged him with auto theft. Even though the arrest warrant described Garrett as African-American, the police arrested Garrett, who is Caucasian, anyway. Garrett was taken to the DeKalb County jail and was unable to post bail because the auto-theft warrant was for a felony. According to the newspaper report:

"Unbeknown to Chamblee police, Andrew Garrett's wallet had been stolen earlier in the year. And when a woman reported that her son's friend had stolen her rental car, she gave police the ID information that her son's friend had given her — Garrett's name, license number and address."

The charges were dismissed after a police investigator took Garrett's booking photo to the woman, who told him that Garrett wasn't the car thief.

What to make of this? I see several implications:

  1. This is a good example of how criminals can use stolen identities during a crime for non-financial purposes. Not all identity theft includes breaking into financial accounts to steal money.
  2. Don't blame the police for arresting Garrett. They acted according to a judge's directions.
  3. Garrett was lucky. Even though his situation was very scary, it was resolved fairly quickly. And it happened in the USA. The same situation in another country where distance, language, the availability of witnesses, and local laws are different could have resulted with a longer jail time and an extended nightmare.
  4. This story is an excellent example of how the Credit Freeze, Fraud Alert, and mandatory data breach notification laws cannot protect consumers from certain types of identity theft. Hence, it is imperative for companies and government agencies to prevent data breaches in the first place by using current and effective data security methods to protect the sensitive data of employees, former employees, and customers.
  5. It is important for ID-theft victims to file a police report when their identity is stolen.


Thursday, August 16, 2007

Identity Thieves Operate Quickly

Many of my coworkers know I write this blog. Matt, a coworker in my employer's New York City office, shared his identity theft story with me. When Matt and I first traded e-mails on July 16th, I gave him the link to I've Been Mugged. Portions of Matt's e-mail message highlighted how quickly identity thieves operate:

"I’m neck deep in this BS and the number of places an individual could have obtained the info they have is extremely (dare I say frighteningly) limited. My info isn’t publicly available, but this person somehow got hold of my SS#, too. By the time you’d sent your note, I’d only known about the theft for roughly ten days but had contacted every financial institution and credit granting and reviewing agency under the sun."

"But that wasn’t enough. Despite having had the security alerts placed, the person still managed to open up a bank account in Chicago (complete with checking, debit and credit cards and a massive line of credit), obtain a credit card from Radio Shack and another one from a company I’ve never heard of. Thankfully, they’ve also been denied at another half dozen places so the pseudo helpful protection measures work to a limited extent. It’s been an incredibly time consuming nightmare. Thanks again for the [I've Been Mugged] link!"

When I read a story like this, it confirms for me the need for timely and fast notification by companies (especially prior employers) of data breaches, including when that company has been merged into or bought by another company. A two-month delay in breach notification is far too long (do you hear that, IBM and TJX?).


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.
Blog powered by TypePad
