Kroll's Offering From IBM Deserves Scrutiny
Monday, August 20, 2007
In a prior blog entry, I discussed IBM's data breach which affected an undisclosed number of current and former IBM employees. IBM offered its ID-theft victims one year of free credit monitoring with Kroll. This offer seemed attractive since prices range from "$50 to $200 per year" for a credit monitoring service. I signed up for Kroll's service in June to judge what Kroll provides -- and what IBM arranged.
Other ID theft victims are judging Kroll, too. DCG wrote the following comment about the credit-monitoring service IBM arranged with Kroll:
"I'm an EX IBM'er also. I enrolled in this service.. It's a negotiated down version that's specific to IBM. They normally provide you with copies of your credit report from all 3 agencies. The deal with IBM does not provide this. Once you enroll, they need to "baseline" your credit - that means that they need to establish what lines of credit exist right now. If your ID is stolen already, you're screwed. It'll take 1-3 months from the date of enrolling before "Theftsmart" will start generating reports. There is zero data in my account right now.. Lovely service, eh?"
When I checked my Kroll account, I noticed that mine was empty, too. Compared to another credit-monitoring service I've had since 2004, Kroll's service seems (so far) insufficient, with far less information. For example, my other credit-monitoring service provides the full text of my credit reports from the three national credit bureaus, plus a lot more detailed information about my credit status. My Kroll account doesn't.
If DCG's comments are true, then IBM has taken a huge shortcut -- the cheap route -- by arranging a watered-down version of Kroll's services. I am trying to keep an open mind and will continue comparing my two credit monitoring services. In a future blog entry, I'll share my findings.
For a different opinion, a reader at radioAe6rt posted these comments about Kroll:
"You’re lucky that IBM chose the best IMHO. If you check out [Kroll's] coverage, I believe that you will find that it also is a UNIQUE restoration coverage, in addition to having a monitoring benefit. In a data loss of non public information, IBM or any other company or organization, is liable for your losses plus fines under FACT. If a financial fraud is not contested within 60 days of the bill being mailed, then under FTC Regulation E, you owe that amount, even if it was mailed to a fake address. The average financial identity theft is over $93,000 and under FACTA, the company or organization is liable for that loss if the NPI data loss causes your identity theft. The few bucks they might save on a cheap MONITORING ONLY coverage, is minor compared to losing almost $100,000 per person. (Otherwise Penny wise, pound foolish)"
I will verify this reader's comments in future blog entries. More importantly, I get the impression that IBM's offer of free credit monitoring makes it easy for IBM to shift the liability for its data breach to the data breach victim. The logic: we've given you credit monitoring... if the victim doesn't check their credit, then it's their fault. I find this insulting... let's remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees.
This reader also wrote:
"To large companies they [Kroll] offer a coverage similar to what we offer to individuals. Kroll is the only company which I know of that offers a TRUE “RESTORATION” coverage which does virtually all the work to RESTORE your identity or your spouse or significant other. The next best thing is a “RESOLUTION” coverage which is often advertised to sound like a “restoration” coverage. The next best thing gives you advice, but the victim does all the work for an average of OVER 600 hours of a trial and error that can turn into a nightmare. Almost 1/3 (27%) of those who do-it-themselves FAIL and never get their identity fixed, even after 5, 10, or more years. A restoration coverage has experts do virtually all the work to restore your identity by you just giving them a limited power of attorney to do the WORK FOR YOU, if an ID theft is discovered. The victim will still need to file a police report and maybe appear in court."
And:
"Kroll’s EXPERTS include former FBI and CIA agents, former law officers, forensic accountants, lawyers, etc. They are a 34+ year old publicly traded company with over 4,000 employees worldwide. They have been fighting identity theft for many years before the public became aware of it for the big corporations which are being hit. Then they decided they need to help those on the family side of identity theft. Most of the Identity theft services out there are only “monitoring” service either owned directly by the three main credit repositories (aka credit bureaus), or an affiliate who is reselling the services of these 3 companies. They may be offering the service under another name. I can send you more details about why restoration is the ONLY wise choice, and it can cost less than just a simple monitoring service. Ironically, a monitoring service can cost you DOUBLE what you can get the best KROLL coverage for at a discount, if the monitoring service charges full price to monitor each person in a couple."
Is this reader a Kroll employee or a paid consultant? I wonder.
Anyway, I can tell you this: I do not work for, nor am I affiliated with any computer manufacturing, software development, credit bureau, credit investigations, credit attorney, credit monitoring, or credit-consulting companies. You can rely on the fact that I've Been Mugged is independent. I've Been Mugged operates independently so my blog entries aren't tainted by corporate interests or hired consultants.
Like most other ID theft victims, I'm just an individual consumer trying to navigate a complicated ID-theft landscape which is full of potholes and detours. I am willing to ask the hard questions. I hope that you are, too.
What do you think of Kroll's services? If you are an IBM data breach victim, have you signed up for Kroll? Why or why not?
I signed up for the service when I got my letter from IBM a couple of months ago. After not hearing from them for a few months, I called them a couple weeks ago. A human answered the phone and was very helpful. She determined that the e-mail address I registered was entered incorrectly.
Sure enough, a couple of days later I got an email from someone at 'marshpm.com' with instructions on setting up my account. The instructions called for me to sign into yet another domain, "idinsights.net". None of my research could link each of these domains, but I'm sure someone out there can find out.
Today, I finally signed in to reset my password. I am waiting for my renewal confirmation.
p.s. The e-mail account that I gave them is a hidden account and has been free from spam for many, many years. It may be coincidence that I started getting spam at this address shortly after I called to correct my e-mail.
Posted by: tf | Monday, August 20, 2007 at 06:37 PM
Dear TF:
Sorry to hear about your troubles. I can't answer all of your questions, but I will answer what I can.
I am familiar with the idinsights.net web site address. I get mail from Kroll with it. I agree with you... it is a little confusing. I too expected a web site with kroll.com or something similar.
My guess -- and this is purely a guess -- is that Kroll set up the idinsights.net web site address for their arrangement with IBM. If true, then IBM "lost" a very large number of employee records.
You probably should call Kroll via phone and tell them of your confusion/difficulty... and see if they can help. I have not seen the marshpm.com web site address. If you got mail from there, it might have been a phishing scam. Again, ask Kroll. Maybe a Kroll rep will post a reply here. I'll see what I can do to make that happen, since I am starting to compile a list of questions for Kroll.
While Kroll seems legitimate, it appears that IBM has arranged a watered-down version of Kroll's services for us, which seems so far marginally beneficial. Good luck and let us know what happens.
Posted by: George | Monday, August 20, 2007 at 07:05 PM
I am very happy to find this blog. I am also affected by this tape disappearance but I am somewhat different than others I have read about on this blog. I live outside the US. I used to live in the US as an IBM Assignee. And I am still employed by IBM in my home country. I received a letter in August 2007 offering me Kroll's ID TheftSmart Enhanced Identity Theft Restoration service.
However, I have no way to determine what my US credit history is because I do not have a US address. I do however have a US Social Security Number and I have no way of knowing if anyone is trying to use it.
I called Kroll and they said I had to monitor my own affairs and if I suspect an identity theft, they will help me. But they will not 'monitor' my credit history or get it for me.
I am totally dissatisfied with this approach. If any others watching this blog are 'international' and have a vehicle to check US credit history or do US credit monitoring I would appreciate knowing about it.
In the meantime, since I am still an IBM employee, I intend to ask my personnel department to get me my US Credit history and monitoring. I will monitor my affairs in my home country but it is a 'different' number than a social security number.
I appreciate any and all input.
Adele
Posted by: Adele | Monday, September 03, 2007 at 04:56 PM
I tried to log into idinsights.net. Could not remember my name and password so tried to get it reset but the site would not let me. Horrible service. Typical for IBM though. And now they've compromised my personal identity security and offer this nonsense as a solution?
Posted by: Name Withheld | Saturday, November 10, 2007 at 12:02 AM
I was referred to Kroll Inc.'s ID TheftSmart services through a letter sent to me by a company I deal with. This company sent me a Membership number to enter. (The company had their computers stolen with personal information about their clients in their data base. I guess that is why they sent me the member number.)
However, when I went to the idintegrityalerts.com website, I was asked a lot of personal information including social security number. Naturally, this information would probably be necessary, but, like a previous commenter, I was taken aback by the fact that the name Kroll was not on the site and that the site was rather simply designed. I did not finish my application.
Noting that the envelope I got this information from is a plain envelope and anyone with a computer can type a letter and set up a plain website to obtain private information.
I am waiting for a call from the company who referred me - before I continue.
Perhaps this is a bit 'over-cautious' but, I do not give out my social security number that freely. Any comments?
Posted by: Mary | Monday, March 09, 2009 at 03:22 PM
Mary:
Thanks for writing. When an employer, prior employer, or retailer has had consumers' sensitive personal data lost or stolen, it is very understandable to be a bit over-cautious. I felt the same way as you.
From my research, Kroll is a reputable company. Kroll's strength is credit/identity restoration. When IBM had a data breach, it hired Kroll to provide one year of credit restoration. You will probably want to use another service for credit monitoring, since that does not seem to be Kroll's strength.
I have not looked at the idintegrityalerts.com site you mentioned above, so I cannot comment on that site. All of my comments are based on my experiences and interactions with Kroll through the service arranged by IBM. Yes, Kroll doesn't always place its name on the site -- that seems to be driven by the agreement between the company that had the data breach and Kroll. In my experience, Kroll = IDTheftSmart.
In 2007, I was interviewed by the American Banker publication for an article it published about which types of services were best for breach victims. I argued for credit monitoring while IBM argued for credit restoration. The article with that interview has been available on Kroll's site; and there are posts about it in this blog.
You should feel free to search this site for prior posts about Kroll, IBM, and ID Theftsmart. The search widget is at the top of the column on the right.
About your observation that "the site was rather simply designed," I think that it is important to remember this. When a company has a data breach, part of the usual response is to provide free credit monitoring for one or 2 years to the breach victims -- usually consumers. The company's primary goal is to minimize the damage from the breach and to minimize its post-breach costs; and not necessarily provide consumers with the absolute best, most comprehensive credit monitoring service available.
Most states require notification of consumers after a breach, but few states specify exactly what must be in the "credit monitoring services" provided. So, some companies focus on providing restoration services to breach victims, while other companies focus on providing credit report monitoring to its breach victims.
Sometimes, companies' post-breach response has errors. Some companies don't know exactly what data was stolen/lost. Often the breach victims have moved their residence -- especially if the stolen data included prior employees. So, companies will often hire private investigators to find breach victims that have moved. This happened to me with IBM's breach.
You didn't mention the specific company that had the breach affecting you, so I can't reply about that.
It's your job as a consumer to evaluate the free credit monitoring (or restoration) services offered and determine whether or not that free service benefits you -- serves your needs. You can say "no thanks" and sign up for another credit monitoring service. There are plenty out there and I've reviewed some of them in this blog.
Either way, there are plenty of posts in this blog that may help. You can search the blog using the search widget or the tag cloud; both are in the right column. Good luck and let us know what you decide.
George Jenkins
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, March 09, 2009 at 03:49 PM
Signed up for IDTheftSmart after receiving letter from IBM many years after my employment with IBM. I enrolled immediately and not only received an initial detailed hard copy credit report, which was very helpful, but regular monthly email alert/updates. These were helpful and accurate as well. I called to extend the service after the initial annum gratis, but decided that the monthly fee was a bit much for me.
I actually only utilized IDTheftSmart for monitoring. Any of the restorative actions I took, of which there were several during that year of enrollment, I carried out on my own. That is how I roll. As a free service, I can't complain.
Posted by: Russell | Tuesday, January 19, 2010 at 03:32 PM
It has been a long time since this post, but I would like to ask whether anyone has experienced Identity Theft as a result of this IBM security breach ("data tape fell off the back of a truck").
I discovered in January 2010 that I am a victim of identity theft, and I am still trying to find out how the thieves got my name and social security number.
At first, I suspected it was a bank security breach. I had received an apology letter from my bank saying that an affiliate bank had lost their customers' personal data. My bank had offered me, and I accepted, two years' free subscription to Experian Triple Alert, a credit monitoring service. It was from Triple Alert that I received an email notification of a bill collector placing adverse information on my Experian credit file. However, I was surprised to learn that the fraudulent account had been opened in January 2008, before my bank's reported security breach.
Next I suspected AT&T Inc, because in August 2007 I had received an apology letter saying that a consultant had reported a lost laptop computer with unencrypted data files containing personal information of former employees of AT&T Corp (those who worked for AT&T Corp before it was purchased by SBC in 2005). Of course, AT&T had offered a credit monitoring service to those former employees who had been affected, and I had subscribed to the Equifax credit monitoring service they offered. Both of those credit monitoring services assured me that there was nothing wrong with my credit files for two years, until January 2010.
After I had spent 70 hours cleaning up my credit files and reporting to the FTC, I sent a three-page letter to the AT&T Chairman complaining that unencrypted personnel files should not be given to contractors. Three months later I received a letter from the AT&T V.P. of Privacy, commenting on each of my points but basically denying that my identity theft could be related to the stolen AT&T laptop, since no-one else had complained that their identity theft could be related to that incident. She said they continued to believe that the laptop had been stolen for the hardware, and not for the data it contained.
Recently I remembered that IBM had notified me in May 2007 about the data tape that fell off the back of the truck. I was among those who were offered Kroll ID Theftsmart service. I pondered whether that was a good offer, since it said specifically that the offer only applied to identity theft resulting from the IBM tape loss. How would you know? Do the ID thieves tell you where they got your personal data? How would I prove to Kroll that my problem in January 2010 was due to the IBM tape loss in February 2007? Wouldn't Kroll deny responsibility, just as AT&T denied responsibility?
Incidentally, I would add that the credit monitoring services do not help fix the problem. They only alert you to the issue on your credit file. After that, credit repair is your responsibility. And that is very time consuming.
Posted by: Bur Goode | Friday, July 09, 2010 at 04:16 PM
Bur:
Sorry to hear of your troubles. For some of the reasons you point out, this is why some consumers believe credit monitoring services are a ripoff (e.g., difficult to prove which breach led to the fraud, doesn't stop fraud and it just helps you watch it happen).
So far, IBM has been my only breach experience and it has not led to any fraud. IBM had contracted with Kroll, but that free service was only for 12 months. Besides, I made a very cautious response and placed a Security Freeze on my credit reports. I use strong passwords on my online financial accounts and change them every 90 days.
Kroll and a couple other services focus on the credit resolution portion. That's my advice to any consumer: get a credit monitoring service that has strong credit resolution features. Most people are new to identity theft, so the monitoring features help. The resolution portion is important if you have been a breach victim... which you have.
This blog has reviews of several credit monitoring services. Several reviews include comments from subscribers of that service. Both the review and reading others' experiences can help with picking a service that meets your needs.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Saturday, July 10, 2010 at 11:49 AM
Sometimes, companies' post-breach response has errors. Some companies don't know exactly what data was stolen/lost. Often the breach victims have moved their residence -- especially if the stolen data included prior employees. So, companies will often hire private investigators to find breach victims that have moved.
Posted by: Credit Repair Services | Friday, July 30, 2010 at 08:15 AM
Credit Repair Services:
Yes. That is how IBM found me. Through an investigator. Companies have an option to hire a computer forensic investigator, to determine what was on the lost/stolen data tapes. So, companies have options. They may not want to do the work or spend the money, as they see the downside -- the consequences -- aren't steep. That is the problem.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, July 30, 2010 at 01:01 PM
Remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees. They should respect the employees.
Posted by: Credit Repair Services | Wednesday, August 18, 2010 at 10:02 AM
I recently received a letter saying a tape had been lost. There was no reference to the name of the company who had my info, but stated it had something to do with healthcare. Our health insurance is through a local company, and we do not deal with a Canadian broker. I believe this is a total scam and would never fill out a form giving someone all the info they need FOR identity theft.
Posted by: Betty | Thursday, August 19, 2010 at 11:58 PM
Betty:
Thanks for your comment. In valid breach notification letters I have read, the notification clearly states the company name, the date of the breach, what data items were exposed during the breach, what the company is doing about it, and what you should do next. The breach notification I received from IBM Corporation was a printed letter sent via postal mail and NOT an email message.
If the breach notification (postal mail or email) doesn't mention the company's name, it could be a fraudulent phishing letter to try and trick you into disclosing your sensitive personal information. If you live in the USA, I suggest that you contact the Attorney General office in the state where you live. Many AGs' websites have sections about identity theft and what to do. Your state may also have a Consumer Protection agency, which you should also contact. You could also contact the Postmaster at your local Post Office.
If you live in Canada, I am not sure what options are available to you. You probably should check with your local government first. Good luck and let us know what happens.
If you want to type in portions of the letter you received, feel free to use the comment mechanism below, but mask out any personal information.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, August 20, 2010 at 12:51 PM
Review and reading others' experiences can help with picking a service that meets your needs, and it's good that there are sites like this; at least we have some guides. Very useful information.
Posted by: Credit Repair Services | Monday, August 23, 2010 at 08:25 AM
I just got a letter from one of my credit card companies (Pentagon Federal Credit Union) claiming a breach had occurred and they were offering me 2 free years with Kroll's ID TheftSmart, which includes 3 current credit reports, continuous credit monitoring and enhanced identity theft consultation and restoration. After reading here, it sounds like a good deal and I am going to now go and sign up. Thank you for all the good information here, now I feel confident I am making a wise choice.
Posted by: chris | Saturday, January 15, 2011 at 12:03 PM
What website URL am I supposed to enter to post a message?
Posted by: Deb | Monday, September 12, 2011 at 12:01 PM
Deb:
I cannot advise you on how to contact Kroll. To contact this blog, go to the About page and click on the link to send an email message.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Tuesday, September 13, 2011 at 12:01 PM
Deb:
I can help.. visit my site.. do the research.. http://www.legalshield.com/idt/rgibbs
Posted by: Rae Gibbs | Friday, March 30, 2012 at 11:29 AM
You probably should contact Kroll via cellphone and tell them of your misunderstandings and see if they can help.
Posted by: jeux casinos | Friday, March 30, 2012 at 01:45 PM