What would you do if you received an e-mail from a police department in another country claiming that your personal and financial information had been stolen? This happened last week to my friend, Beth (her name has been changed upon request). Beth lives in Boston received the e-mail message below:
From: Calgary Police Service
Date: Wed, Aug 3, 2011 at 4:31 PM
Subject: Police Inquiry - Identity information recovered
[Beth's personal information removed for security reasons.]
I am a constable with the Calgary Police Service (CPS) in Calgary, Alberta, Canada. The CPS recently executed a search warrant at a Calgary residence and one of the items seized was a sheet of paper bearing the personal information of 144 people; this information included credit cards, expiry dates, full names and addresses. The above information, accompanied by your e-mail address was listed. It is my intention to charge the suspect with unlawfully possessing credit card and identity information. In order to prosecute, I require confirmation that the above information is (or was) correct.
Your personal information appears to have been compromised. Therefore, I am recommending that you notify the bank that issued your credit card to have it cancelled immediately. I would also encourage you to contact your local credit reporting bureau and check to ensure that your personal information has not been used to obtain any other banking services or products.
This is a legitimate law enforcement inquiry and my credentials can be verified via the Calgary Police Service website at www.calgarypolice.ca. If you are unsure of the legitimacy of this e-mail, please present it to your local law enforcement agency, so they might assist in this investigation.
Cst. K Grier #4572
District 3 GIU
Break and Enter Detail
Calgary Police Service
First, I would like to thank Constable Grier and the CPS for catching and prosecuting identity-theft criminals. It is always good to see local law enforcement in action.
I spoke with Constable Grier about her e-mail. Since most of the identity-theft victims in this case were from other countries outside Canada, CPS notified banks and took the added step of notifying theft victims directly, when possible. Constable Grier suspected that the credit card information was either stolen from a website or accounts were hacked. Like all law enforcement, CPS appreciates the assistance the public and breach victims can provide.
This case has several implications. First, it highlights the fact that identity-theft criminals often commit other types of crimes -- in this case, burgulary. While pursuing a burgulary suspect, CPS discovered the credit card thefts. So prosecuting and jailing identity-theft criminals can also stop other crimes.
Second, this case highlights potential gaps in cross-border breach notification laws. While local law enforcement in another country may promptly notify breach victims' banks, my understanding is that there is no guarantee of data breach notice to U.S. citizens across country borders. I did some light reading and the current Red Flag Rules do not apply to breaches at bank branches located outside the USA (PDF document). Perhaps some legal scholars can expand and clarify on international laws regarding cross-border breach notification.
Third, it highlights the need for breach victims to take action. I am sure many readers want to know what to do should you receive an e-mail like the one above. Beth found this situation scary as she had never visited Calgary. She wondered if the above email was real or a scam.
Since there are so many online scams and phishing e-mail messages, I advise consumers to first verify the e-mail via an alternate method. By "alternate method" I mean an independent, different method than the format of the suspect message. Don't disclose any more personal information until you have verified that the message is real. Example: If the suspect message is an e-mail, don't press the "Reply" button. Instead, independently verify it via the phone (or an in-person visit to your local law enforcement). Example: if the suspect message is a phone call, independently verify it via e-mail or the Internet. Or, ask your local police department for help with verification of an inquiry from another police department.
In this case, verification was easy. I performed a Google search to independently find the CPS website, since I didn't want to rely on the contact information in the e-mail. At the CPS website, I found the main phone number for District 3, and called to verify that Grier is a Constable there.
I shared all of this with Beth, who started to feel better. Later she contacted Grier. The thief had stolen credit-card information for an account Beth had already closed a long time ago. While consumers may ignore the situation because credit-card theft liability is small and often limited to US $50, helping law enforcement is important. As this case highlighted, identity theives often commit other types of crimes. So, prosecution for identity theft can stop other types of crimes, too.
The Calgary Police Service Identity-theft page has advice for consumers to both avoid becoming identity-theft victims, and for identity-theft victims. If you are an identity-theft victim, CPS advises:
- File a report with your local police department and obtain a case number.
- Notify all creditors by phone and in writing about the crime.
- Keep a log of all your contacts.
- Use a credit bureau sample dispute letter.
- Look at the crime before & after the event to learn how it happened. This will often help to lead investigators to multiple crimes.
- Prepare to complete an ID Theft Affidavit.
- Learn as much as you can!!