Over 20,000 Wyndham Customers at Risk of Identity Theft

Adding to the many data breaches reported at the end of 2008, Wyndham Hotels & Resorts announce a data breach that may have put 21,000 guests at risk of identity theft. Wyndham reported the data breach to the Florida attorney general's office back in December and said they contacted the customers whose data had been compromised during the unauthorized access.

The data accessed included customer names and credit and debit card information. So far, Wyndham does not think that any of the compromised customer data has resulted in identity theft. However, the Florida attorney general still encourages consumers to alert and report any suspicious charges on their bank or credit card accounts. Those affected by the data breach should place fraud alerts on their credit reports and follow the advice in Wyndham's letter.

Review your credit card and bank statements carefully. You will also want to continue monitoring you credit by requesting a copy of your credit report twice a year. It is possible to minimize the affects of identity theft on your credit by catching and reporting it early.

Data Breach Affecting Kaiser Permanente Employees

While data breaches continued last year, Kaiser Permanente has announced one that took place last year. While no customers were affected, the private information (names, addresses, dates of birth, Social Security numbers) of nearly 30,000 Kaiser employees in northern California has been compromised.

The person illegally possessing the information, Mia Garza, was arrested in late December, and she is now facing two charges of forgery, two counts of receiving stolen property, and two counts of identity theft. At this point, investigators don't know how she obtained the computer files, and the original source of the breach is still unknown.

While only a few are known to be victims of identity theft from this breach, Kaiser Permanente recommends that employees place fraud alerts on their credit lines, and Kaiser is also offering one year of free credit monitoring to the northern California employees affected.

Once again, data breaches continue to haunt us. When large companies like Kaiser are hit, it serves a grim reminder that even companies of this size that can afford the resources to keep security tight are still vulnerable. Feel free to check out Kaiser's comments on the breach.

University of Indianapolis Experiences Data Breach Affecting 11,000

The University of Indianapolis information technology staff along with outside security experts are investigating a data breach that reportedly occurred on September 18. A hacker gained access to the university's computer system and the personal information (including Social Security numbers) of 11,000 students, staff, and faculty. According to the university, the compromised records were at least two years old, and they are unsure whether or not anything was done with the information but that it was compromised.

The university president, who is among those whose information was compromised in the data breach, said that those affected would be notified by mail as well as email. The school is also offering victims one year of free credit monitoring. Investigators are sure the compromise originated from outside the University of Indianapolis and believe it may have originated outside the United States since a foreign language was discovered embedded in programming code.

While the University of Indianapolis is not the first educational institution to experience a data breach this year, this one definitely puts thousands of people at risk of identity theft. This data breach involves information that dates back to when the university used Social Security numbers to keep track of students, faculty, and staff, a practice the school no longer uses. But the damage has already been done. Perhaps many institutions' transition from the use of Social Security numbers should have began much earlier. While we cannot change the past, we can learn from these mistakes and move on. The use of one's Social Security number should be limited.

Identity Theft in a Sluggish Economy

So what is the reason for the spike in identity theft and data breaches in 2008? We can offer any number of reasons. After all, ID theft has been on the rise for years, but it seems like every time we turn around we're hearing about a major data breach or identity theft case (like the TJX case back in August). Part of the reason is the obvious fact that ID theft is getting easier to commit as technology advances, and we need to make sure our security measures are equal to the task of protecting private data. Certain agencies posting private consumer data on the Internet doesn't help either.

But what is motivating people to do this? A press release by MyPrivateCredit has offered at least one possible indirect cause. The sluggish U.S. economy of 2008 may be at least part of the cause of the rise in identity theft and data theft. When economic conditions decline with people either out of work or the paycheck not going as far, many will seek additional sources of income. And not all of these income sources will be legal. Identity theft might seem like an easy answer for those who are capable of pulling it off. After all, ID theft is profitable. Even if someone isn't actually using the data they steal, they can sell it to those who will.

While this press release definitely offers some interesting points, it by no means tells the whole story. Yes, the sluggish economy may inspire some to turn to fraudulent income streams, but that doesn't explain why identity theft has been steadily on the rise even when the economy was not in such a sad state. As identity theft becomes easier, we need to become more cautious about protecting our private data, and companies need to increase their security as well, including the human element.

Read over the link I provided above. After all, it does raise some interesting points, and by all means, protect your identifying data, especially if the temptation some to commit identity theft is looming larger than usual.

Forever 21 Reports Thousands of Cards Compromised in Data Breach

It appears another company has been affected in the TJX security breach that was reported back in August. Nearly 99,000 payment cards used at Forever 21 stores may have been compromised during data thefts beginning back in 2004. The company released a statement saying that they discovered the thefts after being notified by the U.S. Department of Justice on August 5. They did not, however, say why they waited over a month to announce this.

Forever 21 was notified that they were among the companies victimized in the TJX data breach that lead to the arrest of 11 suspects. They received a disk containing the potentially compromised data. Later forensic evidence revealed that more than 98,000 credit and debit card numbers had been illegally accessed.

Forever 21 pointed out that nearly half of the illegally accessed card numbers are either inactive or expired. While this may be true, this doesn't explain why Forever 21 waited so long to disclose this information when other companies involved in the breach announced it back in August.

Bank Data Breach Could Affect More Than 12 Million Customers

Last week, the Bank of New York Mellon reported that a data breach discovered earlier this year may affect more customers than they originally anticipated. The bank reported back in May that back-up storage tapes from Bank of New York Mellon shareowners service had been "lost," exposing millions to potential identity theft, and notifications were sent to the 4.5 million people whose information was believed to be on the back-up tapes. After further investigation, the bank announced that the number of individuals affected may be as high as 12.5 million.

The bank has taken steps to enhance security and has instituted stringent new standards for the transport of personal data, but this is probably no comfort for those whose data has been compromised. The Bank of New York Mellon is offering affected customers two years of free credit monitoring through Experian as well as identity theft insurance and reimbursement for the placement and removal of a credit freeze on credit reports.

Affected customers can find more information at a website that the Bank of New York Mellon has dedicated for the purpose of informing customers of the data breach and what they are doing about it. Those concerned about the breach and possible identity theft should visit the website and contact the bank if you have more questions.

Banking Information of More Than One Million People Sold on eBay

Here's an interesting twist on recent data breach news. Forbes reports that a computer containing the banking security information of more than one million people has been sold on the popular auction site eBay. The Royal Bank of Scotland announced that a computer, which belonged to an archiving company called Graphic Data and contained information from credit card applications of some of the bank's customers as well as data from other banks, was inappropriately sold to a third party. The data on the computer included passwords, account numbers, cell phone numbers, and signatures.

A former employee of Graphic Data apparently sold the computer server on eBay without wiping the hard drive first. The breach became known when the buyer, Andrew Chapman, found the data on the hard drive and contacted authorities. The incident is currently under investigation.

All right, I'm not a regular eBay user or an IT expert, but I know that just deleting files is not enough to make sure your data is completely gone from the computer. The hard drive needs to be formatted and the operating system reinstalled before you sell or give away a computer. Now if a general user like me knows this, the person who sold the computer must have know this (at least, we hope these companies are employing competent people). Whether this was deliberate or not remains to be seen, but I will definitely keep an eye on this.

U.K. Government Loses Personal Data of 4 Million in One Year

While most of my identity theft "news" posts tend to be geared toward U.S. readers, the general information and advice can be used or adapted by anyone in the world concerned about identity theft. However, that doesn't mean that I think only we here in the U.S. are dropping the ball and everyone else is safe, so I'll try to incorporate more international posts to try to give an accurate picture. This particular post is for our friends in the U.K.

This Computerworld article discusses several incidents where the U.K. government "lost" the personal information of millions of citizens. This involved everything from medical insurance claims to personal ID information. Now, not all of these incidents included data being compromised (in some cases it was just carelessly handled), and not all of these breaches will result in identity theft. But the numbers are still disturbing. The frequency and overwhelming numbers involved make it clear that perhaps we (globally) need to start looking into better efforts to securing data. This will involve cooperation from both governments and private citizens.

Now, before we criticize the U.K. government, keep in mind that the U.S. government is just as guilty of exposing citizens to potential identity theft.

Dominion Enterprises Discloses Data Breach

Once again, it looks like the hackers are making news. According to recent a recent report, Dominion Enterprises announced that a computer server of InterActive Financial Marketing Group, a division of Dominion Enterprises, was hacked into and accessed by an unknown party. The breach took place between November 2007 and February 2008, and the result was the potential exposure of personal information (names, addresses, birth dates, Social Security numbers, etc.) of more than 90,000 applicants.

Dominion Enterprises is currently mailing letters to those whose information was illegally accessed. The company is also providing one year of credit monitoring service as well as other resources to help consumers protect themselves against identity theft.

While the company has taken immediate steps to enhance the security of their computer systems, the damage may already be done. Obviously, they have no way of knowing at this point of the breach has resulted in identity theft.

Wells Fargo Reports Data Breach

Wells Fargo & Co. has reported that the personal information of about 5,000 people may have been seen when someone used a bank access code illegally. The bank is notifying the people whose names are on the list and offering them free one-year membership to Identity Guard, an identity theft protection service.

Wells Fargo was alerted to suspicious activity in early July and contacted law enforcement immediately. It appears the illegal activity occurred in May and June. This is not the first time Wells Fargo has this type of breach. The company had two data breach incidents in 2006.

Whether or not this data breach has resulted in identity theft for any of the bank's customers remains to be seen. Wells Fargo has recommended that anyone affected should alert the credit bureaus and go over their accounts carefully to watch for suspicious activity. Those fearing identity theft because of this incident should monitor their credit reports or take advantage of the credit monitoring services offered by the bank.

Government Is a Major Source of Data Breaches

If you don't trust the government to protect your personal and financial information, then you shouldn't be surprised or disappointed with this recent report. According to a Consumer Reports investigation, the government is one of the biggest sources of ID leaks. Consumer Reports analyzed data reported by the nonprofit Privacy Rights Clearinghouse. They found that more than 230 security lapses of federal, state, and local government resulted in the exposure or loss of more than 40 million consumer records (the data covers dates from 2005 to mid-2008).

Unfortunately, it seems that few of these data breaches get publicized because there is no financial incentive to do so. The number of data breaches that result in identity theft is unknown because consumers don't usually know that their information has been compromised or the thief may not use the stolen information right away.

The full report can be read in the September issue of Consumer Reports or can be bought from ConsumerReports.org. While we are all responsible, to a certain extent, for protecting our own personal financial information, we should be able to trust our government not to expose our information, making us possible identity theft victims.

Data Breaches Up 69% From 2007

Consumers should always be vigilant when it comes to keeping private information private, but as we all know, we can't completely prevent identity theft ourselves because we can't control how the companies and people we work with handle our information. Data breaches are primary examples of situations beyond the consumer's control. And according to the Identity Theft Resource Center, it's a growing problem. The ITRC Data Breach Report for 2008 reached 342 (between January 1 and June 27), which is 69% higher than the same period in 2007. The number may actually be higher since some companies don't report breaches and some single breaches affect more than one company.

The list is further broken down into subcategories such as government/military agencies, educational institutions, general businesses, health care companies, and banking/credit/financial services. The Identity Theft Resource Center has made its data breach reports available in pdf format for consumers to read.

Obviously, when companies report these breaches, they don't know whether or not the information has been used for identity theft or not. If a company you do business with announces a data breach, it would be a good to monitor your credit reports for several months just in case your information has been used fraudulently.

Could data breaches be prevented?

According to a report by Verizon Business, almost nine out of ten corporate data breaches could have been prevented if appropriate security measures been taken. The 2008 Data Breach Investigations Report covers a span of four years and over 500 forensic investigations, including three of the largest data breaches ever reported.

Some of the findings include the fact that only 18 percent of data breaches come from insider threats while most came from outside sources. Third parties discovered 75 percent of the data breaches, not the organizations that were victimized, and they can go undetected for a lengthy period. The study goes on to not only give statistics and insights behind these data breaches, but also goes on to offer companies recommendations for prevention of data theft.

While not all of the information turned up in the Verizon Business study will be surprising, prevention is key to companies looking to protect customers and associates from identity theft, and the information revealed in this study can provide guidelines for protection of private data in the future.

Ameritrade Data Breach: Identity Theft Possible

Online brokerage TD Ameritrade Holding Corporation announced Friday that one of its databases containing customer contact information was hacked. The company has since discovered how the information was stolen and changed their computer code.

Ameritrade insists only contact information was stolen and that even though information such as Social Security numbers, account numbers, and dates of birth were in this database, they found no evidence of it being accessed or taken. Ameritrade says there is no evidence that identity theft has resulted from this data breach.

While the fact that only contact information appears to have been taken from this Ameritrade database doesn't seem to be such a big deal. Identity theft is still possible. Ameritrade customers should be aware of scams that could result from this including callers claiming to be a credit card or bank representative or phishing scams they can receive through email.