Over 20,000 Wyndham Customers at Risk of Identity Theft

Adding to the many data breaches reported at the end of 2008, Wyndham Hotels & Resorts announce a data breach that may have put 21,000 guests at risk of identity theft. Wyndham reported the data breach to the Florida attorney general's office back in December and said they contacted the customers whose data had been compromised during the unauthorized access.

The data accessed included customer names and credit and debit card information. So far, Wyndham does not think that any of the compromised customer data has resulted in identity theft. However, the Florida attorney general still encourages consumers to alert and report any suspicious charges on their bank or credit card accounts. Those affected by the data breach should place fraud alerts on their credit reports and follow the advice in Wyndham's letter.

Review your credit card and bank statements carefully. You will also want to continue monitoring you credit by requesting a copy of your credit report twice a year. It is possible to minimize the affects of identity theft on your credit by catching and reporting it early.

New Phishing Scam Uses IRS Form

As I've mentioned in my last post, tax season is an ideal time for identity thieves. After all, there is a wealth of private financial information floating around. Tax documents show up in mailboxes, and refund checks as well. The option of a direct deposit of your tax refund requires submitting bank account information. What's wrong with this? I mean, a lot of trust is required during tax time, right? After all, many of us hire someone else to prepare our income tax forms. True, but make sure the people you are dealing with are, in fact, working for the IRS.

A current phishing scam disguises itself as an e-mail from the IRS requesting information. The e-mail claims to be from the Internal Revenue Service and has two attachments. One claiming that the recipient is a non-resident alien and the other is an actual IRS form the recipient is asked to fill out, most likely to prove that he or she is not an "non-resident alien." The form requests a Social Security number, bank account information, and even a photocopy of a drivers license to be faxed to a provided number. This is an identity theft scam, not an actual e-mail from the IRS.

The IRS does not request private information in an e-mail. Any e-mail claiming to be from the Internal Revenue Service and asking for a reply with private information is an attempt at identity theft. Don't become the next victim. If you receive one of these e-mail messages, forward it to phishing@irs.gov.

Identity Theft During Tax Season

I can think of many reasons why people dread tax season, especially those of us business owners who know it's not a matter of whether or not you owe, but how much. If that's not reason enough, identity theft can also be a problem during tax season. While most problems can be avoided by only working with a trustworthy, reputable accounting firm, trusting your personal financial information with yet another person is not the only identity theft problem you can face during tax season.

Tax season can also be the time of year when people discover that they've been victims of identity theft when the IRS lets them know they can only file once (that someone has reported income and possibly collected a refund in his or her name). This is what happened to one man who had his taxes done at Memphis branch of H&R Block. He received a call from H&R Block one morning saying that the IRS contacted them regarding his return. Apparently, someone filed using his name and Social Security number in New York.

This is not an isolated incident either. The IRS opened a special office last year to handle the identity theft cases involving tax returns. For more information, visit irs.gov or call (800) 908-4490.

Tax season is stressful no matter what, but finding out that you are an identity theft victim can turn it into a nightmare. If you are unfortunate enough to discover that you are among those hit by identity theft, be sure to immediately take the steps to report it. Only then can you stop the abuse of your name and finances and begin recovery.

Data Breach Affecting Kaiser Permanente Employees

While data breaches continued last year, Kaiser Permanente has announced one that took place last year. While no customers were affected, the private information (names, addresses, dates of birth, Social Security numbers) of nearly 30,000 Kaiser employees in northern California has been compromised.

The person illegally possessing the information, Mia Garza, was arrested in late December, and she is now facing two charges of forgery, two counts of receiving stolen property, and two counts of identity theft. At this point, investigators don't know how she obtained the computer files, and the original source of the breach is still unknown.

While only a few are known to be victims of identity theft from this breach, Kaiser Permanente recommends that employees place fraud alerts on their credit lines, and Kaiser is also offering one year of free credit monitoring to the northern California employees affected.

Once again, data breaches continue to haunt us. When large companies like Kaiser are hit, it serves a grim reminder that even companies of this size that can afford the resources to keep security tight are still vulnerable. Feel free to check out Kaiser's comments on the breach.

Most Companies Don't Properly Delete Sensitive Data

In a previous post, I emphasized that simply deleting a file from a hard drive before disposing of it or selling it is not enough. If the file is not securely wiped from the hard drive with digital shredding software, the file may be retrieved if it falls into the hands of someone tech savvy enough. This may not seem like a big deal, but with people doing their banking and making purchases on their computers or storing tax records, it is extremely important that your data is securely removed before the computer or hard drive changes hands. Otherwise, the information you leave on the machine can be used to make you an identity theft victim.

This is even more important for companies that use computers to store credit card numbers, insurance information, or medical records. Companies that upgrade must be sure that old data is securely wiped before the machine is given away or sold. According to ScienceDaily, the number of second-hand hard drives that have been securely wiped has fallen to 33%. This puts the customers with information on those machines at risk of identity theft.

I'm not sure whether to be disappointed or extremely concerned. Granted, companies don't need to upgrade their computer hardware everyday, but the fact that we have second hand computers out there containing credit card or insurance information isn't exactly encouraging. After all, more and more people are acquiring the technical skills that would help them retrieve this information, especially kids growing up in this information age.

Keep your data safe and wipe those hard drives before getting rid of them. It's a small price to pay to prevent identity theft.

State Department Announces 400 at Risk of Identity Theft

The State Department announced that it has notified nearly 400 passport applicants of a security breach that may have put them at risk of identity theft. Most of the applicants at risk are in the Washington, D.C. area, and their passport applications may have been illegally accessed and used to open fraudulent credit card accounts. The applications contained identifying information, including Social Security numbers. More potential identity theft victims may be notified as the investigation continues.

Most of the people contacted have not become identity theft victims at this point, but they have all been offered free credit monitoring for a year. The breach was discovered when a man was arrested with 19 credit cards in different names and eight completed passport applications. While the State Department declines to comment on how he obtained these applications, it was confirmed that one State Department employee has been fired as a result of this breach.

The department has since stepped up its security for passport records management. While specifics about the method of this security breach have not been disclosed, it is no less disturbing. We don't know how many people were involved, but it's definitely possible that many of these people may already be victims of identity theft and not even know it.

Low-tech Methods Still Used for Identity Theft

With all of the news of data breaches and identity theft committed by hackers, many are concerned with electronic security, and they are right to do so. However, while we seek to protect ourselves online and companies seek to protect their employee and customer information, we must not forget that there are identity theft methods that require little or no access to a computer or the Internet.

According to a study from the University of Ithaca's Center for Identity Management and Information Protection (CIMIP) on closed ID theft cases, identity thieves still rely on low-tech old-school methods such as dumpster diving and mail theft. Thieves also gained information on potential victims through public records. The Internet or technological devices were only used in about half of the examined identity theft cases. In fact, the Internet was the sole method used in less than 10 percent of the cases. Granted these numbers are a few years old (2001 to 2004), and the use of technological methods has probably risen. Also, this data relies on the cases of identity theft that were reported and closed, and many cases go unreported either because they are undetected until the thief is long gone or because the victim knew the thief and decided not to report a friend or family member.

While this study obviously cannot tell the whole story, it can serve as a reminder that identity theft can be committed in many ways. While you want to protect your electronic data, you want to protect yourself on other fronts as well. These low-tech methods will continue to be used to commit identity theft because they do not require knowledge or access to hi-tech devices.

Identity Theft at the Gas Pump

Just as Americans start to see relief from skyrocketing gas prices and the prices drop, a new concerning the purchase of gasoline arises: identity theft. During the past few months, Texas cities like Dallas, Fort Worth, and Plano are seeing increasing reports of identity theft at automated gas pumps where the consumer can pay at the pump. It appears to be a new updated version of what is considered common technology for the identity thief.

Card skimmers often used in retail and restaurant settings to collect credit card information and at ATMs are finding their way to gas pumps. While for a long time skimmers can be detected by the vigilant consumer looking for suspicious devices, newer versions of this device have become more efficient. They are smaller and can be attached to card readers without being noticed and not interfering with the transaction. This is disconcerting whether you are paying for gas at the pump, withdrawing cash at your ATM, or paying for groceries at a self-checkout station. As devices become smaller, the easier it will be for scammers to use them for identity theft and other crimes.

So far, the reports seem to indicate this is becoming a problem in Texas with some earlier incidents reported on the West coast. However, don't expect it to remain isolated. With new technology making identity theft more efficient, the consumer needs to be extra careful. If you are at a pump something looks suspicious with its payment device, go inside and report it to the attendant and pay inside. It may be an incovenience, but a few minutes talking to an attendant at a gas station could save you and possibly others thousands of dollars by preventing identity theft.

New Phishing Scams Prey on Consumers' Economic Fears

A recent wave of phishing scams and other identity theft scams seek to take advantage of people's fears regarding the economy. With so many banks having trouble, the Identity Theft Assistance Center (ITAC) and the Federal Trade Commission are warning consumers in a press release about emails claiming to be from an institution that recently acquired the consumer's bank, mortgage, or savings and loan company.

Obviously, many of us are not strangers to the phishing scam since we've seen many of them before. However, these recent ones are taking advantage of many consumers' insecurities regarding the current economic situation. These scammers hope that some worried consumers will fall for their fraud and provide important information, like passwords, account numbers, and Social Security numbers. They will use this information to commit identity theft.

ITAC and the FTC are also anticipating an increase in credit-related scams. Be on the look out for phony refinancing offers, equity loan schemes, and other credit-related scams. Thoroughly investigate the validity of an offer before agreeing to anything and avoid giving your account numbers or Social Security number to anyone who contacts you by email or phone. Being so free with your information can make you the next victim of identity theft.

While many struggle during difficult economic times, scammers seem to thrive by taking advantage of the fears and concerns of others. Do not be fooled by these emails. It's just another phishing scam from another fraudster looking to commit identity theft. By being smart, you can avoid becoming a victim.

NFCC to Lauch Protect Your Identity Week

With everything that is being done to punish identity thieves, identity theft is still a major problem. While companies and governments can take precautions to protect consumers, we all need to be doing our part to protect our own identities. The best way to do so is education regarding how identity thieves work and how we can keep our information out the hands of those who will us it fraudulently. The National Foundation for Credit Counseling (NFCC) is looking to provide the resources and education to increase consumer awareness of identity theft.

The NFCC is launching the Protect Your Identity Week October 19-25, 2008. Member agencies across the U.S. will be offering credit report reviews, shredding events, and identity theft workshops as well as other education focusing on preventions of ID theft. All events will be free and open to the public.

The NFCC has also launched a new Web site to tell you about PYIW events near you and provide information about protection and recovery for identity theft victims. Education is the best way to let people know what they may be doing on a daily basis to make themselves more vulnerable to identity theft. Making it national week will definitely help, but this education and protection should be available. I've added the web site to my list of resources. Hopefully they will expand it with more information that consumers can use all year round.

University of Indianapolis Experiences Data Breach Affecting 11,000

The University of Indianapolis information technology staff along with outside security experts are investigating a data breach that reportedly occurred on September 18. A hacker gained access to the university's computer system and the personal information (including Social Security numbers) of 11,000 students, staff, and faculty. According to the university, the compromised records were at least two years old, and they are unsure whether or not anything was done with the information but that it was compromised.

The university president, who is among those whose information was compromised in the data breach, said that those affected would be notified by mail as well as email. The school is also offering victims one year of free credit monitoring. Investigators are sure the compromise originated from outside the University of Indianapolis and believe it may have originated outside the United States since a foreign language was discovered embedded in programming code.

While the University of Indianapolis is not the first educational institution to experience a data breach this year, this one definitely puts thousands of people at risk of identity theft. This data breach involves information that dates back to when the university used Social Security numbers to keep track of students, faculty, and staff, a practice the school no longer uses. But the damage has already been done. Perhaps many institutions' transition from the use of Social Security numbers should have began much earlier. While we cannot change the past, we can learn from these mistakes and move on. The use of one's Social Security number should be limited.

Update for Identity Theft Enforcement and Restitution Act

As a brief update, according to this article from The Washington Post, President Bush did, in fact, sign the Identity Theft Enforcement and Restitution Act. This will make it easier for prosecutors to go after cyber criminals. It will also allow identity theft victims to not only be compensated for their direct losses from identity theft, but also their indirect losses (like time spent restoring credit or possible job denials as a result of ID theft) once their identity thieves are brought to justice.

Keep in mind the victim is only compensated for the indirect losses caused by identity theft if those responsible are brought to justice. Most identity thieves are never caught, so this will not help many identity theft victims.

Identity Theft in a Sluggish Economy

So what is the reason for the spike in identity theft and data breaches in 2008? We can offer any number of reasons. After all, ID theft has been on the rise for years, but it seems like every time we turn around we're hearing about a major data breach or identity theft case (like the TJX case back in August). Part of the reason is the obvious fact that ID theft is getting easier to commit as technology advances, and we need to make sure our security measures are equal to the task of protecting private data. Certain agencies posting private consumer data on the Internet doesn't help either.

But what is motivating people to do this? A press release by MyPrivateCredit has offered at least one possible indirect cause. The sluggish U.S. economy of 2008 may be at least part of the cause of the rise in identity theft and data theft. When economic conditions decline with people either out of work or the paycheck not going as far, many will seek additional sources of income. And not all of these income sources will be legal. Identity theft might seem like an easy answer for those who are capable of pulling it off. After all, ID theft is profitable. Even if someone isn't actually using the data they steal, they can sell it to those who will.

While this press release definitely offers some interesting points, it by no means tells the whole story. Yes, the sluggish economy may inspire some to turn to fraudulent income streams, but that doesn't explain why identity theft has been steadily on the rise even when the economy was not in such a sad state. As identity theft becomes easier, we need to become more cautious about protecting our private data, and companies need to increase their security as well, including the human element.

Read over the link I provided above. After all, it does raise some interesting points, and by all means, protect your identifying data, especially if the temptation some to commit identity theft is looming larger than usual.

Business Identity Theft

Most of the posts on this blog deal with data breaches that may lead to ID theft and scams leading to personal/individual identity theft. However, this is by no means the limit in regards to identity theft. A business can have its “identity” stolen just like an individual can. In fact, for the identity thief, targeting a company rather than an individual can be much more profitable. After all, a business will have a higher credit limit since a company will need to make more large purchases than one consumer would. Needless to say, identity thieves sophisticated enough to pull it off will be targeting this bigger payoff.

Scammers are more likely to target small businesses that will not have the budget or resources to protect its accounts and sensitive customer information that a larger company will. But since even a small company will have a high enough credit limit to be worth a thief's time, fraudulent charges will be more likely to blend in with other company purchases, especially if the scammer is purchasing software or other products that would not look unusual to an accounting department. A scammer can also steal a business's identity by posing as that company and ripping off customers.

Like individual ID theft, business identity theft can be devastating to a company as well, but for different reasons. Obviously, identity theft will affect the business financially, but it can also do major damage to the company's reputation, especially when the fraud is being committed in the company's name. Recovering from identity theft is a difficult process, whether you are an individual consumer or a company.

Identity Theft and Treatment of Applications

We've all had to fill out an application at some time or another. In fact, with applications required for loans, leases, college, and many jobs, many have probably lost track of how many applications they have completed. Do you know how the company taking your application stores it until it is reviewed? What do they do with them after they review them? How do they store or dispose of them? Think about the information most applications require: full name, Social Security number, date of birth, possibly employment or educational history. If this document falls into the wrong hands, you have provided someone with more than enough information to commit identity theft.

Since identity theft is a growing problem, many applicants are more hesitant to disclose sensitive information. And who can blame them? This New York Times article discusses a few Manhattan firms' handling of the customer applications for the purchase of condos. These companies goes to great lengths to keep the applicants' sensitive information out of the wrong hands and require secure storage before the applications are reviewed and careful destruction of the documents afterward. Are the companies you do business with handling your information in a secure manner? If not, they are making you an easy target for identity theft.

Next time you complete an application, find out before hand what they will do with the information and what will be done with the document afterward. If you have concerns about identity theft, do not hesitate to express them, and don't be afraid to ask questions. It's better to take your business elsewhere if you have doubts than to pay the price as an identity theft victim later.

Identity Theft and Hurricane Relief

While no one will find scammers a particularly endearing bunch, certain types of fraud repulse me more than others. These include those who target children and senior citizens. I'm adding to the list identity thieves who target disaster victims. I mentioned in an earlier post that hurricane season is a time when those who need to evacuate because of a tropical storm or hurricane are at risk of identity theft since their identifying documents could be stolen while they evacuate or when they are at a shelter.

A press release from the Federal Trade Commission warns that in the aftermath of Hurricane Ike, people need to be cautious of different types of fraud that spring up disguised as disaster relief. Among these, as you may have guessed, is identity theft. People recovering from losses caused by a natural disaster like a hurricane will need to provide their personal information in order to receive disaster relief. This gives identity thieves opportunities to acquire information to commit identity theft by claiming to be a government official or a volunteer representing a charity. Make sure you confirm who is asking for your information before giving it.

The press release also warns of other types of fraud to watch for following a major hurricane. One of them, charity fraud, takes advantage of those looking to donate money to help hurricane victims. The Federal Trade Commission offers advice regarding donating to charities without being scammed. The others, home repair scams, target those who are looking to rebuild after seeing their homes lost or damaged after the hurricane. Check identification and references carefully before hiring a contractor and read the FTC's website carefully to avoid being scammed. While these are not identity theft, they are still fraud, and you will need to be on your guard against multiple types of fraud.

Beware of Voter Registration Fraud and Identity Theft

With the presidential election approaching, many will be registering to vote. Identity thieves take advantage of this time to gain personal information from new voters who may not be knowledgeable of the registration process. If you are registering to vote, be aware of these methods thieves may use to make you an identity theft victim.

Email
The phishing scam has proved to be an effective identity theft tool in other situations, so why would identity thieves pass up a chance to scam a new voter? These emails may ask you to click on a link to register to vote or to resolve an issue with your voter registration.

In Person
Registration drives will have volunteers go door to door or set up tables in public areas to recruit new voters. Obviously this offers opportunities for any identity thief to set up a table with forms to collect some useful private information. Make sure the volunteer can provide proof as to which organization he or she is with. Also, look over the form carefully. Some states may require your Social Security number on the form, but none will ask for a credit card number. Avoid being an identity theft victim by refusing to complete suspicious looking forms.

By Telephone
Pretexting does not need to be done via email as a phishing scam. As we all know, many scammers will contact potential identity theft victims by phone. Be suspicious of anyone calling to claim there is a problem with your voter registration and asking you to confirm some identifying informtation. Voter registration problems are not resolved in this manner.

It's sad that we can't trust people these days. While most people we encounter are who they say they are, we need to excercise a little extra caution to protect ourselves from identity theft. Be extra cautious when you register to vote that you are not giving private information to someone who will use it fraudulently. Check out the Federal Trade Commission and other resources for further information on protecting yourself from identity theft.

Time Warner Customers Targets of Recent Phishing Scam

Millions of people in the United States depend on Time Warner for cable television, Internet, or both. While Time Warner customers may not be surprised by the occasional email from their cable company and Internet service provider, an email claiming to be from Time Warner is targeting the company's customers is asking people to provide their personal information or risk losing their cable service.

Now, most people by now will recognize this as a phishing scam, but it might hit home for some customers, especially those who may depend on Time Warner's Internet services for business purposes. I know I'd be set back a great deal if I lost my Internet access for an extended period of time. But remember that Time Warner, like most legitimate companies, will not ask for this type of information in an email. This is an identity theft tool used to gain private information that you would otherwise be reluctant to share. If you suspect their is a problem with your cable account, call the company directly with the phone number provided on your monthly bill. Do not fall for this phishing scam. It could cost you a lot of time and money fixing the problem later.

However, even if you don't fill in the information, it is recommended in the article reporting this story not to click on the link. Even that could give an attacker access to your computer that would help him/her commit identity theft. The site might download a cookie onto your computer, which will help the attacker keep track of your surfing habits including online purchases. The best thing you can do with this or any other phishing scam email is delete it.

House Passes Identity Theft and Restitution Act! But Will the President Sign It?

The Senate and House of Representatives have passed the Identity Theft and Restitution Act. This bill offers more flexibility to identity theft victims, such as allowing them to seek restitution for indirect losses like time and money spent rebuilding credit. Currently, the identity theft victim is only compensated for direct losses (charges on a credit card or money taken from a bank account).

The other provisions are more computer related and refer specifically to cyber crimes, particularly those that result in identity theft. For example, it enables prosecution of those who steal personal information from a computer when the victim's computer is in the same state as the identity thief's computer (now there can only be prosecution when the thief uses interstate communication). There are other provisions involving the use of keyloggers and damage to a victim's computer.

The Senate and House have already passed it, and it awaits President Bush's signature. While this bill has some good provisions to help identity theft victims recover and law enforcement punish thieves, this will not necessarily slow down the rate of ID theft much. After all, many identity theft crimes are not reported, and most identity thieves are never caught. Punishment will not deter a crime if the thief knows he is not likely to get caught.

Identity Theft and the Deceased

As with many other crimes, with identity theft nothing is sacred. You do not have to be alive to have your identity stolen. Just like burglars who search the obituaries so they can rob homes of grieving families during funerals, there are identity thieves who use information on death certificates to steal the identity of the deceased. Sound impossible? It takes a while for businesses to remove someone who has died from their lists (my mother was receiving sales calls for my father several months after he passed away), so if someone steals and completes a preapproved credit card form or applies for credit online in the name of the deceased, the company may not have it in their records that the person has died and will not find it suspicious.

How can this be stopped when death certificates are public record? Anyone can request one, and now some counties make them available to be viewed online. However, identity theft has become such a big problem in Arizona that one county has decided to remove them from their website.

While this may slowdown the problem, it will not stop it. But this is by no means new. People have been crime victims beyond the grave for centuries, and what can be easier than taking advantage of someone who has died? They aren't going to be checking credit reports or reviewing credit card statements. That makes identity theft so much easier. The surviving family members may eventually discover the problem when they start receiving bills and notices from debt collection agencies.