Neiman Marcus Data Breach Worse Than Originally Thought
The theft of consumer data from Neiman Marcus appears far deeper than had been disclosed originally, with the luxury retailer now saying that hackers invaded its systems for several months in a breach that involved 1.1 million credit and debit cards.
The malware installed on terminals in Neiman Marcus stores seems to be the same malware that infiltrated Target’s systems and exposed information from as many as 110 million customers, according to a person briefed on the investigations who spoke on the condition of anonymity and is not authorized to speak publicly about the attacks.
Investigators have not revealed whether the same cybercriminals are suspected in both breaches, although investigators and security specialists have described a loose band of hackers from Eastern Europe as the likeliest suspects in the Target theft. Security specialists working with the authorities have said that the hackers were considering several major retailers as potential targets.
In a statement posted on its website Wednesday night, Neiman Marcus said that the malware had been “clandestinely” put into its system and had stolen payment data off cards used from July 16 to Oct. 30. MasterCard, Visa and Discover have told the company that about 2,400 cards used at Neiman Marcus and its Last Call outlet stores have since been used fraudulently.
Target data breach affects at least 70 million customers
The data breach at Target Corp over the holiday shopping season was far bigger than initially thought, the company said today, as state prosecutors announced a nationwide probe into the second-biggest retail cyber attack on record.
Target said an investigation has found that the hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Previously, the No.3 U.S. retailer said the hackers stole data from 40 million credit and debit cards.
The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She also noted that some of the victims did not shop at Target stores during the period of the breach between November 27 and December 15, and their personal information was stolen from a database.
10 things you should know about identity theft
Identity theft is often in the news, but there are a lot of misconceptions swirling around about how to best protect yourself.
While some identity thieves focus on getting your credit cards and maxing them out before you even realize they're missing, an increasing number are using one piece of information about you -- often a credit card number -- in order to steal your entire identity.
Though many folks worry about keeping their credit card information secure when shopping online, the top methods that identity thieves use to steal personal data are still low-tech, according to Justin Yurek, president of ID Watchdog, an identity theft-monitoring firm. "Watch your personal documents, be careful to whom you give out your data over the phone, and be careful of mail theft," he says.
Medical Identity Theft: What it is and How to Protect Yourself
While it's the fastest-growing type of identity theft, a new Nationwide Insurance survey reveals few people know what medical identity theft is or how devastating it can be to your credit and your health.
The national telephone survey commissioned by Nationwide Insurance was conducted by Harris Interactive in February among 2,001 adults with health insurance. It found only 1 in 6 (15%) of insured adults say they are familiar with medical identity theft. Of that 15% only one in three (38 percent) could correctly define "medical identity."
"A stolen medical identity has a $50 street value -- whereas a stolen social security number, on the other hand, only sells for $1*," said Kirk Herath, Nationwide Chief Privacy Officer. "However, while most people are very careful with their social security number to protect their credit and personal information, they tend to be less careful when it comes to their medical information."
What is "Medical Identify Theft?"
Medical ID theft occurs when one person steals another's medical information to obtain or pay for health care treatment. It's a crime that can have a serious impact on your personal, financial and medical well being.
According to the World Privacy Foundation, medical identity theft has affected 1.5 million Americans at a cost of more than $30 billion.
If someone steals your medical information they illegally can use your health care insurance to obtain medical care, buy prescription drugs or submit false insurance claims in your name, all of which can lead to devastating financial results or potentially hazardous changes to your medical records.
The three most common ways your medical identity could be compromised are:
-- Financial medical identity theft -- Someone is getting medical help using your name and/or other information.
-- Criminal medical identity theft -- You are being held responsible for the actions of another's criminal behavior.
-- Government benefit fraud -- Your medical benefits are being used by another person.
Devastating Consequences, Difficult Recovery
According to a Nationwide Insurance survey, more than half (56%) of insured adults said it's likely that their credit card or credit card number would be stolen, while only one-third (32%) say they expect their medical identification to be stolen.
About one in five (22%) believe the most likely consequence would be that their health insurance could be cancelled, when in reality hazardous changes could be made to their medical records compromising their health.
"These are warning signs that should not be ignored," Herath said. "The cost and time associated with cleaning up a medical account is sizeable."
The personal expense of resolving a medical identity theft is about $20,000, according to actual victims. The same victims also said they had spent four to six months resolving the theft**.
More than half of the study participants underestimated how long it would take to restore their medical identity. Nineteen percent or about 1 in 5 said it would take less than two weeks. And more than half underestimated or didn't know how much it would cost.
When it comes to taking proactive measures to review their medical records for errors, 75 percent or 3 of 4 study participants "trust" that their medical records are correct.
"Blind faith in a medical record is risky behavior," Herath said. "Nationwide Insurance recommends being as knowledgeable about your medical records as you are about your financial reports."
Tips to protect your Medical Identity
Here are a few things you can do to safeguard your medical identity:
-- Closely monitor any "Explanation of Benefits" sent by health insurers
-- Pro-actively request a listing of benefits from your health insurers
-- Request a copy of current medical files from each health care provider
-- If you are victim, file a police report
-- Correct erroneous and false information in your file
-- Keep an eye on your credit report
-- Request an accounting of disclosures
Merchant personal data may have been stolen from Global Payments
Hackers might have stolen the personal information of individuals who applied for a merchant account with card payment processor Global Payments.
"We have recently learned of potential unauthorized access to servers containing personal information from a subset of merchant applicants," Paul Garcia, Global Payments' chairman and CEO, said during a conference call with shareholders on Tuesday.
Affected individuals will be offered free credit monitoring services and identity protection insurance of $1 million. The three U.S. major credit reporting agencies have also been advised about the incident, Garcia said.
Garcia declined to share an exact number of individuals potentially affected by the unauthorized access to servers that contained merchant data, citing an ongoing process of analyzing that information.
IRS Tax Return Identity Theft Hotline
If you think someone used your identity to file a fraudulent tax return and snatch your refund, call the new Tax Return Identity Theft Hotline.
Launched today by the IRS criminal investigations division and the U.S. Attorney's Office, the number is 412-395-4973.
Last summer, scam artists set up shop in Erie and began offering people help tapping into a fictitious federal stimulus program, then stole their identities, IRS criminal investigations spokesman Andrew Hromoko said. If anything similar happens this year, calls to the hotline could help the agency to identify the scheme quickly.
Callers who leave a message will receive a return call from a special agent within 24 to 48 hours.
A taxpayer who believes they are at risk of identity theft due to lost or stolen personal information should also contact the IRS Identity Protection Specialized Unit at 800-908-4490 so the agency can secure their tax account.
Hackers more aggressive in attacking bank accounts
A survey of large financial institutions shows they faced more attacks by hackers to take over customer banking accounts last year than in the two previous years, and about a third of these attacks succeeded.
The total number of attacks to try and break in and transfer money out of hacked customer accounts was up to 314 over the course of 2011, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), which released findings of its survey of 95 financial institutions and five service providers. That's an increase from 87 attacks against bank accounts in 2009 and 239 in 2010.
FS-ISAC is the group that coordinates on security issues with the Department of Homeland Security. The survey was conducted by the American Bankers Association.
The actual dollar losses taken by the financial institutions last year was $777,064, down from a high of $3.12 million in 2010. Dollar loss for customers was $489,672 in 2011, as compared with $1.16 million in 2010.
Utah CTO takes fall for data breach
The executive director of Utah's Department of Technology Services has resigned over a data breach two months ago that exposed the Social Security numbers and other personal data of about 280,000 Medicaid recipients.
Utah Governor Gary Herbert announced the resignation of Stephen Fletcher on Tuesday.
In a statement, Herbert also described various initiatives underway that aim to mitigate the risk of similar breaches in the future.
The State's plan includes an independent audit of all IT security systems, the appointment of a new health data security ombudsman and a continuing investigation of the breach by law enforcement personnel.
Banks are complacent about check fraud
Many banks are complacent about check fraud, perhaps because it's been around for so long. And yet, according to the 2012 Faces of Fraud survey, it remains the second-most common form of fraud institutions face.
Another reason for the complacency? Check fraud seems minor, relative to escalating fraud threats posed by emerging e-commerce channels. "Banks perceive the risk to be much higher in the electronic-payment channels," Tubin says. "With check fraud, they've been dealing with it forever, and they're used to it."
But the lines between old-school schemes such as check fraud, and emerging e-commerce scams are blurring. The advent of check images has married the check to the online channel. And financial institutions that continue to rely on manual processes to detect check fraud find themselves challenged by new cross-channel schemes.
BitCoin hacked, More than 18,000 Bitcoins Stolen
Bitcoinica, a Bitcoin exchange started by a 17-year old teenager Zhou Tong, has been shut down for security investigations. It’s believed that at least 18,000 BTC ($90,000 or 68,000 EUR) have been stolen.
News of the hack was posted this morning by Bitcoinica's founder, Zhou Tong:"Today, we have discovered a suspicious Bitcoin transaction that doesn't seem to be initiated by any one of the company owners. Some of them are not online at the moment so this is not conclusive.
700,000 CA social services records lost
The California office of In-Home Supportive Services, which provides health support to elderly and disabled people, reported on Friday that the personal records of some 700,000 caregivers and care recipients were either lost or stolen.
But this data loss was not due to a server breach, or some complex phishing attack—instead, the Social Services office said that Hewlett Packard, which manages the data controlled by the office, notified the IHSS of the breach after a physical package containing microfiche with thousands of entries of payroll data went missing from a damaged package shipped by U.S. Postal Service to the State Compensation Insurance Fund in Riverside, CA.
As the package arrived damaged and incomplete, it’s unclear whether the information was lost or stolen, but the state has launched an internal investigation and notified law enforcement in the hopes of resolving the issue, according to the Los Angeles Times. "The possibly compromised information, dating from October to December 2011, for 375,000 workers included names, Social Security numbers and wages. For 326,000 recipients, state identification numbers may be at risk,” the LA Times reports. The In-Home Supportive Services office is also sending out hundreds of thousands of letters to potentially affected parties.
Your Dead Relative Could be a Victim of Identity Theft
Your lost loved one's financial identity could come back to life in a most unsettling way -- 2.5 million deceased Americans' identities are misused every year, according to ID Analytics, an ID theft risk assessment company. The company's research arm compared the names, Social Security numbers and birthdays listed on applications for credit against the Social Security Administration's master file of deaths to come up with those numbers.
ID Analytics says crooks intentionally steal the identities of about 800,000 deceased Americans each year. The company says identity thieves also make up Social Security numbers, and inadvertently make matches with about 1.6 million people a year who have died.
In addition, ID Analytics detected a disturbing pattern of theft of financial information belonging to people who were dying. It's easy to see how that could happen, since people who are gravely ill can easily lose track of the details of their finances. When you break it down, ID Analytics says con artists use dead people's identities more than 2,000 times a day.
UNC-Charlotte Data Breaches Expose 350,000 SSNs
Confidential data, including bank account and Social Security numbers for some 350,000 University of North Carolina-Charlotte students, staff and faculty, were accidentally exposed -- some for almost 15 years -- due to a system misconfiguration and incorrect access settings that made electronic data publicly available.
The school on Wednesday released a statement on an investigation it launched in February after staff discovered the data breach. The investigation revealed two separate incidents exposed data such as names, addresses, Social Security numbers and financial account information provided during university transactions.
One incident involved misconfigurations and incorrect access settings made during a general university system upgrade that left data stored on the university's H: drive exposed on the Internet from Nov. 9, 2011 to Jan. 31, 2012.
Over 300,000 Complaints of Online Criminal Activity Reported in 2011
FBI's IC3 2011 Internet Crime Report Released
The Internet Crime Complaint Center (IC3) today released the 2011 Internet Crime Report—an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime.
In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams—schemes in which a criminal poses as the FBI to defraud victims—identity theft, and advance-fee fraud. The report also lists states with the top complaints, and provides loss and complaint statistics organized by state. It describes complaints by type, demographics, and state.
“This report is a testament to the work we do every day at IC3, which is ensuring our system is used to alert authorities of suspected criminal and civil violations,” said National White Collar Crime (NW3C) Center Director Don Brackman. “Each year we work to provide information that can link individuals and groups to these crimes for better outcomes and prosecution of cases.”
Acting Assistant Director of the FBI’s Cyber Division Michael Welch said, “Internet crime is a growing problem that affects computer users around the world and causes significant financial losses. The IC3 is an efficient mechanism for the public to report suspicious e-mail activity, fraudulent websites, and Internet crimes. These reports help law enforcement make connections between cases and identify criminals.”
IC3 is a partnership between the Federal Bureau of Investigation, the NW3C, and the Bureau of Justice Assistance. Since its start in 2000, IC3 has become a mainstay for victims reporting Internet crime and a way for law enforcement to be alerted of such crimes. IC3’s service to the law enforcement community includes federal, state, tribal, local, and international agencies that are combating Internet crime.
Three Reasons Skimmers Are Winning
Banks and credit unions say that losses linked to card-skimming and other sources of debit card fraud are increasingly concerning.
Arrests and financial losses linked to skimming continue to add up. Why do many institutions struggle to thwart attacks waged against ATMs and the vestibules that house them?
Mike Urban, a financial fraud expert with Fiserv, a core processor that provides security services to financial institutions, says anti-skimming technologies just can't keep up.
Beyond outdated card technology, a number of factors have contributed to ATM skimming's success. Cardholder behavior, outdated or ineffective anti-skimming technology and too many endpoints are the top three, experts say.
Three Keys to Mobile Security
Mobile banking is being adopted by consumers at an increasing rate, but it's just one piece of the overall mobile financial services puzzle. As the mobility trend grows, banking institutions are still figuring out how far ahead they should look, and what strategies make the most sense.
But Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable, says most institutions are doing much more than some observers give them credit for doing. Banking/security leaders are very concerned about mobile, and they're doing what they can to anticipate risks.
During this interview, Smocer discusses:
Three key areas that make up mobile financial services: 1) banking, payments and mobilized traditional services, such as remote deposit capture; 2) Why mobile payments poses the greatest security risks; 3) Steps BITS is taking to address mobile concerns, especially as they relate to FFIEC conformance.
Five tips for small biz to protect against security threats
The threat landscape on the Web is becoming more perilous. Security software maker Symantec, in its annual "Internet Security Threat Report" released April 30 found that even as the number of vulnerabilities in 2011 fell by 20 percent over the previous year, the number of malicious attacks grew 81 percent.
The trend is similar to what Hewlett-Packard saw. In its "Top Cyber-Security Risks Report," announced April 19, HP officials also found that the number of vulnerabilities last year fell by 20 percent, but that the risks involved in those vulnerabilities grew. HP also found that the number of cyber-attacks more than doubled in the second half of 2011. And small and midsized businesses (SMBs) are in the thick of it. More than half of the targeted attacks seen in 2011 were aimed at organizations with fewer than 2,500 employees, and almost 18 percent targeted companies with fewer than 250 employees. The Internet has been a boon for SMBs, making it easier than ever before to do business. But it also raises the threats to smaller companies and their IT departments.
The biggest risk is seeing their intellectual property, customers’ information or financial transaction data fall into the wrong hands. SMBs need to protect themselves, and Symantec has some ideas how.
Insiders played a role in healthcare data breaches
April has been a brutal month for healthcare, with three major breaches disclosed accounting for nearly 1.1 million records lost. The thread woven throughout each has been the role of insiders -- both malicious and inept -- in triggering the incidents.
In one case at the Utah Department of Health, approximately 780,000 Medicaid records were exposed due to the misconfiguration of a server containing these files. Human error also accounted for the loss of 315,000 patient records at Emory Healthcare, when 10 backup disks went missing from a storage facility at Emory University Hospital. Meanwhile at South Carolina's Department of Health and Human Services, an employee sent 228,000 Medicaid patient records to himself via email. The investigation is still ongoing, but already the employee, Christopher Lykes, was fired and arrested by the South Carolina State Law Enforcement Division for his malfeasance.
According to experts, these three incidents are representative of the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training. According to Rick Dakin, CEO of the IT security consulting firm Coalfire Systems, more than half of the insider incidents his company investigates involve an insider in some way, shape, or form.
Websites Selling Stolen Cards Shutdown
International law enforcement agencies last week touted the takedown of 36 websites that were used to sell stolen debit and credit data for more than 2.5 million accounts. But how much of an impact will the takedown ultimately have on card fraud?
It's easy for cyberthieves to just take their card numbers to new domains, Klein says. "It's so way down on the fraud chain, it won't have a big impact," he says. "What we need is more effort to arrest bot developers, and then we are really hitting them where it hurts."
A U.S. law enforcement source connected to the bust says that while investigators are combing through the details for connections to other ongoing cybercrime investigations, this source does not see this takedown as extremely significant. Even the amount of recovered card data is low, relative to the number of cards compromised in a typical database breach.
Apple mistake exposes passwords for Lion
Apple's latest update to OS X contains a dangerous programming error that reveals the passwords for material stored in the first version of FileVault, the company's encryption technology, a software consultant said.
David I. Emery wrote on Cryptome that a debugging switch inadvertently left on in the current release of Lion, version 10.7.3, records in clear text the password needed to open the folder encrypted by the older version of FileVault.
Users who are vulnerable are those who upgraded to Lion but are using the older version of FileVault. The debug switch will record the Lion passwords for anyone who has logged in since the upgrade to version 10.7.3, released in early February.
Tax refund fraud increasing identity theft
A wave of refund tax fraud is fueling demand for stolen IDs. A year ago I wrote about how one set of Florida-based scamsters had tricked the Internal Revenue Service out of $12.1 million worth of refunds using the stolen names and Social Security numbers of 5,108 dead people–likely taken from the Social Security Death Index. But that, as they say, is yesterday’s news. The IRS told Congress during recent hearings that it has set up a new computer screen to flag fraud relating to the tax returns of recently deceased taxpayers and Internet genealogy sites like Rootsweb.com have limited free access to the death index. So it appears there’s some progress, at least, on that front.
Meanwhile, the fraudsters are collecting lists of living identity theft victims, either by planting employees in jobs with access to personal data or corrupting employees who already have such jobs. Former federal prosecutor Latour “L.T.” Lafferty, head of the white collar and corporate compliance practice at Florida’s Fowler White Boggs, reports that he has been hired in the past year by two local employers to investigate employee theft of information. In one case, he found, an employee had used her smart phone to take pictures of records. (The iPhone takes such good pictures that you can actually take a picture of your W-2 with it, and have the information entered into Intuit’s TurboTax app.) “The old identity theft,’’ Laferty observes, “was `may we send you a fake email and find out if you’re dumb enough to give me a Social Security number’ or going through your trash.’’ The new trend, he says, is for employees to steal names and numbers in bulk and then use TurboTax or other software to file large numbers of refund claims. (If they get in a bogus 1040 before the real, live taxpayer, or smartly pick the identity of an American who doesn’t have to file, they may be able to get thousands of dollars back.)
Man emails identities of 228,435 people to himself
A South Carolina man was arrested yesterday on charges stemming from a data breach that may have leaked personal information on more than 200,000 Medicaid beneficiaries in the state, including their names, phone numbers, addresses, birth dates and Medicare ID numbers according to a report in the newspaper The State.
Christopher Lykes Jr., 36, of Swansea, South Carolina was charged with five counts of violating the confidentiality of the state's Medically Indigent Assistance Act and another count of disclosing confidential information, according to paperwork from South Carolina Law Enforcement uncovered by the newspaper.
Lykes, a former employee of the South Carolina Department of Health and Human Services (SCDHHS), transferred the personal information of 228,435 South Carolinians to his personal Yahoo! e-mail account from January 31 to April 2.
Identity thieves filing phony tax returns
The Indiana Attorney General’s Office announced today it has received more tax-related identity theft complaints this year than in all of 2011.
Indiana Attorney General Greg Zoeller said 20 Indiana taxpayers have filed complaints so far, because they believe their personal information or their children’s information was used to file fake tax returns and claim refunds. In some cases, Social Security numbers were stolen to obtain employment and as a result the victims are seen as not having reported all their income on their returns.
“Identity theft knows no season, but as Hoosiers file their taxes it provides a unique opportunity for thieves to use names and Social Security numbers to claim significant refunds,” Zoeller said. “These complaints underscore the need for all consumers to be proactive in guarding their personal information whether online, at home or on their person.”
In 2011, the office received 19 tax-related identity theft complaints with only two of those submitted during the three-month period leading up to April. Zoeller said the spike in numbers could be because the Internal Revenue Service (IRS) is doing a better job of finding suspicious activity earlier and reporting it to taxpayers.
Visa Drops Global Payments Following Data Breach
Visa has dropped Global Payments from its list of companies that are deemed compliant with security policies following a data breach that may have compromised as many as 1.5 million Visa and MasterCard accounts.
Visa’s decision to drop Global Payments from its registry of service providers that meet the credit card company’s data security standards came April 1, two days after the breach became public. During a conference call April 2 to discuss the situation, Global Payments CEO Paul Garcia talked about Visa’s move, and reportedly said he expects his company to be returned to the list after it comes back into compliance with the Visa policies. However, Garcia didn’t say when that may be.
Officials with Visa and MasterCard announced last week that data from credit card accounts was stolen following a data breach at a third-party processor, and stressed that their own servers had not been compromised. The credit card companies initially did not say which transaction processing company was attacked, but it soon leaked out that it was Global Payments.
Mail carrier convicted in massive identity fraud case
A jury in federal district court returned a guilty verdict late yesterday against OPEOLUWA ADIGUN, age unknown, and CHUKWUKA ONYEKABA a/k/a Gabriel Onyekaba, 34, both of Marietta, Georgia on charges of stealing the identities of more than 85 individuals in the Atlanta area and opening credit cards, loans, and bank accounts in their names. ADIGUN was also convicted of immigration, social security, and passport fraud.
United States Attorney Sally Quillian Yates said of the case, “Identity theft is a growing problem that destroys the lives of innocent citizens, resulting in years of victimization as they try to clear their good names and credit of the damage done by the criminals. These defendants ran a sophisticated identity theft scheme that included opening multiple accounts in victims’ names, moving the criminal proceeds among different banks in victim names, using fake identifications, and buying ordinary gift cards with stolen credit cards to conceal the source of the proceeds. The jury’s verdict brings some measure of justice to the many victims of these two defendants’ crimes.”
According to Paul Bowman, Area Special Agent in Charge of the United States Postal Service, Office of Inspector General, “Opeoluwa Adigun reflects just a very small percentage of employees who failed to uphold the trust and integrity placed in them. The U.S. Postal Service, Office of Inspector General takes these cases very serious and investigates them to the fullest extent of the law.”
“The U.S. Postal Inspection Service is pleased with the jury’s verdict. Identity theft continues to plague the American public. As long as thieves target the U.S. Mail, Postal Inspectors will continue to target those responsible,” said Keith Morris, Postal Inspector in Charge of the Atlanta Division.
“The Paulding County Sheriff's Office, the investigating officer and I are all very happy with the verdict rendered by this jury,” said Paulding County Sheriff Gary Gulledge. “It is always rewarding to see our justice system work as intended - to hold the guilty accountable and protect the innocent public from further harm. It is also satisfying to see resolution brought to the 85+ victims of the crimes committed by Opeoluwa Adigun and Chukwuka Onyekaba. This case is the perfect example of good police work, inter-agency cooperation, careful prosecuting and an intelligent jury. I commend all involved for the great work and great result.”
“This type of crime is even more egregious when it is conducted by a government employee using his or her position of trust for fraudulent purposes and financial gains,” said Brock D. Nicholson, Special Agent in Charge of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Atlanta, “HSI will continue to vigilantly investigate any individual who engages in activities that jeopardize public safety and national security.” Nicholson oversees all HSI activities in Georgia and the Carolinas.
According to United States Attorney Yates, the charges and other information presented at trial: Between May 2006 and March 2010, ADIGUN and ONYEKABA stole mail, credit cards, and other personal information from individuals in the Atlanta area, and then opened a variety of financial accounts under the victims’ names. As part of the scheme, ADIGUN obtained a job as a mail carrier in the Hiram Post Office under the name “Mary Afolabi,” an identity she had stolen from another person from Nigeria before ADIGUN entered the United States in 2004. During ADIGUN’s time with the Hiram Post Office, over 85 victims on her mail route reported that their identities were stolen and used to open multiple financial accounts in their names.
Using the information stolen from the mail route customers, ADIGUN and ONYEKABA applied for credit cards and bank loans in their victims’ names. They deposited the fraudulent loan proceeds into bank accounts opened under yet other victims’ names and then wrote checks from those accounts to their two fraudulent businesses, GMO Auto Services in Douglasville and Gabmike Limousine Service in Smyrna. They also used the fraudulent credit cards at their businesses.
Further, ADIGUN and ONYEKABA purchased gift cards and thousands of dollars of merchandise with the fraudulent credit cards. In March 2010, law enforcement officers stopped the defendants driving a Lincoln Navigator and found dozens of American Express, Walmart, and Target gift cards that were purchased with stolen credit cards issued to individuals residing on ADIGUN’s mail route in Hiram.
ADIGUN obtained a social security card and a U.S. passport and, in March 2009, was naturalized as a U.S. citizen – all under the assumed name of “Mary Afolabi.”
After a seven day trial, the jury returned guilty verdicts on all 44 counts it considered, including conspiracy, access device or credit card fraud, aggravated identity theft, bank fraud, mail theft, immigration fraud, social security fraud, and passport fraud. The charges carry maximum sentences that range from five to 30 years in prison each, and fines of up to $1,000,000 per count. The aggravated identity theft charges require a mandatory minimum sentence of 2 years in addition to any other sentence imposed. Sentencing has not yet been scheduled before United States District Judge Richard W. Story. In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders.
This case was investigated by the United States Postal Service, Office of Inspector General; United States Postal Inspection Service; United States Immigration and Customs Enforcement’s Homeland Security Investigations; United States Secret Service; Social Security Administration; Paulding County Sheriff’s Office; Douglas County Sheriff’s Office; Cobb County Sheriff’s Office; Hiram Police Department; and Cobb County Police Department.
Assistant United States Attorneys Stephen H. McClain and Shanya J. Dingle are prosecuting the case.
How to protect personal data on old devices you sell
Thinking of selling or giving away your smartphone or laptop computer? If you have a BlackBerry or an iPhone, go right ahead. But if you have an Android phone or a computer running Windows XP, you may want to hold off.
It turns out that it's almost impossible to get rid of personal information from some devices, even if you follow the manufacturer's directions for wiping the device clean.
Robert Siciliano, identity theft expert for the technology security firm McAfee, found this out in an experiment he conducted over the fall and winter. He bought 30 electronic devices from Craigslist — mostly smartphones and laptops — to see how effective people were at removing personal information from their gadgets before selling them.
MasterCard, Visa Report Data Breach of Card Processor
VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.
In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.
More from Krebs
Microsoft Founder Paul Allen Victim of Identity Theft
Microsoft co-founder Paul Allen has become the victim of identity theft, with an AWOL U.S. soldier in Pittsburgh charged with changing the address on a Seattle bank account owned by Allen and attempting to redirect funds to a personal account.
Brandon Lee Price allegedly changed the address on a Citibank account owned by Allen from Seattle to Pittsburgh, and then had a debit card sent to his home in Pittsburgh. According to a report by the AP, Price attempted to wire $15,000 to the new account and to make a $658.81 payment on an Armed Forces Bank loan. He then allegedly attempted to make purchases at a GameStop and Family Dollar store.
One of the stupider headlines or memes around this news is that if a billionaire's identity isn't safe, then how can anyone elses be? There is nothing about a billionaire that makes his or her identity any more protected than anyone elses. If you think there is than by all means name it. Just being rich doesn't inherently give you protections against ID theft.
Debit card fraud up, while check fraud declines
No surprise here. The use of debt cards are way up, so of course fraud increased. The opposite is true for paper checks.
During a year that saw a record rise in financial crime reports, one scam that has plagued banks and consumers for decades is fading away: check fraud.
Reports of suspected counterfeiting, check fraud, and check kiting were among the financial crimes that saw declines during 2011, dropping 7.5 percent from 2010.
The drop in check fraud came as the Financial Crime Enforcement Network (FinCEN) had a record number of suspicious activity reports (SARs) in 2011 throughout the financial industry.
The number of check-related suspected crimes peaked in 2008, with banks sending 152,874 suspicious activity reports to FinCEN. From there, the cases are investigated by federal, state, or local authorities, depending on the amount of money involved in the crime.
Since 2008, the number of check-related crimes has dropped to 107,041.
The drop in check fraud numbers points to a trend many Americans are familiar with, the slow disappearance of checks.
The use of checks as a form of payment has been declining in recent years. Personal check use has dropped by 12 percent among consumers between 2008 and 2010, according to the American Bankers Association.
Meanwhile, the use of debit cards has increased, and with it, debit card-related crime.
From 2006 to 2009, the use of debit cards as a form of payment rose 14 percent among Americans, while debit card crimes rose 41 percent, according to data from the Federal Reserve and FinCEN.
Children 51 times more likely to be ID theft victim
Why are kids so vulnerable? Because they have unused, unblemished credit profiles. Richard Power, Distinguished Fellow, Carnegie Mellon CyLab, recently published the first ever child identity theft report based on identity protection scans of over 40,000 U.S. children. It is extremely alarming that 10.2% of the children in the report had someone else using their Social Security numbers. That figure is 51 times higher than the rate for adults of the same population.
Most people can't imagine a child's identity would be valuable. That comes from a lack of understanding of how the credit system works in the US.
Because children have untouched and unblemished credit records, they are highly attractive targets. More importantly, their credit reports are usually never looked at for years and years, so the thief can get away with the crime for longer. Child identity theft is profitable, hard to detect and a nightmare to recover. Thieves steal a child’s identity early on, nurture it until they have a solid credit score, and then abuse and discard it. If it’s not discovered in time, fraudulent use of your child’s identity could mean the loss of educational and job opportunities and starting off adulthood at a serious disadvantage with someone else’s bad credit in her name. All an identity thief needs to ruin your child’s bright financial future is her name and Social Security Number.
Social media use leads to increase in identity theft
Big users of social networks and smartphones have a higher risk of ID theft.
About 12 million Americans got hit by identity fraud in 2011, a 13% increase from a year earlier, thanks to consumers' growing use of social-media websites and smartphones, plus a sharp jump in security breaches, according to a recent report from Javelin Strategy & Research.
"The new ways in which people can communicate with each other create new risks," says Joel Winston, chief privacy officer at ID Analytics, a consumer risk-management company.
Some 7% of smartphone owners became identity-fraud victims in 2011, the Javelin survey of 5,000 consumers found. Smartphone users are about one-third more likely to fall prey to identity fraud than the general public, the report found.
Why? Because smartphones are minicomputers that store vast quantities of personal information, yet many users don't protect their smartphones the way they do laptops and PCs.
Facebook pushes back against employers demanding passwords
Is it legal or even fair for prospective employers to request -- or in some cases demand -- your Facebook password?
Facebook, perhaps anxious to avoid public controversy as it prepares for a much-publicized initial public offering, is moving to squelch a widely reported practice of employers asking job applicants for their Facebook passwords.
“If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends,” Erin Egan, Facebook’s chief privacy officer, wrote in a March 23 note. “As a user, you shouldn’t be forced to share your private information and communications just to get a job.”
Egan also hinted at the legal repercussions: “If an employer sees on Facebook that someone is a member of a protected group [e.g., over a certain age, etc.], that employer may open themselves up to claims of discrimination if they don’t hire that person.”
Employers also may not “have the proper policies and training for reviewers to handle private information,” Egan added. “If they don’t—and actually, even if they do—the employer may assume liability for the protection of the information they have seen.” That information may also incur certain responsibilities, such as reporting the possible commission of a crime.
FTC report says credit bureaus upsell ID theft victims
A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.
The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.
The report comes as that new agency is about to take on regulation of the credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.
More from MSNBC
Armenian Mobsters Convicted in LA for Identity Theft
The convictions were announced by Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division, U.S. Attorney Andre Birotte Jr. of the Central District of California, Assistant Director in Charge of the FBI’s Los Angeles Field Office Steven Martinez and Special Agent in Charge of the U.S. Secret Service (USSS) Joseph Beaty.
Arman Sharopetrosian, Karen Markosian, Artush Margaryan and Kristine Ogandzhanyan were found guilty of conspiring to commit bank fraud, attempted bank fraud and various counts of aggravated identity theft. Sharopetrosian, Markosian and Ogandzhanyan waived a jury trial and consented to trial by the judge, and Margaryan proceeded with a jury trial.
Yesterday, U.S. District Judge David O. Carter found Ogandzhanyan, 28, of Burbank, Calif., guilty of one count of bank fraud conspiracy, two counts of attempted bank fraud and four counts of aggravated identity theft. On March 16, 2012, the judge found Sharopetrosian, 33, of Burbank, guilty of one count of bank fraud conspiracy, four counts of bank fraud and seven counts of aggravated identify theft. On March 16, 2012, the judge also found Markosian, 39, of Glendale, Calif., guilty of one count of bank fraud conspiracy, one count of attempted bank fraud and two counts of aggravated identity theft. A jury convicted the fourth defendant, Artush Margaryan, 28, of Van Nuys, Calif., on March 16, 2012, of one count of bank fraud conspiracy, one count of attempted bank fraud and three counts of aggravated identity theft.
Evidence was presented at trial that Sharopetrosian is a member of the Armenian Power organized crime group, and Margaryan, Markosian and Ogandzhanyan are Armenian Power associates.
According to evidence presented at trial, Sharopetrosian directed the massive fraud scheme along with co-defendant Angus Brown, while the two were incarcerated at Avenal State Prison. Using cellular telephones that were smuggled into the prison, Sharopetrosian and Brown worked from behind bars to coordinate with others, including Ogandzhanyn, Markosian and Margaryan, to obtain confidential bank profile information and steal money from victim account holders. Often targeting high-value bank accounts, the defendants used account holders’ personal identifying information – including names, Social Security numbers and dates of birth – to impersonate victims in phone calls to the bank. The defendants gathered account information, transferred funds between victims’ accounts and placed unauthorized check orders for the accounts. They then stole the checks, obtained the victims’ signatures from public documents and paid conspirators to cash the forged checks. Over the course of the six-year conspiracy, the defendants and their co-conspirators caused more than $10 million dollars in losses to victims in Southern California, Nevada, Arizona and Texas.
“These defendants, including two individuals who were operating from a prison cell, perpetrated a massive fraudulent scheme on behalf of a dangerous criminal enterprise,” said Assistant Attorney General Breuer. “As members and associates of Armenian Power, they stole sensitive personal and financial information from innocent consumers and caused millions of dollars in losses. Whether organized criminal groups traffic in drugs, commit financial fraud or wreak other havoc to keep themselves going, they must be stopped. We are doing everything possible to shut down dangerous gangs like Armenian Power.”
“The safety and sanctity of confidential financial information is paramount in today’s society,” said U.S. Attorney Birotte. “Identity theft is a fundamental invasion of consumer privacy that cannot be tolerated. These convictions demonstrate that violators, whoever and wherever they may be, will be caught and will be prosecuted to the fullest extent of the federal law.”
“The defendants were convicted in a trial that uncovered a sophisticated and lengthy scheme that targeted victims in multiple states, and included disturbing details, such as orders made from within prison walls and assistance from bank insiders enlisted by the defendants,” said FBI Assistant Director Martinez. “This case is also indicative of the growing trend of gang or organized crime-affiliated groups now engaging in identity theft and other financial crimes in furtherance of their enterprise.”
These defendants are four of 20 defendants who were charged with operating the bank fraud and identity theft scheme in one of a series of federal indictments unsealed on Feb. 16, 2011. The indictments allege various federal crimes against members and associates of the Armenian Power criminal organization. To date, 19 of the 20 defendants charged in the bank fraud indictment have been convicted, including Brown. One defendant, Faye Bell, was arrested earlier this year and is still awaiting trial.
Sharopetrosian, Margaryan, Markosian and Ogandzhanyan face maximum sentences of 30 years in federal prison for each count of bank fraud, 30 years for each count of conspiracy to commit bank fraud and additional mandatory two year sentences for each count of aggravated identity theft.
Sentencing for all four defendants is scheduled for Aug. 6, 2012, before Judge Carter.
The case is being prosecuted by Assistant U.S. Attorneys Martin Estrada and Joseph McNally of the Central District of California and Trial Attorney Cristina Moreno of the Organized Crime and Gang Section in the Justice Department’s Criminal Division. The case was investigated by the Eurasian Organized Crime Task Force, which includes the FBI, the USSS, the Los Angeles Police Department, the Glendale Police Department, the Burbank Police Department, the Internal Revenue Service and the U.S. Immigration and Customs Enforcement.
University of Tampa Data Breach
A breach at the University of Tampa may have exposed the sensitive information of thousands of students, faculty and staff members, including their names, identification numbers, social security numbers and birth dates, according to a press release posted to their the University's Web site over the weekend.
The information of approximately 6,800 students from fall semester 2011 was discovered online by students in a UT class who were searching online. A subsequent investigation turned up two more files containing roughly 30,000 more records from between January 2000 and July 2011.
More from ThreatPost
Unidentified hackers behind Stuxnet and Duqu still at work
The still-unidentified group of attackers behind Stuxnet and Duqu have drawn quite a bit of attention to themselves in the last couple of years with their creations. Researchers, law enforcement and some particularly angry governments all would like to have a long talk with the crew. But that attention apparently hasn't persuaded the group that it's time to tone down their pursuits, as evidenced by the fact that researchers have discovered a newly compiled driver for Duqu within the last couple of days.
One of the unique things about Duqu is that the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say that the number of known victims of Duqu is quite small, perhaps fewer than 50.
More from ThreatPost
Data breaches take months or years to be discovered
Over 90 percent of data breaches are the result of external attacks and almost 60 percent of organizations discovered them months or years later, Verizon said in a report released at the RSA security conference on Wednesday.
Called the Verizon 2011 Investigative Response Caseload Review, it compiles statistics from 90 data breach cases investigated by the company's incident response team last year, and provides a preview of Verizon's larger annual report that will contain data collected from additional sources like national CERTs and law enforcement agencies.
The report concludes that 92 percent of data breach incidents have had an external cause, which conflicts with the findings of other security vendors, according to whom most data breaches are the result of internal threats.
More from IDG
EU May Propose 24-Hour Breach Notification, Data Privacy Rules
Companies operating in the European Union may be required to disclose data breaches within 24 hours if proposed new rules are approved.
The European Commission will propose several changes to the data protection and privacy rules to protect individual rights and ensure a high level of data protection on Jan. 25. The proposed changes will simultaneously simplify and toughen the current mishmash of rules and policies currently used by the European Union's 27 member countries.
Along with the data breach notification rule, the commission's proposal includes stricter sanctions and would provide national data-protection officials with authority to levy administrative sanctions and fines, such as fining companies a percentage of their global revenue for violating the rules. The proposed changes would overhaul the EU's 17-year-old data protection policies addressing online advertising and social networking sites.
"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," EU Justice Commissioner Viviane Reding said at a conference in Munich on Jan. 22, according to Bloomberg.
Symantec Warns pcAnywhere Users Due to Source Code Theft
Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.
The saga over Symantec's stolen code took another twist as the company acknowledged that pcAnywhere customers are at risk for man-in-the-middle attacks and new exploits.
The breach actually occurred on Symantec servers in 2006, and attackers stole source code to several Norton security products and the pcAnywhere remote access tool, Symantec confirmed last week. At the time, the company assured customers that there was no risk to the products because the source code was so old and the company had made security improvements over the past six years.
However, upon further investigation, it appears that pcAnywhere customers are at risk, especially if they are not following "general security best practices" to protect the endpoint, network and remote access, as well as properly configuring the remote access tool, Christine Ewing, director of product marketing in the endpoint management group, wrote on the Endpoint Management Community blog Jan. 24. Those customers are susceptible to man-in-the-middle attacks, which can reveal authentication and session information.
"Customers of Symantec's pcAnywhere have increased risk as a result of this incident," Ewing wrote.
The encoding and encryption elements within pcAnywhere are vulnerable to being intercepted in man-in-the-middle attacks, according to a whitepaper addressing the issues in the remote access tool released by Symantec Jan. 25. If attacker manage to obtain the cryptographic key, they would be able to launch unauthorized remote control sessions and access other systems and sensitive data. If the key is using Active Directory credentials, the attackers would be able to access other parts of the network.
The company released a patch fixing three vulnerabilities in the latest version of pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release additional patches during the week for older versions of pcAnywhere, including versions 12.0 and 12.1. Symantec is also expected to patch more issues in version 12.5. Symantec will keep updating the software until "a new version of pcAnywhere that addresses all currently known vulnerabilities" is released, Ewing said.
Customers should disable pcAnywhere because malicious developers would be able to identify vulnerabilities within the source code and launch new exploits, Symantec said in the whitepaper. The remote access tool should be disabled unless it is vitally needed for business use, and in those situations customers should use the latest version of pcAnywhere with all the relevant patches and "follow the general security best practices," Symantec said.
"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said.
Since pcAnywhere is available as a stand-alone product, bundled with other Symantec products and also as part of Altiris-based packages, customers should check to see if the tool is enabled. A remote access component called pcAnywhere Thin Host is also bundled with several backup and security products from Symantec.
The company again asserted that its antivirus and endpoint security products are not at risk. "Our analysis shows that due to the age of the exposed source Symantec antivirus or endpoint security customers, including those running Norton products, should not be in any increased danger of cyber-attacks resulting from this incident," Symantec said in a statement.
The theft was limited to the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton Antivirus Corporate Edition code "represents a small percentage" of the code that appeared in the prerelease source for Symantec Antivirus 10.2, which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced Symantec Antivirus Corporate Edition, was based on a separate code branch "that we do not believe was exposed," Symantec said. Customers running Symantec Endpoint Protection 11.x are at "no increased security risk" due to the code theft.
Customers should follow recommended best practices, such as making sure antivirus definitions are up to date and running the latest version of the software. If it makes sense for the organization, Symantec recommends upgrading to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but there is no rush.
"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," Symantec said.
McAllen insurance agent indicted on charges of mail fraud and ID theft
From a Jan. 26 news release issued by the U.S. Attorney's Office for the Southern District of Texas:
McALLEN, Texas – A McAllen area insurance agent has been indicted on multiple counts of mail fraud and aggravated identity theft arising from a scheme to defraud several private insurance companies offering Medicare Advantage plans and other insurance products, United States Attorney Kenneth Magidson announced today.
San Juana Lopez, 59, of Edinburg, Texas, was charged with five counts of mail fraud and three counts of aggravated identity theft in a federal indictment, returned under seal Tuesday, Jan. 24, 2012. The indictment was unsealed this morning upon her arrest by federal agents at her residence and she is expected to make an initial appearance in federal court later this morning before U.S. Magistrate Judge Dorina Ramos.
According to the indictment, from 2007 through 2008, Lopez worked for a San Antonio, Texas, insurance agency, selling Medicare Advantage insurance plans. These plans provide Medicare beneficiaries with the option to receive their benefits through a wide variety of private managed care plans, rather than through the traditional Medicare program. The indictment alleges Lopez obtained identifiers of beneficiaries through a variety of illegal means and used the identifiers to enroll the beneficiaries in a Medicare Advantage plan offered by Care Improvement Plus - a Baltimore, Md., insurance company - without the authorization or knowledge of the beneficiaries. Lopez received thousands in commissions as a result of the false enrollments.
The indictment further alleges that only a few days after being suspended by Care Improvement Plus, Lopez entered into a sales agent agreement with United Funeral Directors Benefit Life Insurance Company (United), of Richardson, Texas, which offered pre-need funeral contracts allowing insured individuals to pre-plan and pre-fund funeral expenses. According to the indictment, soon after becoming an agent for United, Lopez began enrolling numerous individuals in United’s pre-need funeral insurance policy without their authorization or knowledge. The indictment alleges Lopez used bank account information belonging to unsuspecting United clients, whom she had previously enrolled, to make premium payments on the false policies. Lopez received thousands of dollars in commissions from United in connection with the alleged fraud.
Each count of mail fraud carries a sentence of up to 20 years in federal prison without parole and a $250,000 fine upon conviction. Lopez also faces a mandatory two-year prison term for each count of aggravated identity theft which must be served consecutive to any prison sentence imposed on the underlying charges.
The investigation leading to the charges was conducted by the U.S. Department of Health and Human Services–Office of Inspector General and the U.S. Secret Service. Assistant United States Attorney Greg Saikin is prosecuting the case.
An indictment is a formal accusation of criminal conduct, not evidence.
A defendant is presumed innocent unless convicted through due process of law.
Malware Poses as Google+ Plug-In
Spammers are cashing in on the popularity of Google+ by sending out fake emails inviting users to try out Google+ Hangouts by downloading a malicious file posing as a Google+ Hangout plug-in.
The fraudulent email advertises Google+ Hangouts as “the most popular online meeting service,” which is apparently true, according to a recent article from Lifehacker.
The fake Google+ plug-in promises to make you “look and sound your best with high quality audio and video,” apparently an effort to fool G+ users into believing that the free Web conferencing feature can be juiced. Malware City reports that clicking the link won’t install a Google+ plug-in but downloads an executable file instead.
Despite concerns about privacy, there have been few threats that specifically target the Google+ network since its launch. The company has promised to prevent brand squatting and other nuisance behaviors, but G+ specific malware and attacks have been far and few between. That may change, however, as the size of the nascent social network continues to grow.
ID theft scam in NY has victims in 30 states
Two New York women are accused of scamming $75,000 from victims in 30 states by posting phony Craigslist ads for nonexistent jobs and apartments.
A Long Island prosecutor has announced identity theft charges against the woman and her niece.
Nassau County District Attorney Kathleen Rice said Thursday a grand jury filed grand larceny and other charges against the pair earlier this week. Her spokesman said the women will be arraigned at a later date. Defense attorneys did not immediately respond to calls for comment.
Prosecutors say the pair posted online ads and then asked responders to provide personal information, including Social Security numbers.
The women then allegedly used the information to file more than 250 phony tax returns, obtain bank loans and credit cards in the victims’ names.
Six Charged in Scheme to Use Identities of Dead People to Get Tax Refunds
According to the indictment, between April 15, 2009, to at least August 2011, Muaad Salem, Fahim Sulieman, Hanan Widdi, Najeh Widdi, Hazem Woodi and Daxesj Patel and other unknown co-conspirators allegedly defrauded the United States by filing false and fraudulent tax returns, many in the names of recently deceased taxpayers, and directing refunds to controlled locations in the state of Florida.
The indictment further alleges that the U.S. Treasury checks generated by the false and fraudulent returns would then be sent by the U.S. mail to co-conspirators in Ohio who would sell and distribute the checks for negotiation at various businesses and banking institutions.
“The theft of anyone’s identity is a serious offense, but stealing the identities of the recently departed to defraud all the other taxpayers is particularly egregious,” said Steven M. Dettelbach, the U.S. Attorney for the Northern District of Ohio.
“Identity theft that leads to tax fraud threatens both individual U.S. citizens and the U.S. government,” said John A. DiCicco, Principal Deputy Assistant Attorney General of the Justice Department's Tax Division. “The Justice Department and the IRS will continue to cooperate in investigating and prosecuting these crimes to the fullest extent of the law. In our technology-driven society, this simply must be a top priority.”
The following individuals were charged with conspiracies to defraud the United States and to commit mail fraud:
Muaad Salem, age 33, of Akron, Ohio;
Hazem Woodi, age 31, of North Olmsted, Ohio;
Najeh Widdi, age 45, of Cleveland;
Fahim Suleiman, age 46, of Lutz, Fla.;
Daxesj Patel, age 35, of Canton, Ohio; and
Hanan Widdi, age 38, of Cleveland.
The six are also charged with three counts of mail fraud and two counts of aggravated identity theft. In addition to the other charges, Patel is separately charged with two counts of making a false claim against the United States and with making a false statement to law enforcement officials investigating the crimes.
“The IRS is aggressively pursuing those who steal others’ identities in order to file false returns,” said Steven Miller, IRS Deputy Commissioner for Services and Enforcement. “Our cooperative work with the U.S. Attorney’s Office will help protect taxpayers in Northern Ohio from being victimized by identity theft. The IRS is taking additional steps this tax season to further prevent, detect and resolve identity theft cases as soon as possible.”
“This case is an example of the FBI and IRS working together to aggressively pursue and investigate those organized criminal enterprises that commit identity theft and fraudulent activities in the United States costing the taxpayers of this country millions of dollars,” said Stephen D. Anthony, Special Agent in Charge of the FBI’s Cleveland office.
“IRS Criminal Investigation has made investigating refund fraud and identity theft a top priority,” stated Darryl Williams, Special Agent in Charge, IRS-Criminal Investigation, Cincinnati Field Office. “Filing fraudulent tax returns in the names of other individuals may result in significant harm to those individuals whose identities were stolen, as well as a monetary loss against the U.S. Treasury.”
Mail fraud is punishable by a maximum sentence of 20 years in prison; conspiracy to defraud the United States is punishable by a maximum sentence of 10 years; conspiracy to commit mail fraud, making a false claim against the United States and making a false statement are each punishable by a maximum sentence of five years in prison; aggravated identity theft is punishable by a mandatory sentence of two years incarceration to follow conviction on any other offense.
Defendants also face a fine of up to $250,000 for each count of conviction.
The case was presented to the grand jury by Assistant U.S. Attorney Gary D. Arbeznik following investigation by the Cleveland Division of the FBI, the IRS – Criminal Investigation, and the U.S. Postal Service.
An indictment is only a charge and is not evidence of guilt. The defendants are entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt
Top Data Breaches in 2011
2011 was a significant year for data security, with some of the biggest data breaches in our history reported. In 2011, 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.
Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches that contain data as seemingly innocuous as names and email address can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.
The following half dozen are the most significant data breaches in 2011:
- Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login, and online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.
The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes. Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites. One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In this case, the stolen passwords were unencrypted, meaning the criminal could potentially "break in" to other sites if the victims used the same password more than once.
- Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million. The number of customer emails exposed may have reached 250 million.
Compromised email addresses and names may seem innocuous to some, but victims may fall prey to spear phishing. Spear phishing occurs when a criminal sends an email that sounds and looks like it’s from a company the recipient has an account with because it addresses him or her by name. A spear-phishing message might say, "Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email tries to convince trusting readers to “bite” on the bait and go to that website, and then divulge other information like Social Security numbers and credit card numbers. The result could be as serious as identity theft.
The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems and the need for greater cloud security measures.
- Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.
The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.
- Texas Comptroller's Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.
A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and driver's license numbers of some of these people were also exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.
Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.
- Health Net (March 15) - Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.
Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification.
- Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) - The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed Service members, retirees and their families were affected. Patient data from the military health system dating from 1992 to September 2011 could have been compromised. It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information. Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data. The lawsuit would give $1000 to each of the affected individuals. SAIC reported that 5,117,799 people were affected by the breach.
The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted? This breach also illustrates the triple impact of medical breaches. Victims not only suffer the exposure of their sensitive health information; they also are vulnerable to financial identity theft as well as medical identity theft.
It is also significant that two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report. Medical breaches are particularly significant and harmful because of the sensitivity of personal information exposed, in addition to, often, Social Security numbers and dates of birth.
Hacking group releases 75,000 names of Stratfor subscribers
Hackers released another batch of data on Thursday pilfered from Stratfor Global Intelligence, a widely used research and analysis company whose website was attacked last weekend. The data purports to be the names and credit-card numbers of people who have purchased research from Stratfor plus hundreds of thousands of user names and e-mail addresses used to register with the website.
The hackers, believed to be part of the Anonymous movement, described the data on Pastebin, then provided several links to websites hosting the information. They noted that some 50,000 of the e-mail addresses released end in ".mil" or ".gov." The data comprises 75,000 names, credit card numbers and MD5 hashes, or cryptographic representations, of passwords for people who have paid Stratfor for research.
The group also said the data contains 860,000 user names, e-mail addresses and MD5 hashes for passwords for anyone who has registered on Stratfor's website.
From IDG News Service
Privacy Rights Clearinghouse Launches Online Complaint Center
The Privacy Rights Clearinghouse (PRC) is proud to announce the launch of an interactive online complaint center designed to serve as a clearinghouse for consumer privacy complaints. This builds upon our 19-year history of troubleshooting consumers’ complaints and questions regarding a wide variety of information privacy issues, including background checks, debt collection, data breaches, financial information, and online data brokers. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.
The impetus for the development of the online complaint center was the 2009 KnowPrivacy study, conducted by graduate students in the Masters program at the UC-Berkeley School of Information as well as the Law School at UC-Berkeley. The study found that consumers are concerned about data collection and want greater control over their personal information, but don't know whom to complain to. This presents a significant challenge given the important role that consumer complaints can play regarding the shaping of public policy.
The new online complaint center acts as a clearinghouse for privacy-related complaints by offering consumers a central point of contact. Complaints submitted to the PRC will be forwarded upon the consumer’s request to the appropriate governing body. Further, by acting as a magnet for privacy complaints, our goals are to:
- Empower Consumers. There are many avenues for consumers to voice complaints, but few that actually respond with personalized information. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem. We also offer individuals the opportunity to escalate the complaint to the media, public authorities, and, if appropriate, attorneys.
- Educate the Public Policy Process. As an education and advocacy organization, the PRC understands the important role consumer complaints play in fostering regulatory and legislative change. The online complaint center will enable us to identify trends and publish reports on key privacy-related issues that are of concern to individuals. By sharing this information with the Federal Trade Commission and other regulators at the state and federal level, public authorities can gain a richer understanding of the consumer privacy landscape.
The online complaint center, available at www.privacyrights.org/complaint, simplifies the complaint process into four main sections:
- Who are you? Consumers can choose to remain anonymous or provide their name and contact information. The only information we require is the consumer's email address and state so that we can properly respond to the complaint. Contact information will not be shared unless the individual chooses to share the complaint with government agencies, lawyers or the media.
- Whom/what are you complaining about? We ask the consumer to identify whom/what the complaint is about: a company or organization, a government agency or a person. If the complaint is about a company or organization, the site has an interactive “smart” feature that can auto-fill company information.
- What is your complaint? Consumers have the ability to describe their complaint in detail, attach supporting documents and add "tags" to categorize the complaint.
- Review and submit your complaint. Before submitting the complaint, consumers have an opportunity to review the entire complaint and make any necessary changes. There is also an option to print or email a copy of the complaint.
The PRC staff review all complaints and email a personalized response to the consumer within one to two business days. If the individual chooses to share the complaint with government agencies, we forward the complaint to the appropriate governing body.
The online complaint center also offers a registration feature. Those users who wish to register can login at anytime to update contact information, access previously submitted complaints, see staff responses to each complaint, and add new information to a complaint. Registration is completely optional and can be pseudonymous.
We invite you to celebrate a new year for privacy by exploring the online complaint center and sharing the site with your friends and family. Any feedback can be emailed to firstname.lastname@example.org.
ID Theft Is More Prevalent Offline with Paper than Online
In Half of the Cases Where the Perpetrator is Known, Identity Fraud is committed by Someone Close to the Victim
SAN FRANCISCO, January 26, 2005 - The 2005 Javelin Identity Fraud Survey Report - released by the Better Business Bureau and Javelin Strategy & Research as an update of the Federal Trade Commission's 2003 Identity Theft Survey Report and Javelin's 2003 Identity Theft Report - shows that despite growing fears about identity theft and online fraud, of the victims that know the identity and method used by the criminal, these crimes are more frequently committed offline than online. Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.
Three More States Add Laws on Data Breaches
Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as a result of new security-breach notification laws that went into effect in Illinois, Louisiana and New Jersey on Jan 1.
Missing data recovered by ABN AMRO Mortgage
Some Bay Area ABN AMRO Mortgage customers this week are receiving the digital age's dreaded midnight knock on the door: A letter stating a data tape containing their Social Security numbers and other personal information had been lost by a courier.
from Merc News
Update on Credit Freeze & Data Breach Laws
With the New Year almost upon us, a variety of new laws that impact identity theft and personal privacy will begin to go into effect. A variety of states are gearing up to implement new laws that allow consumers to freeze their credit files. Connecticut, New Jersey and Illinois will all implement this type of law on January 1, but these states have very different visions of who should be given the ability to freeze their credit report. See GuardMyCreditFile