Phoenix Personal Injury Lawyer - identity theft - Most Commented

Public Records Containing Social Security Numbers Readily Available in Arizona

Staff Writer — Thu, 01 Mar 2007 09:48:25 GMT

Yesterday News Channel Five reported that some county records containing social security numbers and other confidential information are readily available for inspection by anybody with internet access which unfortunately presents criminals with an invitation to commit identity theft. How would you feel if your social security number has been published on the internet because it has been included somewhere in a public record? Even worse, in the Channel Five news story, when a citizen found that his social security number was readily available from the County Recorder's Office and later tried to remove this information, the Recorder refused. Because the data involves public records, it has been placed in cyberspace without password protection or encryption. Data thieves do not need to hack into this database to steal it. Some state agencies disclose public records by mail only after redacting confidential and personal information. The federal privacy act and other privacy safeguards require removal of personal and confidential information from public records. Although the county has taken steps to remove confidential information for all new records, apparently it will take up to six months to remove social security numbers and other confidential information from remaining records.

Apparently without a direct request by the affected party, the County will not remove the records which have not yet been redacted from the internet during this interim six month time period. The County suggests that a six month delay is acceptable. However, because thieves can copy each and every single social security number on the web in six months, such a delay seems unacceptable. Instead, I believe that the county should take down its public database only for records which have not yet been redacted and add these records back to the database when redactions have been completed. In the meantime, over the next six months, rather than obtaining records via immediate internet access, people making public records requests would simply wait a day or two while employees redact confidential information and provide responses the old fashion way, by mail. Such protections seem reasonable considering that the alternative exposes hundreds of thousands of citizens to the unreasonable risk of identity theft. Perhaps if the County refuses to take such a step, legislation shifting the cost of possible identity theft breaches onto government agencies who do not take reasonable steps to protect data could give the county incentive to take these consumer protection steps. As I have mentioned in prior postings, according to the Federal Trade Commission, unfortunately Arizona has the highest number of per capita victims of identity theft in all states. Because we live in a high identity theft crime state, agencies and corporations alike must take reasonable steps to protect confidential information. Without providing a reasonable explanation, I believe it inappropriate to leave confidential data exposed on the internet and available for public inspection by anybody with a computer. Without encryption or password protection, such conduct seems outrageous. Because the County Recorder's Office now suggests that upon request, it will take steps to remove information, you should probably consider conducting a search on the Maricopa County Recorder's Office web site and if you see compromising information, request immediate removal of the private information by contacting the Recorder's Office at 602-506-3535 or visiting the office in person at 111 S. Third Avenue in Phoenix.

What do you think about the County's conduct? Do you believe our public records laws require that all information including social security numbers be released to anybody over the internet? Do you believe that our government should allow unlimited internet access to social security numbers and other personal information for another six months? Would a short-term delay of a few days be reasonable for the County to provide redacted records by mail rather than to allow immediate access to unredacted records, if such a minor delay minimizes risk of identity theft? Can you see important reasons to allow immediate access to public records while this six month transition takes place? Let me know your thoughts on this important issue.

Originally posted at InjuryBoard by Staff Writer

Even More Details Emerging about TJMaxx and Marshalls Data Breach

Staff Writer — Sun, 21 Jan 2007 08:24:42 GMT

Even more details are beginning to emerge about the theft of data on computer systems belonging to TJX Companies, the parent company of TJMaxx and Marshalls stores. Unfortunately it appears that thieves are actually using information they stole from the TJX Company computers. The on-line publication Computerworld described the data security breach as follows:

The scope of the security breach disclosed this week by The TJX Companies Inc. is starting to make itself evident, with more than three dozen banks in Massachusetts alone now reporting that cards they issued have been compromised.
A spokesman for the Massachusetts Bankers Association said this afternoon that 40 of the MBA's 205 member banks have said they suffered card compromises as a result of the breach at Framingham, Mass.-based TJX. That number is sure to grow as more banks report to the association, he added, noting that only about 60 have done so thus far.

It appears that the data stolen from TJX Company should never have been saved in the company's computer system in the first place. According to the Computerworld article, the data stolen from the corporate computer system included

account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion.

Credit card company standards prohibit retailers from storing this information in its computer systems once a consumer transaction has been completed,

Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies.

TJX Companies apparently did not follow this credit card company requirement nor did it encrypt sensitive data on its systems as also required by the Payment Card Industry Data Security Standard. Thus, although thieves stole credit card data and numerous consumers have apparently been affected, it appears that the TJX Company's lax adherence to the Payment Card Industry Data Security Standard allowed such an intrusion to occur. If this information turns out to be accurate, in my opinion, TJX should bear responsibility for allowing such a serious data security breach to occur. If you shopped at TJMaxx or Marshalls, what do you think about the company's approach to consumer privacy and data security? If you have recevied word from your credit card company that you may be a victim of this data security breach, do you think TJX Companies should be held accountable? I'd like to hear your opinions.

Originally posted at InjuryBoard by Staff Writer

Starbucks Employees Possible Identity Theft Victims

Staff Writer — Sun, 05 Nov 2006 10:52:04 GMT

Just this past week, Starbucks lost track of four laptop computers containing sensitive information including social security numbers, addresses and names of over 60,000 company employees. Looks like this company may know how to serve up some Java but needs some lessons on how to protect sensitive employee information. These employees may become the next victims of identity theft as a result of improper data security.

If you suspect that you have been or may become a victim of identity theft, the Federal Trade Commission web site entitled "Fighting Back Against Identity Theft" contains resources which may assist. This web site also contains a list of other web sites providing resources to guard against or assist victims of identity theft.

Originally posted at InjuryBoard by Staff Writer

Automobile Theft Can Lead to Identity Theft

Staff Writer — Sun, 22 Jul 2007 08:00:16 GMT

Arizona leads the nation in reported cases of identity theft. According to the Arizona Republic, metropolitan Phoenix also ranks fourth in the nation in reported cases of automobile theft as well. Considering these statistics together raises some concerns for drivers in Phoenix who leave various personal documents inside their cars. The Republic cautions that based on identity and auto theft risks,

Phoenix police are seeing more crimes in which thieves break into a car to take documents, sometimes snagging a remote garage-door opener to pillage the vehicle owner's home.

Unfortunately, it may no longer be appropriate to leave personal information inside your unattended vehicle. For example, leaving title inside your vehicle allows criminals to attempt to steal your car and obtain a fraudulent title transfer. Also, insurance cards containing your address may lead criminals directly to your doorstep while you are away. You may need to take these identifying documents with you when you leave your vehicle unattended. Other documents containing personal information can expose you to identity theft. In short, according to the Phoenix Police Department,

Cars can be a great place for thieves to get crucial information about you. Phoenix police and the Arizona Automobile Theft Authority offer the following tips:
â€¢ Take your vehicle registration, insurance cards or any other identifying information with you.
â€¢ Remove garage-door openers.
â€¢ Do not leave your purse or wallet in the glove box or under the seat.
â€¢ Routinely clean out your car to remove identifying papers and other items.
â€¢ As a backup, set up a P.O. box to receive mail on vehicles, insurance and other important documents; it safeguards your address.

Following these suggestions will not completely eliminate risks of identity or auto theft. However, these steps may reduce risks and make identity theft more difficult for criminals looking for crimes of opportunity.

Originally posted at InjuryBoard by Staff Writer

TJX Companies SEC Filing Details 47.5 Million Possible Identity Theft Victims

Staff Writer — Thu, 29 Mar 2007 09:20:33 GMT

TXJ Companies has finally come clean with some more details about the number of possible identity theft victims as a result of its failure to abide by credit card processing standards. Discussing this data security breach, in a regulatory filing with the Securities Exchange Commission, the TXJ Companies indicated,

Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

TJX Companies did not inform the Securities and Exchange Commission about the precise number of identity theft victims resulting from its failure to properly secure or purge data. According to the Associated Press, however, this number is staggering:

At least 45.7 million credit and debit card numbers of TJX Cos. (TJX) customers were stolen from the discount retailer's computer system over several years, according to a regulatory filing by the company Wednesday.

Unfortunately, not only have credit and debit card numbers been stolen, but also criminals have been using the stolen data as evidenced by arrests just this past week of six people in Florida attempting to use stolen credit card numbers to buy goods totaling about $1 million dollars.

This recent SEC filing and TJX Company disclosure should serve as a reminder to consider placing fraud alerts or credit freezes on your credit record if you have ever shopped at TJMaxx or Marshalls stores in the past twenty-four months. I sincerely hope that companies use this case as a stark reminder to take internet security and credit-card processing protections and security standards seriously.

Originally posted at InjuryBoard by Staff Writer

Public Relations Problems after Data Theft

Staff Writer — Sun, 19 Nov 2006 09:10:34 GMT

Well we have heard many stories about compromised data, stolen laptops, disappearing hard drives and personal information gone missing. Too often we hear corporate or agency executives telling us not to be concerned. Too often we hear suggestions that although sensitive personal data has been compromised, no evidence exists that actually proves thieves have accessed this confidential information. However, a new opinion article in the online publication Computerworld Security suggests that executives view data compromises incorrectly. In fact, according to the author, after a breach has occurred, no forensic investigation tools can accurately portray whether thieves have taken confidential information. The author suggests that in today's technological environment, no distinction really exists between a thief who just accesses a confidential database and a thief who actually takes data. In the age of mirroring and copying, either situation could result in identity theft.

According to the Computerworld Security author,

What does it mean, in the age of the Internet, to say that an intruder or attacker could "access" or "view" information, but that it was not "taken" from the database? These are old-school distinctions that ought to have been wiped aside by even the dimmest awareness of MP3 sharing and downloading, among many other examples. When one teenager copies another's MP3, is the data "taken" in anything but a licensing sense? Of course not.

The author cites one example of a recent data breach exposing patients and donors to identity theft risks at an Ohio Hospital and reported in late October, 2006. Hospital executives stated the following remarks apparently designed to set donors and patients minds at ease about the data theft:

Immediately upon discovery of the unauthorized entries, we retained computer security consultants to determine the extent of the breaches. They have found no evidence that any specific data was downloaded, tampered with, or compromised; however, the opportunity to view the data existed.

Based upon the Computerworld Security article, the fact that a data breach occurred should be cause for concern. Identity thieves who know that a free fraud alert placed with credit reporting bureaus will last only ninety days will likely wait that much time before attempting to use or sell compromised data. After having reviewed the Akron Hospital's description of what happend, it appears that over 242,000 patients and donors' confidential information and bank account records were accessed by hackers. This intrusion was not discovered until September, 2006 and the FBI and the public was not informed until late October. For the reasons described in the Computerworld article, if you are a patient of or donor to the Akron Children's Hospital, I would not feel confident in the hospital's suggestion that no evidence exists to suggest that hackers used the data that they viewed. I would demand accountability and responsibility. I would also tell Hospital executives and other officers at corporations or agencies with problems securing data to play things straight. Do not sugarcoat the problem! Unrealistic optimism can create a public relations fiasco. Hospital executives should tell the public the truth about the real identity theft risks. Customers, patients or donors deserve nothing less. Realistic disclosures should help the public to understand the real risks of identity theft in light of our current technological environment.

Originally posted at InjuryBoard by Staff Writer

Channel 12 News Reporter Victim of Identity Theft

Staff Writer — Mon, 03 Jul 2006 18:42:00 GMT

Well Rick DeBruhl, a news reporter with Channel Twelve News in Arizona just became an apparent victim of identity theft and decided to write a story about it in the Arizona Republic. His story presents an interesting variation of typical identity theft problems which unfortunately have been popping up more and more frequently. Apparently, this news reporter's identity on E-Bay was stolen and thieves began selling phantom DVD's to unsuspecting buyers. When buyers paid cash but did not receive their DVD's, they'd blame Rick DeBruhl. Unfortunately, he became a victim and found out the hard way that scammers of this type are out in cyberspace. Fortunately, the theft of his identity apparently was limited to E-Bay account information.

I guess that the moral of this story is that you can never be too careful and never buy DVD's from Rick DeBruhl! When you buy products on E-Bay, generally choose sellers who allow you to use a credit card to pay for purchases. By so doing, your credit card company will come to your rescue in case of fraudulent activity. For all internet vendors, make sure that you only buy products on line from business vendors who take personal information by using encrypted web pages over the internet. Encryption is not full proof; however, it does provide a more difficult hurdle for thieves who are constantly on the look-out on line for easy-to-nab personal information. I am sorry that Rick DeBruhl had such a bad experience; however, perhaps writing about it will help others to use simple prevention techniques to avoid having to caution buyers against buying DVD's from them.

Originally posted at InjuryBoard by Staff Writer

Presidential Candidate Romney Victim of Laptop Theft

Staff Writer — Tue, 11 Sep 2007 09:00:00 GMT

Those who do not learn the lessons of history are bound to repeat them. Republican presidential candidate Mitt Romney has apparently learned some of the lessons from recent high profile laptop thefts involving government agencies such as the Veterans Administration and private business such as Stevens Hospital in Washington.

Over the weekend, burglars broke into Candidate Romney's campaign headquarters and stole several laptop computers and other electronic equipment. According to a Romney campaign spokesman, the laptop computers were password protected and encrypted and

"The only thing they're good for is parts," campaign spokesman Eric Fehrnstrom told the Associated Press.

Password protection and disk drive encryption provide essential security tools to protect against data and identity theft. The Romney campaign apparently did things correctly. The only possible problem would have been if campaign staff members placed passwords on or nearby the stolen laptop computers. According to the Privacy Rights Clearinghouse, since 2005, over 165,000,000 personal confidential records have been compromised exposing personal information to risks of identity theft. In today's world, laptop password protection and data encryption are no longer an option. Keep that in mind the next time you decide to go to work for a presidential candidate.

Originally posted at InjuryBoard by Staff Writer

Major Data Breach at Monster.com Exposes 1.3 Million Personal Records

Staff Writer — Sun, 02 Sep 2007 12:00:44 GMT

This past week, Monster.com disclosed that thieves hacked into and stole confidential information about several hundred thousand job seekers posted in 1.3 million records.

According to a Fox news report,

The information, which included first and last names, e-mail and home addresses and phone numbers, was then used to send "phishing" e-mails to members, apparently from Monster.com, encouraging them to download a tool known as "Monster Job Seeker."
The tool was in fact a malicious program known as a "Trojan," as in Trojan horse, which encrypted files on the victims' machines, making them inaccessible to the computer owner.

Rather than immediately notifying affected consumers about the data breach, it appears that Monster.com waited almost one week before disclosing the intrusion. Yesterday, Monster.com indicated that it would heighten its security and surveillance measures to minimize the risk of such a major data intrusion.

Internet security vendor Symantec corporation described the data intrusion and risks of further criminal activity. Interestingly, according to Symantec, thieves have attempted to extort victims by locking down and encrypting personal files located on their personal computers demanding money to return accessibility to various personal files.

This data breach should serve as a reminder that because data thieves are increasing the type and sophistication of computer attacks, corporations and individuals should take Internet security seriously. Also, when a person or business discovers a data breach, shouldn't disclosure to potential victims occur promptly? I have not seen any explanation about why Monster.com waited close to a week before publicly explaining what happened. During this time period, hundreds of thousands of consumers could have become unwary victims of identity theft or extortion. The delay may have been appropriate to learn more detail about what happened but I cannot find any company explanation. Do you think the company acted appropriately? Will this recent data intrusion affect your interest in doing business with Monster.com or any other electronic commerce vendor? Will it heighten awareness of data security needs? Do you think electronic commerce and computer security will improve in the days and months ahead? I'd like to hear your thoughts.

Originally posted at InjuryBoard by Staff Writer

Former Employee Steals Personal Data on 2.3 Million

Staff Writer — Tue, 10 Jul 2007 10:00:00 GMT

A company providing check authorization services became the most recent target of data theft. An apparently "rogue and dishonest employee" recently stole personal and confidential information about approximately 2.3 million customers and then sold this data to various direct marketing companies leaving behind millions of possible identity theft victims. Although, other than for marketing purposes, this theft has apparently not yet led to the improper use of personal information. However, it did lead to the sale of customer data. This most recent data theft presents yet another internal data security concern and highlights why data protection and security must be prioritized.

Originally posted at InjuryBoard by Staff Writer