The main problem with trying to protect yourself from identity theft is that even if you personally do everything right — say, you're a professional IT- and financial-security genius whose home computer and personal documents are 100% hackproof, theft-proof and malware-proof — you're still at risk from every company, corporation, financier, lender, service provider or governmental organization you ever do business with.
So you can do everything right and still be at risk because you used a credit card at Target or Sally Beauty Supply or P.F. Chang's or any other business that went on to lose customer data to a hacker.
Or maybe you're at risk because you're a legal, licensed driver, and identity thieves broke into your state DMV database.
Or it could simply be that you're an American citizen or resident with any credit history at all, and that's how information about you ended up on the Experian database that became available to an identity thief way the heck over in Vietnam.
You can also be at risk if ever you contacted the call center of a given company. Last June, AT&T announced that some of its customer Social Security numbers and call histories had been stolen. The hack occurred in April and was discovered in May, yet not until June did AT&T publicly announce it.
That said: AT&T's records weren't actually “hacked” in the sense that an unauthorized outsider managed to sneak into the database somehow. Instead, it was an internal security breach: employees of a call center took advantage of their position to steal information out of customer records.
On April 4, the U.S. Attorney's office for Florida's Southern District announced that it had charged eight people in an identity-theft scheme using information stolen from AT&T's customer files. None of the defendants actually worked for AT&T, though; instead, AT&T had hired Interactive Response Technologies, Inc. (IRT) to handle call-center duties, and one of the eight defendants worked for IRT.
This week, the U.S. Attorney's office announced that the first of those eight defendants, former IRT employee Chouman Emily Syrilien, was sentenced: 34 months in prison followed by three years of supervised release.
Four additional defendants have pleaded guilty but not been sentenced yet.
The whole package
Exactly what customer data did IRT employees have access to, anyway? According to the indictment, pretty much everything an identity thief needs to operate: name, address, e-mail, telephone number, Social Security number, date of birth, credit and debit card account and verification numbers, personal identity numbers and passwords.
Once they had your bank, credit or debit card information, they added themselves as additional “authorized users” without your consent or knowledge, and went on to make unauthorized charges or cash withdrawals in your name.