Identity theft can happen so suddenly and so quickly that a simple unexplained purchase on an account can trigger months of investigation and frustration, and hundreds of hours spent preventing serious financial losses. Just ask Suzanne Finch.
"Once your information is out there, it can be compromised at any time," she said. "It can happen to anyone."
As Chief Communications Officer for the College of Business Administration at San Diego State University (SDSU), the sharp-tongued and sharp-witted Finch is accustomed to pressure-cooker situations. So it was that when she noticed an unexplained attempt to charge $2900 to her MasterCard, she didn't waste any time digging in to investigate the problem.
"I applied for a Sears store credit card in 1985," Finch told ConsumerAffairs.com. In 2001, Sears turned over their card accounts to Citibank, which converted them into true MasterCard credit cards -- apparently a perfectly legal practice."
In June 2007, Finch received notice that her card information had been used to make purchases at Stein Diamonds, an online jewelry store in Los Angeles. Finch's personal information had also been used to open up another new credit account in her name, but without her consent.
"The thieves used the Internet to change the billing address for the card to one...in Indianapolis, Indiana," Finch said. "I contacted Stein Diamonds to find out it was they who contacted Sears CitiBank MasterCard...they had noticed an unusually large amount of activity coming from Sears Citibank MasterCards. It was only after Stein alerted Citibank that I received the call from [Citibank]."
Finch filed reports with the police in San Diego and Indianapolis. Indianapolis police detective Brett Seach was assigned to her case and visited the address being used as Finch's, and found it was a freight forwarder shipping goods to Russia.
The freight forwarder noticed the unusual amount of activity and contacted another detective in Seach's division to investigate. The police told Finch they suspected a data breach inside Citibank, "but could do nothing."
Finch estimated she spent roughly 600 hours dealing with the breach, including setting up fraud alerts on her credit reports and "hours and hours on the phone with Citibank." She also contacted the Identity Theft Resource Center in San Diego for assistance. Statistics from the Center indicate that the average identity theft victim spends $6,000 and 600 hours dealing with fallout from the breach. Finch was "dubiously honored" to find out she was a leading statistic.
But the story doesn't end there.
In October 2007, Finch found a post on the Free Money Finance blog detailing a case of a data breach and identity theft remarkably similar to hers, dated August 14, 2006.
"Both my wife and I had out IDs stolen this year," a reader wrote. "[T]he first card was opened in my name at Sears (whose credit is run by Citi) and the thieves spent $2400. Citi thought that this was unusual, so they red flagged it, and found out that the phone number the thieves put down didn't match the one on my credit report. They called me to ask if I had opened an account in Phoenix that morning. Living in Oregon, I told them I hadn't. They closed the account and advised me to call the credit agencies, which I did, and put the fraud alert on my account. Good thing too, I stopped these bastards from opening 3 more cards in my name."
A furious Finch contacted Citibank again as well as the Attorney General of South Dakota, where Citibank's credit card division is located. Citibank representative Mark Browne responded to her in November 2007, saying that the bank "had no knowledge of any compromise," and that this was an "isolated incident" not related to a system breach or an "unauthorized release of cardmember information" by Citibank or Sears.
"Information compromises can happen at a variety of places external to Citibank," Browne wrote. "[W]e have no way of identifying when or where your personal information was compromised."
But Finch wasn't convinced.
"Even if Citibank wasn't responsible, all of the paths lead back to them," Finch told ConsumerAffairs.com. "They told me the information might've been stolen from a doctor's office or an employer," she said.
Finch sent her case to the FBI, which passed it through multiple agents before telling her again that there was no way to follow up on what happened.
"I had three attorneys on the case, all of whom advised me that Citibank is only obligated to alert customers, not fix the security breach for which they may be responsible, or provide assistance to identity theft victims. There's simply nothing anyone can do."
Finch also found Citibank's offer of a year of free credit monitoring insufficient. "One year's just not enough, particularly when more fraudulent activity could happen at any time. I want to be able to monitor my credit on a long-term basis without having to pay for something that wasn't my fault."
What Really Happened?
"Flipping" store cards into true credit cards, without the cardholder's consent or sometimes even without their knowledge, is indeed a common practice in the industry, especially by Citibank.
Macy's store card owners had a similar experience to Finch's in October 2007, when many of their cards were converted into Citibank MasterCards, often with different interest rates and terms. Not only does the conversion potentially harm the cardholder's credit rating, it also creates a brand-new account that identity thieves can use to buy merchandise or open other new accounts.
In March 2006, a few months before the August fraud incident that was similar to Finch's, Citibank shut down thousands of its ATM and debit cards in several countries as a result of a breach of the network used to process payment transactions on behalf of Visa, who co-owned the Citibank debit cards.
Neither Visa or Citibank would comment on the particulars, but industry analysts pieced together that a contractor may have been storing personal identification numbers (PINs) without sufficient security, enabling hackers to steal the numbers and create "clone" cards to make withdrawals from unsuspecting victims' accounts. While debit cards were chiefly affected by this breach, someone may have gotten access to Finch's information and held onto it to use later.
The truth is that there may never be a way to detail what happened.
The financial industry has made an art of revealing only the barest amount of information about any data breach to the public, regularly claiming that there was no evidence of fraud or theft at the time, offering free credit monitoring to the affected, and simply moving on without any large-scale efforts to improve security or provide consumers more options.
Finch's colleague at SDSU, associate professor Murray Jennex, is a certified information security professional and identity theft expert. In an article for SDSU's "Insights Executive Education" magazine, Jennex said that "Eighty percent of the risk for security breaches come from within the company while 20 percent of the risk is from outside the company. A lot of it comes from disgruntled employees or people who aren't aware of what they need to do for security."
"It takes a lot of intelligence to be good at security because there's so much technology and so many things to learn about your particular systems so that it can be implemented properly," Jennex wrote. "On the other hand, the tools are so easy to use that you don't have to be all that smart to be an effective hacker. And most of these tools are available online, for free."
Suzanne Finch is one of the luckier ones. She suffered no financial losses from the breach, and moved quickly to get assistance from experts in the fraud and identity theft realm with her case. But she recognizes that her personal information -- her life -- "is seriously compromised. This could keep you from buying a home," she said.
"There's no justice," Finch said. "In the end, all we have is our good name, and we have to do all we can to protect it."