With the economic crisis and the Presidential election dominating the news, identity theft is no longer the hot-button topic it once was. Yet for people who have been caught in data breaches, the possibility that their information could be used against them in any number of ways is still a very real and very immediate concern.

Just ask Suzanne Finch. A year after she discovered that her personal information had been used to open up new credit card accounts in her name and make purchases without her permission, she is still searching for answers and running into a wall of silence everywhere she turns.

It was in June 2007 that Finch was notified that her Citibank MasterCard--originally a Sears store credit card that had been "flipped" into a true bank credit card without her permission--was used to make purchases at online jewelry store Stein Diamonds.

When ConsumerAffairs.Com interviewed Finch in March 2008, her investigation had traced the fraud back to a potential data breach inside Citibank by Russian hackers. The source of the breach was never determined.

Although Finch canceled all of her credit accounts with Citibank, her Social Security number and personal information were still "in the wild," available for use by the black-market "underground economy" to create new "synthetic identities" pieced together from components of existing personal data.

Since March 2008, according to Finch, further investigation confirmed that there was a breach of Citibank's servers, but the financial giant refuses to admit it.

"Citibank wants to protect its stock prices and shareholders over its customers," Finch told ConsumerAffairs.com. "Ironically, they have also ended up as my mortgage holder, again, through acquisition of accounts." Finch wants extended credit monitoring of her mortgage account in order to protect her personal information from any potential misuse, but Citibank has thus far refused to grant it.

"Not at liberty to talk"

The Identity Theft Resource Center (ITRC) is the leading organization dedicated to helping victims of identity theft get restitution, as well as assisting law enforcement in identifying potential data breaches and tracking the culprits. According to the ITRC's executive director Jay Foley, who has been working with Finch, she has a case--"up to a point."

"Something definitely happened," Foley told ConsumerAffairs.Com. "For Citibank to admit there was a breach on their part would be an implicit admission of liability. They don't want to admit to anything one way or the other," he said. "No one's at liberty to talk."

Foley has been working with local authorities and the U.S. Secret Service to investigate the breach, but said there were "multiple potential sources of involvement. Credit card purchases go through multiple processing systems."

If there were concrete proof that Citibank was at fault for the breach, Foley said, Finch's case for extended credit monitoring would be a lot stronger, but the case would also set a precedent for other victims of identity theft to demand extended credit monitoring--which might actually be costly to banks.

The average credit card transaction is indeed not as simple as swiping your card at the register and having the purchase appear on your statement. The transaction is directed through processing networks before reaching the lender, and many of the networks are controlled by outside third-party companies. It was lax security in a processing network that enabled a ring of hackers to wirelessly access customer data from the TJX companies, leading to the biggest breach of personal data on record.

The ITRC reported in August that there had already been 449 separate security breaches of personal information in 2008, surpassing 2007's total of 447, but noted that the actual number of breaches may be greater due to underreporting and the counting of multiple reported events as a single event.

"Looking for a culprit"

Ted Manjoras is Citibank's senior field investigator for security on the West Coast. According to him, Citibank may not have been the source of the breach, or they may have been--but he can't say either way.

"I can't talk about the specifics of the case," Manjoras told ConsumerAffairs.Com. "We don't know all the facets of the situation, so I can't come up with a definitive answer."

In general terms, Manjoras said that Finch "needs to find a culprit," and is blaming Citibank even though there is "nothing concrete to go on."

"Banks eat the losses 99 percent of the time in cases of identity theft," Manjoras said. "Merchants have been compromised by international crime rings many times, and no one wins if the business and victim are punished in cases like these," Manjoras said.

Manjoras said he was sympathetic to Finch, given that his own daughter was recently a victim of identity theft, but said that Finch's attempts to "push it further" by blaming Citibank were counterproductive. He also reiterated that he could not definitively state if the bank was or wasn't responsible for the breach.

When asked for more clarification, Manjoras referred ConsumerAffairs.Com to Citibank's General Counsel and Media Relations departments.

Disclosure isn't enough

California, where Finch lives, has some of the strongest data breach disclosure laws in the nation. It was California's notification laws that forced ChoicePoint to admit it had been scammed into giving 145,000 personal information accounts to a ring of Nigerian criminals in 2005. The ChoicePoint incident triggered a cascade of new reporting on the dangers of data breaches, and the passage of many new laws on state and federal levels governing personal information.

But research has shown that data breach disclosure laws do little to actually prevent identity theft, and that without adopting both stronger security procedures and more accurate reporting of data breach incidents, any collected database of personal records is a potential breach waiting to happen.

The major credit card companies have adopted the Payment Card Industry Data Security Standards (PCI DSS) as a set of governing principles for how cardholder data should be collected and transmitted. In recent months, the PCI has focused more attention on Web-based financial applications, such as online payments, in order to continually strengthen security procedures against any avenue of attack.

But critics say that the PCI's penalties for lax security procedures are weak and rarely come back to the financial institutions, which usually blame the card processors for gathering and maintaining too much data on a customer.

California's state legislature recently passed new measures for retailers to disclose more information about breaches and to adopt stronger security standards such as data encryption, but the bill was vetoed by Governor Arnold Schwarzenegger.

"As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger wrote.

What next?

Identity theft can be a crime that takes literally years to even recognize, as hackers are increasingly savvy when it comes to purloining data. Rather than using it immediately to commit fraud, they often wait months or years, selling and reselling the information in the black market.

And though it's relatively easy to cancel credit cards that have been compromised, changing a Social Security number is incredibly difficult, making it the primary target of any enterprising cybercriminal.

The typical response of a private business or government agency is to offer credit monitoring for a limited time to the affected--usually six months or one year. But not only does credit monitoring not detect many forms of identity theft, all the thieves have to do is wait until the monitoring expires before they reuse the stolen data.

All of this leaves Suzanne Finch and those like her wondering when the day will come that they'll be turned down for a loan or otherwise penalized simply because someone else has access to their identity.

Finch is relatively lucky in that she suffered no direct financial losses, but she says that the cost of compromising her identity is about more than money.

"Citibank acquired my most personal information - my identity - then either through their own actions or those of their partners, carelessly allowed my identity to be stolen," Finch said. "Now they want to refuse me the opportunity to protect myself from their carelessness by denying me access to continued monitoring of my credit report, which would cost them little or nothing."