US federal investigators have charged three men they say were involved in a massive identity theft scheme that spanned three years, involved more than 30,000 victims and, so far, has resulted in more than US$2.7 million in losses.
The scam is thought to be the largest in U.S. history, according to a statement issued by the U.S. Attorney's Office for the Southern District of New York.
The Federal Bureau of Investigation (FBI) has arrested Philip Cummings, who is alleged to have started the scam while he worked on the help desk at Teledata Communications Inc. (TCI), a company in New York that provides banks and other entities with computerized access to consumer credit reports from the three commercial credit history bureaus -- Equifax, Experian Information Solutions and Trans Union LLC.
Authorities said that beginning in 1999, Cummings, who worked at TCI until March 2000, had access to the passwords and codes used by TCI's customers to download consumer credit reports for business purposes. With these codes he was able to access credit reports for himself, authorities charged.
They also alleged that Cummings gave those passwords and codes to an unidentified co-conspirator and received US$30 for each credit report obtained using the stolen codes. That information was then passed on to at least 20 other people, authorities said. Cummings was still able to access the information after he left TCI, officials said.
In addition to Cummings, the FBI charged Linus Baptiste with wire fraud in connection to the case. They also arrested Hakeem Mohammed, who pleaded guilty to charges of mail fraud.
For proprietary and security reasons, the companies involved, including Ford Motor Credit and Teledata, would not comment on the security measures in place at the time of the alleged theft or the steps they might have taken to minimize any future risk. However, they did say they are cooperating with authorities in the investigation.
Analysts said that to guard against such theft, companies should follow a combination of common-sense high-tech, low-tech and no-tech security procedures.
On the high-tech end, companies should encrypt stored data so that even if an unauthorized person is able to access sensitive information, he wouldn't be able to make sense of it, according to Alan Brill, senior managing director of technology services at New York-based Kroll Inc., a security consulting company.
Low-tech security measures include checking for dead accounts and denying access to the network to anyone who has left the company.
"Companies probably remove those people from their e-mail accounts, but don't think to deny them access to the network," said John Pescatore, an analyst at Gartner.
As for low-tech measures, the analysts agreed that enterprises should always do background checks on potential employees, especially those with access to sensitive data.
Pescatore and Chris Rouland, director of X-Force at Internet Security Systems, said companies such as Ford and Washington Mutual Bank also had a responsibility to pay attention to the security procedures of their business partners, including insisting on periodic security audits and vulnerability assessments.