3.3 Million Student Loan Records Stolen

Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.

The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut.

The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release.

Law enforcement has been notified. “ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation,” it said in a statement.

ECMC will send a written notification to affected borrowers “as soon as possible” and offer them free services from Experian, a credit monitoring agency.

Data loss can occur in a variety of ways, including by remote hacking or employee theft. ECMC didn’t say whether the data taken was encrypted.

The information could be useful for data thieves, who use personal information to apply for loans and credit cards or to assemble portfolios for larger identity theft schemes.

ECMC’s data loss is significant but far short of some of the largest incidents.

More than 130 million credit card numbers were stolen around 2008 from Heartland Payment Systems, an attack ranked as the largest to date by DataLossDB, which tracks incidents. One of the hackers, Albert Gonzalez, was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

In 2006, a laptop and hard drive containing personal information of 26.5 million military veterans and their spouses was stolen from the home of a U.S. Department of Veterans Affairs employee.

My Identity was stolen on the internet

Not too long ago, I made a disturbing discovery. I received a statement in the mail for a department store credit card that I hadn’t authorized, and noticed a shipping address that was not my own. My name was listed on the bill, and my home address was recorded as the billing address – but the shipping address was for a location in an entirely different state.

I immediately called the credit card company to find out what was happening, thinking there must be some kind of mistake. I was connected with a helpful customer service representative who was able to quickly determine that I was a victim of fraud. Thankfully, she believed me when I insisted I had not authorized this card to be opened.

Once the customer service representative had notified her company’s fraud department, I asked if she might be able to give me any further information. She was very helpful and gave me the name of the person who had opened the account.

After hanging up with the credit card company, I immediately did a quick Internet search. Having the name of the woman who opened the account, and knowing the state where the products were sent, made my search rather easy. Soon I was able to locate a telephone number for the person who had opened this credit card in my name, without my permission.

I dialed the number and was a little surprised to hear an older woman’s voice on the phone. She was clearly unnerved when I told her my name and asked why she had opened an account using my identity. Out spilled her story of meeting a man with my name in an Internet chat room.

Nervously she shared how he had convinced her to open a few credit card accounts on his behalf. He gave her the necessary information and directed her to make store credit purchases at a major department store, a clothing store, and a toy store. I was a bit alarmed – the major department store was not the only place where an unauthorized credit card had been issued.

The woman continued to tell me that the impostor had convinced her he wasn’t able to purchase products from the United States on his own and needed her help. He told her she would be doing him a big favor if she would order items on his behalf, and have them sent to her address. Then, she was directed to ship the items to him at an address outside the country.

After kindly assuring this lady that I, in fact, had never authorized these purchases, she became filled with remorse, and stopped sharing any information with me. It was clear she feared some kind of punishment or revenge. I tried to calm her by informing her that she was also a victim of fraud, and ended our call by encouraging her to report this matter to her local police.

I then made calls to the other stores where the woman had opened credit accounts in my name. Fortunately, the fraud departments at each of the stores were able to successfully reverse the charges and close the accounts.

It did take a few weeks and some follow-up phone calls for the matter to be completely resolved with all the stores. However, it took longer to shake the feeling of being violated. It was unnerving to know that someone else had used my name and information to open a line of credit without my knowledge. It could happen again, and it could happen to anyone.

My Ebay Identity Theft Story

I’ve been a victim of identity theft not once, but twice. So, you can be sure that I’m always aware my identity can be stolen.

The first incident happened a few years ago. I was checking my bank account balance online when I noticed a problem. The bank showed I had $900 less in my account than I expected to have. I immediately called my wife to see if she might have made a purchase without telling me. Of course, she hadn’t. When I checked into where the money might have gone, I found out that purchases were being made on eBay—using my money!

My next step was to check my email to see if I could learn anything about these eBay transactions and get the problem resolved. When I tried to access my account, my email password wouldn’t work. The identity thief had not only taken my money, he had also changed my email account password!

By changing my password and gaining access to my email, he had been able to utilize my Pay Pal account on eBay, since Pay Pal was linked to my email. Without my knowledge, the thief had been making eBay purchases for sporting equipment in my name and having the items shipped outside the United States.

Once I figured out the scam and was able to regain access to my email, I could see messages the identity thief had written to the eBay sellers who had sold him products. One seller, upon seeing the account holder was a U.S. resident, had already questioned the thief about his request to ship items out of the country. Fortunately, now that I had control of my email account again, I was able to contact the eBay sellers myself and warn them about the scam so they would not ship any product.

My next step was to file a police report. Unfortunately, the police were not able to help me because the fraud had happened outside the United States. Sadly, this was out of their jurisdiction and there was nothing they could do for me.

I then contacted my bank where immediate action was taken. Next I contacted Pay Pal. They immediately froze my account so they could investigate further.

Although Pay Pal returned my money in less than two weeks, my account with them is still frozen to this day. I’ve been told I could have my Pay Pal account restored if I will simply send them my original marriage certificate and social security card. Unfortunately, I won’t be doing this since it could compromise the safety of my identity in the future.

I had to exchange a number of emails with eBay in order to restore my account with them. The identity thief had won 10 bids with my username, and there were a number of forms I had to fill out to cancel the purchases. I also changed my eBay user id and password to further protect myself.

My identity was stolen through no fault of my own. Pay Pal had recently been hacked into and most likely this is how the thief got access to my password. However, this hasn’t kept me from taking extra steps to protect myself. I now have longer, more difficult to remember passwords on my accounts—and I never share them with anyone. I also check my credit report regularly to confirm everything looks as it should. Although this situation ended well, it was a hassle to get it resolved and I wouldn’t want to go through this again.

Feds Charge California Woman With Stealing IDs From the Dead

Federal prosecutors this week charged a Southern California woman with aggravated identity theft and other crimes for allegedly using a popular genealogy research website to locate people who had recently died, and then taking over their credit cards.

Tracy June Kirkland, 42, allegedly used Rootsweb.com to find the names, Social Security numbers and birth dates of people who, shall we say, had no further need for their consumer credit lines. She then “would randomly call various credit card companies to determine if the deceased individual had an … account,” according to the 15-count indictment (.pdf) filed in federal court in Los Angeles Tuesday.

She’d then persuade the issuer to change the mailing address for the dead victim to one of her many rented mail drops in Orange and Riverside counties, and in some cases she’d add her own name as an authorized user of the card, prosecutors say. The lenders included Nordstrom Federal Savings Bank, Macy’s and GE Money Bank.

At least 100 of the dearly departed were allegedly used in the scheme, which prosecutors say began in October 2005 and continued until last month. The indictment charges that Kirkland obtained various unspecified goods and cash advances.

Rootsweb, run by Provo, Utah-based The Generations Network, is a genealogical research site offering a wealth of resources. One of them is free, up-to-date access to the Social Security Administration’s Death Index, a list of people who have died, along with their birth dates and Social Security numbers.

Ironically, the government produces the monthly Death Index so that banks and other lenders can prevent people from applying for credit using a dead person’s information — the index is made public by the Department of Commerce under the Freedom of Information Act. The caper Kirkland’s accused of mastering apparently exploits a loophole, by taking over accounts that are already open.

Dorothy Clark, spokeswoman for the Social Security Administration, says she’s not aware of any prior cases of the index being used to perpetrate fraud, instead of prevent it. “None that I can attest to,” she says. “Nothing that I can say concrete.”

Rootsweb spokesman Mike Ward says the company hears rumors or speculation once or twice a year about people using the Death Index for identity theft, but that this is the first prosecution he’s aware of.

“The reason the Social Security Administration has it out there is to prevent fraud, and when it’s used to perpetrate fraud it’s because not all the checks and balances were in place on the financial institution’s end,” says Ward.

“Genealogists use it as one of many tools, like the census records or birth and death records, to fill in their family tree,” Ward adds.

Kirkland is also charged with unauthorized access to a computer, for allegedly hacking into Gallagher Bassett Services, and using the claims management company’s Citicorp bank account number to plunder $47,500 in cash.

Citibank Hack from Russian Cyber Gang Blamed for ATM Crime Spree

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank’s systems, experts say.

“We’ve never heard of PINs coming out of the bank environment,” says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information.

Credit card and ATM PIN numbers show up often enough in underground trading, but they’re invariably linked to social engineering tricks like phishing attacks, “shoulder surfing” and fake PIN pads affixed to gas station pay-at-the-pump terminals.

But if federal prosecutors are correct, the Citibank intrusion is an indication that even savvy consumers who guard their ATM cards and PIN codes can fall prey to the growing global cyber-crime trade.

“That’s really the gold, the debit cards and the PINs,” says Clements.

Citibank denied to Wired.com’s Threat Level that its systems were hacked. But the bank’s representatives warned the FBI on February 1 that “a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached,” according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray.

Federal prosecutors in New York have charged 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, with access device fraud for allegedly using the stolen information to go on a cash-withdrawal spree. Ryabinin, who is allegedly an active member of underground credit card fraud forums, is not charged with the intrusion itself. He and a co-defendant “received over the internet information related to Citibank customers, which information had previously been stolen from Citibank,” according to an indictment (.pdf) in the case.

Also charged is 30-year-old Ivan Biltse, who allegedly made some of the withdrawals, and Angelina Kitaeva. Ryabinin’s wife is charged with obstruction of justice in the investigation.

In addition to looting Citibank accounts, Ryabinin is accused of participating in a global cyber crime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines “around the world,” according to Murray’s affidavit, resulting in a staggering $5 million in losses.

Ryabinin was allegedly responsible for more than $100,000 of the stolen iWire cash, which he pulled from Brooklyn ATMs. St. Louis-based First Bank, which issued the cards, declined to comment on the matter, citing the ongoing prosecution.

At the time of the ATM capers, FBI and U.S. Secret Service agents had already been investigating Ryabinin for his alleged activities on eastern European carder forums.

Ryabinin allegedly used the same ICQ chat account to conduct criminal business, and to participate in amateur radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by ATM cameras in the New York Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.

Notwithstanding the court documents, Citibank said in an e-mailed statement that it was not the source of the breach. “There is no evidence that Citi servers were compromised in connection with this fraud,” the company wrote.

Asked about Citibank’s denial, a spokeswoman for the United States Attorneys Office for the Southern District of New York, which filed one of the criminal complaints in the case, said the office would not comment beyond what was in court documents.

Citibank added that it does not hold customers responsible for fraudulent withdrawals, but would not disclose how many customers were affected. Spokesman Robert Julavits did say in an e-mail that “Citibank has complied with all applicable notification requirements.” Under New York’s Information Security Breach And Notification Act, companies must generally warn consumers of data breaches in the “most expedient time possible.”

The timing of the caper — which prosecutors say began in October — overlaps Citibank’s previously-unexplained lowering of ATM withdrawal limits in New York last December.

Citibank was taciturn at the time, when New Yorkers began noticing that their ATM withdrawal limits had been slashed in half. The bank told the New York Daily News that the move was a response to “isolated fraudulent activity” in New York.

In an earlier incident in 2006, Citibank put transaction holds on some Citi-branded MasterCard debit cards. In that case, the action was later linked to a breach at office-supply retailer OfficeMax. That intrusion remains unsolved.

In the new case, the FBI affidavit says that Citibank knew by February 1 which accounts were leaked, but it left those accounts open while the fraud unfolded.

“Citibank identified all of the account numbers involved in ATM withdrawals during the period that the server was compromised … and established a fraud alert system that notifies Citibank each time one of the compromised Citibank account numbers is used,” the affidavit reads.

That language suggests that the attackers may not have had access to stored account numbers and PINs, but instead were tapping into transactions in real time to vacuum up PIN codes as they flew past.

Woman Steals Babysitter’s Identity – How Ironic!

When you hear stories that involve identity theft between a woman and her nanny, you would normally conclude that the nanny is stealing from the mother. Most likely visions of Rebecca De Mornay and scenes from The Hand That Rocks the Cradle flash through your head. This time it was the nanny who was victimized.

Ramie Marston, the mother in this case, is awaiting sentencing for stealing her nanny’s information and making fraudulent purchases while using her name. Shortly after offering the nanny a rent-free stay in Marston’s previous house, Marston began using the nanny’s name and credit with six different creditors and a luxury car agency. Final tally in the nanny’s name? Nearly $62,000.

Marston pled guilty to the charges but filed for bankruptcy to try and avoid paying back the money. The judge in her case still ordered her to pay back the $62k at $500 a month (that’s 124 months — or ten years and four months of repayment). That would be the end to a typical identity theft case, but Marston isn’t a traditionalist. Instead, while sentencing is still pending for the nanny’s theft, Marston decided to steal a businessman’s identity and charge up $8,000 of debt. What were some of Marston’s (sure to be) pre-jail spending spree purchases? $1,179 worth of fine eating at area restaurants, $945 for furniture, a hotel stay to the tune of $485.33, $171.61 worth of iTunes to rock out to, $1,509 in groceries (she sure likes to eat!), $500 to a children’s camp, $312 to buy a puppy from the SPCA and an unknown amount to pay a criminal fine owed by her newlywed husband.

What a catch!

CEO Todd Davis Explains How LifeLock Works and New ID Protection Services Video

LifeLock Announces New Services That Help To Combat Identity Theft

LifeLock, the industry leader in proactive identity theft protection, today announced the implementation of a new and innovative identity protection system that will provide better and broader protection to current and prospective members. The new system features some of the most sophisticated technologies available, including scientific modeling and multi-point data mining to identify fraud and help protect consumers.

“The implementation of our new identity protection system reflects LifeLock’s unyielding commitment to innovation, consumer protection and industry-leading best practices,” said LifeLock CEO Todd Davis. “Criminals are devising increasingly complex schemes to defraud consumers. Our services must constantly evolve so we are not one, but two, steps ahead.”

LifeLock’s better and broader identity protection system will:

  • Use more sophisticated and more scientific algorithms to spot identity fraud.
  • Examine patterns over time across the entire network to help predict future identity risks and vulnerable members.
  • Mine more data sources than the credit bureaus. These additional data sources include retailers, banks, mortgage lenders, utilities, and auto lenders.

In addition to this new identity protection system, LifeLock continues to provide members with a full suite of personal protection services – including WalletLock™, eRecon™, TrueAddress™ and of course our $1 million total service guarantee in the event you become a victim of identity theft due to a failure in our service.

LifeLock’s new system, which will replace fraud alerts as one of the company’s primary consumer protection mechanisms, will be deployed in the coming weeks.

Identity theft costs Americans more than $1.8 billion annually, according to the Federal Trade Commission, and the latest FTC reports show the number of identity theft complaints has grown by 80 percent since 2000.

Federal Reserve Board Chairman Ben Bernanke Victimized by Identity Fraud Ring

If ever there were living proof that identity theft can strike the mighty and powerful as well as hapless consumers, look no further than the nation’s chief banker: Ben Bernanke. The Federal Reserve Board chairman was one of hundreds of victims of an elaborate identity-fraud ring, headed by a convicted scam artist known as “Big Head,” that stole more than $2.1 million from unsuspecting consumers and at least 10 financial institutions around the country, according to recently filed court records reviewed by NEWSWEEK.

Last summer, just as he was dealing with the first rumblings of the financial crisis on Wall Street, Bernanke learned that a thief had swiped his wife’s purse—including the couple’s joint check book. Days later, someone started cashing checks on the Bernanke family bank account, the documents show. “It’s fair to say he was not pleased,” said one close associate of Bernanke, who asked not to be identified discussing what the Fed chairman considers a private matter.

The theft of the Bernanke check book—never publicly revealed until now—soon became part of a wide-ranging (and previously underway) identity-theft investigation by the Secret Service and the U.S. Postal Inspection Service. The probe culminated in recent months with a series of arrests, criminal complaints, and indictments brought by federal prosecutors in Alexandria, Va. The targets: members of a nationwide ring that used an inventive combination of old-fashioned thievery and high-tech fraud to loot the bank accounts of unsuspecting victims.

“Identity theft is a serious crime that affects millions of Americans each year,” Bernanke said in a statement provided to NEWSWEEK. “Our family was but one of 500 separate instances traced to one crime ring. I am grateful for the law enforcement officers who patiently and diligently work to solve and prevent these financial crimes.”

Identity theft is commonly associated with the heists of consumers’ credit-card information and other personal data by cybercriminals. But Bernanke appears to have been swept up in the case only by chance—and through the most ancient of street crimes.

On Aug. 7, 2008, the Fed chairman’s wife, Anna Bernanke, was at a Starbucks, not far from the couple’s Capitol Hill home, when her purse was snatched off the back of a chair, according to Washington, D.C., court records. Among its contents: her driver’s license, Social Security card, four credit cards, and a book of Wachovia bank checks from the couple’s joint checking account. Printed on each check were the Bernankes’ bank-account number, home address, and telephone number. Anna Bernanke reported the missing purse that day to the D.C. police.

But as it turned out, the perpetrator was no ordinary thief: he was working for a sophisticated crime ring that federal agents and the police in several states had been investigating for months. In the Chicago area, where some members were based, the ring went by the street name of “Cannon to the Wiz.” (The term “cannon” is slang for pickpocket.)

One of the group’s ringleaders, Clyde Austin Gray Jr. of Waldorf, Md., pleaded guilty to conspiracy to commit bank fraud in federal court in Alexandria, Va., just last month. Gray (who was known to members of his ring as Big Head) employed an army of pickpockets, mail thieves, and office workers to swipe checks, credit cards, military IDs, and other personal records, according to his plea agreement and other court records filed in his case.

One member of the ring had infiltrated an office of the Combined Federal Campaign, the official U.S. government-sponsored charity, and supplied the crime ring with stacks of checks mailed in by federal workers, the records show. Another worked in a Washington, D.C., doctor’s office, with access to patients’ records and their bank-account information.

The group’s members also often traveled around the country targeting sporting events, such as this year’s NCAA basketball Final Four tournament in Detroit, according to Donna Pendergast, an assistant Michigan attorney general who had her wallet swiped by a member of the ring after attending one of the games. Pendergast, who wrote an account of being victimized by the group last April on a blog called Women in Crime, told NEWSWEEK that the robber was so adroit he managed to lift the wallet from her purse without her even knowing it. “They took it right out of my purse while it was on my shoulder,” she said. “I didn’t feel a thing.”

After obtaining drivers’ licenses and military IDs, the thieves took bundles of their freshly pilfered loot wrapped in rubber bands to cars parked on the street. Other members of the group waiting in the cars—equipped with laptop computers, scanners, and printers—then quickly reproduced phony new driver’s licenses and IDs using the names of the victims, but substituting the victims’ photos with those of Cannon to the Wiz members.

There is no evidence that the group reproduced a fraudulent driver’s license in Anna Bernanke’s name. But one of its members did allegedly put the Bernankes’ joint checkbook to illicit use in a complex financial fraud that federal prosecutors described as a “split deposit” transaction.

Six days after the Starbucks snatch of Bernanke’s purse, an alleged member of the ring named George Lee Reid walked into a Bank of America branch in suburban Prince George’s County and posed as another identity-theft victim, identified in a federal affidavit as “K.N.” (The person had reported his wallet stolen a few days earlier, court records show.)

Reid deposited two fraudulent $900 checks into K.N.’s bank account—one of them from the Wachovia account of “Ben S. Bernanke and Anna Bernanke.” Having inflated K.N.’s account with the fraudulent check from the Bernankes, Reid simultaneously cashed two other fraudulent $4,500 checks that were made out to K.N. from a third victim, according to federal prosecutors. When all was done, he appears to have walked out of the bank with $9,000. (The Fed chairman had alerted Wachovia after the theft of his wife’s purse and suffered no financial loss in the transaction, the Bernanke associate said.)

When federal agents busted the identity-theft ring earlier this summer, Reid was named as a co-conspirator in a 22-page affidavit signed by a U.S. postal inspector. But the names of the victims, including Bernanke, were concealed; the complaint referred to the victims only by their initials, referring, for example, to one of Reid’s victims as “B.B.”

However, a separate criminal complaint against Reid filed last fall in D.C. Superior Court (and overlooked until now) spelled out the full name of the Fed chairman: Ben S. Bernanke.

Reid’s lawyer in the D.C. case, where the charges were ultimately dropped, did not return a phone call seeking comment. But a federal law-enforcement official—who asked not to be identified discussing an ongoing case—says there is now an outstanding arrest warrant for the man who allegedly scammed the Fed chairman and used his checkbook. “We’re looking for him,” said the official.

24-year-old Illinois man charged with identity theft at Lewis and Clark Community College

EDWARDSVILLE, Ill. (AP) – A southwestern Illinois man is accused of using a college’s computer lab to commit identity theft.

Madison County prosecutors have charged Matthew Cornelius, 24, of Granite City with felony identity theft.

Authorities say Cornelius wasn’t enrolled at Lewis and Clark Community College when he was allowed to use the school’s computer lab last week to look for jobs for a woman who accompanied him.

But authorities say a lab worker noticed that Cornelius had gotten a Social Security number on the Internet for an Arizona resident born in the mid-1950s and used it to register on two gambling Web sites. The student worker notified authorities but Cornelius wasn’t in custody Monday morning.