Sunday, September 21, 2008

Britain - Here We Go Again!

Another British data blunder: Stolen bankruptcy agency laptop had personal info.

LONDON (AP) - The British government has admitted another data loss blunder: Its bankruptcy agency has lost a laptop carrying personal information on more than 100 former company directors.
The Insolvency Service says four laptop computers were stolen from its office in the northern English city of Manchester. It says one of them carried documents that "may give cause for concern."
The service said Wednesday that information on 122 former company directors was lost in the theft, as well as information on an unknown number of creditors, investors and employees.
Britain's government has been humbled by a series of data losses even as it attempts to roll out an ambitious national identification card. Medical, prison, and military records have been stolen or disappeared in recent months.

When will this nightmare end? One problem is that NO ONE is ever punished for putting people at risk. It's always "Oh, it was an oversight. No one is at fault."

If a bus driver in London injured or killed you because of sheer negligence they'd be prosecuted.

If bureaucrats knew they would be fined and do jail time they might remember to keep their laptops and other sensitive data secure! IT misuse is just as dangerous as other negligence.

Here is the full miserable record of the British government.

Home Office has lost 43 laptops and 94 mobiles in three years
The Home Office has admitted losing 43 laptop computers and 94 mobile phones over the past three years, The Daily Telegraph can disclose.

By Christopher Hope, Home Affairs Editor
Last Updated: 11:39PM BST 24 Aug 2008

The news comes days after the department lost a memory stick containing the details of all 84,000 prisoners in England and Wales.

It has emerged that officials lost more than 300,000 people's details a month in the year to April.

That came on top of the loss of two CDs containing the entire child benefit database – containing the details of 25 million families – last November. The discs have still not been found.
Home Office data released in response to a question by the Tory peer Lord Hanningfield show that 43 laptops and 94 mobile phones have been lost or stolen at the department over the past three years – 15 laptops and 47 mobiles in 2007; 14 laptops and 10 mobiles in 2006; and 14 laptops and 37 mobiles in 2005.

Earlier this year, the Ministry of Defence said that almost 600 laptop computers had been stolen in the past decade.
That admission came after Des Browne, the Defence Secretary, had to make a statement to the Commons about the theft of a laptop containing the personal details of 600,000 people from a car in Birmingham.

A Home Office spokesman refused to say what was on the 43 laptops, but added: "We do not believe that any of the lost laptops contained sensitive or classified information."


Tuesday, September 16, 2008

One of our dear bloggers sent this warning. Some of you may have seen this but be forewarned and tell your clients, friends and family. - Thanks. Keep sending us stuff on ID theft.

For Immediate Release
Washington D.C.
FBI National Press Office
(202) 324-3691


Washington, D.C. - The FBI today is providing a warning to the public against an ongoing scheme involving jury service. The public needs to be aware that individuals identifying themselves as U.S. court employees have been telephonically contacting citizens and advising them that they have been selected for jury duty. These individuals ask to verify names and Social Security numbers, then ask for credit card numbers. If the request is refused, citizens are then threatened with fines.

The judicial system does not contact people telephonically and ask for personal information such as your Social Security number, date of birth or credit card numbers. If you receive one of these phone calls, do not provide any personal or confidential information to these individuals. This is an attempt to steal or to use your identity by obtaining your name, Social Security number and potentially to apply for credit or credit cards or other loans in your name. It is an attempt to defraud you.

If you have already been contacted and have already given out your personal information, please monitor your account statements and credit reports, and contact your local FBI office. Local FBI field office telephone numbers can be found in the front of your local telephone directory or on

For further information, please review the warnings posted on the U.S. Courts website at, "Newsroom" news article "WARNING: Bogus Phone Calls on Jury Service May lead to Fraud."


Saturday, September 13, 2008

Here We Go Again!

This headline in some form or another has become all too common. Sensitive information is stored on computers that are not well protected. Hackers breach the weak protection and steal information which can and will probably be used for malicious and criminal purposes.

U of I students' information was on breached computer

Register Correspondent

Iowa City, Ia. - The names and Social Security numbers of about 500 University of Iowa engineering students may have been stolen by computer hackers, the university announced Thursday.

The information was stored on a computer that was breached around Aug. 11 by hackers looking to use the machine as a server from which other users could access music and movies.

The computer system was taken offline after the breach was discovered in early August, according to Jane Drews, the U of I's information technology security officer. At that point, she said an extensive analysis was done to determine the depth of the breach.

It was during this analysis that U of I officials discovered the file that contained names and Social Security numbers.

School officials say there is no evidence the information in the file was accessed, but are warning students to monitor their credit information. No information pertaining to birthdates, grades or financial data was in the file, a university news digest said Thursday. The digest said a letter will be sent out to affected students.

Drews said the breach most likely occurred randomly, with one hacker targeting a multitude of systems to find a weak point. "It's kind of like going down the hall trying doors until you catch an open one," Drews said.

Senior biomedical engineering student Cori Thompson said the U of I should do more to protect sensitive information.

"That's extremely scary," Thompson said.

Extremely scary all right! But it happens every day and there is STILL no culture of information security.

Saturday, September 06, 2008

Want Most of Sarah Palin's SS #? It's on the Internet!

The recent sale of Iowans' confidential information (see last posting) raises serious questions about the commodification (also called commercialization) of America's personal data. We addressed this problem in two books and in all of our talks and training seminars. WE HAVE A SERIOUS PROBLEM because you are for sale! (Well, all the confidential data about you anyway.) Here is the latest proof that things are out of control.

Posted: Friday, September 5 at 05:00 am CT by Bob Sullivan

Part of vice presidential candidate and Alaska Gov. Sarah Palin's Social Security number apparently was published on the Web earlier this week, stirring up privacy concerns. The data – labeled as the first five digits of the candidate’s SSN – is widely available from background services like ChoicePoint or LexisNexis. In fact, such partial SSNs routinely appear on reports anyone could obtain on their neighbor or their nanny.

A report of the Palin SSN leak Tuesday on the Web site evoked memories of a scandal in 2006 that erupted after Democratic staffers obtained Republican Senate candidate Michael Steele’s credit report. But the incident involving Palin bears few similarities.

The first five digits of Palin's SSN appeared in a document posted on Politico, which described the paper as an "opposition document" compiled in 2006 on behalf of Tony Knowles, her Democratic opponent in Alaska's gubernatorial race that year.

The highly detailed 63-page document contains mostly newspaper clippings designed to call attention to Palin's positions on controversial topics like abortion. But in a section marked "Palin Background," a chart containing Palin's name, birthday and part of her SSN appeared. Various previous addresses also were listed. Palin’s campaign could not be reached to confirm the accuracy of the information.

Politico has since obscured all nine digits of Palin's Social Security number.

The site did not identify the source of the document, except to state in an accompanying story that it was not obtained from the Obama campaign. It did not immediately respond to inquiries from about the document.

Publication of the first five digits of Palin’s Social Security number does put Palin at a modest risk for identity theft, though someone would still have to guess the other four digits. (PS from Steffen Schmidt: This is the biggest understatement I have ever seen in my life! There is software that can very quickly "guess" those last 4 numbers. Moreover, most credit card, cell phone, satellite or cable and other contracts actually use the last 4 digits to verify that you are a customer, so anyone at any of these companies will know your last 4 numbers to verify!)

But those five digits would be easy for anyone to obtain. Services like ChoicePoint and LexisNexis provide partial Social Security numbers to customers who order background reports. ChoicePoint's policy, for example, is to obscure only the last four digits of SSNs, said company spokesman Chuck Jones.

Taken together with Palin's past addresses, that portion of the opposition document appears to be lifted directly from a commercially available background report.

The document also lists other personal information, such as the size of Palin's mortgages and the vehicle identification numbers for all 26 cars the Palin family has registered since 1994.

There's nothing illegal about obtaining such reports. Many companies use them to "background" potential employees, and journalists regularly use them as reporting tools.

That doesn't mean it's a good idea to sell any part of someone's personal information, but that's a debate that ranges well beyond this campaign.

Since many companies use the last four digits of a Social Security number as a password, revealing the first five SSN digits is generally considered less risky. In fact, the first three can be guessed with relative ease, as they are based on geographical birthplace.

Release of Palin's partial SSN reminded some observers of the Steele credit report incident. In 2005, two members of New York’s Democratic Sen. Charles Schumer's staff obtained a credit report for Steele, who was then Maryland’s lieutenant governor. Steele at the time was considered a likely GOP candidate for U.S. Senate in Maryland, and Schumer led the Democrats' effort to win a majority in the Senate. Steele eventually ran in 2006 and lost.

Obtaining a credit report without someone's permission is a violation of the Fair Credit Reporting Act. The staffers were fired.

We have written about this in both of our ID Theft books. Too little hard action by Congress and law enforcement!

The Palin background document and its partial SSN, while to some unsavory, should not be compared with the theft of a political opponent's credit report. But it is another opportunity to consider the uncomfortable ease with which people's personal information can be obtained without their permission, and the need to regulate the databases that track us.

Rob Douglas, who runs, said Congress has shirked its duties to rein in the collection and sale of personal information. As a result, criminals wouldn't have too much trouble getting the rest of Palin's SSN, he said.

"Social Security numbers are floating around all over the place. And for 10 years Congress has been dinking around on Capitol Hill, discussing what to do about it," he said.


Thursday, September 04, 2008

Iowa SS Numbers are "FOR SALE"! Come and Get 'Em!

You may have seen this in other newspapers like the Chicago Tribune because the AP picked up the story and my quote.

"The possible sale of the records raised red flags among some Iowans on Wednesday.

"Selling these, I personally believe, is not ethical," said Steffen Schmidt, an Iowa State University political science professor and co-author of "The Silent Crime," a new book about identity theft. "The responsibility of public agencies is to serve the public and it's not usually to turn their assets into commodities."

The headline read - "Planned sale of Iowans' records intensifies privacy concerns" By Jason Clayworth, September 4, 2008,
Operators of a public records Web site that lists the Social Security numbers of thousands of Iowans confirmed Wednesday that they have been attempting to sell the information to a real estate database company.

The site came under fire this week from privacy watchdogs who said personal data on it could lead to identity theft. Portions of the site containing personal data were temporarily shut down on Wednesday.

The site,, includes home mortgage records and other documents from each of the state's 99 counties. It is run by the Iowa County Recorders Association, a group of county officials who electronically post hundreds of thousands of public documents from the 99 counties.

"Iowa Land Records is a valuable and important resource to the real estate industry and to the citizens of Iowa," said Joyce Jensen, chairwoman of the Iowa Land Records governing board and Cass County recorder. "That value diminishes when information is restricted."

The recorders association this year negotiated selling its mammoth database and ongoing updates to Data Tree, a company that manages more than 4 billion records nationwide. Unsigned documents obtained by The Des Moines Register on Wednesday show Data Tree would have paid an estimated $11,750 a month for the information.

But recorders association officials agreed to temporarily hold off on the sale earlier this year after lawmakers expressed concern, a spokesman for the association said Wednesday.

Lawmakers have set up an interim committee, partly to review the possible sale. That committee will meet in November.

The possible sale of the records raised red flags among some Iowans on Wednesday.

"Selling these, I personally believe, is not ethical," said Steffen Schmidt, an Iowa State University political science professor and co-author of "The Silent Crime," a new book about identity theft. "The responsibility of public agencies is to serve the public and it's not usually to turn their assets into commodities."

The recorders association's Web site costs roughly $700,000 a year to run. It's paid largely by a $1 fee for documents that are recorded. In addition, most counties allocate $2,000 a year from their local budgets to support the project.

The unsigned agreement would prohibit Data Tree from disclosing confidential information to any third party.

The nearly $12,000-a-month income from Data Tree would help offset the site's costs, said Phil Dunshee, a project manager for The information would be more useful for companies if it were sold in bulk format so they wouldn't have to search for it document by document, he said.

"You've got companies that use this information for credit reports and other legitimate business purposes," Dunshee said. "These are not identity thieves we're talking about. They're in the real estate industry or their customers are in the real estate industry."

Bill Blue, president of the Iowa Land Title Association, said his group is concerned that the information could ultimately be sold to third parties and used to solicit Iowans. He pointed to articles in the Washington Post that have outlined how such public record sales in other states have been used to hawk everything from auto services to new cars to weight-loss programs.

Blue is also concerned that confidential information, such as Social Security numbers, won't remain confidential.

"If it's sold, it's gone. You can do all the redacting you want to your own records and it won't help," he said.

The New Jersey Supreme Court ruled last month that privacy interests outweigh the interests of companies that collect public real estate records for profit.

Similar rulings have been made in Kansas, Ohio, Pennsylvania and Massachusetts, according to Source of Title, a business industry support group based in Ohio.

Some Iowa lawmakers were worried Wednesday about the possible sale of the information.

"The information has generally been open to the public, but people who wanted to get it had to go to 99 different counties," said Sen. Steve Warnstadt, a Sioux City Democrat. He is a co-chairman of the legislative study committee on public records.

Sen. Steve Kettering, a Lake View Republican who is also a committee member, said he believes the public records should, at the very least, be sanitized of private information that may be used to steal identities.

"I'm concerned about the access that unscrupulous people have to the data that government collects," Kettering said.

All we can say to the Iowa government agencies is "Git 'Er Done!" The idea that each consumer has to request that Social Security numbers be removed from older posted records (before the use of the SS # was prohibited on these documents) is absurd! It is in the interest of the State of Iowa to protect all consumers proactively. If ID theft happens, the cost to the state of investigating and prosecuting is much higher than the expense of scrubbing old records.


Wednesday, September 03, 2008

Government Social Security Numbers. Come and get 'Em!

Here is why identity theft is so rampant! (sent by one of my PhD students who is an ID theft specialist). From the Des Moines Register, September 2, 2008 -
Thousands of Iowans' Social Security numbers – including Gov. Chet Culver’s – can be obtained online for free through a statewide Web site sponsored by elected officials.

The Web site,, includes home mortgage records and other documents from each of the state’s 99 counties. A national security watchdog is demanding the numbers immediately be redacted.

Access to Social Security numbers makes it easy for thieves to steal a person’s identity.

The Web site was launched in January 2005 by the Iowa County Recorders Association.

Records older than six years old commonly include Social Security numbers. Most newer documents do not include the numbers.

West Des Moines resident George Davey even found an old credit card number on one of his public documents posted on the Web site. After looking closer at the site, he was able to pull more than 50 Social Security numbers in less than an hour, including Culver’s and that of Iowa Secretary of State Michael Mauro.

“If I can get 50 Social Security Numbers in minutes, then just imagine how many a team of skilled hackers could get over a one month-long period,” Davey said. “Hackers are not the cause of identity theft, careless government agencies and holders of information, are the cause. Imagine what they already have.”

Betty Ostergren, a Virginia resident who runs her own watchdog Web site, is demanding the state protect its residents and immediately redact the numbers from the site. Otherwise, she's threatened to post the mortgage documents that include Culver's and Mauro’s Social Security numbers.

Ostergren’s husband was a victim of identity theft several years ago. She advocates for reforms on her web site:

“I am willing to print all three of these documents and more that I have downloaded if that site doesn't get shut down,” Ostergren said. “If they only black out just a few Social Security numbers like these people's, that is wrong and unfair to people who have no clue this is going on. They need to protect all or no one’s.”

Officials from the county recorders association couldn’t immediately be reached but a project manager for the Web site said the group works aggressively to keep such information private. For example, some records such as tax liens are not available for download because they often include Social Security numbers, said Phil Dunshee.

Dunshee acknowledged that there are Social Security numbers posted in many of the older mortgage documents. He said his group will redact the numbers when requested.

“Obviously this is a very important source of concern. We take it seriously. That’s why we have the policies that we do,” Dunshee said.

Mauro said he is concerned about the situation, noting that his office has, for years, removed Social Security numbers from voting records.

Culver spokesman Troy Price said this morning he too is concerned. He said the governor's office would respond after further reviewing the situation.

Lawmakers this year passed a bill that allows Iowans to place a “security freeze” on credit information, prohibiting thieves from opening unauthorized accounts.
A separate bill mandates that Iowans are notified by businesses if there's an unauthorized release of their personal information, such as their Social Security number or credit card number.

State Sen. Steve Kettering, a Lake View Republican, worked on a committee that successfully pushed for the notification law. Iowa government should take the same steps and send letters to each citizen if their Social Security numbers have been made public, he said.

"I've always been a believer that government ought to do what it requires private enterprise to do," Kettering said. "If the state has put people at risk, the state should take that step."

This is why we need to activate the Public Sources Identity Theft Protection Training and Education Program (PSITPTAEP) that we have been urging state governments around the USA to implement! Our own governments at the local, state and federal level are putting our confidential information out there so you don't even need to hack a web site!

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C