Computer Crime Research Center


Hunting for ID

Date: January 11, 2006
By: Dayana Yochim

H&R Block (NYSE: HRB) sent out an unwelcome promotional gift over the holidays -- free tax preparation software. The objectionable surprise wasn't the contents of the box; it's what was printed on the mailing label.

Next to the recipient's name and address was a 40-character source code containing the addressee's nine-digit Social Security number. For alert fraudsters, it was one special delivery.

According to the company, the inadvertent glitch was included in less than 3% of the promotional mailings. (The expanse of the campaign was not made public.) Within 72 hours of the December mailing mishap, H&R Block notified customers whose private data it broadcast via the postal system.

Unfortunately, this is the season when such data is legitimately plastered all over the place. We're now entering the identity thief's version of the annual donor drive.

When wheels are a steal
"January is when we all get our tax documents from banks, credit unions, brokerage houses, state and federal governments, and employers. And thieves know this," says credit expert John Ulzheimer, formerly of Equifax and Fair Isaac (NYSE: FIC). These documents contain the magic ingredient that's missing from most mass mailings -- our Social Security numbers. "The Social Security number completes the loop on what most lenders require to complete some sort of credit application," Ulzheimer says.

It was June when Laura, a technology consultant in Jacksonville, Fla., got a past-due notice for a car loan for a $52,000 Corvette. The problem was that Laura and her husband hadn't purchased a Corvette -- they owned their cars outright. When she called the dealership, she found out that someone fraudulently used her name, address, and Social Security number to get a loan and keys for the car, she told

Later, Laura learned that the actual theft of her identity had taken place in late January. The timing was no coincidence: The fraudster (who was caught) admitted that she targeted mailboxes in Laura's townhouse community when she knew paychecks and bills would arrive. During the last two weeks of January, she struck gold daily, prying open the mailboxes with a knife to get to W-2s, 1099s, and other information-rich tax-related documents.

It's one thing when thieves pick our locks. (According to a recent CNET article, only about 8% of identity theft cases were linked to mailbox breaches.) It's quite another when the companies that compile and profit from this data practically hand the butter knife to bad seeds.

Your very public privacy
The H&R Block blunder is just the latest high-profile data breach at companies entrusted to store and secure personal consumer information.

Last year, data warehouse ChoicePoint (NYSE: CPS) made headlines after it admitted unwittingly giving database access to fraudsters, who then used the information to get into a reported 144,000 individual files and rip off at least 700 people. More than 300,000 files were breached at LexisNexis (owned by Reed Elsevier Group (NYSE: ENL), a company that compiles and sells consumer personal and financial data. Time Warner (NYSE: TWX) reported that a cooler-sized container filled with 40 computer backup tapes with the names and Social Security numbers of 600,000 current and former employees and contractors, as well as the information of some of their dependents and beneficiaries, was misplaced by an outside storage company it had hired.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo