Law Firm Creates Possible ID Theft Problem
A swanky Manhattan law firm cleaned house by leaving six Dumpsters stuffed with confidential case files out on the street - exposing their clients' most personal information.
The private documents, mostly from the 1990s, included addresses, medical records and Social Security numbers, according to the New Your Daily News. The paper discovered the files along Trinity Place in lower Manhattan outside a back entrance to Frenkel Lambert Weiss Weisman & Gordon law firm. Several passersby were digging through the mountain of paper. "Dumpster Diving" is a common way to steal information.
Richard Lambert, a partner at the firm, said they recently began cleaning out their files from storage to get ready for moving their office. "We hired a licensed and bonded company to deal with the disposal of our files in a proper manner," Lambert said. "We are investigating this issue."
Labels: dumpster diving, law firm, personal information
Hit Man E-Mail Scam
The Internet Crime Complaint Center (IC3) continues to receive thousands of reports concerning the hit man e-mail scheme. The e-mail content has evolved since late 2006; however, the messages remain similar in nature, claiming the sender has been hired to kill the recipient.
Two new versions of the scheme began appearing in July 2008. One instructed the recipient to contact a telephone number contained in the e-mail and the other claimed the recipient or a “loved one” was going to be kidnapped unless a ransom was paid. Recipients of the kidnapping threat were told to respond via e-mail within 48 hours. The sender was to provide the location of the wire transfer five minutes before the deadline and was threatened with bodily harm if the ransom was not received within 30 minutes of the time frame given. The recipients’ personally identifiable information (PII) was included in the e-mail to promote the appearance that the sender actually knew the recipient and their location.
Perpetrators of Internet crimes often use fictitious names, addresses, telephone numbers, and threats or warnings regarding the failure to comply to further their schemes.
In some instances, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims’ PII are used in an attempt to make the fraud appear more authentic.
Below are links for the two previous public service announcements published by the IC3 concerning the hit man scheme:
1.
http://www.ic3.gov/media/2007/070109.aspx2.
http://www.ic3.gov/media/2006/061207.aspx Consumers always need to be alert to unsolicited e-mails. Do not open unsolicited e-mails or click on any embedded links, as they may contain viruses or malware. Providing your PII will compromise your identity!
Individuals who receive e-mails containing threats of violence and their PII are encouraged to contact law enforcement as well as file a complaint at www.ic3.gov.
Courtesy of
FBI.gov.
Labels: "hit man" scam, internet crime
San Francisco Airport Security Scare
A laptop that contains the personal information of some 33,000 customers of an airport fast-pass program was found Tuesday morning after being reported stolen from San Francisco International Airport on July 26, a spokeswoman for the company that runs the program said.
Allison Beer, a spokeswoman for Verified Identity Pass Inc., said the laptop was found tuesday morning in the same secured room at the airport that it went missing from and that officials are working to determine whether any of the data was compromised.
Officials are also investigating the circumstances surrounding the laptop's reappearance, she said. The Transportation Security Administration suspended Verified Identity Pass Inc., the company that operates the registered traveler program under the brand name Clear, from enrolling new applicants due to the alleged theft of the unencrypted laptop. The San Francisco airport was instructed to make sure the company immediately notified the customers who were impacted.
Information on the laptop includes names, addresses, birth dates and some applicants' driver's license numbers and passport information, but does not include applicants' credit card information or Social Security numbers, according to the company.
The information is secured by two levels of password protection, the company reported. The TSA has told SFO and other airports that use Clear to suspend enrollment, cease use of any unencrypted computers and secure devices until encryption can be installed.
The agency requires that all registered traveler service providers encrypt all files containing participants' sensitive and personal information. Companies that don't comply may face suspension of a program and civil penalties.
Verified Identity Pass will be required to submit an independent audit to verify that the required security measures are in place and the Transportation Security Administration will verify the audits before more customers can enroll in the program.
TSA officials said the suspension will protect consumers waiting to enroll in the Clear program and allow the company to bring its procedures into compliance. Current customers will not be affected and will not experience disruption when using the Clear system, which allows travelers to get through security faster.
Labels: airport, laptop, San Francisco, security
Thousands Of British Passports Stolen
Hijackers made off with boxes of blank British passports worth a fortune on the black market in a raid on a delivery van, police said Tuesday, in the latest blow to the government's record on security. Detectives said the 24 boxes of about 3,000 passports and visa documents, destined for British embassies around the world, were worth some 2.5 million pounds (five million dollars, 3.2 million euros).
A hijacker sped off with the vehicle Monday when the driver stopped to buy a newspaper in the Manchester suburb of Oldham in northwest England. The passports, which were en-route to Royal Air Force base Northolt in northwest London, were "very secure" as they contained a micro-chip which can be encrypted, he said.
An industry expert said the passports would not be of much use as travel documents but warned that they could be used to create a new identity while forgers could use them as proof of identity for banks or for people looking to seek asylum.
This is not the first time something like this has happened in England. In December, the government was forced to admit that two data discs containing personal details of some 25 million people were lost in the post.
Top secret files on Al-Qaeda and Iraq were left on a train earlier this year, while hundreds of government laptops and memory sticks have been either lost or stolen in recent years.
Labels: England, identity theft, passports, stolen
Judge Orders Changes To Privacy Protections
Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.
It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.
But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.
"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.
In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.
"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."
U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative. Last week, Stanton authorized full access to the YouTube logs - which few users even realize exist - after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.
"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."
Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.
Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.
The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer - identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.
Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.
One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.
Though companies do have legitimate reasons for keeping data - they can help improve services or protect parties in billing disputes, for instance - there's disagreement on how long a company truly needs the information.
The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say. Requests are routinely granted in most cases in banking and healthcare.
Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.
Law enforcement authorities also turn to the records to help solve crimes. The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.
In the YouTube case, Viacom largely got the data it wanted. Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.
But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public - through their inclusion as an attachment in a court filing, for instance.
And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.
Labels: Google, privacy, Viacom, YouTube
California Accidentally Releases Personal Data
The California Department of Consumer Affairs is warning that personal information for 5,000 of its workers, contractors and board members was made public accidentally.
The security breach took place June 5 or June 6 when a Microsoft Word document was transmitted electronically outside the department. Department spokesman Russ Heimerich says he did not know how it was transmitted or where it was sent.
The document included names, job titles, salaries and Social Security numbers. Letters warning of the breach have been sent to the thousands of department employees, contractors and members of regulatory boards the department oversees.
The letter urges recipients to watch their credit reports for indications of identity theft. The department is offering a year of free credit reports and up to $25,000 in fraud insurance for those listed on the document.
Labels: consumer affairs, identity theft, personal information
Follow-Up On IRS Posting
I wanted to post a follow-up note on the IRS "phishing" e-mails. I actually received one in my junk folder for my Hotmail address. I wanted to post it so people could actually see the contents of the e-mail. The text follows:
Internal Revenue Service
(IRS)United States Department of the Treasury
Dear Taxpayer, After the last annual calculations of your fiscalactivity we have determined that you are eligibleto receive a tax refund of $184.80. Please submit the tax refund request and allow us6-9 days in order to process it. A refund can be delayed for a variety of reasons.For example submitting invalid records or applyingafter the deadline. To access the form for your tax refund, use the following personalized link:The link is not included for obvious reasons. However, I will point out that readers need to take a hard look at web addresses. Web addresses do not usually have long strings of numbers followed by the valid address (i.e. www.irs.gov). If the web address is valid, it usually only contains the business or government name followed by ".com, .org, or .gov". Next, initial contacts are not sent out by e-mail from the IRS. They use the postal service to notify you of information. Finally, remember that Google is your friend. If you are not sure the e-mail is valid, go to a search engine like Google to look up the official website of the organization. Google will provide you with a direct link, and you can verify if the e-mail is legitimate.
Labels: Google, IRS, phishing scams, search engine
