sponsored by
visit Qwest.com
Hacks, Viruses, Scams & Spam
Study: ID theft usually an inside job
Up to 70 percent of cases start with employee heist
By Bob Sullivan
Technology correspondent
MSNBC
Updated: 7:03 p.m. ET May 21, 2004

A soon-to-be-released study reveals what some identity theft experts have hinted at for years -- the crime is largely the work of insiders. In a study of more then 1,000 identity theft arrests in the United States, Michigan State professor Judith Collins has discovered that perhaps as much as 70 percent of all identity theft starts with theft of personal data from a company by an employee.

 

"It used to be that shrinkage (theft) was the biggest cost to employers after payroll and healthcare. Today what we have to think about, in the information age, is employees stealing information," Collins said. "Why steal merchandise when they can steal data and get money?"

Collins, director of an identity theft program at Michigan State, randomly selected 1,037 cases from around the country, then painstakingly traced each incident to its origins. In 50 percent of the cases, the victim's identity was originally pilfered by a company employee. In another 20 percent of cases, evidence strongly suggested dirty play by an insider.

Her results contradict the conventional vision of identity thieves hacking Web sites or digging through dumpsters. But some experts said the results could have been anticipated.

 
FREE VIDEO
Launch
Inside ID theft
MSNBC.com's Bob Sullivan discusses the ID theft study.

MSNBC

"You don't have 10 million victims a year by people going through the trash," said Joseph Ansenelli, an executive at information security firm Vontu Inc.

Perhaps the greatest surprise: a large number of the identities were stolen not by an employee -- but by the business owner.

Linda Foley, executive director of the San Diego-based Identity Theft Resource Center, actually began the non-profit agency after her identity was stolen by her employer four years ago. She said Collins' findings on insider theft is consistent with reports she hears from victims who call her hotline.

"It only makes sense. A majority of the information is in the hands of corporate America," she said. 

'Crime of opportunity'
Most of the crimes began at health care or financial companies, Collins found in her study. In most cases, temporary workers or employees stealing data from other departments were to blame. That suggests companies need to tighten up data security practices, she said. 

Rob Douglas, an identity theft consultant in the banking industry, said Collins' results weren't a complete surprise. About two years ago, bank regulators issued a string of warnings about insiders committing crimes at banks. One such notice, published by the Office of the Comptroller of the Currency at the Treasury Department, warned that organized crime rings were placing members in low-level teller jobs at banks in order to commit identity theft and other crimes.

"There is always a lot of concern about hacking," Douglas said. "But the demonstrable number of mass hacks pales in comparison to the easy old method of insider theft. It's a crime of opportunity. The information is right there. I always tell banks I talk to, information equals cash."

 
  FACT FILE Your ID's been stolen. Now what?
Step 1: Protect your finances
Contact the fraud departments of each of the three major credit bureaus.
Get a copy of your credit report, which is free to ID theft victims. Ask that your file be flagged with a "fraud alert tag" and a "victim's statement." That will limit the thief’s ability to open new credit accounts, as new creditors will call you before granting credit, generally. Insist, in writing, that the fraud alert remain in place for seven years, the maximum, according to PrivacyRights.org.

Credit bureaus
Equifax
1-800-525-6285
www.equifax.com
Experian
1-888-397-3742
www.experian.com
TransUnion
1-800-680-7289
www.tuc.com

  • More detailed 17-step plan to follow if your ID is stolen
    www.privacyrights.org/identity.htm
  • “When bad things happen to your good name” – FTC document full of sample dispute letters and other recovery procedures.
    www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
  • U.S. Department of Justice ID Theft kit
    www.usdoj.gov/criminal/fraud/idtheft.html
  • Identity Theft Resource Center
    www.idtheftcenter.org
  • Organizing your ID theft case – good paperwork is key
    www.privacyrights.org/fs/fs17b-org.htm
  • ID theft laws vary by state – here’s a list of state laws
    www.consumer.gov/idtheft/federallaws.html#statelaws
  • Michigan State University School of Criminal Justice ID Theft page
    www.cj.msu.edu/~outreach/identity
  • Print this

    Collins' study, which will be published later this year, comes at the same time federal lawmakers are beginning to focus attention on the insider ID theft issue. The "Identity Theft Penalty Enhancement Act," now working its way through the House of Representatives, includes additional jail time for criminals who steal data on the job. 

    Rep. John Carter, R-Texas, who advocated for the insider theft provision, said the idea was generated largely from an infamous incident in Texas last year, when a student employee at the University of Texas allegedly stole 55,000 Social Security Numbers.

    "It's an extra two years if you are an insider, and steal data, and that data is used for a crime. We compare it to aiding and abetting a crime," Carter said.  "We hope the word will get out, and this will act as a deterrent."

    Ansenelli called the legislation "a step in the right direction." But he advocates for a national standard for all firms that store personal data. Carter's legislation has no provisions for corporate liability when employees steal data.

    Collins' findings also included surprising insights into the perpetrators of identity theft. Unlike most crimes, about half the criminals in her study were women -- suggesting identity theft is a new kind of equal opportunity crime.

    "This crime is much different than any other crime," Collins said.  "Men tend to be more risk-takers, and committing crime is high risk. But ID theft is low risk. For example, credit card fraud can be committed online. ... So we're probably going to continue to see as many women as men commit the crime."

     © 2004 MSNBC Interactive
     

    Bob Sullivan
    Technology correspondent

    E-mail the author

       Try MSN Internet Software for FREE!
       MSN Home  |  My MSN  |  Hotmail  |  Shopping  |  Money  |  People & Chat  |  Search Feedback  |  Help  
      © 2004 Microsoft Corporation. All rights reserved. Terms of Use Advertise TRUSTe Approved Privacy Statement GetNetWise Anti-Spam Policy