FBI wants to know who took 13,000 credit reports

Computerworld - The FBI is investigating how someone made off with 13,000 credit reports from a credit reporting agency, Experian Information Solutions Inc., during a 10-month period by posing as a Ford Motor Credit Co. employee.
According to a letter and statement sent out by Dearborn, Mich.-based Ford Motor Credit, someone collected private information, including the work and home addresses, Social Security numbers, account numbers and credit history of 13,000 people, mostly from affluent neighborhoods around the country. Most of the people weren't Ford customers.
Ford spokesman Dan Jarvis said the company became aware of the breach in March when it was contacted by Orange, Calif.-based Experian, a subsidiary of London-based GUS PLC. Experian customers had complained that Ford Motor Credit had conducted credit checks on them even though they hadn't had any contact with the automaker.
Jarvis said the fraudulent credit checks were distinguished from the legitimate Ford checks because the software the fraudster used was different from Ford's. It isn't clear whether the theft came from a hacker who broke into Ford's system and the company refuses to say how it believes the breach occurred, Jarvis said.
"We're waiting for the FBI to tell us," he said.
Experian spokesman Don Girard said he is still not sure that a hacker was responsible for the breach.
"One scenario could be that an access code was pilfered within Ford," Girard said. Experian gives large companies access codes with which they can gather credit information on potential customers.
"Who we don't give access codes to is Joe Shmo who runs a pawn shop down the street," Girard said.
Girard said no matter how the intruder got the information, Experian will press for prosecution to the fullest extent of the law.

Chris Hoofnagle, legislative counsel for the Washington-based Electronic Privacy Information Center, said he wasn't surprised at the ease with which someone made off with the information.
"There is not a lot of market incentive, aside from lawsuits, for the credit agencies to be more responsible," Hoofnagle said. He said credit-reporting agencies have "poor business practices" and don't place thorough safeguards on consumers' private information. He said the agencies should require greater authentication before sending out such information.
Both Hoofnagle and U.S. Federal Trade Commission spokeswoman Claudia Bourne Farrell said the incident reinforces the need for consumers to get copies of their credit reports annually to check for suspicious entries.
Farrell said tracking how many cases of identity theft happen each year is hard to do because many different agencies gather such information. But in 2001, she said, the FTC received 86,182 complaints -- and the average time between when a theft occurs and a consumer notices is 14 months.
Ford said consumers who discover any fraudulent entries should contact the Detroit office of the FBI or call a Ford hotline: (888) 838-8176, between 7 a.m. and 8 p.m. CDT, Monday through Saturday.