Identity theft case seen as largest in U.S. history

Computerworld - Federal investigators have charged three men they say were involved in a massive identity theft scheme that spanned three years, involved more than 30,000 victims and, so far, has resulted in more than $2.7 million in losses.
The scam is thought to be the largest in U.S. history, according to a statement issued by the U.S. attorney's office for the Southern District of New York.
The FBI has arrested Philip Cummings, who is alleged to have started the scam while he worked on the help desk at Teledata Communications Inc. (TCI), a company in Bay Shore, N.Y., that provides banks and other entities with computerized access to consumer credit reports from the three commercial credit history bureaus -- Equifax Inc., Experian Information Solutions Inc. and Trans Union LLC.
Authorities said that beginning in 1999, Cummings had access to the passwords and codes used by TCI's customers to download consumer credit reports for business purposes. With these codes, he was able to access credit reports for himself, authorities charged.
They also alleged that Cummings gave those passwords and codes to an unidentified co-conspirator and received $30 for each credit report obtained using the stolen codes. That information was then passed on to at least 20 other people, authorities said. Cummings was still able to access the information after he left TCI in March 2000, officials said.
In addition to Cummings, the FBI charged Linus Baptiste with wire fraud in connection to the case. They also arrested Hakeem Mohammed, who pleaded guilty to charges of mail fraud.
For proprietary and security reasons, the companies involved, including Ford Motor Credit Co. and Teledata, wouldn't comment on the security measures in place at the time of the alleged theft or the steps they might have taken to minimize any future risk. However, they did say that they are cooperating with authorities in the investigation.
Analysts said that to guard against such theft, companies should follow a combination of common-sense high-tech, low-tech and no-tech security procedures.
On the high-tech end, companies should encrypt stored data so that even if an unauthorized person is able to access sensitive information, he wouldn't be able to make sense of it, according to Alan Brill, senior managing director of technology services at New York-based Kroll Inc., a security consulting company.
Low-tech security measures include checking for dead accounts and denying network access to anyone who has left the company.
"Companies probably remove those people from their e-mail accounts but don't think to deny them access to the network," saidJohn Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.
As for no-tech measures, the analysts agreed that enterprises should always conduct background checks on potential employees, especially those with access to sensitive data.
Pescatore and Chris Rouland, director of X-Force at Internet Security Systems Inc. in Atlanta, said companies such as Ford and Washington Mutual Bank also had a responsibility to pay attention to the security procedures of their business partners, including insisting on periodic security audits and vulnerability assessments.