What Is Identity Theft - Essay Example

Running Head: IDENTITY THEFT Identity Theft The advent of computers and the almost instantaneous ability to transfer and analyze data and information from far-flung source has both been the boon and the bane of the twentieth and twenty-first century. The more efficiently and expediently computers and the Internet that connects them process and exchange information for the benefit of the consumer and the corporation, the more ways there are to illegally obtain that information and use it for various nefarious ends. Identity Theft is one among the cyber crimes that has been on the rise in the last several decades. A close cousin to cyber terrorism, Identity Theft is a more personal and individual problem that affects many consumers and has begun to reflect poorly on companies that are in the mode of trying to ignore it or downplay it and hope it just goes away. While admitting that your company has had a breach of security may shake the confidence of your clients, refusing to recognize and deal with these situations only makes matters worse. One of the largest computer based international companies in the world, IBM, is not immune to the threat of a data breach and the consequent risk of identity theft. In fact, every company no matter how large or how small and whether it is connected to the internet or not can be a potential victim of data theft or loss. But regarding computer attacks, they can be so fast and furious that they are viewed as more destructive than a thermonuclear war. “There is no longer the luxury of the 20-minute window from launch to landing of a nuclear-tipped intercontinental ballistic missile found in the Cold War” (Vatis, 2006, p. 57). Data breaches and cyber attacks require an even more rapid response in detection after the incident, but more importantly systems must be in place to proactively deter and prevent these breaches. This paper will discuss the definition and history of identity theft as well as analyze specific instances and the ramifications for the consumer and the companies involved. Dr. Charles C. Palmer, the head of the Global Security Analysis Lab, IBM's ethical hacking unit candidly responds to the problem of computer crime and identity theft as well as cyber terrorism: ... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action. (Palmer, 2004) But Identity theft and data breaches are not all computer related. In fact Palmer believes that companies need to remain even more vigilant in regards to simple physical breaches of their organizations. He recounts an personal instance of walking into what should have been a secured facility, never identifying himself, walking up to filing cabinets and walking out with his arms full of confidential material while the security guard on duty holds the door for him (Plamer, 2004). …the only 100 percent, truly secure system is one that is powered-off and filled with concrete. The military has long understood the security of an "air gap" (where a secure machine has no connection whatsoever to an unsecured machine), and we recommend to our customers that they consider such an arrangement for their most secure systems. (Palmer, 2004) This is the first step in maintaining a secured computer system. Having an open connection to the Internet simply invites trouble. What Dr. Palmer suggest, and most compnaieds to date follow is making sure computers on both sides have a secure tunnel or VPN (Virtual Private Network) connection that can only be initiated from specific computer with specific programs to negotiate the connection. Without these programs in place, it is much more difficult to breach the system. Other types of breaches can occur as well. There are also instances of backup tapes being misplaced, stolen or even sold by employees. Laptops being left in cabs with confidential information on them, even though company policy forbids it and many other areas of concern. A non-profit consumer rights and advocacy organization has begun to track these breaches. The Privacy Rights Clearinghouse has data since 2005 tracking various types of security breaches. A very brief sampling compilation can be found in Appendix I of the hundreds of breaches affecting up to possible 234 million data records during that time period. One such data breach was discovered in Louisiana by a student googling the internet. The Company tried to keep it under wraps but the story was picked up by a local Television station there, WDSU. Aaron Titus, a law school student and privacy advocate, said he found the open door to the Board of Regents internal network using Google. Not only did he find the database of student names -- Titus also discovered 150 other files that he said contain up to 75,000 more names of students and employees. For example, there's a list of administrators and instructors at South Louisiana Community College that includes their Social Security numbers…."In some ways, we're thankful that you found it because it showed a deficiency in some of our programs, and we were able to stop it, and now we are going to try to mitigate any damage," Commissioner of Education Joe Savoie said. (“La. Security Breach,” 2007) Another incident occurred even more recently in Washington, DC. While simply trying to save some money on benefits, the people involved did not think much about security when posting this: Three Metro employees have been disciplined after the Social Security numbers of nearly 4,700 current and former employees were mistakenly posted on the transit agency's Web site last month, officials said yesterday. The information was part of a solicitation from Metro to companies interested in providing workers' compensation and risk management services. The document mistakenly included the Social Security numbers of 4,675 employees. (Sun, 2008) What exactly is Identity Theft? The general definition is the use of another person’s identifying information, i.e. financial, personal, geographic (address) or other source, to perpetrate fraud or other types of falsification. This is done by using another person's social security number, date of birth, address, driver's license number, the thief can open bank accounts, apply for loans and credit cards, get a cell phone and so on in that persons name. Stealing their identity as well as their credit. In addition to the financial loss that can result from identity theft, by using another’s identity the credit history and even the legal history of the victim can be damaged in the extreme. ("Identity Theft," 2007) According to the Identity Theft and Assumption Act of 1998, identity theft (ID theft), occurs when someone is "knowingly transferring or using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, in the unlawful activity that constitutes a violation of federal law." It is a federal crime. (Alt, 2004, p. 67) There is also a theft known as Criminal Identity theft. This is for the most part non-financial and occurs when someone gives another person’s ID to a policeman or other law enforcement official during arrest. This allows the thief to use a clean citizen’s record making it appear as if they are committing a first offence. This often reduces the punishment but also goes on the arrest record of the honest citizen who is the victim. The frequency of identity theft increased markedly beginning in the late 1990s due to the computerization of records and the ability to use another's personal information anonymously and virtually without any prosecution at the time over the Internet. ("Identity Theft," 2007) Other forms of Identity Theft are bank fraud, job related misrepresentation, phone & utilities fraud, consumer fraud, government documents and benefits fraud. Medicare, Medicaid and other health insurance related fraud is also on the increase. (Alt, 2004, p. 68) Many of these can be found in multiple occurrences and intertwine and interrelate to each other, often making it even more difficult to discover. Prior to computers and most forms of governmental organizations and the science of photography, it was also a quite violent crime. Nefarious individuals would murder and then take on the identity of their victims, move to another district or country where their victim was not known and use their good name to settle into a new life. As time went on certain forms of ID were standardized, passports adopted, etc. and it became harder to completely impersonate another human being. It could still be done, but the criminals had to grow with the technology. Furthermore, Identity Theft is becoming prevalent among the influx of illegal aliens in the United States. Passports and other forms of ID are finding their way into black market vendors who sell them to aliens seeking ingress into other countries Another issue in identity theft is the problem of the time to the discovery of the crime. In many cases the crimes may not be discovered until a great deal of damage has been done. Unless an individual is keeping tabs on their credit history or using agencies that have sprung up to do so, the crime can go undetected sometimes for years. The thief takes out a loan or buys a car and changes the address of the victim so that all paperwork goes somewhere else. It is only when the payment of the loan goes into default and the banks start looking around does the victim discover, all to late, the problem. While it is a fact that Nearly 40% of all ID theft victims discovered the misuse of their information within one week of the start of the misuse, the discovery period was significantly different depending on the type of fraud experienced. Victims in the Existing Credit Cards Only (22%) and the Existing Non-Credit Card Accounts (21%) categories were about twice as likely as those in the New Accounts & Other Frauds (10%) category to find out about the misuse the day it started. Nearly one-quarter (24%) of New Accounts & Other Frauds victims did not find out about the misuse of their information until at least 6 months after it started – compared to just 3% of Existing Credit Cards Only and Existing Non-Credit Card Accounts victims. Where discovery of the misuse occurred more quickly, victims reported lower out-of-pocket losses and thieves obtained less. (“Federal Trade Commission”, 2006, p. 23-24) In his book, Credit Card Nation: The Consequences of America's Addiction to Credit, Robert D. Manning infers that the rise in Identity Theft is in direct proportion to the rise of the United States as a Credit Card Nation. It began as the economy of the world shifted. First, the industrial revolution changed the world’s economy from farming and agriculture to manufacture and production as the predominant business sector. Then again in the twentieth century there was a shift that changed the focus from industry to banking and financial products. This became a trend that meant that manipulation of money was now a more lucrative business than traditional goods-producing industries. (Manning, 2000, p. 4) With this new mentality, the finance industry would search for more and more ways to introduce new products and services to its consumers. In many ways this also required a change in perspective from the traditional workaday ethic of the American psyche. Until recently Identity Theft was difficult to prosecute for a number of reasons. One of the largest problems is that giant corporate conglomerates often refused to publicly acknowledge their involvement when someone has breached their system and removed data or damaged programs and information. “More than 89% of security incidents went unreported in 2007, according to survey of about 300 attendees at this year's RSA Conference” (Claburn, 2008). By disclosing that their systems have been jeopardized the business may certainly experience a loss of consumer confidence and potentially loose many clients, depending on the product or service they offer. The company may also be subjected to lawsuits from clients and other businesses claiming that there was no proper security measures in place when their information was stolen. By admitting their guilt, companies face sever loss and damage to their finances and reputations. They can face bankruptcy if they are honest about it. It is estimated that between twenty-five and fifty percent of all business have experienced some sort of intrusion or breach of security of their computer networks. (Yang & Hoffstadt, 2006, p. 208). “The top security challenge, according to respondents [of the RSA survey], is lost or stolen devices (49%), followed by non-malicious employee error and employee education (tied at 47%), budgetary constraints (44%), external hacking threats (38%), executive buy-in (26%), and malicious insider threats (22%). (Claburn, 2008). Another reason is the global nature of the problem regarding the quite often substantial difference between the location of the crime and the criminal who perpetrated it. The crime may be committed upon an individual or company that resides in the United States while the criminal may be in a completely different part of the world and in a country that perhaps has no extradition agreement with the United States (Jacobson & Green, 2002, p. 275). AS one can see this type of crime will require cooperation between governments far beyond the usual methods in order to facilitate the capture and prosecution of these criminals. Governments are making great strides in constructing laws to address Identity Theft. However, it is often difficult to find the appropriate legislative balance between an individual right to privacy and a company’s right to do business, and what form this legislation should take is still a matter of debate. For instance, cookies (the Internet kind) are not protected as an intellectual property right of the consumer who is the subject of the information. This means that the information can be transferred and used without knowledge or authority. Some privacy protection for consumer data may be sought—for example, when there is concern over such data being collected and used without the consumer's knowledge or agreement. A potential conflict exists between the social benefits of disclosure (such as the creation of new databases), and an individual's desire to control the further dissemination of consumer information (perhaps out of concern over reputation, a general taste for privacy or autonomy, or the possibility of identity theft). 29 (Thierer and Wayne, 2003, p. 164) One of the greatest problems facing both the prevention and detection of identity theft is the fact that for more than fifty percent of the victims of identity theft it is often unknown how the information was obtained in the first place. However, interestingly enough, although 56% of the victims did not know how their information was found out, of the 44% that did know, the largest percentage was from people they knew personally. A more recent entrant in the identity theft genre is phishing. Compromising 1% of the total category, “Phishing occurs when fraudulent e-mails are sent to online users by impersonating Internet service providers (ISPs), merchants, and banks, in an attempt to steal financial information” (Stafford, 2004, p. 201) Another issue for victims of identity theft was the lack of a satisfactory remedy after the incident occurred. If you are the customer of a company that has had a security breach and parceled out your personal information you have some recourse in both the form of statutory as well as common law claims. However, individuals who never intended to become the company’s customers or perhaps were never even aware of the company’s existence lack similar support because a business generally does not owe a non-customer the same due dillegence as one of their customers. (Howard, 2005, p. 1264) One of the most recent legislative strides in this area was the construction of The Fair And Accurate Credit Transactions Act Of 2003 or FACTA. President Bush signed this act into legislation in December of 2003. It main goal was to attempt to set some limits regarding the amount of information that an individual or entity exposes to the public. This included the mandatory limit of exposing only the last four number of a credit card on receipts and bills. It also requires that the card issuers quickly investigate and verify any changes of address and new card requests by confirming validation from the individuals. Credit reporting agencies have increased fraud alert requirements and are also required to omit any identity theft related information from the credit reports they produce. The most memorable function of this legislation is that these reporting agencies furnish free annual credit reports to any individual. Other issues that this statute addresses is that credit reporting agencies disclose consumer credit scores to the consumer involved and it also provides for a vast enhancement of the resolution process available to the consumer once they have discovered that identity theft has occurred. It also includes several measures that limit the sharing of medical information within the financial system. The statute goes along way to improve the protection and remedy available to the consumers in the event of Identity Theft. (Linnhoff, and Langenderfer, 2004, p. 206) FACTA is aimed at two prongs of the identity theft problem--reducing the incidence of theft and limiting the impact once theft has occurred. Credit card receipt truncation and change of address protection should help reduce the number of identity theft incidents. The reduction is likely to be small, however, as most credit card companies already have similar measures in place. More effective are FACTA's provisions to limit the damage post-theft. One-call fraud reporting will reduce the burden on victimized consumers as will the credit report blocking and re-pollution measures. (Linnhoff, and Langenderfer, 2004, p. 208) Unfortunately the bill falls short in a number of items. Its main intention is to address the inadequacies of credit-reporting institutions. However, one of the bills major difficulties is that it usurps state law and severely limits individual state efforts to enact stronger privacy policies than those that are established at the federal level. It is understood that having a variety of state laws also poses a problem for businesses that operate nationally as they can face a complex nightmare when trying to comply with many different state restrictions and guidelines. “But when federal law is inadequate to protect the public, preemption effectively denies relief to citizens of those states inclined to provide it.” (Linnhoff, and Langenderfer, 2004, p. 209) Another dilemma is that this legislation fails to address in any significant way the prevalent use of Social Security Numbers as identifiers that are often freely exchanged on many levels. This threatens the consumers with pervasive identity theft and also gives both legitimate businesses as well as criminal the ability to quickly put together a very thorough background on virtually anyone. This ability is troubling not only because it increases the incidence of identity theft but also because of the privacy implications. SSN use and display limitations would help prevent identity theft and also improve privacy in an era in which consumers are becoming increasingly uncomfortable with the amount of personal data that is routinely collected and stored. Truly effective identity theft legislation will deal on a national level with the entire identification system, replacing the current hodgepodge with one that is safe and difficult to duplicate. (Linnhoff, and Langenderfer, 2004, p. 210-11) Another issue is that even though free annual credit reports are now easily available, very few consumers are asking for them. In fact in 2004 only 22% of those surveyed actually received their free credit report. Prior to this law the Fair Credit Reporting Act (FCRA) was written into legislation in 1970 and has been amended almost yearly up until to 2003. This was the first attempt by the government to address the problem of Identity Theft. The FCRA provides consumers with a private right of action for a credit reporting agency's willful or negligent noncompliance with any of the duties imposed by the FCRA. Under this FCRA provision, consumers may recover their actual damages, attorney fees, and costs; when the credit reporting agency has acted willfully, the consumer may also recover punitive damages. Another statutory enactment, the Identity Theft and Assumption Deterrence Act makes identity theft a federal offense and gives victims rights and means to be compensated for their losses. (Howard, 2005, p. 1267) Banks and other institutions that issue credit cards have become a bit more wary of handing out credit without a more through analysis of the individual or entity involved. Initially one could get credit or conduct financial transactions with only two forms of ID, a social security number and a driver’s license. Some states at the time did not eve require a picture to be on the license, so even that level of security was not present. (Howard, 2005. p. 1264) These low-level ID’s also bled into the online realm with the ease with which information was passed onto merchant sites and possibly leaked to others. Credit Card information was and is still easily shared over the Internet and while companies build better and better firewalls and encryption methods, the Identity thieves are often one step ahead. One way credit card companies are protecting their cardholders is by requiring them to provide online merchants with additional information such as their mother's maiden name. That way, even if a thief gets hold of a number, he or she can't use it. The idea is to "make the cardholder feel comfortable that it is a secure transaction," says Bruce Rutherford, vice president and senior business leader with MasterCard Worldwide. (Holmes, 2006, p. 163) Also, even as far back as 1996 an agreement between MasterCard and Visa came about to introduce a single “secure electronic transaction’”(SET) format for credit-card purchases on the internet. This paved the way for the take-off of e-commerce. (Guttmann, 2002, p. 6) Identity theft does not only affect individuals, but can have some major impact on merchants, retailers and other business both in the short and the long term. Although information on these crimes is often hard to come by as businesses by and large refuse to divulge or admit to any problems with identity theft and their customers data safekeeping. In a sense they are more inclined to take the loss quietly rather than have a negative impact on their credibility. The two largest credit card companies estimated that "aggregated identity-theft-related losses from domestic operations rose from $79 million in 1996 to $114 million in 2000, an increase of about 43 percent." Most credit card companies do not consider categories such as lost or stolen cards, never-received cards, counterfeit cards, mail order or telephone order fraud to be identity-theft-related. A serious lack of data on these issues inhibits research into possible intervention strategies that could reduce the harm. (“Cost of Identity Theft,” 2007) It is estimated that approximately 3.2 million consumers have become victims of identity theft in 2007 alone. Thieves who opened new accounts in their names, obtained new identification documents or took other steps to impersonate their victims targeted them. Another 6.6 million were victims of credit fraud, in which thieves who gained access to account numbers raided credit card or bank accounts. (Sovern, 2004, p. 236) Security breaches have become a common problem for companies, government agencies and universities nationwide. … citing the Identity Theft Resource Center, a nonprofit fraud-prevention group, said such data breaches were up 69 percent in the first half of 2008, compared with a similar period in 2007. (Sun, 2008) In order to cope with these issues individuals and companies need to prepare in order to prevent and if necessary cope with these intrusions into personal information. A federal Trade commission reports suggest that business do the following five simple steps in order to help safeguard the information that has been entrusted to them by their clients: 1. Take stock. Know what personal information you have in your files and on your computers. 2. Scale down. Keep only what you need for your business. 3. Lock it. Protect the information that you keep. 4. Pitch it. Properly dispose of what you no longer need. 5. Plan ahead. Create a plan to respond to security incidents. (“Protecting Personal Information,” 2008 ) Their pamphlet goes into detailed information regarding each one of these steps. As for personal protection the following recommendations are suggested: 1. Buy a shredder: 2. Change your passwords monthly 3. Freeze your credit: If your data has been breached 4. Beware of phishing scams: Don't give out your personal information. 5. Protect your computer from spyware and viruses: Always use firewall, virus and spyware protection software that you update regularly. (“Top Five Identity,” 2008) While it may seem like overkill to some, it only takes on instance to ruin the credit gained over a lifetime. References Alt, Betty L., and Sandra K. Wells. (2004). Fleecing Grandma and Grandpa: Protecting against Scams, Cons, and Frauds. Westport, CT: Praeger. “A Chronology of Data Breaches.” (2008) Privacy Right Clearinghouse. Retrieved on July 27, 2008 from http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP Claburn, Thomas. (2008). “Most Security Breaches Go Unreported.” Information Week. August 1, 2008. Retrieved on August 3, 2008 from http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=209901208 “Cost of Identity Theft.” (2008) United States Department of Justice. National Institute of Justice. The Research, Development, and Evaluation Agency of the U.S. Department of Justice. Retrieved on July 28 , 2008 from “Federal Trade Commission 2006 Identity Theft Survey.” (2007) Federal Trade Commission FTC.gov Retrived on July 30 2008 from http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf Guttmann, Robert. (2002). Cybercash: The Coming Era of Electronic Money. New York: Palgrave Macmillan. Holmes, Tamara E. (2006). "Is Your Credit Card Number Safe Online? New Technology Offers Consumers Added Protection." Black Enterprise Sept. 2006: pp. 163. Howard, Heather M. (2005). "The Negligent Enablement of Imposter Fraud: A Common-Sense Common Law Claim." Duke Law Journal 54.5 pp. 1263-1278 "Identity Theft." (2007). The Columbia Encyclopedia. 6th ed. Jacobson, H., & Green, R. (2002). Computer Crimes. American Criminal Law Review. 39.2 p. 273-278. “La. Security Breach Exposes Thousands To ID Theft” (2007) WDSU.com. Retrieved on July 28, 2008 from http://www.wdsu.com/news/13698832/detail.html Linnhoff, Stefan, and Jeff Langenderfer. (2004). "Identity Theft Legislation: The Fair and Accurate Credit Transactions Act of 2003 and the Road Not Taken." Journal of Consumer Affairs 38.2 pp. 204-211. Manning, Robert D. (2000). Credit Card Nation: The Consequences of America's Addiction to Credit. New York: Basic Books. Palmer, Charles (2004, April 4). 'Hacking is a felony': Q&A with IBM's Charles Palmer . Retrieved February 13, 2008, from Computer Crime Research Center Web site: http://www.crime-research.org/interviews/224/ “Protecting Personal Information” (2008). Federal Trade Comission Retrieved on 4 August 2008 from http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf Sovern, Jeff. (2004). "Stopping Identity Theft." Journal of Consumer Affairs 38.2 pp. 233-247. Stafford, Marla Royne. (2004). "Identity Theft: Laws, Crimes, and Victims." Journal of Consumer Affairs 38.2 pp.201-217 Sun, Lena H. (2008). Posting of Social Security Numbers Results in Suspension of 3 Workers. The Washington Post. Retrieved on August 4, 2008 from http://www.washingtonpost.com/wp-dyn/content/article/2008/07/14/AR2008071402245.html Thierer, Adam, and Clyde Wayne Crews, eds (2003). Who Rules the Net? Internet Governance and Jurisdiction. Washington, DC: Cato Institute. “Top 5 Identity Theft Prevention Tips” (2008) Trusted ID. Retrieved on July 30, 2008 from https://www.trustedid.com/html/identity_theft_protection_resource_010.php Vatis, M. (2006). The Next Battlefield: The Reality of Virtual Threats. Harvard International Review, 28(3), 56-59. Yang, D. W., & Hoffstadt, B. M. (2006). Countering the Cyber-Crime Threat. American Criminal Law Review, 43.2 pp. 201-213. Appendix I Jan. 10, 2005 George Mason University(Fairfax, VA) Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. Feb. 25 , 2005 Bank of America (Charlotte, NC) Lost backup tape compromising 1,200,000 accounts April 8, 2005 San Jose Med. Group (San Jose, CA) Stolen computer A former branch manager at the San Jose Medical Group has been sentenced to almost two years in prison for stealing medical records for about 187,000 patients. Feb. 9, 2006 OfficeMax and perhaps others. Hacking. Debit card accounts exposed involving bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo) 200,000 accounts Aug. 1, 2006 Dollar Tree (Carmichael and Modesto, CA, as well as Ashland, OR, and perhaps other locations) Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Total number unknown Jan. 17, 2007 TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland experienced an "unauthorized intrusion" into its computer systems. ): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million. Jan. 26, 2007 Chase Bank and the former Bank One (Shreveport, LA) A Bossier woman bought a used desk from a furniture store. She discovered a 165-page spread sheet in a drawer that included names and SSNs of bank employees. 4,100 current and former employees affected Apr. 27, 2007 Google Ads (Mountain View, CA) Top sponsored Google ads linked to 20 popular search terms were found to install a malware program on users' computers to capture personal information and used to access online accounts for 100 different banks. Jan. 24, 2008 OmniAmerican Bank (Fort Worth, TX) An international gang of cyber criminals hacked into the bank's records. They stole account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York. Fewer than 100 accounts, some of them dormant, were compromised. July 29, 2008 Blue Cross and Blue Shield of Georgia (Atlanta, GA) Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patient's Social Security numbers. 202,000 accounts July 17, 2008 Bristol-Myers Squibb (Jacksonville, FL) A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently.. Data for some employees' family members also were on the tape. 42,000 employee’s July 9, 2008 Division of Motor Vehicles Colorado (Colorado) The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers 3.4 million June 19, 2008 Citibank (New York City, NY) A Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached. The computer intrusion into the Citibank server led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines, pocketing at least $750,000 in cash Unknown June 18, 2008 Domino's Pizza (Tucson, AZ) Investigators found credit card numbers blowing in the wind. These piles and papers contained hundreds of old receipts from Domino's Pizza stores. The former owner had been discarding boxes of old records and somehow all those receipts got loose. Unknown June 10, 2008 1st Source Bank (South Bend, IN) 1st Source Bank is replacing ATM cards this month for all its account holders after cyber-thieves accessed an unknown amount of debit-related data. Unknown Read More