ID Theft and FTC Consumer Complaints

        On March 1st the Federal Trade Commission (FTC) released its 2015Consumer Sentinel Network Data Book that reports complaints received by the FTC during the year.  For the first time in 16 years, identity theft DID NOT top the list.
        This year identity theft was edged out of first place by debt collection, which the FTC attributes to its ramped up enforcement against companies violating the Fair Debt Collection Practices Act.
        The complaint categories making up the 2015 top 10 are:

  Number Percent
Debt Collection 897,655 29%
Identity Theft 490,220 16%
Imposter Scams 353,770 11%
Telephone and Mobile Services 275,754 9%
Prizes, Sweepstakes and Lotteries 140,136 5%
Banks and Lenders 131,875 4%
Shop-At-Home and Catalog Sales 96,363 3%
Auto-Related Complaints 93,917 3%
Television and Electronic Media 47,728 2%
Credit Bureaus, Information Furnishers and Report Users 43,939 1%

        The founder and president of Javelin Strategy & Research, a company mentioned in a 2012 identity theft video, has since warned that social media users are a growing target for identity theft.

        A 2012 BankRate.com article  says that paying with a credit card or debit card makes you vulnerable, and mobile phone users are also a target.
        In March 2014, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray warns, “your information is always at risk, every day.”
        My own interest in the topic likely dates back to 2002 when Walter Kevin Scott – a convicted felon – was working as benefits manager for the Indiana Public Employees’ Retirement Fund (PERF).  Mr. Scott had used a false Social Security number in the hiring process, and the State of Indiana had hired him unaware that he had served time in a federal penitentiary –  for identity theft!
        During his trial it was disclosed that from November 2001 to August 2002, Scott had unlimited access to the Social Security numbers of 1.2 million current and former public employees and their families  –  the equivalent of nearly one in every six Hoosiers.  Investigators found personal information and pension fund balances of 750 people during a search of Scott’s home after he quit working at the fund.
        A few years later we began to hear more about breaches, most notably in universities.  In May of 2005, the Lafayette Journal and Courier listed ten universities that had already reported breaches in that year, including Purdue and IU.  Also in 2005 it was reported that identity thieves set up fake businesses and gained access to up to 160,000 consumer records from data broker ChoicePoint.
        Heartland Payment Systems Inc. – one of the largest processors of credit and debit card transactions in the U.S – was hacked in 2009.  With vague explanation, one local bank sent new debit cards to replace ones that were not even near expiration.  When the Target and Home Depot names appear in the news we all noticed, but how many of us would even recognize the name Heartland Payment Systems or ChoicePoint?
        The Identity Theft Resource Center (ITRC) tracked 781 U.S data breaches in 2015, the second highest number since it began tracking breaches in 2005.

Top breaches in 2015:

  • Business sector 40%, up 8.1%
  • Health/Medical sector 35.5%, down from 44.1%
  • Banking/Credit/Financial 9.1%, nearly double the number reported in 2014
  • Government/Military 8.1%
  • Education sector 7.4%


        The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure.  As of March 16, 2016, the ITRC reports 155 breaches with 4,314,045 records exposed.
        In 2014 Krebs on Security reported that a nationwide beauty products chain discovered a breach in its payment systems and a fresh batch of 282,000 stolen credit and debit cards reportedly went on sale in a popular underground crime store.  That same month, Indiana University reported that information including names, addresses and Social Security numbers of those who attended any of the university’s campuses from 2011 to 2014 was unsecured for more than 11 months because security protections weren’t working correctly.
        Purdue associate professor of communication Josh Boyd states, “The recent security breaches . . .  are a good reminder that the online environment involves no guarantees.  If you put information online and somebody really wants it, it’s vulnerable.
        The use of a credit monitoring service cannot prevent ID theft, but it may help you to discover fraud.  About the well-publicized Target security breach during the 2013 Christmas shopping season, Purdue professor of cyber forensics Marcus Rogers warns, “People have to be vigilant for the next six months, year, even up to two years.
        The ProtectMyID credit montoring service offered by Target is a product of Experian, a credit reporting agency, and monitors changes only to a consumer’s Experian credit report.  According to Consumer Reports, “The service can give consumers a false sense of security, and Consumer Reports can recommend this deal in its present form only as being better than nothing, and only for consumers who understand its significant shortcomings.
        Credit Karma has been advertised much during recent years.  Credit Karma is a service that provides no-cost (so-called “free”) credit scores, credit reports, and credit monitoring from TransUnion.  In 2014, Credit Karma settled with the Federal Trade commission on charges that the company “failed to take reasonable steps to secure” its mobile apps, ‘leaving consumers’ sensitive personal information at risk.
        To monitor your own reports from Experian, TransUnion, and Equifax, you may order copies through www.AnnualCreditReport.com.  For information about how to order by phone or mail, see the FTC’s “Disputing Errors on Credit Reports“.  If you’d like an estimated credit score, use a credit score estimator for which you do not disclose identity information.
        A high score can be useful at times, but do not make it your primary focus.  The Fair Isaac Corporation (the “FICO” people) tells us that 65% of a credit score is related to payment history and amounts owed.  So as it turns out, some of the actions that can increase your score also make financial sense!  Pay bills on time, every time, and don’t take on too much debt.  Then make sure that the information on your reports is accurate.
        It has become clear that no institution, public or private, is immune to data insecurity.  My guess is that by now just about every one of us has been a victim of ID theft whether we know it or not, and there’s nothing that we can do to change that.  Since there is so much that is outside of our control, it does make sense to at least control what we can.  Remain vigilant, and from today forward the less information that you provide – and the fewer places where you provide it –  the better.
        Especially if you have a rural mailbox, consider a post office box instead, and remember that outgoing mail is just as important as incoming.  For several reasons, seniors are a very vulnerable population, and if you have a loved one who is aging watch for signs of fraud.  Whether credit card statement, checking account statement, or utility bill, look through every line and understand what is behind every charge.
        Not all misinformation on a bill or in a consumer report is necessarily fraud – mistakes do happen.  But certainly make sure that all information is accurate.  If you know someone who has been denied a checking account, you might mention the ChexSystems consumer report and Bank On Tippecanoe; those outside of the Lafayette area may see Bank On Indiana.
        The CFPB explains how to check a minor child’s reports from the three major credit reporting companies.  The Indiana Attorney Generalinforms consumers how to place a security freeze with Equifax, Experian, and TransUnion.  The Attorney General has also produced an ID Theft Victim Kit that outlines the steps to follow if a consumer becomes aware that personal information has been stolen or used by someone else.
        Considering the outrageous number of major breaches reported during the past three years I’ve just been unable to keep up with tracking.  Nevertheless, quite some time ago I reached the same conclusion as Lafayette editorial cartoonist Dave Sattler following Jimmy John’s September 2014 breach, “The recent security breach by Jimmy John’s as well as Target, eBay, and Home Depot has many wondering How do we protect our identity . . .  One way is to bring back an old friend . . .
        Take care.

Kurt Burnett

 

Leave a Comment