H&R Block (NYSE: HRB ) sent out an unwelcome promotional gift over the holidays -- free tax preparation software. The objectionable surprise wasn't the contents of the box; it's what was printed on the mailing label.
Next to the recipient's name and address was a 40-character source code containing the addressee's nine-digit Social Security number. For alert fraudsters, it was one special delivery.
According to the company, the inadvertent glitch was included in less than 3% of the promotional mailings. (The expanse of the campaign was not made public.) Within 72 hours of the December mailing mishap, H&R Block notified customers whose private data it broadcast via the postal system.
Unfortunately, this is the season when such data is legitimately plastered all over the place. We're now entering the identity thief's version of the annual donor drive.
When wheels are a steal
"January is when we all get our tax documents from banks, credit unions, brokerage houses, state and federal governments, and employers. And thieves know this," says credit expert John Ulzheimer, formerly of Equifax and Fair Isaac (NYSE: FIC ) . These documents contain the magic ingredient that's missing from most mass mailings -- our Social Security numbers. "The Social Security number completes the loop on what most lenders require to complete some sort of credit application," Ulzheimer says.
It was June when Laura, a technology consultant in Jacksonville, Fla., got a past-due notice for a car loan for a $52,000 Corvette. The problem was that Laura and her husband hadn't purchased a Corvette -- they owned their cars outright. When she called the dealership, she found out that someone fraudulently used her name, address, and Social Security number to get a loan and keys for the car, she told Credit.com.
Later, Laura learned that the actual theft of her identity had taken place in late January. The timing was no coincidence: The fraudster (who was caught) admitted that she targeted mailboxes in Laura's townhouse community when she knew paychecks and bills would arrive. During the last two weeks of January, she struck gold daily, prying open the mailboxes with a knife to get to W-2s, 1099s, and other information-rich tax-related documents.
It's one thing when thieves pick our locks. (According to a recent CNET article, only about 8% of identity theft cases were linked to mailbox breaches.) It's quite another when the companies that compile and profit from this data practically hand the butter knife to bad seeds.
Your very public privacy
The H&R Block blunder is just the latest high-profile data breach at companies entrusted to store and secure personal consumer information.
Last year, data warehouse ChoicePoint (NYSE: CPS ) made headlines after it admitted unwittingly giving database access to fraudsters, who then used the information to get into a reported 144,000 individual files and rip off at least 700 people. More than 300,000 files were breached at LexisNexis (owned by Reed Elsevier Group (NYSE: ENL ) , a company that compiles and sells consumer personal and financial data. Time Warner (NYSE: TWX ) reported that a cooler-sized container filled with 40 computer backup tapes with the names and Social Security numbers of 600,000 current and former employees and contractors, as well as the information of some of their dependents and beneficiaries, was misplaced by an outside storage company it had hired.
More recently, folks who bought a Marriott (NYSE: MAR ) time share, shoppers at ladies' footwear retailer DSW (NYSE: DSW ) , and BJ'sWholesale Club (NYSE: BJ ) customers have gotten more than vacation homes, kicks, and giant cans of mayonnaise for their patronage -- they got hacked.
That's a lot of oopsy daisies.
According to Federal Trade Commission statistics, identity fraud (when someone opens new accounts in other peoples' names or accesses and uses existing accounts) affects approximately 10 million Americans each year at a cost of more than $50 billion, mostly to duped businesses.
It takes some identity theft victims years and thousands of dollars to clear their name and credit track record. At worst, some victims are denied insurance, jobs, and even arrested for crimes they did not commit due to the fraud.
Scenes of the crime
There's no getting around it: If you want a loan, a job, insurance, and a host of other things that make your day run smoothly, you're going to have to unlock your personal Fort Knox.
Most transactions go smoothly (save for the occasional human resources employee snickering about your given name, Wilbur). But as more providers require customers to submit sensitive information, the opportunity for security breaches widen.
"The real story here is the lack of standard privacy protections by businesses," says credit expert Emily Davidson at Credit.com. "Thousands of companies have consumer information on file, and in most cases it's a 'scouts honor' privacy agreement."
Consider this list of entities:
- Video stores often keep credit card and address information on file.
- Gyms collect all kinds of application and membership information, particularly if you sign up for automatic monthly billing.
- Sports teams often ask for Social Security numbers. Davidson says that this is a common source for child identity theft.
- Child-care programs, too, require detailed identity information about kids in their care.
- Schools and universities are a target for data theft due to the volume of personal records stored in one place.
- Utility companies often check consumer credit as part of the application process and keep customer Social Security numbers on file.
- Payday lending offices aggregate detailed records of their customers and are commonly located in high crime areas.
- Banks are notorious data theft victims. Data is often intercepted when it is transferred by mail on data tapes.
- Tax preparers have access to your Social Security number, address, employment history, account information, and more.
- Accountants and financial planners keep detailed records on their clients.
- Car dealerships may keep your personal information in their files, particularly if you arrange financing through the dealership.
- Employers keep your Social Security number and more on file for payroll and reporting purposes.
- Retail stores ask for sensitive data when you apply for a store credit card, or even when turning in a job application.
- Medical offices are now required to implement new privacy policies, but until compliance is 100%, they remain a robust source for identity information.
"These companies don't mean to put your information at risk, but many simply don't have the measures in place to protect your data," Davidson says. "All it takes is one break-in or corrupt employee to create an identity theft crime scene."
Statistically, the chances of you becoming a victim of full-blown identity theft are relatively small. Most of those H&R Block mailing labels are probably already in landfills. (If you were the recipient of one, or have any questions, the company set up an FAQ on its website: http://www.taxcut.com/answers/.) More likely on the identity-related crime spectrum is that a consumer will be the victim of identity fraud (e.g., the use of an existing credit card or the establishment of new lines of credit in the victim's name). Full-blown fraud occurs in only about 2% of accounts that are compromised, a Visa spokeswoman told CNET.
Still, that's little comfort to consumers who now find themselves on the front line of identity data policing.
Protecting your good name and credit
The best way to stop fraud is to safeguard your information. Below are links to more information on keeping predators at bay:
Once you provide your information to a service provider, shepherding its safekeeping is out of your hands. The key is to keep an eye on your score sheet (your credit file) for any unusual activity. At the very least, be sure to check the free reports you're entitled to annually from the three major credit reporting companies (here's how). After that, keep your eyes peeled.