Next to the recipient's name and address was a 40-character source code containing the addressee's nine-digit Social Security number. For alert fraudsters, it was one special delivery.
According to the company, the inadvertent glitch was included in less than 3% of the promotional mailings. (The expanse of the campaign was not made public.) Within 72 hours of the December mailing mishap, H&R Block notified customers whose private data it broadcast via the postal system.
Unfortunately, this is the season when such data is legitimately plastered all over the place. We're now entering the identity thief's version of the annual donor drive.
When wheels are a steal
"January is when we all get our tax documents from banks, credit unions, brokerage houses, state and federal governments, and employers. And thieves know this," says credit expert John Ulzheimer, formerly of Equifax and Fair Isaac
It was June when Laura, a technology consultant in Jacksonville, Fla., got a past-due notice for a car loan for a $52,000 Corvette. The problem was that Laura and her husband hadn't purchased a Corvette -- they owned their cars outright. When she called the dealership, she found out that someone fraudulently used her name, address, and Social Security number to get a loan and keys for the car, she told Credit.com.
Later, Laura learned that the actual theft of her identity had taken place in late January. The timing was no coincidence: The fraudster (who was caught) admitted that she targeted mailboxes in Laura's townhouse community when she knew paychecks and bills would arrive. During the last two weeks of January, she struck gold daily, prying open the mailboxes with a knife to get to W-2s, 1099s, and other information-rich tax-related documents.
It's one thing when thieves pick our locks. (According to a recent CNET article, only about 8% of identity theft cases were linked to mailbox breaches.) It's quite another when the companies that compile and profit from this data practically hand the butter knife to bad seeds.
Your very public privacy
The H&R Block blunder is just the latest high-profile data breach at companies entrusted to store and secure personal consumer information.
Last year, data warehouse ChoicePoint
More recently, folks who bought a Marriott
That's a lot of oopsy daisies.
According to Federal Trade Commission statistics, identity fraud (when someone opens new accounts in other peoples' names or accesses and uses existing accounts) affects approximately 10 million Americans each year at a cost of more than $50 billion, mostly to duped businesses.
It takes some identity theft victims years and thousands of dollars to clear their name and credit track record. At worst, some victims are denied insurance, jobs, and even arrested for crimes they did not commit due to the fraud.
Scenes of the crime
There's no getting around it: If you want a loan, a job, insurance, and a host of other things that make your day run smoothly, you're going to have to unlock your personal Fort Knox.
Most transactions go smoothly (save for the occasional human resources employee snickering about your given name, Wilbur). But as more providers require customers to submit sensitive information, the opportunity for security breaches widen.
"The real story here is the lack of standard privacy protections by businesses," says credit expert Emily Davidson at Credit.com. "Thousands of companies have consumer information on file, and in most cases it's a 'scouts honor' privacy agreement."
Consider this list of entities:
- Video stores often keep credit card and address information on file.
- Gyms collect all kinds of application and membership information, particularly if you sign up for automatic monthly billing.
- Sports teams often ask for Social Security numbers. Davidson says that this is a common source for child identity theft.
- Child-care programs, too, require detailed identity information about kids in their care.
- Schools and universities are a target for data theft due to the volume of personal records stored in one place.
- Utility companies often check consumer credit as part of the application process and keep customer Social Security numbers on file.
- Payday lending offices aggregate detailed records of their customers and are commonly located in high crime areas.
- Banks are notorious data theft victims. Data is often intercepted when it is transferred by mail on data tapes.
- Tax preparers have access to your Social Security number, address, employment history, account information, and more.
- Accountants and financial planners keep detailed records on their clients.
- Car dealerships may keep your personal information in their files, particularly if you arrange financing through the dealership.
- Employers keep your Social Security number and more on file for payroll and reporting purposes.
- Retail stores ask for sensitive data when you apply for a store credit card, or even when turning in a job application.
- Medical offices are now required to implement new privacy policies, but until compliance is 100%, they remain a robust source for identity information.
"These companies don't mean to put your information at risk, but many simply don't have the measures in place to protect your data," Davidson says. "All it takes is one break-in or corrupt employee to create an identity theft crime scene."
Statistically, the chances of you becoming a victim of full-blown identity theft are relatively small. Most of those H&R Block mailing labels are probably already in landfills. (If you were the recipient of one, or have any questions, the company set up an FAQ on its website: http://www.taxcut.com/answers/.) More likely on the identity-related crime spectrum is that a consumer will be the victim of identity fraud (e.g., the use of an existing credit card or the establishment of new lines of credit in the victim's name). Full-blown fraud occurs in only about 2% of accounts that are compromised, a Visa spokeswoman told CNET.
Still, that's little comfort to consumers who now find themselves on the front line of identity data policing.
Protecting your good name and credit
The best way to stop fraud is to safeguard your information. Below are links to more information on keeping predators at bay:
Once you provide your information to a service provider, shepherding its safekeeping is out of your hands. The key is to keep an eye on your score sheet (your credit file) for any unusual activity. At the very least, be sure to check the free reports you're entitled to annually from the three major credit reporting companies (here's how). After that, keep your eyes peeled.