US federal investigators have uncovered a massive identity theft scheme that is thought to have spanned nearly three years and involved more than 30,000 victims.
Three men have been charged in relation to the bust, which so far has resulted in more than $US2.7 million in losses, according to a statement issued by James Comey, US attorney for the Southern District of New York. The scam is believed to be the largest in US history.
The US Federal Bureau of Investigation (FBI) has arrested Philip Cummings, who is said to have started the scam while working at the help desk of Teledata Communications (TCI). The Bay Shore, New York, company provides banks and other entities with credit reports, combining information collected by credit rating agencies Equifax, Experian Information Solutions and Trans Union.
Beginning in 1999, Cummings had access to the passwords and codes used by TCI's customers to access credit reports, authorities say. During that time, Cummings is alleged to have given passwords and codes to a co-conspirator and collected roughly $US30 for every credit report obtained using the stolen codes.
One man, Linus Baptiste, has been charged with wire fraud in relation to the case. A second man arrested, Hakeem Mohammed, has pleaded guilty to charges of mail fraud, authorities say.
With the illegally obtained credit reports, some victims reported having their bank accounts depleted, while others reporting having credit cards, checks and ATM cards sent to unauthorised locations.
The passwords and codes stolen for use in the scam belonged to various entities that request credit reports for their customers. Those entities included banks, credit services, and an apartment complex.
Ford Motor Credit is expected to be one of the hardest hit, as authorities alleged that as many as 15,000 credit reports were illegally obtained using a password and code from the creditor's branch in Grand Rapids, Michigan. Ford Motor Credit says it had been receiving complaints from its customers who had been victims of identity theft and fraud.
Other compromised passwords and codes belonged to Washington Mutual Finance, in Crossville, Tennessee, and Washington Mutual Bank, in Florida, as well as various banks around the country. All the systems that allegedly were breached belonged to TCI customers, according to the statement.
One observer says the crime was only partly a technology problem.
"It was technology-assisted, but the real problem was that this helpdesk employee was given access to a token that was the launchpad for fraud," says Jerry Brady, chief technology officer of Guardent, a security research company in Waltham, Massachusetts.
"There are certainly good practices to control the authority of help desk personnel. It sounds like they weren't being used."
In 2000, the US Federal Trade Commission reported approximately 500,000 people were victims of identity theft, according to data provided by Kroll, a security consulting company in New York. In 2001, that number rose to approximately 700,000, Kroll says.