- The FBI is investigating how someone made off with 13,000 credit reports from a credit reporting agency, Experian Information Solutions, during a 10-month period by posing as a Ford Motor Credit employee.
According to a letter and statement sent out by Dearborn, Michigan-based Ford Motor Credit, someone collected private information, including the work and home addresses, Social Security numbers, account numbers and credit history of 13,000 people, mostly from affluent neighbourhoods around the country. Most of the people weren't Ford customers.
Ford spokesman Dan Jarvis says the company became aware of the breach in March when it was contacted by Orange, California-based Experian, a subsidiary of London-based GUS. Experian customers had complained that Ford Motor Credit had conducted credit checks on them even though they hadn't had any contact with the automaker.
Jarvis says the fraudulent credit checks were distinguished from the legitimate Ford checks because the software the fraudster used was different from Ford's. It isn't clear whether the theft came from a hacker who broke into Ford's system and the company refuses to say how it believes the breach occurred, Jarvis says.
"We're waiting for the FBI to tell us," he says.
Experian spokesman Don Girard says he is still not sure that a hacker was responsible for the breach.
"One scenario could be that an access code was pilfered within Ford," Girard says. Experian gives large companies access codes with which they can gather credit information on potential customers.
"Who we don't give access codes to is Joe Shmo who runs a pawn shop down the street," Girard said.
Girard said no matter how the intruder got the information, Experian will press for prosecution to the fullest extent of the law.
Chris Hoofnagle, legislative counsel for the Washington-based Electronic Privacy Information Centre (EPIC), says he wasn't surprised at the ease with which someone made off with the information.
"There is not a lot of market incentive, aside from lawsuits, for the credit agencies to be more responsible," Hoofnagle says. He says credit-reporting agencies have "poor business practices" and don't place thorough safeguards on consumers' private information. He says the agencies should require greater authentication before sending out such information.
Both Hoofnagle and US Federal Trade Commission spokeswoman Claudia Bourne Farrell say the incident reinforces the need for consumers to get copies of their credit reports annually to check for suspicious entries.
Farrell says tracking how many cases of identity theft happen each year is hard to do because many different agencies gather such information. But in 2001, she says, the FTC received 86,182 complaints -- and the average time between when a theft occurs and a consumer notices is 14 months.