sale or publication
This page highlights recent examples of large-scale exposure
of sensitive consumer information through sale of that
data or its unintentional publication.
It covers -
ChoicePoint
Major reference agency ChoicePoint sold the personal financial
information of 145,000 people to criminals purporting
to be legitimate businesses.
The incident has attracted particular attention because
ChoicePoint initially sent notice of breach only to Californians.
Following criticism after announcement of its security
failure it spent US$11.4 million during the following
six months on credit reports and credit monitoring for
victims.
Wachovia
In 2005 US police charged Orazio Lembo and bank employees
working for Wachovia, Bank of America, Commerce Bancorp
and PNC Bank with selling customer information to over
40 debt collection agencies, law firms and others. The
data included names, account numbers and balances regarding
over 500,000 consumers.
Lembo's gang reportedly operated for over four years,
with Lembo pocketing several million dollars. He was also
charged with narcotics, forgery and theft counts.
Gratis
New York attorney general Eliot Spitzer sued Washington-based
Gratis Internet for selling email addresses, despite that
organisation's promise of confidentiality to consumers,
in what is claimed as "the biggest deliberate breach
of Internet privacy".
Consumers thought that they were simply registering to
see a site. Contrary to a Gratis statement that it "does
not ... sell/rent e-mails" it allegedly sold 7 million
addresses to three independent marketers, resulting in
hundreds of millions of spam
messages.
Call Centres
In 2005 the London Sun illustrated concerns about
offshoring call centres by buying information about 1,000
UK customers from a Delhi call
centre worker for £4.25 each. The information
included bank account details, passwords, addresses, phone
numbers and passport details. The worker reportedly indicated
that he could provide information on up to 200,000 accounts
each month. India's IT & communications minister commented
that the government had nothing to do with the "freak
incident".
In 2006 Nadeem Kashmiri of HSBC's Bangalore call centre
was arrested after over £230,000 was stolen from
the accounts of British customers, with claims that he
sold confidential information to a criminal gang.
During the same year Australian current affairs program
Four Corners revealed the sale by an Indian call centre
of personal information
about Australians, including birth certificate details,
ATM numbers, passport and driver licence details, phone
numbers, address (including time at that address), marital
status, number of dependants, occupation, job title and
employer's business name.
South Korean ISPs
During 2006 personal information regarding some 8.37 million
high-speed internet subscribers in South Korea was sold
by staff of four leading ISPs: KT, Hanaro Telecom, Onse
Telecom and Thrunet. Former and current staff of the ISPs
appear to have sold customer names, identification numbers,
telephone numbers and addresses to marketers for around
US$0.01 per head.
Critics alleged that management of the ISPs was negligent
(if not complicit in the sales) and, as highlighted in
the final page of this note, initiated class action for
damages.
KDDI
In 2006 Japanese telecommunications group KDDI confirmed
that information about 3.9 million of its DION internet
customers, as of 2003, had been provided to a third party.
The data included names, gender, addresses, birth dates
and telephone numbers, although apparently not bank details
and passwords. Akio Minomura and Akihiko Torii are suspected
of having sought to extort some ¥10 million from KDDI
in exchange for the information.
IPCC, USN and Air Miles
In 2006 personal details of 20,000 people who made complaints
about the Hong Kong police appeared on the net. Publication
of the data, originally provided to the HK Independent
Police Complaints Council (IPCC), was apparently accidental.
The IPCC database contained full details of complaints
made from 1996 to 2004, including the dates of each complaint,
full name of the complainant, their address, the nature
of alleged offences, information on allegedly corrupt
police and the outcome of complaints. Corporate monitor
webb-site.com has speculated that the publication may
have occurred when an IPCC contractor mistakenly copied
the files onto a commercial server in the course of maintenance
work.
Also in 2006 the US Navy reported that five spreadsheets
with sensitive information on some 28,000 personnel and
their families were posted on a civilian web site. The
spreadsheets included names, Social Security numbers and
birth dates.
The Navy announced that it had "moved quickly to
have the spreadsheets taken down" and of course had
"no evidence that any of the compromised information
has been used fraudulently".
A month later the Naval Safety Center reported that it
had discovered personal information on over 100,000 Navy
and Marine Corps aviators was publicly accessible on its
site. The data included Social Security numbers. The same
data was featured on 1,083 web-enabled 'safety program
disks' mailed to all USN and Marine Corps commands; the
Center said it was "working to recall the disks".
The Privacy Commissioner of Canada reported
in 1999 that Canadian business Air Miles left 50,000 records
of people in its loyalty program (the dot-ca version of
Australia's Frequent Flyer scheme) on its site "for
several months and possibly for as long as a year".
The information included the individual's Air Miles card
number, name, home phone numbers, email addresses, business
name and phone number.
ADP
In 2006 Automatic Data Processing (ADP), one of the world's
largest payroll service companies, confirmed that it had
provided a scammer with personal information of investors
who had purchased stock through brokerages that use ADP's
investor communications services. Fidelity Investments
indicated that the breach compromised 125,000 of 72 million
active accounts; Morgan Stanley said 3,800 of its clients
were affected; UBS said 10,000 of its clients were affected.
The data included investors' names, mailing addresses
and the number of shares they held in certain companies.
It apparently did not include Social Security numbers
or brokerage account numbers.
ADP commented:
We have been advised that the information disclosed
was not sufficient by itself to permit unauthorized
access to your account, and we have no evidence that
the information on the lists has been improperly used.
However, we recommend that you be alert to any unusual
or unexpected contact or correspondence