E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: Toronto Star

Posted on February 17, 2003

by Tyler Hamilton

      Financial Insights, a Boston-area technology consultancy, has estimated it takes about 14 months before an identity thief's fraudulent activities begin to show up on a victim's radar screen.

      That's a long time. Long enough for a person -- say, the employee charged this month with stealing an ISM Canada computer hard drive -- to be tried, convicted and wrist-slapped for theft under $5,000.

      The big question in the ISM case is whether the employee intended to steal just the hardware or had eyes on the million or so confidential customer files stored on it. The hardware is worth a couple hundred dollars. The information, on the other hand, could potentially be worth tens of millions of dollars to a criminal skilled at assuming the identities of others to hijack bank accounts, write bogus cheques, apply for and run up credit cards and commit other forms of mass fraud.

      This doesn't take into account the social cost to the victims: the anxiety, the stressful burden of proof and the hundreds of hours it may take to clear one's name and rectify one's credit history.

      Police investigating the ISM case are so far siding with the hardware-only theory. They believe the 41-year-old employee, whose name hasn't been revealed but who worked at the information-technology and data-management company for six years, was after the 30 gigabytes of storage space, seemingly oblivious to the social insurance numbers, bank account numbers, insurance and pension plan information and other personal data digitally saved on this device.

      Uh-huh, and apparently pigs do fly. So why do the police believe this?

      Well, likely because that's what the employee told them, first of all. And besides, when police seized the hard drive, the information had been erased and overwritten with software programs and other data. This, of course, is a sure sign that the alleged thief, obviously somebody with a little technical expertise, just wanted more storage space for all his MP3 music files.

      "What information might you be referring to, officer? I haven't a clue what you're talking about," is how I imagine the interrogation.

      Police admit they can't say for sure whether the Western Digital hard drive was copied, and apparently the data on it was not encrypted or partitioned in a way that would protect the information in such unforeseen circumstances.

      Herein lies the problem that has emerged in our data-centric society: We have created, indeed, have become dependent on, technologies that can store millions of pieces of sensitive information inside something the size of a peanut butter sandwich, but we haven't spent enough time figuring out how to keep, let alone assure, that data is adequately protected -- despite promises to the contrary.

      The device was reported missing, meaning it was noticed missing, on Jan. 16. Roughly three weeks passed from the time the hard drive was determined stolen to the time the police retrieved the device. Current technologies make it possible within that timeframe to create thousands of copies of the data and distribute it through the Internet to thousands of different locations -- possibly organized crime groups -- around the world. For all we know, an identity-theft ring in Russia could be sitting on this information, waiting for an appropriate time to pounce.

      The police themselves admit they have no way of verifying whether the information was copied. So, people, you'll just have to take their word that nothing nefarious will arise over the next 14 months from this petty theft.

      No disrespect to our men and women in blue, who have been handed a nearly impossible task, but really, folks, wake up! Maybe authorities have a wildcard up their sleeves -- let's hope they do -- but it's not looking good. Either the alleged perpetrator is dim-witted in his willingness to risk a career for a low-value item, or his testimony to date is a case study in the obstruction of justice.

      I do want to emphasize that nothing has been proved in court.

      If I were Co-operators General Life Insurance Co., Investors Group Inc., the Manitoba or Saskatchewan governments, or any company that has yet to admit their customers' sensitive personal information was on that hard drive, I wouldn't be breathing any sighs of relief.

      One cannot overstate the uncertainty surrounding this privacy breach.

      Perhaps this is why the class-action lawsuit that was launched in response is still being pursued, even after retrieval of the hard drive.

      Make no mistake, the ISM case could easily shape up to be the largest identity-theft scam in North American history.

      The case is strikingly similar to the Dec. 14 theft of computer equipment from TriWest Healthcare Alliance, a Phoenix, Ariz.-based health-services contractor for Pentagon employees across 16 states.

      The hardware contained, among other information, the names and social security numbers of half a million military staff and their immediate family members.

      A lawyer for the U.S. Federal Trade Commission, quoted in the Los Angeles Times, called the size of that information theft unprecedented in the United States. The ISM case involves double the number of potentially affected individuals, giving the crown of shame to Canada.

      As these cases show, identity theft has evolved alongside the evolution of information-storage systems, which have become more centralized, faster, cheaper and capable of handling obscene amounts of data.

      Whereas the crime may have been associated in the past with individuals who search through your garbage, steal your mail or pick your pockets, only to scam you of a few hundred dollars, today's identity-theft crimes are conducted on a larger scale through organized networks.

      Financial Insights (formerly Meridien Research) estimates that banks and brokerages alone will lose $3 billion (U.S.) this year and up to $8 billion in 2006 if more steps aren't taken to crack down. The consultancy says the faceless nature of electronic transactions and payments, particularly when done through the Internet or wireless networks, make the crime effortless, virtually untraceable, indiscriminate and global in nature.

      And committing the crime doesn't require that a hard drive be stolen. Often, it's just a matter of a disgruntled employee at a company who, on a lunch break, loads a floppy disk full of thousands of customer files and hands it over to an underground network of fraud experts.

      Remember the November arrest of a Long Island computer help-desk employee? He allegedly gained access to passwords that allowed him to get bank and credit-agency profiles on more than 30,000 people. Then, with an accomplice, he sold the data to a crime network. This resulted in millions of dollars worth of identity fraud.

      I posed this question in a December column, and I'll pose it again: Do we really want our governments creating massive citizen databases to fight crime and terrorism when that information, as recent events have demonstrated, can easily fall into the wrong hands and, ultimately, be used against us?

      The fear here isn't hackers. As history has shown, it's most often the employees we work with doing the nasty deeds.

      It's a shame that ISM Canada, a subsidiary of IBM Canada Ltd., was the company to be stung by this. Parent International Business Machines Corp. is one of the most progressive companies on the planet when it comes to consumer privacy. The company has led the world in the development of privacy management and privacy-enhancing technologies. IBM has a chief privacy officer with clout. Unlike some other companies, which use the privacy card for marketing and public relations purposes, IBM seems to care about the issue.

      Last month, for example, Big Blue said it would begin demanding, as of Jan. 1 next year, that as many as 100 health-insurance providers in the United States stop using social security numbers as a form of patient identification.

      The company, which covers more than half a million current and retired employees and their family members, spends more than $2 billion a year on health insurance. It plans to use that buying clout to force change in the industry.

      The hope is that IBM's action will spark other companies to follow.

      The ISM hard-drive theft shows that even the most diligent and well-intentioned companies can slip up. And slipping up in an age where information flows, leaks and disappears so easily is not a difficult thing to do.

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.