Archive for September, 2009

Identity Theft Hits UCI Graduates and Medical Students

Monday, September 28th, 2009

According to the UC Irvine Police, 93 UCI graduates and medical students who graduated between 2006 and 2007 have had their identities stolen. Perhaps not in the traditional way, but all 93 of them have been informed by the IRS that they have already filed their tax returns. The identity thieves, whoever they may be, are filing false tax returns in their names and collecting the money.

Filing false tax returns is a crime that doesn’t take money directly out of your pocket but does prevent you from collecting from the government what is yours. According to the IRS, the students will eventually receive their tax returns; however, the bigger problem is who has the information and what else they are going to do with it. With the information needed to file a tax return, the criminal could do just about anything, including applying for credit cards and opening bank accounts.

Another big question is how the information got out. The University is working hard to figure that out and is still looking for the solution. There is no sign that the University’s computer systems have been breached, but the University will continue its investigation until it finds answers.

UNC data breach affects 662,000 women

Monday, September 28th, 2009

Women who get mammograms improve their chances of surviving breast cancer, but 236,000 women who get mammograms in North Carolina are now at an increased risk of becoming ID theft victims because a hacker attacked a University of North Carolina server containing their information.

Among the compromised records were those of 163,000 women that included their Social Security numbers, placing them at a very high risk of identity theft.

The accessed server at UNC-Chapel Hill contained information from the Carolina Mammography Registry, a compilation of data from 31 mammography sites in the state. The project is funded by the National Institutes of Health.

Little is known about the breach, which was discovered in July. Forensics experts haven’t yet been able to determine who committed the attack, its origin, or its impact. One thing they have learned, however, is that some of the viruses were installed as far back as 2007.

The university waited to notify individuals until they knew how many women were affected and could identify them, according to university officials.

The compromised server was one of two that stored a total of more than 662,000 women’s information. The second server wasn’t part of the data breach. 

Social Security numbers used to be used as patient identifiers, but no longer are. That’s why only some of the records included Social Security numbers, which are considered the most valuable information for identity thieves.

One of the biggest worries now for the researchers who study the compiled information is that the data breach may cause them to lose their NIH five-year, $2 million grant in the future.

Social Networking Sites Leaking Personal Information to Third Parties

Friday, September 25th, 2009

Social networking sites have been a topic of discussion in security circles for some time now. Everyone has heard or read a story about how you should be careful about what you put on a social networking profile because that information could be used to steal your identity.

But what about the information that is leaked out of social networking sites in order to target advertisements at you? According to a study done at AT&T Labs and the Worcester Polytechnic Institute, several social networking sites are leaking personal information about you. They take information about you from your profile and your viewing habits, which is then stored in a cookie and used by data aggregators.

What does that mean? It means the social networking sites store who you are, what you like, and what you look at so that advertisers can target people who would most likely be interested in a product or service. That’s not all, though: once they have this information, they can track where you go and what you see when you’re not on the social networking site. If they have a tracker on another site you visit, they will see that you visited that site and can match your IP address to your social media profile, which makes browsing the Internet less anonymous.

This is truly scary and bothersome. I know it’s a good way to make ads smarter and better targeted to a specific audience, but I don’t like my information being released like that. I am not worried about what the aggregators and advertisers are doing with the information; I’m worried about how secure the information is.

This could be a security threat and could lead to people stealing this information and using it to steal identities. Many data breaches are a result of a company or organization giving information to a third party who ends up losing it. I am sure that this type of information would be helpful in the pursuit of identity theft.

So once again be careful what information you put on your social networking site. The less a stranger can find out about you the better. Try not to use your full legal name and leave out your birthday or use a fake one when possible. Never allow yourself to give out information that could be a part of a security question, like the name of your pet or your mother’s maiden name. If your mom is on Facebook and has her maiden name as her middle name make sure she leaves it out, so people can’t just look for family and find it. Things like these can make your social networking experience a lot more secure.

LifeLock Receives ACE Award

Monday, September 21st, 2009

LifeLock received the Arizona Corporate Excellence (ACE) award last night. The ACE Award is given out by the state of Arizona to companies that show promise and excellence. LifeLock was recognized as the fastest growing company in Arizona. LifeLock was selected for the ACE award based on revenue growth over the last 2 years. They took into consideration the actual dollar amount as well as the percentage revenue growth over those last 2 years.

LifeLock was of course very happy to accept the award and was honored to have received it. LifeLock CEO Todd Davis said “We’ve seen phenomenal growth over the last few years, and I’m proud of my team to meet the challenges that come with the fast-changing dynamics. I’m also proud to be helping to build our community right here in Arizona.”

It’s good to see LifeLock doing so well in a down economy, a time when identity theft is at its worst. Over the last year ID theft is up 22% to 9.9 million. It’s good to know that a company like LifeLock is going to be here for a long time protecting its customers from identity theft. LifeLock has been the leader in identity theft protection for some time now, and even with setbacks and a changing dynamic they are still offering better and more innovative ways to protect your identity.

Sept. 23 deadline for health-care data breach, ID theft risk notification rules

Monday, September 21st, 2009

Health care related businesses have only two more days to prepare a data breach notification plan. A new rule requiring that health care providers, insurers and clearinghouses must notify individuals whose information has been inappropriately accessed goes into effect September 23.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

The notification is to be made “as soon as reasonably possible,” but in most cases within 60 days of discovery. An exception to this provision is made if law enforcement requests a delay, a common occurrence when an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, the Department of Health and Human Services (HHS) could determine the covered entity failed to meet the provision if notification could have been made sooner.

If the breach involves 500 or more people, HHS and the media have to be notified. All other smaller breaches should be reported annually.

Another exception to the rule is encrypted or destroyed information. If a hacker breaks into a server or database that the health care entity has taken measures to adequately protect, the entity is off the hook and doesn’t have to make any notification.

Data breach is defined as “the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information” or that means a “significant risk of financial, reputational or other harm to the individual.”

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Man gets 15 years for Leading ID theft Ring

Monday, September 14th, 2009

Larry Alan Hayes, 41, was convicted of identity theft and sentenced to 15 years for his crimes. Hayes asked the judge for a second chance to turn his life around, but the judge wasn’t going to have it. According to the judge, society needs to be protected from people like him. Hayes was convicted of six counts of identity theft, six counts of possession of stolen property and two counts of possessing a stolen vehicle.

It seems that Hayes was a fan of luxury vehicles, since he had in his possession a 2007 Hummer 3 and a 2007 Chevrolet Tahoe. They also found high-end motorcycles and parts from stolen Harley-Davidsons. His ID theft ring used 800 old credit card receipts stolen from a storage unit used by a hair salon chain to create fake credit cards. The fake credit cards were then used to buy or rent merchandise in Washington, Idaho and Oregon.

Apparently it was about more than just the money for Hayes. He was apparently addicted to drugs, and many of his identity exploits were driven by the need for drugs. People testified on behalf of Hayes, saying he is a decent man when sober and with some help could turn his life around.

It is sad to see someone who can’t stop what they are doing because of a drug addiction. So many times you see identity theft cases tied to addictions. There seems to be a connection between them and it is heartbreaking every time you see it.

I hope that Hayes does turn his life around and what he said wasn’t just a show for the courts to try and get his sentence reduced.

Student ID Theft – Computer Safety Explained!

Friday, September 11th, 2009

I have written several articles on how to stay protected from identity theft while in college. I have written many talking about how you should keep your sensitive documents secure by using a safe, and I have discussed keeping your computer safe using passwords and a laptop safe. It has come to my attention that perhaps a more in-depth discussion of Internet and computer safety might be needed.

I don’t feel I went into as much detail as I could have when talking about computer safety. So this post is going to be all about how you can do simple things to prevent an identity theft at your school or college.

Physical Protection

Always know where your laptop is and make sure it’s secure at all times. This is where the laptop safe that I mentioned in an earlier post comes in handy. You can lock up your laptop and know no one is using it. Desktops can be secured to desks and other furniture to prevent theft. Don’t think thieves won’t take your desktop; they will.

Your Computer

Make sure you always have a password for your account login. This will not protect against everyone, but will prevent casual encounters with your account. People who know what they are doing can get around your account password, but some protection is better than none. You can also enable the screensaver login so that your computer will lock itself when the screensaver comes on.

Make sure you have anti-virus protection. This will prevent you from getting malware that can steal your login information for any website you log in to, including your bank account. Keep it up to date and update it often. Many people get their laptop and never subscribe to the definition updates. I know it costs money, but it’s worth it to keep your laptop safe.

Internet and Network Use

Be careful what you do on the school’s network. Many schools have large networks and there are many people on them. Be careful what files you are sharing on your computer. When placing orders over the Internet, make sure they are encrypted so you don’t send your account information over the Internet unprotected. This also applies to any online accounts. Before you log in, make sure that the address includes https: this means the connection to the site is encrypted and you should be relatively safe. Most web browsers will display a little locked padlock in the address bar to alert you when sites are encrypted and an unlocked padlock when they are not.

Be careful what information you put on your social networking sites. Even if you protect your information from strangers, hackers have been known to hack into your friends’ accounts and harvest information from them and all their friends. Be careful never to provide information that would be part of a security question, like your mother’s maiden name or your pet’s name. All this kind of information is stuff people might put on a Facebook or MySpace profile. It might not be under the information section, but a picture with your mother or pet with the proper tags might just be the ticket to getting into an online bank account for the thief.

Mail accounts are a great place to obtain login information that would allow access to many things you don’t want people to see. Most web email providers encrypt their login and webmail applications. Be careful, however, when using a mail client like Outlook or Apple Mail that you set up the mail account to use a secure login. If you don’t, it won’t use an encrypted login and will send your login information right over the network to be seen by everyone.

Peer-to-peer clients like Limewire are a lot of fun, but getting your identity stolen because of them isn’t. Plus most of them are illegal anyway, so just stay away from it altogether. The question you might be asking is: does that include torrents? Yes, don’t use torrents either; there have been recorded cases of hackers using torrents to steal information and identities.

Face to Face with your Identity Thief

Monday, September 7th, 2009

Identity theft is a crime that typically stays anonymous. There aren’t that many people out there who actually get to see the face of their identity thief. Identity theft is a crime that is hard to track. Thieves can change names and identities quickly, and it’s not a question of what they are doing but who is doing it. What they are doing is easy to track; it’s who is doing it that makes it difficult.

One Seattle woman actually got the chance to meet her identity thief when the thief walked into the JC Penney where she worked and tried to obtain a credit card.

Michelle McCambridge, back in January, discovered that her identity had been stolen when she began to receive credit statements from several department stores that she didn’t ask for. After she filed a report and some official investigations, federal agents recovered security photos of the thief applying for the credit cards in her name. Michelle didn’t recognize the identity thief because they had never met, that is, until about a week later.

A week after seeing the identity thief’s face in photos, Michelle got the chance to see it up close and personal. Michelle’s identity thief was attempting to apply for a credit card at the JC Penney where Michelle worked. Not only did the identity thief apply for the card at the same department store Michelle worked at, but at the same counter Michelle worked from.

When Michelle saw the woman standing in front of her counter asking about a credit card account, she recognized her from the security photos. Her heart skipped a beat, and she calmly excused herself from the counter and notified the security staff to focus on her. The security staff was able to get a pretty good look at the identity thief.

Unfortunately the police were not able to catch her right then and there. After the credit card was denied, the thief left without a scene. Michelle’s efforts weren’t in vain, however; they did help connect the crimes when investigators finally caught the perpetrators. One of the identity thieves was arrested a couple of weeks later trying to take out a credit card at a Kohl’s department store.

In this case it wasn’t just one person; the identity thefts were all connected to an identity theft ring consisting of at least 5 people. The identity theft ring was responsible for the theft of 39 different identities.

Dorm Room Identity Theft – Keep Your Child Safe

Friday, September 4th, 2009

College is a great time in a young person’s life. They get their first taste of freedom from their parents, but at the same time live in security that their parents will take care of them to some extent. Keeping your child’s personal information secure while they’re at college is something you might think about, but I guarantee they aren’t. There are a couple of things a college student can do to keep his or her personal information secure.

Dorm rooms are the perfect place to steal private information. There’s almost always more than one person living in a dorm room, which means your child may not be able to control who goes in and out of the room. For this reason it’s a good idea to provide your college student with a safe that can hold documents that have private information on them, like credit cards and bank statements. Not all safes are super heavy; a 25-pound safe would be big enough to deter someone looking for a quick information grab.

The other item I would suggest having when living in a dorm room is a laptop safe. People always talk about locking up their sensitive papers, but think about the personal information on one’s laptop. Sometimes the information that can be found on a laptop can outweigh that of an entire filing cabinet. A device, like the one shown above, is designed to deter someone from swiping a laptop from your dorm room. It mounts to the wall and locks to prevent theft. If you have a desktop, you can anchor it to the desk using special computer locks. Also make sure that you have your computer password protected and all sensitive files protected by a password.

These two suggestions are just the beginning of protecting one’s identity while at college. There are many other ways to increase identity theft protection, but at least these two will help prevent dorm room identity theft.

Colleges and Universities report 9 data breaches in August

Thursday, September 3rd, 2009

August was an especially busy month for hackers, thieves and inept university IT employees. There were nine reported data breaches at American educational institutions last month: hackers were blamed for two, thieves for three, and inept employees who inadvertently exposed personally identifying information caused three more.

The ninth incident occurred at the University of Texas, Brownsville and involved student and employee fraud. The security breach involved stolen test answers and no personally identifying information was revealed.

The total reported number of compromised records is low—roughly 2,000—but three of the universities failed to reveal the number of compromised records, so the total is undoubtedly higher.

  • University of Oregon
    Unauthorized disclosure
    Roughly 20 student records exposed because of a flaw in the university’s degree auditing system.
  • University of California, Berkeley
    School of Journalism
    Hacking
    Names, birth dates, and Social Security numbers of 493 students who applied for admission between September 2007 and May 2009 were vulnerable when the school’s web server was breached.
  • Louisiana State University
    Unauthorized disclosure
    Number of affected records unknown
    Students’ personal information, including names and Social Security numbers, was inadvertently posted on an LSU web site.
  • Northern Kentucky University
    Computer theft
    Names and Social Security numbers of at least 200 current and former students were contained on a laptop stolen from an on-campus, secured location. There was no mention of whether the information was encrypted or password-protected.
  • California State University, Los Angeles
    Computer theft
    Names, addresses and Social Security numbers of more than 600 CSULA employees and former students were contained on two desktop computers and 12 laptops stolen from campus.
  • Boston University
    ROTC Program
    Unauthorized disclosure
    6,675 ROTC students (406 from BU; the balance from other ROTC programs around the country) were affected when their records were inadvertently exposed on the Internet via a file-sharing program installed on a university computer.
  • University of Massachusetts, Amherst
    Hacking
    Number of affected records unknown
    20 years of student records exposed in a data breach, which occurred last year between September 15 and October 27. Information includes names, Social Security numbers and some credit card information of current and former students who attended the university between 1982 and 2002.
  • Bluegrass Community and Technical College, Lexington, KY
    Theft
    Little information is available, other than that personal information including Social Security numbers of 100 or fewer students was stolen from the college.

Information for this post was gathered from ESI (Education Security Incidents). For more information on data breaches at colleges and universities, visit www.adamdodge.com/esi/month/2009/08.