[Dataloss] CA: Identity Thefts Traced to Graduate Healthcare

Al Mac Wheel macwheel99 at wowway.com
Wed Jun 4 15:56:33 UTC 2008 

The fact remains that according to the FTC, one of the largest growing 
areas of identity theft exploitation is the filing of false tax returns in 
the name of the identity theft victims.  Congress had to hold hearings into 
how brain dead the IRS has been in dealing with this mess.  One of the 
reasons it is growing so fast, is the IRS is crooked-friendly, in how it 
handles victims of identity theft.

I remember an FTC report that went back further than this one, but now 
cannot find the link.  My memory is that it is now bigger than 10% of id 
crimes, but 10 years ago it was smaller than 1% of them.

In the 2007 FTC statistics (52 pages), which include information gathered 
from other organizattions, in some categories they compare statistics 2005-2007
* types of id fraud
* number of complaints vs. amount of $ stolen
* how the money was stolen
** dominated by credit card, wire transfer, debit credit bank card
* how people got contacted
* age of victims
* victimization by geography
http://www.ftc.gov/opa/2008/02/fraud.pdf
23 % of id theft was credit card fraud
18 % was utilities fraud
14 % was employment fraud
13 % was bank fraud

but if you compare their statistics over many years, you can see some kinds 
of fraud are growing much more rapidly than others, such as phony income 
tax returns

The metropolitan areas with the highest per capita rates of reported 
consumer fraud complaints were Albany-Lebanon, Oregon; Greeley, Colorado; 
and Napa, California.

ID Theft tops the list of complaints to the FTC
32 % of complaints for that reason
8 % is the next highest category
http://www.consumeraffairs.com/news04/2008/02/id_theft.html

There's phishing to get people's IRS info.
http://www.irs.gov/individuals/article/0,,id=96596,00.html


, Casey, Troy # Atlanta wrote:
>Seems to me that to e-file for taxes, you have to provide either a
>pre-selected PIN or the Adjusted Gross Income (AGI) from the previous
>year's 1040.  Assuming the thieves here did in fact e-file - and not
>send in paper forms - they would have had to have the AGI for the
>previous year for each student they filed for.  Of course, the
>university's financial aid department would have that information, but
>it seems unlikely that United Healthcare would have had that.
>
>So it looks to me like the trail would lead back to someone at the
>University that had (or gained) access to both the health insurance info
>and the financial aid info, assuming these were in fact e-filed.
>
>Just thinking out loud,
>Troy
>
>-----Original Message-----
>From: dataloss-bounces at attrition.org
>[mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor
>Sent: Tuesday, June 03, 2008 7:38 PM
>To: Michael Hill, CITRMS
>Cc: dataloss at attrition.org
>Subject: Re: [Dataloss] CA: Identity Thefts Traced to Graduate
>Healthcare
>
>Its interesting that identity thieves are taking the theft of personal
>information to new levels - filing IRS tax returns in the names of the
>victims for tax refunds!  This is the result when business processes
>(eFiling) are modified to take advantage of electronic efficiency
>without taking security into consideration.
>
>There are thousands of such business processes waiting to be exploited
>IMO - credit card numbers are just the tip of the iceberg.  What makes
>this especially problematic is that most business processes are not as
>standardized as credit card processing, and consequently have many more
>vulnerabilities due to their variability.
>
>Companies and government agencies are well advised to start reviewing
>their business processes for security - specifically authenticity and
>integrity - before issuing any money or benefits.  However, this is
>easier said than done - business people and management consultants don't
>know enough about security, while security consultants don't know enough
>about business processes.  Attackers will be sure to exploit this gap
>for some time to come.
>
>Arshad Noor
>StrongAuth, Inc.
>
>Michael Hill, CITRMS wrote:
> > http://www.newuniversity.org/main/article?slug=identity_thefts_traced_
> > to156
> >
> >
> > United Healthcare, the provider for UCI's Graduate Student Health
> > Insurance Program, admitted that it was the source of identity thefts
> > of past and present UCI graduate and medical students on Wednesday,
>May 28.
> >
> > Beginning in February, UC Irvine graduate students who attempted to
> > submit income tax returns electronically were informed by the IRS that
>
> > their had already been filed, provoking complaints to the UCI Police
> > Department to solve the identity thefts. To date, all 155 reported
> > victims were participants in UCI's Graduate Student Health Insurance
> > Program.
> >
> > UCI is currently making efforts to provide identity theft victims with
>
> > sufficient information to solve the problems caused by the situation.
> > UCIPD sent out the first crime alert on March 20 and has released
> > periodic updates with more information. In addition, affected students
>
> > will also be provided a guide to prevent identity theft and fraud in
> > the future.
> >
> > Administration has assured students that data security is their top
> > priority. IT security teams meet regularly in discussion of security
> > problems and practices. UCI's computer safety Web site, located at
> > security.uci.edu, provides students with information on how to protect
>
> > their computers from cyber attacks. The site also discusses recent
> > security concerns and email scams.
> >
> > UCI's financial aid office has set up emergency loans available to
> > victims of identity theft whose delay in receiving their income tax
> > refund has affected their financial status.
> >
> > [...]
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>
>Tenable Network Security offers data leakage and compliance monitoring
>solutions for large and small networks. Scan your network and monitor
>your traffic to find the data needing protection before it leaks out!
>http://www.tenablesecurity.com/products/compliance.shtml
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>
>Tenable Network Security offers data leakage and compliance monitoring
>solutions for large and small networks. Scan your network and monitor your
>traffic to find the data needing protection before it leaks out!
>http://www.tenablesecurity.com/products/compliance.shtml

More information about the Dataloss mailing list