On Friday, the FBI arrested a former Countrywide employee and his accomplice for stealing and selling personal information (including social security numbers) obtained from people applying for mortgages. According to news sources, the number of people compromised was about 2 million.

The Countrywide inside man was identified as Rene L. Rebollo Jr., who worked at Countrywide’s sub prime lending division, Full Spectrum Lending. Also arrested was Wahid Siddiqi, who was the alleged information reseller in the caper. Both arrests took place in Southern California.

The criminal complaint alleges that Rebollo downloaded 20,000 names a week for about two years. The batches of 20,000 were sold for about $500 to Siddiqi. This amounts to about 25 cents a person compromised.

According to a spokeswoman at Countrywide, the investigation shows that 19,000 peoples information has been actually used.

Beth Givens, of the Privacy Rights Clearing House was quoted in a story about this in the LA Times and aptly pointed out Rebollo sold the information at well below known black market prices. Although the prices for stolen information — which is sometimes sold in underground Internet forums has dropped in recent years — a name that has a matching social security number is worth well more than 25 cents a pop.

The official spin is that this information was used for leads to sell real estate, but my speculation is that how would anyone know for sure? According to the news reports, the information was being sold to companies. The FBI posing as a company was able to buy records for Siddiqi.

If it was sold to companies, who knows who they might have sold it to, or if they have any dishonest employees selling it, elsewhere?

This made me wonder if any of the companies buying the information will be publicly disclosed? In a similar case at Certegy — where another dishonest employee was caught and convicted for selling stolen information to “companies” — the companies involved were never made public or charged with any crime (to my knowledge). Court records indicated a co-conspirator in this case, but again (to my knowledge) no one has ever revealed exactly who this mysterious co-conspirator was?

Givens also pointed out that names, which include a social security number and perhaps financial data, can be used to commit what is known as new account fraud. New account fraud is where an identity thief poses as their victim and opens new lines of credit. Once this is done the first time, the thief (sometimes thieves) continue to open lines of credit until the victim’s credit report makes them look like a deadbeat.

My guess is that the affected people will be offered some sort of credit monitoring/identity theft protection. While this prevents some forms of identity theft, it doesn’t necessarily protect from all the ways a stolen identity can be used. Some examples of when it might not show up on a credit report are cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

Recently, the Privacy Rights Clearinghouse, issued a well written fact sheet pointing out that existing credit monitoring/identity theft protection services do not protect a person from all forms of identity theft. I highly recommend that anyone — who thinks their identity has been compromised — read this fact sheet before buying or relying on the free protection offered in the aftermath of a known data compromise.

If and when — employers are required to react to workers using social security numbers that do not match — the millions of illegal immigrants already over here are going to have to use real social security numbers and a matching name to remain employed, or obtain employment. While the federal law on this has been tied up in federal court, some States have already enacted similar legislation. This type of identity theft normally doesn’t appear on a credit report and is often discovered when a person files their tax return, or gets their social security earning statement and notices employment listed they never had.

A statistic that might support this is the IRS revealing that identity theft used to file tax returns has grown 644 percent in recent years. The two main reasons cited for this were people using them to obtain employment or to file a fraudulent tax return to obtain a phony refund, normally using what is known as the earned income credit.

Stories of large scale data breaches seem to surface, frequently. Despite this, there are a lot more that no one ever finds out about. Recent evidence revealed by Finjan, a computer security outfit, supports the contention that we really don’t know how much stolen information there is out there, or how it is being used. Finjan has been discovering what they term as crime servers on the Internet, which contain all kinds of stolen information. This information included compromised patient data, bank customer data and even sensitive e-mail communications. At least some of this information wasn’t even password protected on the crime server.

This particular data breach at Countrywide will probably fade into the mist fairly quickly. It does show that any and all security measures can and will be defeated when a person who has access is the point of compromise. The sad fact is that despite a lot of efforts — until the issues that fuel (enable) this problem are addressed — we will continue to see personal and financial information stolen.

We have made personal and financial information worth a lot of money and there are a lot of people buying and selling it. Some of them even have legitimate or semi-legitimate status. The more this occurs means the information is going to be electronically transmitted (sold) and then stored in a lot of different places. As long as this keeps happening, it’s probably impossible to protect all of it.

Be Sociable, Share!