Apr 122014

Nathan Baker reports:

Tennessee’s two public higher education systems are trying to trace the source of a possible federal income tax scam resulting from the stolen identities of some of their employees.

An email sent to faculty and staff in the Tennessee Board of Regents system said the college governing body was alerted to the possible scam by the University of Tennessee at Knoxville, which belongs to its own system.

The email said that when at least eight UTK employees attempted to file their income tax returns, they were notified by the U.S. Internal Revenue Service that a return had already been filed under their names and Social Security numbers.


Read more on Johnson City Press.

Apr 052014

Over on Security Bistro, Linda Musthaler discusses the recently disclosed Spec’s breach and the fact that Spec’s knew about the breach but was asked not to disclose it by law enforcement.

We’ve seen this many times – delays in notification so as not to interfere with a law enforcement investigation. But should there be some limits on how long notification can be delayed or should it be open-ended at law enforcement’s request, keeping in mind that law enforcement can only request, it seems, but not order the entity not to disclose?

In terms of a balancing act, if the data involved are “just” credit or debit cards, it’s relatively easy to restore individual’s accounts and issue new account numbers, and it should be relatively easy (although often isn’t) to get credit reports corrected and restored. So even though it’s inconvenient for customers who may be without their cards for a while and who may have to re-do any accounts on automatic payment and spend time correcting credit reports, consumers can be restored and compensated.

But what about if the data being stolen or compromised include SSN or medical information? Should the criminal activity be allowed to run for another year or so while law enforcement investigates and people’s sensitive information or SSN may wind up in the hands of others?  If people become identity theft victims or medical identity theft victims (and not just card fraud or new account fraud victims), it’s a lot harder to fix things. We’ve seen cases where people are arrested erroneously as a result of ID theft. We know that medical identity theft can lead to treatment errors and potentially serious medical care and/or insurance problems. What about those risks? Does law enforcement’s understandable needs outweigh what happens as more people become victims because no one notified them in a timely fashion?

Do we need to draw a line on nondisclosure for law enforcement purposes or not?

You can read Musthaler’s commentary on SecurityBistro.

Apr 052014

A 22-count indictment charging eight defendants with participating in a conspiracy to unjustly enrich themselves by stealing personal identifying information of AT&T customers and using the information to make unauthorized wire transfers from the victims’ bank accounts and obtain unauthorized credit or debit cards has been unsealed in the Southern District of Florida. The indictment was announced yesterday.

The defendants charged are: Chouman Emily Syrilien, 25, of Lauderdale Lakes, Arrington Basil Segu, 28, of Miami, Carlos Antonio Alexander, 24, of Orlando, Angel Arcos, 23, of Pompano Beach, Shantegra La’Shae Godfrey, 23, of Deerfield Beach, and Monique Smith, 31, of Pompano Beach. Arcos, Godfrey and Smith had their initial appearances this morning before U.S. Magistrate Judge Alicia O. Valle. Segu had his initial appearance yesterday. Alexander is currently incarcerated. Two defendants remain at a large.

According to the indictment, Syrilien was employed by Interactive Response Technologies, lnc. (IRT) located in Margate. IRT provides staffing for call centers to handle direct sales and customer inquiries for AT&T. Syrilien unlawfully provided a co-conspirator with the personal identifying information from multiple AT&T customer files. Segu also unlawfully provided personal identifying information of numerous individuals to the co-conspirator.

Read the full press release here

Apr 042014

Tim Hull reports:

A man who admitted to a $300,000 fraud on Chase Bank is not guilty of aggravated identity theft, the 9th Circuit ruled Thursday.

Doren Ward conceded that in 2011 he worked with co-consipirators in the United Kingdom to steal the personal information of various Chase Bank customers and impersonate them to obtain replacement bank cards, with which the scammers then stole some $299,000.

Ward tried to plead guilty in Los Angeles to conspiracy to commit bank fraud, bank fraud and access-device fraud while denying two counts of aggravated identity theft, but U.S. District Judge Terry Hatter refused, finding that he could not admit to conspiracy without admitting to identity theft.

Read more about the case and why the court reversed and remanded the conviction on aggravated identity theft on Courthouse News. It seems that because the indictment only named two victims for the aggravated identity theft charge, the prosecutor should not have presented – and the court should not have allowed – testimony about other victims…?

Apr 032014

Curt Anderson of Associated Press reports:

Twenty-five people accused of using thousands of stolen identities to claim $36 million in fraudulent tax refunds have been arrested in the latest South Florida sweep, federal authorities said Thursday.

Among those charged in 19 separate cases is a middle school food service worker who swiped the identities of at least 400 Miami-Dade County students, a mail carrier charged with filching tax documents out of mailboxes and a jail guard who stole identities of inmates, according to Miami U.S. Attorney Wifredo Ferrer.

Read more on Star-Telegram

Update: I’ve posted the USAO’s press release here.

Apr 022014

KGW reports:

A data breach at the Archdiocese of Seattle that led to rampant tax fraud appears to have spread to Oregon.

The Archdiocese of Portland said hackers have stolen Social Security numbers from Catholic Church employees and volunteers in order to file false tax returns and claim the refund.

So far, 105 Catholic Oregonians have been impacted.

Read more on KGW.

Previous coverage of the breach on this blog can be found here.