Aug 31 2017

Morgan Chalfant reports:

Democratic members of the House Energy and Commerce Committee are pressing a government watchdog to further investigate whether existing credit monitoring services do enough to protect consumers affected by data breaches.

The Government Accountability Office (GAO) released a report in March on identity theft services offered by the federal government and private companies to consumers who have had their information exposed. While the watchdog concluded that services like credit monitoring offer some benefits, auditors said that they are “limited” in preventing some types of fraud.

Read more on The Hill.

Yes, this is a good question to pursue, and of course, some of us have been blogging about this, advocating about this, and pulling our hair out about this for years now. But is this the year and the administration that will do something about it? It’s unlikely, given the pro-business executive branch and the other legislative priorities. So there may be a hearing or two at best, but I don’t expect to see meaningful change on this. I’d love to be pleasantly surprised, though. Go on. Surprise me pleasantly, Congress.

Aug 31 2017

There really is such a thing as “obvious.” Isn’t there?

Adam Stone reports:

Federal agencies continue to over-collect, over-use and over-display Social Security numbers, leading to an unnecessarily high risk of identity theft.

That’s the latest from the U.S. Government Accountability Office. In a recent report GAO declares that a decade’s worth of effort to pare the use of SSNs in government has had only “limited success.”

Read more on Federal Times.

Aug 30 2017

Judy Greenwald reports:

A federal appeals court has upheld dismissal of most of the plaintiffs who sued the SuperValu Inc. grocery distributor in connection with 2014 data breaches, but reinstated the case of one plaintiff who provided evidence his credit card was misused.

Supermarket wholesaler and retailer SuperValu, based in Eden Prairie, Minnesota, reported two separate data breaches in 2014, according to Wednesday’s ruling by the 8th U.S. Circuit Court of Appeals in St. Louis in In re: SuperValu Inc., Customer Data Security Breach Litigation.

Read more on Business Insurance.

Aug 05 2017

Luke Wilusz reports:

A former U.S. Air Force member was sentenced to four years in prison this week for stealing and distributing personal information from other service members.

A federal jury found 28-year-old Ronnie Allen II guilty earlier this year of two counts each of identity theft, aggravated identity theft and access device fraud, according to the U.S. attorney’s office. U.S. District Judge Matthew Kennelly sentenced him to 48 months in prison Wednesday.

Allen, who lives in Greensboro, North Carolina, was enlisted in the Air Force and held a clerical position in the maintenance group at Mountain Home Air Force Base in Idaho, prosecutors said. Two weeks before his discharge on Jan. 31, 2013, he downloaded the “Alpha Roster,” a database of personal identifying information for more than 1,400 Air Force members assigned to the base.

Read more on Chicago Sun-Times.  The government’s press release on the sentencing can be found here.

Aug 05 2017

A Nigerian man has been arrested for his alleged role in W-2 phishing attacks on school districts that resulted in tax refund fraud.  On Friday, the U.S. Attorney for Connecticut issued the following press release:

Deirdre M. Daly, United States Attorney for the District of Connecticut, Patricia M. Ferrick, Special Agent in Charge of the New Haven Division of the Federal Bureau of Investigation, and Joel P. Garland, Special Agent in Charge of IRS Criminal Investigation in New England, today announced that DANIEL ADEKUNLE OJO, 33, a citizen of Nigeria residing in Durham, N.C., was arrested yesterday on a federal criminal complaint charging him with fraud and identity theft offenses stemming from a scheme to obtain the personal identifying information of school employees in Connecticut and elsewhere.

Following his arrest at his Durham residence, OJO appeared before a U.S. magistrate judge in Greensboro, N.C., and was ordered detained pending his transfer to the District of Connecticut.

As alleged in the criminal complaint, special agents from the FBI’s cybercrime squad in New Haven and the IRS have been investigating “phishing” emails that were sent to various school districts in Connecticut earlier this year.

In February 2017, an employee of the Glastonbury Public Schools received an email that appeared to be sent by another Glastonbury school system employee.  The email contained a request to send W-2 tax information for all employees of the school system.  The recipient of the email responded by sending copies of the W-2 information for approximately 1,600 Glastonbury Public Schools employees.  After the W-2 information was emailed, approximately 122 suspicious Forms 1040 were filed electronically with the IRS in the names of victims of the Glastonbury phishing scheme.  The 122 tax returns claimed tax refunds totaling $596,897.  Approximately six of the returns were processed, and $36,926 in fraudulently-obtained funds were electronically deposited into various bank accounts.

The complaint alleges that OJO controlled or used an email account and a email account involved in this phishing scheme, and that he participated in the scheme to obtain the Glastonbury school system employees’ personal identifying information and use it for personal gain.

This ongoing investigation also includes phishing incidents that victimized the Groton Public Schools, and the Bloomington Independent School District in Bloomington, Minnesota.

As to the Groton Public Schools, in March 2017, a school system employee emailed copies of the W-2 information for approximately 1,300 employees.  After the W-2 information was sent, approximately 66 suspicious Forms 1040 were filed electronically with the IRS in the names of victims of the Groton phishing scheme.  The tax returns claimed tax refunds totaling $364,188.  The fraudulent tax returns were not processed by the IRS because they were flagged as being part of an identity theft scheme, and no money was released in connection with the returns.

The complaint alleges that OJO entered the U.S. on a visitor’s visa on May 23, 2016, and failed to depart on his scheduled departure date of June 8, 2016.

“Cybercriminals are becoming increasingly cunning in exploiting technology to steal identifying information from unwitting victims,” said U.S. Attorney Deirdre Daly.  “Fortunately, our cyber investigators are skilled at cracking these crimes and catching these fraudsters.  To help avoid becoming a victim, always remember when you click on a link or send an email, check – and then double check – that the link you’re being asked to open, or the email address you are responding to, is authentic.  A single mistake can lead to a lot of misery.  I commend the FBI cybercrime squad and IRS for quickly bringing this individual to justice.  This investigation is ongoing.”

“The individuals that conduct these phishing schemes have one goal:  To steal personal information for financial gain,” said FBI Special Agent in Charge Ferrick.  “This case is particularly disturbing due to the methods used and the targeted victims.  Cybercrimes are on the rise so we need corporations and the general public to be cognizant of their day to day computer use and vulnerabilities.  We will continue to utilize our best resources and top law enforcement personnel to bring cybercriminals to justice.”

“Investigating identity theft and refund fraud is a top priority for IRS Criminal Investigation,” said Special Agent in Charge Garland.  “Stealing identities and filing false tax returns is a serious crime that harms innocent taxpayers.  This arrest, in cooperation with the FBI and U.S. Attorney’s Office, should serve as a strong warning to those who are considering similar conduct.  Law enforcement will aggressively pursue cyber-criminals who undermine the integrity of the U.S. tax system.”

The complaint charges OJO with conspiracy to commit wire fraud, an offense that carries a maximum term of imprisonment of 20 years, and aggravated identity theft, an offense that carries a mandatory consecutive term of imprisonment of at least two years.

U.S. Attorney Daly stressed that a complaint is only a charge and is not evidence of guilt.  Charges are only allegations, and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt.

This matter is being investigated by the Federal Bureau of Investigation and the Internal Revenue Service, Criminal Investigation Division, with the assistance of the Durham (N.C.) Police Department.  The case is being prosecuted by Assistant U.S. Attorney Sarala V. Nagala, with the assistance of the U.S. Attorney’s Office for the Middle District of North Carolina.