Identity Theft: Overview

Introduction

About sixteen million Americans per year have their identities stolen, according to 2017 data from the Harris Poll. The Federal Trade Commission (FTC), describing the many problems that this can cause, says, “identity thieves may rent an apartment, obtain a credit card, or establish a telephone account in your name. You may not find out about the theft until you review your credit report or credit card statement and notice charges you didn’t make-or until you’re contacted by a debt collector.” In addition to reported cases, the identities of millions of Americans each year are compromised as security breaches among government and private sectors increase.

In 1998, Congress made identity theft a federal offense and mandated harsher sentences for criminals. Additional federal legislation has set guidelines that make it easier for victims to clear their names and prevent the use of social security numbers (SSNs) and credit card numbers on retail sales slips.

Many Americans criticize the lack of further federal legislation to prevent identity theft crimes and security breaches from occurring in the first place. The Electronic Privacy Information Center (EPIC) has been urging the government to restrict the use of SSNs among government agencies and in the private sector. They maintain that legislation is necessary to mandate security procedures for databases that contain SSNs and other personal data. Government-run programs such as health benefit providers Medicaid and Medicare complain that it would be too costly to change the current process of tracking by social security numbers. Medicare requires that an identification card with the user’s social security number be carried at all times, endangering particularly the elderly.

Some citizens have criticized the government for not requiring business and governmental offices to notify them when a security breach has occurred. Many states have enacted legislation in response; however, many citizens remain unprotected.

Understanding the Discussion

Botnets: Short for “robot network,” botnets are computers that have been hijacked by criminals for the purpose of identity theft, or to send spam, or commit other cyber crimes. Botnets are often made of up thousands or millions of computers.

Free Wi-Fi: The name chosen by cyber thieves for a wireless Internet connection that directs traffic through a personal computer where files can be grabbed and keystrokes logged. Becoming more common in airports and other public places that offer legitimate Wi-Fi, the sites can easily fool the unsuspecting user.

Identity Theft: A federal crime in which a person uses another’s social security number (SSN), driver’s license number, or other personal information to commit a fraudulent or criminal act in that person’s name. The most common uses are to open a new credit card or cell phone account. Personal information can be obtained from paper trails, cyberfraud, security breaches, the theft of wallets and purses, rifling garbage cans and other means.

Phishing: The act of sending out e-mail intended to trick the receiver into providing credit card information, passwords, or other personal information. The e-mails seem to have been sent by a reputable company, but direct the recipient to update information on a counterfeit website.

Security Freeze: A term that refers to locking a credit file managed by a credit bureau to prevent identity thieves from opening new credit card accounts or conducting other financial fraud.

The Identity Theft and Assumption Deterrence Act of 1998: Legislation that made identity theft a federal crime.

Vishing: Short for “voice phishing,” in which a Voice over Internet Protocol (VoIP) phone is used to fraudulently obtain credit information or other personal data.

History

The history of SSNs began in 1936, when millions of workers were assigned an identifying number that would be used to collect and track funds for retirement accounts and to pay those benefits later in life. For the first time in history, adult citizens had a unique federal identifying number.

The Internal Revenue Service (IRS) began to require the use of SSNs on tax forms beginning in 1961. Private businesses seized on the value of using the numbers for identification, and during the next decade, the use of SSNs for a variety of financial transactions became standard procedure. Soon, a person could not obtain a savings account, car loan, department store credit card, or attend college without a SSN.

The widespread use of SSNs made them a primary target for thieves; many people carried the cards in their wallets and purses, so most SSNs were physically stolen. As advances in computer technology enabled the storage of numbers in databases along with other personal information and the use of SSNs for identification became even more widespread, identify theft increased. To address part of the problem, Congress passed the Privacy Act of 1974, regulating the collection, usage, and sharing of personal data among federal agencies.

The act did little to regulate the private business sector. Use of SSNs for identification continued at phone companies, doctors’ offices, and video rental stores, to name a few, making the SSNs the most highly-coveted form of identification. By the late 1990s, the Social Security Administration’s Fraud Hotline was receiving tens of thousands of reports of abuse annually. Taking into consideration the use of stolen credit cards and driver’s licenses, identity theft losses totaled hundreds of millions of dollars each year.

In 1998, Congress passed the Identity Theft and Assumption Deterrence Act (Identity Theft Act) that made crimes involving the theft or misuse of personal information a federal offense. The legislation enabled the Federal Bureau of Investigation (FBI) to prosecute the growing number of identity theft cases. One of their largest cases involved a former help desk employee of Teledata Communications in Hauppauge, New York, who was arrested for stealing over thirty thousand credit reports from the three top credit bureaus (Equifax, Experian and TransUnion). Since then, thousands of high profile and smaller-scale thefts have occurred.

Thefts have also become more complex involving conspirators from across the globe. Thieves take advantage of the fact that laws differ in various countries and the difficulty of tracking co-conspirators by law enforcement. The Internet has made it possible for collusion among identify theft predators. Authorities trapped eleven co-conspirators from five countries. In August 2008, thieves stole more than 40 million credit and debit card numbers by hacking into retail computer networks. One conspirator used an online alias to mask his identity. One of the most complex cases, however, was the TJX case, wherein forty-six million consumer records were acquired.[d2]

Prior to 2003, many cases of identity theft occurred when thieves obtained SSNs or credit card numbers from receipts tossed in wastebaskets in libraries, restaurants, retail stores, gas stations, and other places. That year, Congress passed the Fair and Accurate Credit Transactions Act, which prohibited retailers and other organizations from printing SSNs and entire credit card numbers on receipts. Since then, hundreds of lawsuits have been filed against companies that have refused, or have been unable, to comply.

In many identity theft cases, victims are unaware that abuse has occurred until their credit accounts have been sabotaged. The Fair and Accurate Credit Transactions Act was also intended to help solve the delay by requiring credit bureaus to provide free annual copies of reports to monitor accounts. The legislation also permitted citizens to place an alert on their credit bureau reports, requiring extra precaution on the part of financial lenders, credit card companies, and others who use the service to check credit ratings. Alerts, however, are only good for ninety days.

One of the largest security breaches occurred between 2005 and 2006, when almost forty-six million records containing credit and debit card account numbers and driver’s license numbers were hacked from computers at TJX, the parent company of TJ Maxx, Marshalls, and other retailers. Investigators determined that outdated technology and a lack of data encryption allowed the hacking to occur. Hundreds of other security breaches have taken place in government and in business due to inadequate computer security procedures. Although the government and technology vendors have been investigating new technology to deter identity thieves, many technology methods are viewed as intrusive or put additional burden on honest citizens.

In 2006, the United States Department of Veterans Affairs (VA) reported the theft of a laptop computer and external hard drive containing the SSNs and other personal data for 26.5 million veterans. The laptop had been stolen from a VA employee’s home. In other cases, laptops have been stolen from cars, warehouses, and offices. Dozens of other scenarios have left Americans vulnerable, including the loss of data-sensitive CDs in the postal system, mail sent with visible SSNs through envelope windows, and SSNs posted on non-secured websites. President George W. Bush formed a task force in 2006 to investigate how the government can best fight identity theft. Among its findings is the need for agencies to improve handling of private data and to improve authentication methods for the retrieval of data; however, no new legislation resulted in 2007.

Cases involving college student and employee data were numerous in the late 2000s. According to the Privacy Rights Clearinghouse, an organization that maintains an online list of security breaches, among the many cases in 2007 was the theft of two computers containing SSNs for over ten thousand Yale University students and employees. At the University of Nevada, an employee lost a flash drive containing the SSNs for sixteen thousand students, and at the University of Cincinnati, a stolen flash drive comprised the identities of seven thousand students. At the time, colleges routinely used SSNs for admission, financial aid, course registration, library privileges, grades, transcripts, and more. Professors commonly posted SSNs along with grades in hallways, assuming they were protecting the privacy of students by not posting names. Credit card companies often targeted college students as new sources for customers. Also, many students banked online and keep passwords and other sensitive data on unsecure devices. Several states enacted laws that required colleges to devise a new system for student ID numbers and prohibited the continued use of SSNs. Some schools issued new student ID numbers without state mandates as well, but many schools continue to use SSNs or retain old data.

The Identity Theft Enforcement and Restitution Act became law in October 2008. It established new federal laws that make cyber-extortion a crime and set additional penalties for hacking and for modifying computers with malicious spyware or keylogging software.

Additional preventive legislation has been undertaken by individual states. California was the first to require companies to notify citizens involved in security breaches. Once a person is aware that personal data has been lost or stolen, he or she can choose to freeze a credit account and take other steps.[d4] Unfortunately, legislation is always trailing the state of the art in identity theft. States often find that existing laws don’t go far enough or provide enough of a deterrent. In 2008, several states enacted or proposed identity theft legislation. Some legislation increased the sentencing terms while others clarified the state’s position or improved the ability of citizens to protect their interests.

Congress began considering the Personal Data Protection and Breach Accountability Act in 2011, which would prevent identity theft and ensure privacy by holding companies accountable for failing to prevent breaches, and increasing criminal and civil penalties for those guilty of identity theft. Likewise, many states have increased the severity of identity theft crimes. Arizona, Colorado, and New Mexico, for example, classify identity theft as a felony. The aggressive action against identity theft results in the growing prevalence of this crime.

The Personal Data Protection and Breach Accountability Act was introduced to Congress on September 8, 2011, but was not enacted. The law would have prevented identity theft and ensured privacy by holding companies accountable for failing to prevent breaches. A similar law, the Stop Identity Theft Act of 2012, also did not pass the Senate on August 1, 2012.

In 2012, a number of states introduced legislation on identity theft crimes. Alabama, for example, introduced the Alabama Digital Crime Act, which expanded identity theft crimes to include using another’s identity for employment purposes. Likewise, the Business Identity Theft Prevention Act was enacted in Louisiana. Colorado increased the punishment for identify theft crimes against juveniles, adding an extra fee to those convicted. These laws were implemented to help protect against the prevalence of identity theft.

In late 2013, a data breach reminiscent of that of TJX occurred when Target reported that, during the holiday season, forty million debit and credit card accounts were stolen. The next year, yet another major retailer announced that it had suffered a large-scale security infiltration. Home Depot reported that fifty-six million credit and debit cards were likely compromised and fifty-three million emails were lost in the data breach concerning payment terminals. The company later cited issues with the security of the Microsoft software being used in stores.

At around the same time, forty-nine states and the District of Columbia had passed legislation that would allow citizens to request a security freeze, which offered longer protection for consumers, on their accounts with credit bureaus. Michigan, the final state remaining, was working on passing such a bill. In response to the overwhelming interest, the three credit bureaus also decided to extend the security freeze option to consumers in every state. A freeze lasts indefinitely, until the owner of the account requests it to be removed. While an account is frozen, creditors are unable to check credit ratings, thereby preventing a person from opening a fraudulent account.

In 2017, there was a record high of 1,579 data breaches, according to the Identity Theft Resource Center, opening about 178 million people up to possible identity theft. Particularly of note was the breach of Equifax, one of the three major credit reporting agencies in the United States, due to the large number of people whose credit information Equifax stores. It is estimated that about 209,000 people had their credit card information stolen in the Equifax breach.

Identify Theft Today

Identity theft continued to pose a significant data security concern in the 2020s. The number of identity theft reports received by the Federal Trade Commission (FTC) more than doubled from 650,000 in 2019 to 1,389,000 in 2020 before increasing again in 2021 to 1,434,000 reports. In 2024, the FTC reported that it had received about 1.0 million reports of identity theft in 2023. Jack Caporal, a research director for The Motley Fool and The Motley Fool Ascent, wrote that although the number of reports had dropped after 2021, they had still not fallen to pre-COVID-19 pandemic levels. Caporal also noted that many cases of identity theft go unreported and likely were not reflected in the FTC statistics.

According to the FTC, credit card fraud remained the most common type of identity theft in 2023, followed by other identity theft (involving email and social media, insurance, medical services, online shopping, and investing accounts), loan or lease fraud, and bank fraud. Reports of government documents fraud, which had been the most common form of identity theft in 2021, had decreased in 2022 as government pandemic-related benefits ebbed, before increasing again in 2023.

One identity theft trend to emerge during the 2020s was an increase in the number of cyberattacks targeting schools and the data of their students, with nearly 2,000 schools across 45 districts experiencing such attacks in 2022. Identity theives sought to gain access to students' "identifying information, assessments, assignments, grades, homework, health records, attendance history, discipline records, special education records, home communications, and more," according to Rachel Curry for CNBC in December 2023.

These essays and any opinions, information or representations contained therein are the creation of the particular author and do not necessarily reflect the opinion of EBSCO Information Services.

Bibliography

Brown, Robbie. "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere." The New York Times, 20 Nov. 2012, www.nytimes.com/2012/11/21/us/more-details-of-south-carolina-hacking-episode.html?ref=identityfraud&gwh=1D75FEE11F632B0D3B089AE5AD2C8361.

Caporal, Jack. "Identity Theft and Credit Card Fraud Statistics for 2024." The Ascent: A Motley Fool Service, 29 Feb. 2024, www.fool.com/the-ascent/research/identity-theft-credit-card-fraud-statistics/. Accessed 2 Apr. 2024.

"Consumers Union’s Guide to Security Freeze Protection." Consumer’s Union, 5 Feb. 2014, consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection/. Cullen, Terri. The Wall Street Journal. Complete Identity Theft Guidebook: How to Protect Yourself from the Most Pervasive Crime in America. New York: Three Rivers Press, 2007.

Curry, Rachel. "Hackers See Wealth of Information to Steal in Children's School Records." CNBC, 27 Dec. 2023, www.cnbc.com/2023/12/27/hackers-see-wealth-of-information-to-steal-in-kids-school-records.html. Accessed 2 Apr. 2024.

Frohlich, Thomas C., and Mark Lieberman. "States with the Most Identity Theft Complaints." USA Today, 28 Apr. 2015.

Grant, Kelli B. "Identity Theft Victims: You Might Know the Culprit." MSNBC, 21 July 2015. Gressin, Seena. "The Equifax Data Breach: What to Do." Federal Trade Commission, 8 Sept. 2017, www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. Accessed 25 Oct. 2018. "Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, According to New Javelin Strategy & Research Study." Javelin, 6 Feb. 2018, www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin. Accessed 25 Oct. 2018. "Identity Theft 2012 Legislation." NCSL, 21 Nov. 2012, www.ncsl.org/issues-research/banking/identity-theft-2012-legislation.aspx.

Morton, Heather. "Identity Theft Strikes Young." State Legislatures, vol. 40, no. 6, 2014, pp. 14-17.

"Number of Fraud, Identity Theft and Other Reports." FTC Consumer Sentinel Network, Federal Trade Commission, 8 Feb. 2024. Tableau Public: The Big View: All Sentinel Reports, public.tableau.com/app/profile/federal.trade.commission/viz/TheBigViewAllSentinelReports/TopReports. Accessed 2 Apr. 2024.

Ody, Elizabeth. "Identity Theft Fraud 34%, Victims Pay More." Bloomberg, 8 Feb. 2011, www.bloomberg.com/news/2011-02-08/identity-theft-fraud-falls-34-victims-pay-more.html.

Reed Edge, Kathryn. "The New Outlaws: Cybercriminals." Tennessee Bar Journal, vol. 50, no. 4, 2014, pp. 30–32.

Schultz, Jennifer Saranow. "The Rising Cost of Identity Theft for Consumers." The New York Times, 9 Feb. 2011, bucks.blogs.nytimes.com/2011/02/09/the-rising-cost-of-identity-theft-for-consumers/?src=busln.

Smith, Anne Kates. "They Are Watching You." Kiplinger’s Personal Finance, vol. 68, no. 5, 2014, pp. 46–51. "Taxpayer Guide to Identity Theft." IRS, 27 July 2015.

White, Martha C. "Study: 10,000 Identity Theft Rings in U.S." Time, 20 Nov. 2012, business.time.com/2012/11/20/study-10000-identity-theft-rings-in-u-s.

Williamson, Kevin D. "Hopelessly Hackable Feds." National Review, vol. 67, no. 19, 2015, pp. 18–21.

Willis, Gerri. "Putting a Freeze on Your Credit." CNN Money, 11 Oct. 2007, money.cnn.com/2007/10/10/pf/saving/toptips/index.htm.