
SANS ISC InfoSec Handlers Diary Blog



Day 14 - Containment: a Personal Identity Theft Incident

Published: 2008-10-14
Last Updated: 2008-10-14 14:02:55 UTC
by Swa Frantzen (Version: 2)
2 comment(s)

Containing an ID theft incident can be viewed from multiple sides.

The organization leaking the sensitive information by accident

As always, being prepared is key to reacting properly. Randy wrote: "An organization must identify and classify personally identifiable information (PII) in order to contain the accidental disclosure that could result in consumers being exposed to identity theft." Processing of such information could be segregated from the mainstream systems and placed under closer monitoring and tighter security measures.

But if it does go wrong, you need an action plan involving key stakeholders in order to abide by local laws and regulations as well as protect the interests of the individuals who confided the sensitive data to the organization. Randy goes on: "This data breach plan should be tested much like a disaster recovery plan to ensure that each team member understands their role."

Still, how do you plan to contain a breach?

Depending on what was identified as leaked, the plan should at least consider how to most effectively:

  • Consider requirements from a legal and regulatory viewpoint
  • Communicate the problem to affected individuals so they can assist from their end
  • Offer some sort of protection to the affected individuals
  • Cover any wanted or unwanted media attention appropriately
  • Work with authorities and law enforcement

 

The individual having his personal information exposed.

What better way to learn than from a victim? Laura stepped up with her condensed version:

"I recently became a victim of identity theft. The beginning of October I received a letter indicating my information had been exposed http://www.bnymellon.com/tapequery/. This is an incident that occurred in February 2008 and it wasn't until October 2008 that I was notified. I was upset that 8 months passed before I was notified. I immediately signed up for the free 2 year credit monitoring service offered. Days later I received another letter from Capital One indicating someone had applied for (and received) a credit card in my name although some information did not agree with my credit history. Capital One asked me to contact them. I immediately reviewed my credit history and found that Capital One performed a credit inquiry for someone with my name located in another city about 150 miles from my home - the address was listed in my credit history. Additionally, the perpetrator also obtained a copy of my credit history from a company I've never heard of before - Mighty Net. All this occurred before I received the letter from BNY Mellon.

So far I have:

  1. Reported the fraud to the FTC.
  2. Immediately requested a 90 day fraud alert or credit freeze with Experian, Transunion and Equifax. This was a temporary move until I could obtain a permanent freeze.
  3. Called Capital One and reported the fraud.
  4. Called Mighty Net and reported the fraud. They immediately canceled the online account used to request and access my credit history.
  5. Filed a report with the police department.
  6. Obtained copies of the police report and sent it with a notarized document confirming my identity (http://www.ftc.gov/opa/2002/02/idtheft.shtm) to the three credit bureaus requesting a seven year credit freeze using USPS certified return receipt.
  7. Reviewed my husband's credit history to make sure he was not a victim of identity theft.
  8. Sent notarized certified return receipt letters to Capital One and Mighty Net of INITIAL VICTIM OF IDENTITY THEFT STATEMENT AND FRAUDULENT ACCOUNT INFORMATION REQUEST (http://www.idtheftcenter.org/artman2/publish/v_templates/Letter_Form_100_-_1.shtml)
  9. Wrote certified return receipt letters to all the companies listed in my credit history requesting all infrequently used accounts be canceled to prevent further exploitation of this fraud.
  10. Contacted BNY Mellon to inform them that I am a victim of identity theft.

I can't help but wonder - was this identity theft the result of the BNY Mellon lost tape incident or is there another incident that has not yet been identified for which there are other victims?

An event like this really takes an emotional toll on the victim and family. I recommend everyone place a credit freeze or monitoring on their credit history. It may not prevent identity theft but it can put the investigation into motion early. Finally, document everything - every phone call and every action you take. Treat it like your own forensic investigation. You may need the information later."

 

Living in a country where the issue is much more privacy, and by far not so much ID theft (we have decent ways to authenticate ourselves), I'm counting on your feedback on how you plan to contain such incidents, and will update it with submissions we receive.

--
Swa Frantzen -- Section 66

Keywords: Awareness2008