Twice bitten: Acts of stupidity can lead to identity theft
For the second time in over a year, a high profile figure has had his identity stolen after publicly releasing his own financial information. Is identity theft really this easy?
A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened. This blog post explores the latest incident, looks back to the past, and then concludes with a more broad analysis.
Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address. Writing in the Times, he claimed that "All you'll be able to do with [the account numbers] is put money into my account. Not take it out. Honestly, I've never known such a [fuss] about nothing."
The following week, he changed his tune after learning that an identity thief with a sense of humor had used the details to create an automatic bank transfer to the charity Diabetes UK.
"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said. "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.
Admitting the error of his previous article dismissing identity theft concerns, he wrote that, "I was wrong and I have been punished for my mistake." The incident seems to have changed his opinion about the risks to which the 25 million Brits have been exposed. "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters.
Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number.
While the BBC's Clarkson can be forgiven for not hearing about the woes of LifeLock's CEO, I think an important lesson can be drawn from these two incidents: Identity theft is real, and easy to commit with just a few bits of personal information.
Thus, I now introduce Soghoian's Law of Identity Theft Stupidity: Anyone who publishes their own private financial details in a public discussion of identity theft will eventually find that information used for fraud.