Identity theft raises questions about security

With the announcement Monday of the breakup of a New York identity theft ring that absconded with the sensitive financial data of over 30,000 U.S. consumers, attention has quickly turned to lax security in the systems that lenders use to obtain information from credit bureaus such as Experian Information Solutions, Trans Union LLC and Equifax.

Top on the list of questions raised by the crime is the role that loose security at Teledata Communications Inc. (TCI) may have played in the identity theft scheme.

TCI makes the software, workstations, and laptop devices that businesses use to retrieve credit reports from the three major credit bureaus. TCI employed Philip Cummings between May 1999 and March 2000, according to a statement released by the company. Cummings worked on the help desk at TCI, assisting the banks and lending organizations that used TCI's software with problems related to the company's products.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

With the announcement Monday of the breakup of a New York identity theft ring that absconded with the sensitive financial data of over 30,000 U.S. consumers, attention has quickly turned to lax security in the systems that lenders use to obtain information from credit bureaus such as Experian Information Solutions, Trans Union LLC and Equifax.

Top on the list of questions raised by the crime is the role that loose security at Teledata Communications Inc. (TCI) may have played in the identity theft scheme.

TCI makes the software, workstations, and laptop devices that businesses use to retrieve credit reports from the three major credit bureaus. TCI employed Philip Cummings between May 1999 and March 2000, according to a statement released by the company. Cummings worked on the help desk at TCI, assisting the banks and lending organizations that used TCI's software with problems related to the company's products.

During his time of employment, Cummings is alleged to have used his access to TCI customer accounts to copy the passwords and subscriber codes used by a number of different businesses, including banks and mortgage companies such as Ford Motor Credit Corp.

That information was then used by Cummings and others to pose as legitimate financial institution officials and download the personal credit history of thousands of consumers over a two-year time span, according to a complaint unsealed by James Comey, U.S. Attorney for the Southern District of New York. Cummings then sold those reports, according to the U.S. Attorney's office.

Even more alarming than the theft of passwords, Cummings appears to have been able to continue to use the information gleaned from his work at TCI long after he resigned from the company in March of 2000, even providing one of his co-conspirators with a laptop outfitted with TCI software and supplied with passwords to download credit reports at will.

In a statement, TCI acknowledged that it had employed Cummings, but declined to comment on the pending prosecution of its former employee.

A spokesman for the U.S. Attorney's Office said that TCI was cooperating with the investigation but declined to answer questions about when the company became aware of the fraud or whether TCI property was used in perpetrating the identity theft.

Behind TCI's apparently lax security is an even more troubling question about the security standards set by the three major credit monitoring organizations: Experian, Equifax, and Trans Union, security experts say.

All three companies were targeted by Cummings and his co-conspirators. Each of those companies allows customers using TCI's software to download consumer credit reports from its massive databases with a valid password and a subscriber code that is unique to a particular lender or branch location.

However, with both pieces of data apparently accessible to TCI help desk employees, all three credit agencies were left vulnerable to an "insider" attack either from TCI or from one of TCI's customers, experts say.

The IDG News Service is a Network World affiliate.