Compromised accounts within just 25 companies account for nearly half of the identity theft complaints filed with the U.S. Federal Trade Commission, according to recently released FTC data compiled by the University of California, Berkeley.
In data culled from three months' worth of 2006 FTC complaints, Sprint and AT&T averaged more identity theft events than any other institution except Bank of America, the largest consumer bank in the U.S.
The FTC encourages victims of identity theft to file complaint forms in order to help the commission, as well as law enforcement organizations, get a picture of criminal trends. It publishes a survey on identity theft, but until now it has not broken down its data on complaints by institution.
That work was done by Berkeley's Center for Law and Technology, which used the Freedom of Information Act to obtain FTC data on more than 88,000 complaints filed in January, March and September 2006.
The data show that a handful of companies account for the lion's share of identity theft complaints.
Complaints mentioning just 25 companies account for 49.9 percent of all identity theft events in the FTC database, according to the report's author, Chris Hoofnagle, a senior fellow with the Berkeley center. About 7,500 companies are mentioned in the other 50.1 percent, he said.
Not surprisingly, banks dominate the top 25, with Bank of America, JP Morgan, Capital One and Citibank topping the list. But there are many telecommunications and technology companies there too, including Verizon, T-Mobile, Dish Network, Dell, eBay and DirectTV.
According to FTC data, about 8 percent of new account fraud comes from telecommunications companies, Hoofnagle said, calling that number "really astounding."
Often a phony telephone account is the first step toward a more complex identity theft scheme. Thieves can set up fake telephone accounts using real Social Security numbers but phony names, and then pay them for a few months to build up a credit history and apply for credit cards, Hoofnagle said.
AT&T said it is clear that many industries have a problem with identity theft. AT&T takes steps to educate customers about identity theft and what they can to do prevent it, and also works with law enforcement agencies when thefts occur, the company's public relations agency said in a statement
Because the FTC data are not comprehensive -- only crimes that get reported to the FTC are counted -- and since there are no reliable figures on the number of consumers who have accounts with these companies, it is impossible to get an accurate picture of how common identity theft really is at any of these institutions, Hoofnagle said.
Companies should make this information public so that consumers can see how bad the problem really is, he said.
In the meantime, the Berkeley study gave the government some ideas about how to tackle the identity theft problem, he said. For example, banks that send out a lot of preapproved credit card applications seem to pop up more frequently in FTC complaints.
It's also worth looking more closely at why these month-by-month complaint numbers change for some companies. For example, Dish Network saw its total number of complaints drop off after spiking dramatically in March. "Something happened in February, or just before March, that caused a huge number of complaints," Hoofnagle said. "I have no idea what it was."
"Regulators should know this, and their attention should be focused on these 25 companies. What is going wrong at these places?"