Identity in a crisis


5 Mar 2009

Opportunistic data thieves are taking advantage of the recession to steal personal data from jobseekers, as well as glean data from the computers of bankrupt firms.

Criminals will always target the vulnerable. During a recession, one group most vulnerable to data theft is jobseekers; your CV builds up a detailed profile of your working life and contains information such as your date of birth and address. Should this fall into the wrong hands, your identity and credit rating are on the line.

Businesses are also at risk. As layoffs occur, discarded, redundant computers and exiting employees greatly increase the risk of data theft and possible abuse.

Firms with little or no policy regarding data protection are now in a high-risk category.

For jobseekers, a recent scam requiring the submission of personal details, including bank account details and PPSN numbers, in exchange for a job application resulted in the Data Protection Commissioner issuing an urgent warning.

“I am very concerned that in the current economic climate, criminals are trying to take advantage of job applicants. They seem to be seeking personal details for identity-fraud purposes,” said Data Protection Commissioner Billy Hawkes.

Data criminals are putting pressure, not only on those seeking jobs, but also on job-recruitment firms and individual companies, whose duty it is to protect this information.

“As a jobseeker, you should first think about what you put on your CV,” says James Galvin of Glandor Systems, a firm that provides behind-the-scenes technology called Resume Safe for job sites.

“There have been many warnings on the dangers of including personal details such as a social-security number or driver’s licence number on your CV, but other information can also be used as a source of fraud.

“This could include the date of birth, which is sometimes used as a password reminder or an extra layer of security for logging in online, and can also be valuable to scammers as an important piece of information in the construction of your personal profile,” he adds.

However, the CV itself is not the only risk – individuals need to be aware of where on the web they post it.

“In addition to the content of your CV, you must be careful about where you post your resume. There are over 60,000 job boards on the internet, and many of these do not have adequate security policies in place to protect your information.

“While there have been numerous high-profile privacy breaches among the larger job boards such as Monster.com or Jobs.ie, security flaws in smaller job boards often fail to make headlines and go unnoticed by their users,” explains Galvin.

In addition to this, there are scam job sites out there populated with bogus job listings, which exist for the sole purpose of collecting as much information as you will supply.

“A legitimate employer would never look for detailed information so early on in a recruitment process, if at all. Beware of wild, unrealistic promises of work and never agree to pay for an offer of an interview,” says Colm Murphy, technical director with IT security firm Espion.

“This is dependent on the kind of information you have included in your CV. Typically, fraudsters need three to four unique pieces of information to try to commit an identity theft or fraud.

“Name, address, date of birth, mother’s maiden name, PPS number and bank account number are obvious candidates,” he explains.

But what of data theft and the employed? A recent global survey from security firm McAfee revealed that 42pc of IT decision-makers feared for data security as a result of internal corporate espionage due to laid-off employees taking intellectual property (IP) with them.

A further 36pc worried that employees in dire financial straits would steal data while still working in the company.

“Fraud is always going to increase in a downturn. Organisations need to be more wary and more vigilant in such a climate,” says Murphy.

“It is likely that ex-employees will look to set up competing businesses, or bear grudges.

“Organisations should have clear data classification policies to help identify important or sensitive information, and take appropriate steps to adequately secure and protect that data,” he says.

When it comes to managing the data implications of staff redundancies, the dramatic and fast-moving nature of the downturn has left many businesses on the back foot, explains Martin Carey, managing director of computer forensics and data-recovery firm Kroll Ontrack.

While some companies are better prepared and better equipped than others, the key for all businesses is to have policies in place prior to events such as mass redundancies, he says.

“A period when the business is in major transition is clearly not an ideal time to be reviewing data-security strategies.

“Any sector dealing with large volumes of sensitive data is at risk if it fails to adequately secure information, be it on redundant computers or those still in active use.

“The financial sector has so far experienced the greatest number of redundancies, and so from the point of view of making devices no longer in use secure, it is currently very exposed,” adds Carey.

Kroll Ontrack calculates that in the UK alone, by the end of 2009, just under a quarter of a million man hours will be required to back up data on computers in the financial sector.

Another issue companies must address surrounding data storage and backup is compliance, especially in light of recent data breaches.

Data-security scandals have affected organisations including Bank of Ireland, which suffered a 10,000-customer data breach, and the Irish Blood Transfusion Service, which had the records of some 175,000 patients taken on a stolen laptop.

“From a compliance angle, firms are increasingly required to make large-scale data disclosures. The Competition Commission, for example, is making such demands of large companies more and more frequently,” explains Carey.

“If companies are unable to meet these demands, having not backed up data, they could face immediate fines and be disadvantaged in any ensuing legal process.

“Compliance covers many areas of business and practice, and can comprise all forms of data ranging from communications by email documents to accounting systems. Basically, it depends on the area with which you are complying,” Carey says.

From a carelessly lost USB memory stick to a CV containing key personal information, we all have a lot to lose by failing to protect our data.

The USB memory stick could result in the devastating loss of a company’s IP. The CV brimming with information could potentially be enough for data thieves to open a bank account in your name and destroy your credit rating.

A case in point: “An experiment staged last year in the UK during the national identity-fraud prevention week lured 107 people into submitting their CVs to a fake website,” says Murphy.

“Of the 107 CVs, 61 contained enough information to apply for a credit card.”

How my identity was stolen

It started with a challenge to steal my identity, equipped only with the Google search engine and my name. Brian Honan, security expert of online security consultancy BH Consulting, accepted the challenge with one condition: no illegal methods could be used to obtain information.

About a month later, I received a surprise in the post: my birth certificate with Honan’s calling card attached.

Aside from being furious that I had lost the challenge, I was worried. I rang Honan immediately and asked him two questions: ‘How did you do that?’ and ‘What is the worst that could happen?’

Honan said it was quite simple – all it required was a little patience and a little ingenuity. Googling my name brought up various pieces of information from social-networking sites, blogs, my Twitter account and bits of personal information buried deep within some of my writings.

Honan used this to slowly build up a complete profile of Marie Boran. From gathering mundane facts such as my favourite food, to all-important private data such as my father’s name and date of birth, he was well on his way.

The final piece in the puzzle for Honan was to acquire a copy of my birth certificate. As long as you have some key pieces of information, you can source this through the General Register Office online at www.groireland.ie.

Or so Honan thought. It turns out that human error can play a big role in identity theft. While Honan had requested my birth certificate, he had incorrect details for my place of birth and mother’s maiden name.

No worries. Someone from the office rang him back while processing the form and informed him of this, but still allowed him to be sent a copy.

With my birth cert, Honan said the next step in his bid to steal my identity would have been to have a hypothetical female accomplice visit a Garda station with my cert and her own photo ID to obtain a driver’s licence in my name.

Bang, bang. My identity, as I knew it, would have been dead.

Oh, and the interesting part? Honan said my online information was better protected than that of the average web user.

So, how private is your data?

By Marie Boran