Learning From Four Cases of Corporate Identity Theft

One of the main ideas behind document destruction is to protect the data of your clients to avoid it being used for nefarious purposes. However, there’s another side to the equation. Sensitive data can also be used against businesses themselves, with third parties targeting not a company’s clients, but its employees. Sometimes, an entire company is targeted. Fortunately, these cases are on the public record and can therefore be examined. This is a good idea, because, essentially, if we don’t learn from our mistakes we are destined to make them again. Looking to the past to discover ways that various companies opened themselves up to identity fraud can help businesses working in the present prevent such occurrences. Take these stories to heart, and apply their lessons. You just might end up being able to avoid a potentially harmful situation somewhere down the line.

#1: Be Careful With Your Data


The Case: A few years ago, Todd Davis, the CEO of an identity theft prevention company named Lifelock, came up with a novel way of promoting his company: he would release his social security number (457-55-5462) publicly, to the entire world, basically asking the public to attempt to steal his identity so that he could show off the power of Lifelock. Now, he could have made the same attention-grabbing statement by posting a phony social security number, one which was not actually in use, but Todd was bold. He really believed that his company was infallible. As such, he thought nothing of using his actual SSN. Not only that, but he put it everywhere. The campaign was fairly large in scope, with Davis’ private data plastered all over local billboards. He had internet and television ads made, all of them advertising his SSN. The fallout was pretty much what you’d expect. Despite the efforts of Lifelock, no fewer than 88 people were able to use Davis’ data to aid their economic situation.


The Lesson: There are a few lessons to learn here. First of all, be careful with your data. While Todd Davis simply handed his over to the public, many companies do the same thing accidentally every year. Whether you’re throwing a piece of data in the trash or plastering it on a billboard, the second you relinquish control of that information is the second in which it can begin to be used against you. The second lesson here is to not be overly confident. Just because you’ve been storing or disposing of data incorrectly and it hasn’t gotten you in trouble so far, that doesn’t mean it won’t in the future. Have some humility, expect the unexpected and don’t let down your guard.


#2: Know the Dangers of Sharing Data


The Case: A company, unnamed in the official record, sold one of its departments in an effort to improve its economic standing. When it did so, it handed over personal data it had gathered about its employees. This might seem like a reasonable course of action. After all, this other company now owned a part of the operation, and as such it had every right to know who was now in its employ. The bad news is that the purchaser in question then used that data to steal money from the employees included on the list. More than 60 people were affected, their accounts overdrawn and their money gone.


The Lesson: Be careful who you trust. Only give your private data to those who have proven their honesty to you. Ideally, you should give it to no one. If you do have to share data, share as little as possible, exactly what is necessary and nothing more. If your clients or employees are damaged by your actions, namely your trust of a duplicitous person or company, you are to blame. You have an obligation to all of those people to be responsible with their data. Do not take this obligation lightly.


#3: Know the Obligations of Storing Data


The Case: In 2009, 130 million credit card numbers were taken from the data banks of three corporations: Heartland Payment Systems, Hannaford Brothers Company and 7-Eleven Incorporated. They were stolen by three men who, after methodically researching the security of each corporation, hacked into their computer-stored data and retrieved the information. They would then sell the credit card numbers online, whereupon the buyers would use the information to purchase whatever they required. It was, at the time, the most massive example of identity theft ever recorded.


The Lesson: Be vigilant. What happened here wasn’t really the fault of anyone at any of the hacked corporations. They stored the data responsibly, and these men found a way around that. There’s no perfect answer when it comes to security. There are flaws in every system, no matter how exhaustive. The idea here is to be mindful. When a problem like this occurs, it needs to be dealt with as soon as possible. Watch carefully for issues such as these so that they can be quickly minimized. Also, store only the data you actively need. Whatever is not completely necessary should be destroyed. Keeping as little data as possible lowers the stakes and puts less in jeopardy. Be watchful, and be ready to act quickly.


#4: Hire Trustworthy People


The Case: Earlier this year, two people in Pennsylvania were found guilty of committing several cases of identity theft in an effort to illegally claim $1.7 million which would have been awarded to the victims through tax returns. They did this by bribing the employees of a local hospital to steal medical forms for them. These forms contained a great deal of sensitive data, including social security numbers. The couple used this data to forge fraudulent tax returns, each one of them calling for refunds from the IRS. Through this scheme, the thieves made more than $250,000 before they were caught.




The Lesson: The couple would not have been able to succeed in their plan without the help of those unlawful employees, so the lesson to impart here is that you should be careful who you trust, not just externally but internally. We often feel that corporate identity theft can only occur as a result of external machinations, but the fact of the matter is that the problem can indeed be internal. You owe it to your clients to protect their data, not only from outside aggressors but from your employees and business partners as well. You also have an obligation to protect client data from other clients and employee data from other employees. When you are given sensitive information, make sure it’s as secure as possible. Give as few people access to it as you possibly can. Monitor that data as closely as possible, and don’t betray your clients for anything.


As a business owner or even an employee, you can learn a great deal from cases such as these. Though none of them deal directly with document destruction, all of them provide examples of why carefully handling and disposing of data is so important. The more unnecessary data you leave around and the more people you trust with vital information, the better the chance that data will be used against you, your clients, or your employees. Learn from these stories, and apply their lessons to your business. Don’t allow yourself to be a victim, and don’t let your clients, or your employees, down.