Easy access to passwords by employee leads to largest identity theft fraud in U.S.
Incident Date: 2002
Incident Location: New York NY USA
Philip Cummings worked at Teledata Communications Inc. (TCI) as a computer helpdesk employee for a little less than a year, but his time there made a huge impact. The New York-based company sold a computer system that provided lenders with access to the three major credit card databases at Experian, TransUnion, and Equifax. Clients would use TCI software to request credit reports on their customers prior to settings up lines of credit.
TCI clients were assigned account numbers (called "subscriber codes") and passwords to utilize the credit reporting services. Mr. Cummings apparently had access to a spreadsheet containing a list of these account and password combinations. It was this access that led Mr. Cummings to begin the largest known identity theft crimes of our time.
Using the password of a TCI client, Mr. Cummings began illegally accessing credit reports in early 2000. He worked with Linus Baptiste, who provided him with the names or social security numbers of targeted victims. Mr. Cummings would obtain the credit reports of the specified individuals and turn the documents over to Mr. Baptiste.
Mr. Baptiste then sold the information for about $60 per report to other criminals and split the money with Mr. Cummings. These reports were valuable to criminals, some of whom belonged to a gang of Nigerian immigrants, because they contained information that could be used for stealing money either directly from the victim or by making purchases using their identity.
Eventually Mr. Cummings moved from New York to Georgia. But he provided his accomplice with a computer, TCI software, and client passwords enabling him to download credit reports directly.
Officials estimate that a password associated with a Ford Motor Credit account was used to obtain more than 15,000 unauthorized Experian credit reports over 10 months. Mr. Cummings also handed out passwords associated with Washington Mutual Bank in Florida, Dollar Bank in Cleveland, Community Bank Chaska in Minnesota, and a number of other TCI clients.
Experian first detected the fraud when they sent Ford its bill and received complaints about the large number of unauthorized reports. Their subsequent investigation revealed that other customers, like Washington Mutual, were experiencing similar fraud.
When TCI or a credit reporting company identified the unauthorized access they would disable the suspect account and password. However, Mr. Cummings would then just switch to another account and password to continue the fraud. This happened even after Mr. Cummings left TCI in March of 2000 since he retained a copy of the account spreadsheet. His crimes using the Ford Motor Credit account took place between April 2001 and February 2002.
It appears that law enforcement officials were first alerted to Mr. Cummings’ role in the crimes when unauthorized access to Equifax was tracked back to Mr. Baptiste. Police arrested Mr. Baptiste on October 29, 2002 after his home phone numbers were linked to the unauthorized access into Equifax and downloading of several hundred credit reports. Computers, credit reports, a ledger, and other evidence in Mr. Baptiste’s home pointed to Mr. Cummings involvement.
Prosecutors claim that Mr. Cummings and Mr. Baptiste received hundreds of thousands of dollars from criminals in payment for the credit reports. Initial victim losses started at $2.7 million, but more recent estimates place the expected cost of the crimes in the range of $50 - $100 million.
During September of 2004 Mr. Cummings pled guilty in a New York federal courtroom to several fraud counts and conspiracy. His sentence includes 14 years of imprisonment and compensation to his victims. He is scheduled to report to prison on March 9, 2005.
Mr. Baptiste pled guilty to four counts of conspiracy, wire fraud, computer fraud, and forfeiture. Investigations into other conspirators of the fraud were not complete at the time of this story.
The Web site of TCI (www.tcicredit.com) now advertises security measures that "go far beyond password protection."
Title: U.S. Announces What Is Believed The Largest Identity Theft Case In American History; Losses Are In The Millions
Author: United States Attorney Southern District of NY
Publication: Press Release
Publication Location: New York NY USA
Publication URL: http://www.usdoj.gov/criminal/cybercrime/cummingsIndict.htm
Title: Man pleads guilty in huge ID theft case
Author: Bob Sullivan
Publication Location: USA
Publication URL: http://www.msnbc.msn.com/id/6001526/
Title: ID theft mastermind gets 14 years
Publication: BBC News
Publication Location: England
Publication URL: http://news.bbc.co.uk/2/hi/americas/4163237.stm
Do you have additional information to contribute regarding this story? If so, please email firstname.lastname@example.org with the details and source.