U.S. PIRG Consumer Blog: A few interesting ID theft issues in the news

The Hannaford stores security breach of 4.2 million credit and debit cards happened even though the stores may have met payment industry security standards; your re-issued credit card after a breach may mess up your credit; don't buy ID theft services; and, that passport thing with the candidates? Not the first time. Here's more:

From the latest AP story -- New way to steal Hannaford data breach differs from prior attacks -- on the massive credit and debit card breach at Hannaford stores in New England:

While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.[...] Another intriguing facet is that Hannaford was found -- while the hack was still going on last month -- to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.

The story goes on to quote an industry expert saying that Hannaford "may have been tripped up by ambiguity in the PCI standards." Wouldn't surprise me. Merchants tell me all the time about the incomprehensible, unclear and even secret rules that they must comply with to accept credit and debit cards.

In the Washington Post, Joan Goldwasser of Kiplinger's warns that industry insiders are saying different things about the credit reporting treatment of re-issued credit cards after such a breach:

A replacement card should not affect your credit score, says Craig Watts of Fair Isaac, which created the FICO credit score. "FICO will see the account as a single history, even though there are two account numbers." But spokesmen for Experian and TransUnion -- two of the three major credit bureaus -- say that how the issuer reports the reissued account could make a difference. If it's reported as an old account with a new number, your payment history is unchanged. If it's treated as a new account, however, the closed account and the new account will both be listed on your credit report.

So, dear consumer, it is up to you to check your credit report. We agree with the experts quoted by Kimberly Lankford of Kiplingers in her story Do-It-Yourself ID Protection (also in today's Washington Post):

"We don't feel that credit-monitoring services are worth it," said Paul Stephens of the Privacy Rights Clearinghouse.

This long entry describes your rights to free credit reports in detail. Over at Consumers Union, publisher of Consumer Reports, you can see a much more up-to-date list of state security freeze rights laws than that blog entry. The security freeze is the only way to stop identity theft before it starts. That's why U.S. PIRG and Consumers Union ran a national campaign to get 39 states and DC to make it a law. We're still working on the Congress, but want to make sure anything it does doesn't take away what the states have done.

Also, the papers over the the last few days (see Washington Post by Glenn Kessler: Rice Apologizes For Breach of Passport Data) have reported that various beltway bandit government contractors and even State Department officials have been looking at passport files of candidates McCain, Clinton and Obama. A state department flack is quoted: Not to worry, this was only "imprudent curiosity." It isn't always such vicarious amusement, to coin another throwaway. Dirty-tricks opposition researchers routinely try to snare data like these from any database or disillusioned or money-seeking database-worker that that they can and private detectives have been caught buying it over the years. IRS, Social Security and Motor Vehicle workers have been caught selling it. Identity thieves themselves even famously bought dossiers from ChoicePoint.

As long as we keep creating more databases of citizens and consumers, and the more we link them for multiple uses, we'll keep having more mistakes that falsely ensnare innocent consumers, we'll keep having more identity theft, and we'll keep having more "imprudent curiosity." Better controls will help; fewer databases and fewer secondary uses will help, too.