Grand Theft Identity

"To a certain extent you can't do anything," says Essita Holmes, a D.C. public defender whose years of shredding documents seemed wasted after ID thieves established a phony bank account in her name to cash bad checks at Target and Wal-Mart. "We're all victims in waiting."

For years, the primary cause of ID theft has been good old-fashioned analog crime. Thieves rifle mailboxes, snatch purses and dive into Dumpsters for discarded bank statements or credit-card receipts. More recently, we've seen a plague of "phishing"--sending bogus e-mails that look like they come from legitimate companies, asking us to supply supposedly lost or outdated personal information. Last week phishers, trying to capitalize on the news, sent out e-mails supposedly from MasterCard, asking people to update their information. "They played on the fear that consumers had when the announcement was made," says Susan Larson of SurfControl, an Internet-security firm.

By now, savvy computer users know the requisite defense against a phishing attack: never respond to a request for your personal information. This wisdom is part of the standard tool kit of protections against ID theft. Check your credit-card bills with an eagle eye. Request your credit report. Shred your information with the fervor of an Enronite. Every aspect of this regime makes perfect sense for each of us to protect the identity we call our own. But when it comes to companies charged with safeguarding millions, sometimes even billions, of records, what do they do?

They leave it unencrypted on computers, where malicious hackers get hold of it. The DSW Shoe Warehouse is far from the only hacked database owner. According to an FTC consent order, BJ's Wholesale Club, a Massachusetts-based firm operating big-box stores and gas stations, not only failed to encrypt, but stored records in violation of bank-security rules, didn't use a firewall to prevent wireless intrusions and protected the information with the easy-to-guess default passwords that came with the system. Result: credit cards ripped off in early 2004 were used to fraudulently charge millions in goods.

They inadvertently sell it to crooks.ChoicePoint is an information broker that keeps, or can electronically access, 19 billion records on American consumers, almost certainly including you. It prides itself on the security of its databases--but that didn't matter when it sold the secrets of at least 145,000 consumers to a fake company last year, including the Social Security number of Kei Kishimoto, a Boston biotech researcher. ChoicePoint gave Kishimoto a year of free credit monitoring, but then he's on his own. "Those numbers could be in a million places by now," he says.

They pack it in boxes and put it in a UPS truck. That's what CitiFinancial, a unit of Citigroup, did with the financial secrets of 3.9 million customers last May. The box never arrived at its destination, and now CitiFinancial's telling customers that their identities are at risk. For Jessica Jerwa, a Seattle paralegal, who's a previous victim of ID theft, learning that her records were lost by Citi was a scary deja vu.