Grand Theft Identity

They leave it on laptops that get stolen. Last March at UC Berkeley someone made away with a computer holding personal information of almost 100,000 grad students and applicants.

They don't monitor what insiders may do with it. In April, Hackensack, N.J., police arrested eight employees at Bank of America, Wachovia, PNC and Commerce banks for selling customer-account numbers to an unlicensed collection agency run by a convicted criminal. The operation snared data on more than 676,000 people, including customers from six additional banks.

They just plain lose it. Bank of America is still looking for backup tapes with information on 1.2 million government workers, discovered lost in December. Maybe they're in the same place as the records Time Warner lost in March, containing 600,000 missing records on past and current employees and their families.

One reason we're hearing about all these breaches is that a 2003 California law required companies for the first time to disclose the failures that affect residents of that state. "Before the disclosure law, we were in the dark," says Beth Givens, head of the Privacy Rights Clearinghouse. "The general public is just now learning about how insecure the computer networks are that hold our sensitive personal information."

Without that law, we may not have even heard about the mother of all breaches, CardSystems. The privately held company processes an estimated $15 billion credit- card transactions a year (between the merchant and the bank). In direct violation of its agreement with MasterCard and Visa, CardSystems retained 40 million credit-card numbers "for research purposes," as its CEO John Perry initially told the press. These were sucked out of the system by digital invaders. CardSystems's clients admit that protection was lax: "Obviously there were deficiencies and other issues," says Josh Peirez, head of government affairs for MasterCard. Since the break-in, CardSystems has reportedly installed a new "intrusion-prevention product" (hey, thanks).

Obviously, an elaborate infrastructure of crime has emerged to collect and distribute stolen records. "It's not the lone gunman of the past," says Chris Painter of the Department of Justice. "There are highly structured criminal organizations operating." When it comes to attacking databases, malicious hackers either use automated software "bots" to methodically probe the Internet for vulnerable databases or target companies that are likely to harbor honey pots. Most often, they enter systems through preventable security flaws, like guessable passwords (example: "Dave" or the default password that came with the program) or known vulnerabilities in software.