Ian Umscheid, 7, became a victim of identity theft after his health insurer suffered a data breach
First Posted: 8/22/11 09:27 AM ET Updated: 8/22/11 02:22 PM ET
Every few weeks, Stephanie McManis receives a phone call from a collection agency asking for someone she never met. She recently opened a letter from a bank threatening to sue her for defaulting on a loan she never took out. She checks her credit report monthly, disputing late payments on emergency room visits she never made.
McManis, 31, says she is a victim of identity theft, a well-documented problem these days. One detail elevates her case from the typical, however: her identity was stolen when she was 12 years old. Now, nearly two decades later, she still can't separate herself from a checkered financial past created before she was old enough to drive.
"It's frustrating because I'm constantly having to jump through hoops," McManis said. "I'm resigned to the fact that I will be dealing with this for the rest of my life."
Experts say children represent an emerging market for identity thieves who steal their Social Security numbers because they offer clean slates that can be used to commit fraud for years without detection. Many victims don't learn about the crime until they are young adults and find their credit in tatters as they are rejected for student loans, jobs and places to live.
Even as recent data breaches at large corporations have raised awareness about safeguarding consumer information, children's Social Security numbers are lying around little-guarded places not accustomed to fearing cyber-attacks -- like schools and pediatric centers -- constituting a goldmine for criminals seeking untainted identities.
If left unchecked, child identity theft poses risks not only to young adults, but also to the financial system by eroding confidence that loans will be repaid, experts say.
"There's a systemic financial impact, as well as what we should be doing morally, ethically and legally to help our children have a future that they design on their own," Michelle Dennedy, a privacy consultant and founder of TheIdentityProject.com, said at a July conference on child identity theft sponsored by the Federal Trade Commission.
With increasing frequency, cyberthieves are hijacking those futures, tapping the pristine Social Security numbers of children for adult purposes, enabling undocumented immigrants to gain employment and people with tainted credit to secure credit cards, mortgages and car loans, experts say.
Utah officials have started checking a state employment database with a list of Utah children on public aid, finding "thousands" of workers using children's identities to acquire jobs, according to Utah Assistant Attorney General Richard Hamp. In one recent case, nine people were using a 9-year-old's Social Security number to gain employment, Hamp said.
"I have prosecuted a number of those cases at this stage and can tell you -- I've got kids that are brick masons. I've got kids that are waitresses. I've got kids that are carpenters," Hamp said at the FTC forum.
A THEFT GOES UNDETECTED
Last year, about 8 percent of identity theft complaints came from victims 19 and younger, slightly more than the year before, according to the Federal Trade Commission. More than 140,000 children are victims of identity theft each year, according to ID Analytics, which sells identity fraud protection and based its estimate on a one-year review of children enrolled in its services.
Both figures are probably much higher, experts say, because parents typically don't monitor their child's credit report, assuming one should not exist. And even if they did, the fraud may go undetected by credit bureaus because identity thieves pair children's Social Security numbers with new names and birthdays.
Debix, which sells identity protection services, says it recently ran credit reports on 381 cases of confirmed child identity theft and found credit reports only turned up fraudulent activity in four cases, or 1 percent.
Child identity theft is driven largely by organized crime, but undocumented immigrants and family members are also using children's Social Security numbers to start new lives or pay bills, experts say. Foster children are particularly vulnerable to identity theft because their personal information is floating through the foster-care system, experts say.
Jaleesa Suell entered foster care when she was 8 years old and was placed in six different foster families. At some point, someone used her identity to apply for a credit card, she said.
When Jaleesa turned 21 last year, she said she was denied her first credit card. Then she noticed on her credit report an account opened when she was 17 with payments in default. Despite six months of corresponding with credit bureaus and the bank, she has been unable to have the fraudulent payments removed.
She fears the issue won't be resolved in time for graduation when she will need credit to rent an apartment -- a cruel irony for someone who grew up in foster care.
"I've spent my life wondering if I'll have a place to stay," she said. "And now that my identity is stolen I find myself in the same circumstance."
To combat identity theft among foster children, Rep. Jim Langevin (D-R.I.) has introduced legislation that would require states to annually obtain their credit reports and prohibit states from using their Social Security numbers to identify them.
"These youth already face so many unique challenges and it is unconscionable that we are seeing more and more evidence of identity theft that further hinders their ability to become self-sufficient young adults," Langevin said in a statement.
McManis, 31, says she is a victim of identity theft, a well-documented problem these days. One detail elevates her case from the typical, however: her identity was stolen when she was 12 years old. Now, nearly two decades later, she still can't separate herself from a checkered financial past created before she was old enough to drive.
"It's frustrating because I'm constantly having to jump through hoops," McManis said. "I'm resigned to the fact that I will be dealing with this for the rest of my life."
Experts say children represent an emerging market for identity thieves who steal their Social Security numbers because they offer clean slates that can be used to commit fraud for years without detection. Many victims don't learn about the crime until they are young adults and find their credit in tatters as they are rejected for student loans, jobs and places to live.
Even as recent data breaches at large corporations have raised awareness about safeguarding consumer information, children's Social Security numbers are lying around little-guarded places not accustomed to fearing cyber-attacks -- like schools and pediatric centers -- constituting a goldmine for criminals seeking untainted identities.
If left unchecked, child identity theft poses risks not only to young adults, but also to the financial system by eroding confidence that loans will be repaid, experts say.
"There's a systemic financial impact, as well as what we should be doing morally, ethically and legally to help our children have a future that they design on their own," Michelle Dennedy, a privacy consultant and founder of TheIdentityProject.com, said at a July conference on child identity theft sponsored by the Federal Trade Commission.
With increasing frequency, cyberthieves are hijacking those futures, tapping the pristine Social Security numbers of children for adult purposes, enabling undocumented immigrants to gain employment and people with tainted credit to secure credit cards, mortgages and car loans, experts say.
Utah officials have started checking a state employment database with a list of Utah children on public aid, finding "thousands" of workers using children's identities to acquire jobs, according to Utah Assistant Attorney General Richard Hamp. In one recent case, nine people were using a 9-year-old's Social Security number to gain employment, Hamp said.
"I have prosecuted a number of those cases at this stage and can tell you -- I've got kids that are brick masons. I've got kids that are waitresses. I've got kids that are carpenters," Hamp said at the FTC forum.
A THEFT GOES UNDETECTED
Last year, about 8 percent of identity theft complaints came from victims 19 and younger, slightly more than the year before, according to the Federal Trade Commission. More than 140,000 children are victims of identity theft each year, according to ID Analytics, which sells identity fraud protection and based its estimate on a one-year review of children enrolled in its services.
Both figures are probably much higher, experts say, because parents typically don't monitor their child's credit report, assuming one should not exist. And even if they did, the fraud may go undetected by credit bureaus because identity thieves pair children's Social Security numbers with new names and birthdays.
Debix, which sells identity protection services, says it recently ran credit reports on 381 cases of confirmed child identity theft and found credit reports only turned up fraudulent activity in four cases, or 1 percent.
Child identity theft is driven largely by organized crime, but undocumented immigrants and family members are also using children's Social Security numbers to start new lives or pay bills, experts say. Foster children are particularly vulnerable to identity theft because their personal information is floating through the foster-care system, experts say.
Jaleesa Suell entered foster care when she was 8 years old and was placed in six different foster families. At some point, someone used her identity to apply for a credit card, she said.
When Jaleesa turned 21 last year, she said she was denied her first credit card. Then she noticed on her credit report an account opened when she was 17 with payments in default. Despite six months of corresponding with credit bureaus and the bank, she has been unable to have the fraudulent payments removed.
She fears the issue won't be resolved in time for graduation when she will need credit to rent an apartment -- a cruel irony for someone who grew up in foster care.
"I've spent my life wondering if I'll have a place to stay," she said. "And now that my identity is stolen I find myself in the same circumstance."
To combat identity theft among foster children, Rep. Jim Langevin (D-R.I.) has introduced legislation that would require states to annually obtain their credit reports and prohibit states from using their Social Security numbers to identify them.
"These youth already face so many unique challenges and it is unconscionable that we are seeing more and more evidence of identity theft that further hinders their ability to become self-sufficient young adults," Langevin said in a statement.
Jaleesa Suell's identity was stolen while she was 17 and in foster care.
7 YEARS OLD AND $725,000 IN DEBT
In the largest study on child identity theft to date, researchers at Carnegie Mellon University found that 10 percent of children were victims of identity theft, compared with less than 1 percent of adults.
Though not scientific, the study, which was published this spring, analyzed more than 800,000 records, including 40,000 belonging to minors, that were compromised by data breaches in 2009 and 2010. The information was provided by Debix, which sells identity theft services and offers free scans for parents who want to find out if a credit file exists on their child.
The stolen identities were used to purchase homes and cars, open credit card accounts, gain employment and obtain driver's licenses, the report found. The youngest victim was five months old. In one case, eight people are suspected of opening 42 accounts and incurring more than $725,000 in debt using a 17-year-old's Social Security number.
Many child identity thefts begin with a cyber attack, according to Bo Holland, chief executive of Debix. Hackers are now using computer viruses and botnets, or networks of infected computers, to search for specific documents on computers such as tax records and health records, which contain children's Social Security numbers, Holland said.
Once stolen, children's Social Security numbers are sold to human traffickers or thieves looking to open fraudulent credit accounts, authorities say. Last fall, two men in Newark, Del., were convicted of stealing the identities of more than 93 victims, including 44 children, and using them to open 343 credit cards, 54 bank accounts and two shell businesses over six years, resulting in about $1 million in losses.
In the largest study on child identity theft to date, researchers at Carnegie Mellon University found that 10 percent of children were victims of identity theft, compared with less than 1 percent of adults.
Though not scientific, the study, which was published this spring, analyzed more than 800,000 records, including 40,000 belonging to minors, that were compromised by data breaches in 2009 and 2010. The information was provided by Debix, which sells identity theft services and offers free scans for parents who want to find out if a credit file exists on their child.
The stolen identities were used to purchase homes and cars, open credit card accounts, gain employment and obtain driver's licenses, the report found. The youngest victim was five months old. In one case, eight people are suspected of opening 42 accounts and incurring more than $725,000 in debt using a 17-year-old's Social Security number.
Many child identity thefts begin with a cyber attack, according to Bo Holland, chief executive of Debix. Hackers are now using computer viruses and botnets, or networks of infected computers, to search for specific documents on computers such as tax records and health records, which contain children's Social Security numbers, Holland said.
Once stolen, children's Social Security numbers are sold to human traffickers or thieves looking to open fraudulent credit accounts, authorities say. Last fall, two men in Newark, Del., were convicted of stealing the identities of more than 93 victims, including 44 children, and using them to open 343 credit cards, 54 bank accounts and two shell businesses over six years, resulting in about $1 million in losses.
For $40 to $80, websites illegally sell 9-digit "credit privacy numbers," which are clean Social Security numbers mostly belonging to children, according to Jennifer Walker, who works in the Office of the Inspector General of the Social Security Administration.
And if thieves are unable to buy or steal a child's Social Security number, they may be able to guess it. In fact, children's numbers are easier to predict than adults' numbers thanks to a government program created in 1987, according to Alessandro Acquisti, associate professor at Carnegie Mellon University.
The Social Security Administration's program encouraged parents to apply for their newborn's Social Security numbers at birth to prevent identity thieves from hijacking their child's Social Security numbers before they could apply for them.
But the program had the opposite effect because Social Security numbers have been issued in a predictable sequence based on when and where a child was born. So when nearly all children began receiving Social Security numbers at birth, thieves could infer all nine digits based on publicly available information, Acquisti said.
In June, the Social Security Administration hoped to fix this by assigning a randomized series of numbers, but the more predictable Social Security numbers will remain in effect for people born before this summer.
"We're talking about hundreds of millions of Social Security numbers that are still potentially predicable," Acquisti said. "We've made the job of identity theft way too easy."
LEAKY SOURCES OF IDENTITIES
While they have long focused on financial institutions, online thieves have also begun targeting organizations that store vast amounts of children's Social Security numbers, such as health care providers and schools. But those agencies often fail to properly safeguard the information or promptly disclose data breaches when they occur.
Last July, a Bronx man was charged with filing false tax returns by using Social Security numbers of children who were patients of pediatric cancer and other hospitals in New York City.
In January, health care insurer Health Net learned that computer servers containing data on nearly two million members, employees and health care providers went missing. But the company waited nearly two months to report the breach, according to the San Francisco Chronicle. Then it began offering free credit-monitoring services to enrollees whose information may have been compromised.
That was when Simon Umscheid learned his 6-year-old son Ian was apparently the victim of identity theft. After the data breach at Health Net, an identity thief set up several bank accounts and bought jewelry and cable television service under his son's name, racking up about $14,000. Umscheid said the fraud is being resolved, but he remains angry with Health Net, which also suffered a major data breach in 2009.
"It's incredibly frustrating," he said. "My son obviously doesn't understand what's going on and we haven’t talked to him about it. You feel victimized."
Meanwhile, at least 26 states now collect Social Security numbers from students to track their future performance in the workplace, according to the Data Quality Campaign.
But schools have struggled to secure children's identities. The education sector represented 12 percent of all data breaches last year, according to the security firm Symantec. And this year, data breaches at schools have continued.
In one example, officials at Lancaster County School District in Lancaster, S.C., sent letters in April notifying parents that hackers had broken into a system housing the Social Security numbers of about 25,000 students. In June, two laptops containing Social Security numbers of 10,000 students and staff from northern Illinois were stolen from a car, according to the Privacy Rights Clearinghouse.
"There are likely many schools that have exposed data that don’t understand how exposed it is," said Robert Hamilton, senior manager of product marketing at Symantec.
Some parents have fought efforts to collect sensitive information on their children. After strong opposition from parents and school boards, the Maine legislature this year removed language in a state law that required schools to collect student's Social Security numbers.
Such groundswells of protest should happen more often, privacy advocates say. Parents should be skeptical when giving out their child's Social Security numbers, particularly when there is no apparent need for it, Dennedy said.
"There's not enough education in the marketplace to tell parents to push back when someone asks you for their Social Security number to join a church canoe trip," she said at a forum last month. "They probably won't be trying to get a credit card in the canoe. I'm not sure why they're even asking for that kind of information."
And if thieves are unable to buy or steal a child's Social Security number, they may be able to guess it. In fact, children's numbers are easier to predict than adults' numbers thanks to a government program created in 1987, according to Alessandro Acquisti, associate professor at Carnegie Mellon University.
The Social Security Administration's program encouraged parents to apply for their newborn's Social Security numbers at birth to prevent identity thieves from hijacking their child's Social Security numbers before they could apply for them.
But the program had the opposite effect because Social Security numbers have been issued in a predictable sequence based on when and where a child was born. So when nearly all children began receiving Social Security numbers at birth, thieves could infer all nine digits based on publicly available information, Acquisti said.
In June, the Social Security Administration hoped to fix this by assigning a randomized series of numbers, but the more predictable Social Security numbers will remain in effect for people born before this summer.
"We're talking about hundreds of millions of Social Security numbers that are still potentially predicable," Acquisti said. "We've made the job of identity theft way too easy."
LEAKY SOURCES OF IDENTITIES
While they have long focused on financial institutions, online thieves have also begun targeting organizations that store vast amounts of children's Social Security numbers, such as health care providers and schools. But those agencies often fail to properly safeguard the information or promptly disclose data breaches when they occur.
Last July, a Bronx man was charged with filing false tax returns by using Social Security numbers of children who were patients of pediatric cancer and other hospitals in New York City.
In January, health care insurer Health Net learned that computer servers containing data on nearly two million members, employees and health care providers went missing. But the company waited nearly two months to report the breach, according to the San Francisco Chronicle. Then it began offering free credit-monitoring services to enrollees whose information may have been compromised.
That was when Simon Umscheid learned his 6-year-old son Ian was apparently the victim of identity theft. After the data breach at Health Net, an identity thief set up several bank accounts and bought jewelry and cable television service under his son's name, racking up about $14,000. Umscheid said the fraud is being resolved, but he remains angry with Health Net, which also suffered a major data breach in 2009.
"It's incredibly frustrating," he said. "My son obviously doesn't understand what's going on and we haven’t talked to him about it. You feel victimized."
Meanwhile, at least 26 states now collect Social Security numbers from students to track their future performance in the workplace, according to the Data Quality Campaign.
But schools have struggled to secure children's identities. The education sector represented 12 percent of all data breaches last year, according to the security firm Symantec. And this year, data breaches at schools have continued.
In one example, officials at Lancaster County School District in Lancaster, S.C., sent letters in April notifying parents that hackers had broken into a system housing the Social Security numbers of about 25,000 students. In June, two laptops containing Social Security numbers of 10,000 students and staff from northern Illinois were stolen from a car, according to the Privacy Rights Clearinghouse.
"There are likely many schools that have exposed data that don’t understand how exposed it is," said Robert Hamilton, senior manager of product marketing at Symantec.
Some parents have fought efforts to collect sensitive information on their children. After strong opposition from parents and school boards, the Maine legislature this year removed language in a state law that required schools to collect student's Social Security numbers.
Such groundswells of protest should happen more often, privacy advocates say. Parents should be skeptical when giving out their child's Social Security numbers, particularly when there is no apparent need for it, Dennedy said.
"There's not enough education in the marketplace to tell parents to push back when someone asks you for their Social Security number to join a church canoe trip," she said at a forum last month. "They probably won't be trying to get a credit card in the canoe. I'm not sure why they're even asking for that kind of information."
Stephanie McManis, 31, says her identity was stolen when she was 12
A STRUGGLE TO REGAIN HER NAME
For victims of child identity theft, the damage can take years to unwind. After graduating college in 2001, Stephanie McManis applied for her first credit card, but was rejected.
Only after she requested her credit report did she learn that someone else had used her identity since she was 12 years old, she said. Her credit report was "inches thick," she said, filled with unpaid mortgages, car loans, cell phone contracts and credit card debt.
McManis filed a report with her local police department and authorities tracked down the woman who was using her identity and living just a few hours away in Avon, Ohio, just west of Cleveland.
Avon Police Officer Kevin Krugman, who investigated the case, said the Social Security numbers of the two women are one digit off and he believed the confusion was caused by "nothing more than a clerical error" by someone at a credit agency, not identity theft.
"Their identities are tied together for good until they take care of it," Krugman said.
But privacy advocates familiar with McManis' case still believe she is a victim of identity theft. Dennedy said local police departments often do not want to conduct thorough investigations of identity theft because they do not have the time or resources. And if it was an honest mistake, Dennedy said, why is this woman still using McManis' Social Security number today?
"Cops don’t want to believe it's identity theft because they have to close their cases," Dennedy said. "They don't understand the harm. Even if it was an honest mistake, and you still can't get a house or a loan, the impact is the same. You're still stuck with someone else's bad credit."
A few years ago, McManis was denied a mortgage on a house because the other woman had filed for foreclosure. The issue was eventually straightened out, but the calls from collection agencies asking for hospital bill payments continue.
To this day, McManis does not know how her identity was stolen. She knows the woman's name and has found her Facebook page, but has never contacted her directly because she does not want to appear to threaten her. The woman did not return calls for comment.
"I'm angry at her but also frustrated with the system," McManis said. "I shouldn’t have to prove myself when I've had good credit my whole life."
5 tips for parents to protect their children from identity theft:
1. Don’t carry around a child’s Social Security card. This increases the risk of losing the card, which is the most common way identity thieves obtain a child’s information.
2. Be discriminating when asked for a child’s personal information. If it has to be provided, ask how it will be stored. If the information will not be retained, inquire how any record of it will be destroyed or returned.
3. Cross-shred documents with personal identifying information before disposing of them.
4. Don’t post children’s pictures online. Most digital cameras have geocoding features that embed within images the location where pictures were taken. This gives identity thieves information they can use to steal children’s identities.
5. Don’t give children their Social Security numbers until they understand how and why to protect the numbers.
Source: Identity Theft 911
For victims of child identity theft, the damage can take years to unwind. After graduating college in 2001, Stephanie McManis applied for her first credit card, but was rejected.
Only after she requested her credit report did she learn that someone else had used her identity since she was 12 years old, she said. Her credit report was "inches thick," she said, filled with unpaid mortgages, car loans, cell phone contracts and credit card debt.
McManis filed a report with her local police department and authorities tracked down the woman who was using her identity and living just a few hours away in Avon, Ohio, just west of Cleveland.
Avon Police Officer Kevin Krugman, who investigated the case, said the Social Security numbers of the two women are one digit off and he believed the confusion was caused by "nothing more than a clerical error" by someone at a credit agency, not identity theft.
"Their identities are tied together for good until they take care of it," Krugman said.
But privacy advocates familiar with McManis' case still believe she is a victim of identity theft. Dennedy said local police departments often do not want to conduct thorough investigations of identity theft because they do not have the time or resources. And if it was an honest mistake, Dennedy said, why is this woman still using McManis' Social Security number today?
"Cops don’t want to believe it's identity theft because they have to close their cases," Dennedy said. "They don't understand the harm. Even if it was an honest mistake, and you still can't get a house or a loan, the impact is the same. You're still stuck with someone else's bad credit."
A few years ago, McManis was denied a mortgage on a house because the other woman had filed for foreclosure. The issue was eventually straightened out, but the calls from collection agencies asking for hospital bill payments continue.
To this day, McManis does not know how her identity was stolen. She knows the woman's name and has found her Facebook page, but has never contacted her directly because she does not want to appear to threaten her. The woman did not return calls for comment.
"I'm angry at her but also frustrated with the system," McManis said. "I shouldn’t have to prove myself when I've had good credit my whole life."
5 tips for parents to protect their children from identity theft:
1. Don’t carry around a child’s Social Security card. This increases the risk of losing the card, which is the most common way identity thieves obtain a child’s information.
2. Be discriminating when asked for a child’s personal information. If it has to be provided, ask how it will be stored. If the information will not be retained, inquire how any record of it will be destroyed or returned.
3. Cross-shred documents with personal identifying information before disposing of them.
4. Don’t post children’s pictures online. Most digital cameras have geocoding features that embed within images the location where pictures were taken. This gives identity thieves information they can use to steal children’s identities.
5. Don’t give children their Social Security numbers until they understand how and why to protect the numbers.
Source: Identity Theft 911
