Instances in which Iowans’ identity was stolen jumped a whopping 30 percent, from a rate of 56 people for every 100,000 Iowans in 2014 to 73 just a year later, in 2015.
Most of the thefts happened via the internet. The growth in Iowa mirrors what is happening nationwide. Thefts via the digital world are on the rise as the crime evolves with technology. Yet, many people making legitimate purchases online still have a false sense of security about their private financial information.
ABOUT THIS PROJECT
Seven students in a Simpson College journalism class spent spring 2017 researching and writing this report about identity theft and cybersecurity. Team members were:
- Ashley Smith of Edina, Minnesota
- Madison Wilson of Corydon, Iowa
- Alex Kirkpatrick of Indianola, Iowa
- Stephanie Woodruff of Fairfield, Iowa
- Erich Bogner of Keokuk, Iowa
- Clayton Bowers of Indianola, Iowa
- Hunter Hillygus of Marshalltown, Iowa
Mark Siebert, Simpson College assistant professor of multimedia communication, led the class. IowaWatch executive director-editor Lyle Muller worked with the class on story development and editing.
The project was featured on the IowaWatch Connection radio program, which you can listen to here:
The result, a series of interviews for an IowaWatch-Simpson College journalism project revealed, is a feeling of intrusion and personal violation for cyber identity theft victims.
“I felt just devastated, I didn’t know what all was affected,” Christy Eichelberger, 51, of Altoona, said. Thieves stole her identity to make online purchases in 2003 and she wonders now how technological advances have made things easier for cyber identity thefts.
Once inside a computer’s network, hackers can view documents, files and confidential data and use them for personal gain. Susan Kerr, a consumer protection investigator with the Iowa Attorney General’s Office, said digital security breaches have displaced the old way of obtaining unsuspecting consumers’ information: going through mail to steal people’s information.
The rate per 100,000 is a standard that considers the population for jurisdictions reporting crime data. In 2015, Iowa recorded 2,214 total impersonation reports. It recorded 1,371 impersonations in 2011.
But 2,558 Iowa victims were involved in those 2015 cases, which means more than one victim was targeted in some incidents.
Tracy Loynachan, a statistical research analyst at the Iowa Department of Public Safety, said the vast majority of these victims were individuals, while the others were business, financial institutions, governments, unrecorded or unknown.
In Eichelberger’s case, thieves hacked her eBay account and stole $1,300 in August 2003. She told her bank as soon as she noticed something was wrong.
That marked the beginning of a long process to restore and secure her financial accounts. “There were extra steps that we had to take to make sure that I really was who I said I was,” she said.
Police told Eichelberger identity theft is becoming huge and that people need to protect themselves, she said.
The process of regaining personal information is difficult, said state Rep. Zach Nunn, R-Bondurant, a former director of cybersecurity on the National Security Council and a former national counterintelligence officer in the Obama administration. It can mean getting new credit cards or even a new Social Security number and changing your banking information.
“That stuff is not only time-consuming but it creates a real fear in the individual that, ‘Hey, this happened once. How could it happen again?’” Nunn said.
Nunn said the most important part of reclaiming an identity, and perhaps finding vindication, is finding out where the stolen information is being redistributed or sold so that illegal websites can be shut down. He also urged people to give information that can be used to convict criminals before the thieves do more harm.
The identity reclamation process leaves banks and businesses with plenty of work to do, setting up firewalls and tests that consumers must pass to get into their systems. This makes hacking more difficult but not impossible.
The Federal Bureau of Investigation’s website states that identity theft is falsely representing someone’s identity or position and acting like that person to gain advantages the person has, such as profit or privilege.
A specialized website for fighting identity theft, Idtheftcenter.org, states that your identity can be stolen when you swipe your debit or credit card at a gas pump and don’t realize a reader, which is a device made to steal card information that looks like part of the pump, is stealing your personal financial information.
Or, thieves can steal your personal information when you order something online, even though you thought doing so was safe.
That’s how thieves stole $1,800 from the PayPal account of the Rev. Elizabeth Bell, 49, of Fairfield, in February 2017.
“The fact that this happened seems so surreal to me and then it made me angry,” Bell, a United Methodist minister who formerly worked in the credit and collections business and who is appointed to three Van Buren County churches, said. “There’s a vulnerability that happens with this. The idea of trusting a system or trusting individuals gets compromised.”
PROTECTIONS AND PUNISHMENTS
Kerr said the only way to protect yourself from data breaches is by putting a security freeze on your credit reports. This restricts access to the reports. Three main companies — Equifax, Experian and TransUnion — do this.
Megan Stufflebeem, 29, of Des Moines, canceled her credit card and went through necessary paperwork after $200 was stolen from her bank account in 2013 but said the process was painful. “It took a good month or two before they were able to refund my money,” she said.
The Federal Trade Commission has free data security resources — including free publications, videos, and tutorials — to help businesses of any size protect their customers and meet their legal obligations.
Iowa Code requires that anyone who owns or licenses computerized data containing a consumer’s personal information for professional or vocational purposes must notify the Attorney General’s Office consumer protection division within five business days about a security breach if it affects 500 people or more.
Thieves are charged depending on how much in monetary value was stolen, with first-degree theft covering property exceeding $10,000 in value and carrying the maximum punishment for a Class C felony, which is up to 10 years in prison and a fine of up to $10,000.
Thefts in which less than $10,000 in value was stolen have varying degrees of lesser punishment, 30 days in jail, for instance, or a fine ranging from $65 to $6,250.
Nunn said Iowa lawmakers face a challenge when trying to legislate crime in the internet’s virtual world the same way they legislate other crime.
“The virtual world is not always mirrored and handled in the physical world,” Nunn said. “If someone breaks into the Bank of America (in a cyberattack), steals billions of dollars or disrupts the business flow of a major bank, it’s very difficult to move to a physical crime in the same way if somebody broke into a bank and stole that money.”
Kevin Anderson, director of enterprise information protection at Farm Bureau Insurance, said he works with companies so that former employees no longer have access to a company’s security system. But hackers try reaching current employees, said Anderson, who interfaces with businesses to make sure the company meets their cybersecurity needs.
“They’re willing to pay employees large sums of money to, basically, hack from the inside,” he said. “So it’s always a concern. It’s a threat.”
However, most hacking attempts his company sees are by large-scale programs and bots, which are computer programs designed to do tasks in repetition, at a rate of 2.1 million intrusions a month, Anderson said.
The West Des Moines, Iowa-based gas station chain Kum & Go has taken extensive measures to implement these methods and strategies in order to lower their costs, Aaron Tekippe, IT security architect, said.
“We use a combination of technologies to protect customer data,” Tekippe said. “We use firewalls, intrusion prevention systems, we have data loss prevention systems that actually watch network traffic to ensure that data doesn’t actually leave our environment.”
He would not say how much that costs.
However, “I would assume the problem will stay the same as far as expense goes or be more expensive,” he said. “I think the attacks will become more frequent over time and as the attacks get more frequent, it would make sense it becomes more expensive.”
Allyson Nielsen’s cybertheft case had to be resolved over interstate lines. Learn about her story here.
Concern about cyber hacking has increased with reports that Russian hackers were behind a massive 2014 Yahoo data breach, in which information from a half-billion Yahoo users’ accounts was stolen.
Bringing online identity thieves to justice is complicated when the suspects are from overseas. Many times prosecutors in foreign jurisdictions don’t care about the U.S. case, said Einaras von Gravrock, chief executive officer of CUJO Smart Firewall, a Los Angeles-based company that specializes in home and businesses internet security.
“The least of their worries is policing people who steal money from America, which is a shame, but that’s the world we live in,” von Gravrock said. He said Russian law enforcement personnel, for example, won’t waste time pursuing charges for virtual attacks intended for locations outside of their jurisdictions.
“The bad guys throw away your money 6,000 miles away,” von Gravock said. “It’s not necessarily blaming the Russian government. They have their own challenges.”
NOTABLE BREACHES GO WORLDWIDE
Some high-profile cases of identity theft have hit not only Iowa but the nation and world.
In 2014, 70 million Target customers were affected by a data breach. Target reported that the stolen data included names, mailing addresses, phone numbers or email addresses.
In one of the biggest hacking incidents in 2007, thieves stole 94 million credit and debit card numbers from T.J. Maxx customers nationwide.
Kerr, at Iowa’s Attorney General’s Office, said data breaches such as these happen all the time to small credit processors and banks but do not make the kind of news large ones like those at Target and T.J. Maxx make.
“I think it boils down to crime that we know, crime that we don’t know, and there’s a lot of crime that we don’t know, specifically in the world of hacking,” Lt. Chris Scott, who has served with the Des Moines Police Department since 2001, said.
“You’re talking about a savvy hacker group, and there are groups. We have groups in America, and that’s what they invest their time in: ‘How can I financially benefit myself by getting into people’s bank account?’”
Scott knows how frustrating it is to have your identity stolen. He was an identity theft victim after someone stole and activated a credit card under his name and then went on a spending spree in Texas.
That was in 2000. Seventeen years later technology is more sophisticated, but the same kind of bad guys exist, he said.
Ashley Smith, Hunter Hillygus, Erich Bogner and Clayton Bowers contributed to this report.
TO LEARN HOW IOWAWATCH’S NONPROFIT JOURNALISM IS FUNDED AND HOW YOU CAN SUPPORT IT, GO TO THIS LINK.
This IowaWatch story was republished by USA Today, The Hawk Eye (Burlington, IA), The Gazette (Cedar Rapids, IA), The Des Moines Register, Council Bluffs Nonpareil, KCCI.com and OskyNews.org under IowaWatch’s mission of sharing stories with media partners.