Vulnerabilities

Within the United Kingdom, various vulnerabilities exist which facilitate the occurrence of identity fraud. With regard to identity theft, the public availability of information is a significant issue. Kevin McNulty, Head of the Identity Fraud Reduction Team, acknowledged that there is a “huge availability of public data” including records of births, marriages and deaths. Furthermore, several websites exist which provide perpetrators with extensive personal details of potential victims. Staff members, especially within call centres, also have access to significant amounts of sensitive personal data including credit card numbers and CCV numbers. These employees are a major vulnerability because they can either access the information voluntarily to commit dishonest acts, or be bribed by organized crime networks into handing over the customer information.

Nicola Westmore, from the UK Ministry of Justice, described an important recent case which emphasized this data availability vulnerability in the United Kingdom. The case concerned land registry records which were posted online. New legislation allowed details of people’s titles and properties to be put on the internet, which created a massive database of sensitive personal information. These included photocopies of mortgage deeds, including signatures. Thankfully, enforcement action led to the material being taken down, because individuals felt there was potential for identity theft when anyone had access to all of the information. According to Westmore, “They should have blacked out information which was personal and could have been used for other purposes. People tend to develop policies in isolation without thinking it through entirely.”

In addition, the recent high-profile data losses within the United Kingdom have introduced an entirely different dimension to the availability of sensitive personal data. Interviewees all mentioned this recent issue. A prime example is the data loss which occurred in November 2007, when news broke that HM Revenue & Customs had lost disks which contained records of 25 million child benefit recipients. The disks were lost in the mail: they had been handed to TNT for courier delivery and were supposed to arrive at the National Audit Office. According to Iain Thomson, “The material was apparently put in the post by a junior employee at the HMRC office in Washington, Tyne & Wear.” The disks contained rather sensitive information. The following data was password protected but not encrypted: names, addresses, dates of birth, child benefit numbers, National Insurance numbers and bank or building society account details.

While this data loss received tremendous attention from both the government and the media, it was not the first data loss at HMRC. In October 2007, an HMRC member left a laptop in his car, which was subsequently stolen. According to Iain Thomson, “The computer contained records from finance houses revealing the identity of high value customers who had invested in Individual Savings Accounts.” Ever since the media caught on to the HMRC data loss, many other organizations have come forward about data losses. The data loss also led, perhaps expectedly and inevitably, to new phishing attacks.

Problems within the private sector also exist. The Information Commissioner’s Office describes how a freelance journalist, based in Southampton, decided to check local banks in his area. He went along to several banks and a post office, looked in the bins placed outside them and found a significant amount of discarded personal data (cut up debit/credit cards, torn up bank statements/insurance application forms etc.). He contacted the banks, did not receive a very favourable response and as a result contacted the ICO. The ICO commenced an investigation, but before that was completed the journalist contacted the BBC Watchdog programme. Watchdog visited several towns in the UK and their ‘researchers’ found similar discarded personal data in bins outside banks/building societies.

About a month later, BBC Watchdog researchers repeated the operation in other towns and again got similar results. In addition, a journalist in Scotland carried out a similar operation in his local town and recovered personal data. All the documentation recovered was forwarded to the ICO, and it resulted in undertakings being obtained from the Post Office, 11 Banks and the Immigration Advisory Service. The ICO hopes that these undertakings, signed by chief level executives, will assist in preventing sensitive data from being disposed of in a careless manner which could subsequently lead to identity theft.

Another vulnerability identified by McNulty is how individuals within the United Kingdom can rather easily change their name. A name change does not require a legal deed, which means perpetrators who want to commit an act of identity-related crime can simply change their name to correspond with whatever documentation they have managed to obtain and subsequently commit fraud.  

While particular vulnerabilities exist with regard to the identity theft stage, societal factors also facilitate the actual occurrence of identity fraud. In one research ‘experiment’, Gill, along with a colleague, tried to assess to what extent they could accomplish certain activities with a voter registration card. Within the United Kingdom, any eligible citizen has a voter registration card. This card is not a form of identification, yet Gill and the colleague tried to see whether people (i.e. employees at a financial institution and the post office) would be willing to accept it as a form of identification. When they went to withdraw money, the bank employee did not even bother asking for identification, and neither did the post office employee when they went to pick up a parcel. This clearly hints at potential problems with regard to verification of a client’s identity. When asked about this, McNulty acknowledged that this certainly is a vulnerable area within the United Kingdom.

 


D12.10: Normality Mining: Results from a Tracking Study

Within FIDIS, WP3 and WP12 have dealt with RFID, WP11 has investigated
mobility and identity while WP6 has examined biometrics and WP7 profiling.
The aim of this report is to bring these disparate threads together into a tangible
study which will demonstrate privacy issues surrounding products and services
which are likely to start emerging on to the consumer market.
New generations of mobile handsets, with integrated devices like GPS and
internet capabilities, are becoming less like traditional phones. In fact we
should stop viewing them as simply mobile phones - they are now more like
mobile computers which can make phone calls. These advances in mobile
technologies will inevitably lead to new services which we can enjoy anywhere,
anytime. Location Based Services which utilise the phone’s GPS to tell us for
example where we are, or where the nearest cinema is, are an obvious first step
– but what happens if the phone monitors where we go at all times? Can these
new services build a picture of who we are based on where we have been? Can
they use this profile of us to understand what we like and tailor their results
specifically to us? And if so, at what cost to our privacy? In this report, aimed
at the potential consumers of such services, we will look at results from a recent
tracking study which examines these issues.

 
