Federal authorities have busted a Florida identity theft ring that used hundreds of thousands of stolen credit card numbers to pile up millions in illegal charges.
After an investigation by the Secret Service and other law enforcement officials, Miguel Alegria, 46; Raynier Pupo, 22; Ariel Montero, 32; and Javier Padron-Bravo, 35, were charged with aggravated identity theft, counterfeit credit card trafficking and conspiracy, the agency announced today.
According to the Secret Service, the four Cuban nationals purchased tens of thousands of stolen credit card account numbers from known cybercriminals in Eastern Europe. The men sent their payments through the online money transfer service e-gold, which is heavily used in the criminal underground because transactions are fast, irreversible and seemingly anonymous. (Owners of e-gold are facing criminal charges.)
The four men used the data they received to counterfeit credit cards in "plants" throughout southern Florida.
The arrests came as a result of an earlier investigation into the activities and arrest of Julio Lopez and his girlfriend, Anett Villar. The Secret Service said Lopez, who used the screen name "Blinky," trafficked in counterfeit credit cards and identifications for years over the internet.
The recent arrests led to the recovery of more than 200,000 credit card account numbers used in connection with the ring's activity, which was responsible for fraud losses of more than $75 million. Secret Service agents also seized two pick-up trucks, $10,000 in cash and one handgun.
Because such a large number of stolen credit card numbers could come only via a data breach, this case proves "there's a huge connection between data breaches and ID theft," said Mari Frank, an attorney who became a consumer-rights advocate after having her identity stolen. "How can consumers protect themselves when cases like this are so far beyond their control?"
The President’s Identity Theft Task Force recommended federal legislation permitting companies involved in data breaches to determine whether consumers are at risk before notification, according to Frank. Such a law would overturn California's much stricter law, which requires companies to notify everyone whose personally sensitive information was stolen or lost in an electronic breach.
A "significant risk for identity theft trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real," according to the task force's April "Combatting Identity Theft" plan.
But, the task force recommends, a national notification law should cover data that can be used to orchestrate identity theft, such as names, addresses or telephone numbers that are paired with Social Security or driver's license numbers.
"The standards should not cover data, such as a name and address alone. That by itself typically would not cause harm," the report says.
As it stands now, the threshold for notification is left up to the discretion of each of the more than 35 states that have approved data-incident reporting measures.
Two national breach alert bills have been approved by the Senate Judiciary Committee, although they differ in what threshold would require reporting to authorities and customers.
The Personal Data Privacy and Security Act of 2007 requires companies to report if the lost or stolen data posed "significant" risk to customers, while the Notification of Risk to Personal Data Act of 2007, introduced by Sen. Dianne Feinstein, D-Calif., names "reasonable risk" of harm as the threshold, according to a May report in the Washington Post.
Frank said this pending legislation leaves "the fox minding the hen house. They say there should be no notification [of a data loss] until a company decides there's reasonable risk of harm."