By Glenn Kessler
Washington Post Staff Writer
Friday, October 31, 2008
The State Department has notified approximately 400 passport applicants in the D.C. area of a breach in its database security that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail, officials said.
The scheme, involving two major government agencies, came to light months ago through a fluke. On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law. Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications -- and that four of the names on the passport applications matched the names on four of the credit cards, according to documents filed in U.S. District Court.
Upon his arrest, the driver, Leiutenant Q. Harris Jr., told police that he worked with a co-conspirator who was employed by the State Department and another co-conspirator who worked for the U.S. Postal Service, court documents said. Officers on the scene called American Express about some of the cards in Harris's possession, and were told that they had recently been used and that a fraud alert had been placed on them.
But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe.
Florence Fultz, the acting managing director of the State Department's Passport Services division, urged applicants whose passport files had been breached to "thoroughly review bank and credit card statements and obtain a copy of your personal credit card history," according to a copy of the letter that was sent out this month. The letter informed recipients that the State Department would provide free credit monitoring for a year and would reimburse out-of-pocket expenses and lost wages resulting from identity theft. The applicant's passport record would be flagged to issue an alert if another application is made, the letter said.
The criminal investigation has not been completed, but the scam is one more black eye for State's passport division. Last year, the department greatly underestimated the number of passport applications it would receive and fell behind in processing them, resulting in ruined vacation plans for many Americans. Then, this year, it was discovered that workers repeatedly snooped without authorization inside the electronic passport records of entertainers, athletes and other high-profile Americans -- including Sens. Hillary Rodham Clinton (D-N.Y.), John McCain (R-Ariz.) and Barack Obama (D-Ill.).
The 192 million passport files maintained by the State Department contain individuals' passport applications, which include Social Security numbers, physical descriptions, and names and places of birth of the applicants' parents -- information that is often requested by credit card companies when they activate cards sent through the mail. The files do not contain records of overseas travel or visa stamps from previous passports.
In July, the State Department's inspector general documented a widespread lack of controls on the personal data of the 127 million Americans who hold passports, finding "a general lack of policies, procedures, guidance and training."
Fultz, in the letter, said: "We are thoroughly examining every aspect of our information security systems and procedures to safeguard against unauthorized access of passport records."
The State Department refused to allow any officials to discuss the case on the record, saying it is still under investigation. But in a written statement provided on the condition of anonymity, a spokesman said the department has "undertaken a number of immediate and long-term measures to significantly improve the protection of personally identifiable information to include mandatory audits, an enhanced monitoring list, improved training and a revamped reporting system. In addition, we have formed a working group to develop long-term systems solutions to improve the security of these records such as a tiered access system to all passport records."
In another statement, the department said that a single State employee was allegedly involved in the fraud and that so far 400 individuals had been identified "whose records may have been accessed by the suspect for illicit purposes." But, the statement added, "to the best of our knowledge, most of these individuals have not experienced identify theft."
Officials declined to say how much money was stolen or how many people were involved in the scheme.