A computer help-desk employee with access to sensitive passwords from banks and credit companies has been charged with stealing financial information on thousands of Americans in what federal prosecutors said yesterday could be the largest case of identity fraud ever detected.
Philip Cummings, 33, appeared in U.S. District Court in Manhattan to face charges that he and another man downloaded the personal information of 30,000 people over three years. The two would get reports from the major credit reporting bureaus using Cummings's access to passwords belonging to Ford Motor Credit Co., Washington Mutual Bank and other financial institutions.
Federal prosecutors allege that they then sold lists of credit card numbers, checking accounts and other personal information to scam artists, splitting a fee of $60 per name. Authorities said early efforts to track down victims have so far turned up $2.7 million in losses.
"With a few keystrokes, these men essentially picked the pockets of tens of thousands of Americans and in the process took their identities, stole their money and swiped their security," Manhattan U.S. Attorney James B. Comey said at a news conference announcing the arrests.
Credit companies have long relied on big central databases to help lenders decide which applications to approve, and the federal government is now looking at tapping the same information to improve homeland security.
But the ease with which Cummings and his confederate are alleged to have stolen and sold highly valuable information raises major questions about the security of such efforts, privacy experts said.
Cummings worked at Teledata Communications Inc. -- a Long Island, N.Y., company that provides lenders with software, terminals and support to help them tap the major credit databases kept by Equifax Inc., Experian Information Solutions Inc. and TransUnion LLC. His ability to pull credit information did not initially raise eyebrows among the credit agencies, according to court documents and officials familiar with the case. Instead, the agencies began to investigate only after consumers questioned why the agencies were issuing credit reports without their authorization.
"Whatever controls there are on the systems that make data available clearly aren't working," said Robert Gellman, a privacy consultant in the District. "Identity theft is not a retail operation anymore, it's a wholesale business."
According to a criminal complaint unsealed yesterday, help-desk employees generally had access to password and access-code information. Beginning in 2000, Cummings took requests from up to 20 people in the Bronx and Brooklyn, running specific names for $60 apiece, the complaint said. The victims were generally not customers of Ford or the financial institutions that supplied the passwords.
Cummings and his accomplice accessed the credit bureaus' databases from a personal laptop, according to court documents. Between April 2001 and February 2002, they used a password from the Ford Motor Credit branch in Grand Rapids, Mich., to download more than 13,000 credit reports. When consumers began to complain about unauthorized credit checks, Ford changed the password, reported the problem to the FBI and sent letters to people whose information had been accessed, officials said.
But the accused moved on, the complaint said. Using the same New Rochelle, N.Y., phone numbers, they posed as a Washington Mutual branch in Florida, a Dollar Bank in Cleveland, an apartment company in Houston and the Community Bank Chaska of Chaska, Minn. They downloaded hundreds of reports at a time, the complaint said.
Some victims have reported unauthorized charges on their credit cards, money lost from their bank accounts, or use of their identities on credit card and loan applications, federal officials said.
If convicted of wire fraud, Cummings faces up to 30 years in prison, plus up to five years in jail for conspiracy. He was released by a federal magistrate in New York after posting a $500,000 bond, and his attorney declined to comment, according to the Associated Press.
Another man, Linus Baptiste, was charged in late October with wire fraud in connection with the case. According to court documents, phone numbers from his residence were used to dial into Equifax's databases and download 400 to 600 names.
A third man, Hakeem Mohammed, pleaded guilty in October to mail fraud and conspiracy. Prosecutors said he opened lines of credit in the names of two people whose information was run through databases using the Ford Motor Credit password.
"The defendants took advantage of an insider's access to sensitive information much in the same way that a gang of thieves might get the combination to the bank vault from an insider. But the potential windfall was probably far greater than the contents of a bank, and . . . they didn't even need a getaway car," said Kevin P. Donovan, the head of the FBI's New York field office.
Donald Girard, public relations director for California-based Experian, said he could not explain how anyone would have been able to use the same passwords repeatedly over the course of months. "They shouldn't have," Girard said. "Security and identity theft is a big issue for us. . . . I anticipate diligence will increase."
Ford Motor Credit spokeswoman Melinda Wilson said the lender responded quickly after it learned of the breach. "As soon as we became aware of it, we turned our systems upside down and inside out to change them. We think it's a wake-up call to the entire credit industry."
Teledata Communications declined to comment on the case. Cummings worked on the help desk from mid-1999 through March 2000, according to the complaint.
Marty Abrams, executive director of the Center for Information Policy Leadership, said the case demonstrates how identity theft has grown from a petty crime to a major national problem. "It's an expanding crime, and it's one that really bugs consumers. It's also one that law enforcement is still trying to get its arms around," he said.
Edmund Mierzwinski, consumer program director of the U.S. Public Interest Research Group, said the problem will grow worse unless companies take it more seriously.
"Sloppy security and credit-granting practices make it easy for thieves -- inside and outside a company -- to make big money stealing or selling identities. Until corporations are held accountable, crooks will continue to steal consumers' good names," he said.