Re: CA: Identity Thefts Traced to Graduate Healthcare

["Casey, Troy # Atlanta" <Troy.Casey () McKesson com>]

Seems to me that to e-file for taxes, you have to provide either a
pre-selected PIN or the Adjusted Gross Income (AGI) from the previous
year's 1040.  Assuming the thieves here did in fact e-file - and not
send in paper forms - they would have had to have the AGI for the
previous year for each student they filed for.  Of course, the
university's financial aid department would have that information, but
it seems unlikely that United Healthcare would have had that.

So it looks to me like the trail would lead back to someone at the
University that had (or gained) access to both the health insurance info
and the financial aid info, assuming these were in fact e-filed. 

Just thinking out loud,
Troy

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Arshad Noor
Sent: Tuesday, June 03, 2008 7:38 PM
To: Michael Hill, CITRMS
Cc: dataloss () attrition org
Subject: Re: [Dataloss] CA: Identity Thefts Traced to Graduate
Healthcare

Its interesting that identity thieves are taking the theft of personal
information to new levels - filing IRS tax returns in the names of the
victims for tax refunds!  This is the result when business processes
(eFiling) are modified to take advantage of electronic efficiency
without taking security into consideration.

There are thousands of such business processes waiting to be exploited
IMO - credit card numbers are just the tip of the iceberg.  What makes
this especially problematic is that most business processes are not as
standardized as credit card processing, and consequently have many more
vulnerabilities due to their variability.

Companies and government agencies are well advised to start reviewing
their business processes for security - specifically authenticity and
integrity - before issuing any money or benefits.  However, this is
easier said than done - business people and management consultants don't
know enough about security, while security consultants don't know enough
about business processes.  Attackers will be sure to exploit this gap
for some time to come.

Arshad Noor
StrongAuth, Inc.

Michael Hill, CITRMS wrote:
> http://www.newuniversity.org/main/article?slug=identity_thefts_traced_
> to156
>  
>
> United Healthcare, the provider for UCI's Graduate Student Health 
> Insurance Program, admitted that it was the source of identity thefts 
> of past and present UCI graduate and medical students on Wednesday,
May 28.
> Beginning in February, UC Irvine graduate students who attempted to 
> submit income tax returns electronically were informed by the IRS that

> their had already been filed, provoking complaints to the UCI Police 
> Department to solve the identity thefts. To date, all 155 reported 
> victims were participants in UCI's Graduate Student Health Insurance 
> Program.
>
> UCI is currently making efforts to provide identity theft victims with

> sufficient information to solve the problems caused by the situation.
> UCIPD sent out the first crime alert on March 20 and has released 
> periodic updates with more information. In addition, affected students

> will also be provided a guide to prevent identity theft and fraud in 
> the future.
>
> Administration has assured students that data security is their top 
> priority. IT security teams meet regularly in discussion of security 
> problems and practices. UCI's computer safety Web site, located at 
> security.uci.edu, provides students with information on how to protect

> their computers from cyber attacks. The site also discusses recent 
> security concerns and email scams.
>
> UCI's financial aid office has set up emergency loans available to 
> victims of identity theft whose delay in receiving their income tax 
> refund has affected their financial status.
>
> [...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml