
Running head: IDENTITY THEFT IN BUSINESSES 1

Addressing Identity Theft in Businesses and Organizations


Prepared by
James Shell and Marina Melnik
IT 486: Critical Issues in Information Technology
Central Washington University
Prepared for: Terrance Linkletter
June 5, 2014


Table of Contents
Abstract ............................................................ 3
Introduction ........................................................ 4
Types of Identity Theft ............................................. 4
Conclusion ......................................................... 13
References ......................................................... 15


Abstract
This paper provides administrative and information systems managers with useful information
regarding the various forms of identity theft affecting businesses and organizations today. Due
to the large amounts of Personally Identifiable Information (PII) necessarily processed and stored
by businesses and organizations of all sizes, they have become lucrative targets for identity
thieves. Identity theft can take many forms ranging from the extremely low-tech to the decidedly
technologically advanced. The authors chose a helpful problem/solution format in which
pervasive identity theft concepts are discussed, followed by guidelines and strategies for
prevention and mitigation. The intent is that these solutions will be adopted in some form and
embodied in a comprehensive information security policy. Included are the results of three
months of research by the authors, as well as insights and solutions solicited from students in
the Information Technology and Administrative Management (ITAM) program at Central
Washington University (CWU).
Keywords: identity theft, PII, data breach, information security


Introduction
Identity theft is the crime of obtaining personal identifying information from another
person or group for fraudulent or deceptive purposes, usually resulting in some type of financial
gain for the thief. Personally identifiable information (PII) generally includes an individual's
name, address, phone number, credit card number, checking or savings account number, and
Social Security or Social Insurance number. Additionally, identity data for businesses and
organizations includes financial information such as account and routing numbers and access
codes, copies of government-issued licenses, and customer lists.
Types of Identity Theft in Organizations
Businesses and organizations are especially rich targets for identity thieves. Identity theft
as it pertains to businesses and organizations is similar to identity theft that applies to individuals
and typically falls into the following three categories:
Organization Financial Identity Theft
Employee Identity Theft
Customer Identity Theft
Organizations which fall victim to identity theft may be exposed to data breaches of all types.
Here are some statistics from a recent study which focused on data breaches in general:
53% of small businesses experienced a data breach and 55% of those businesses had
multiple breaches.
49% of breaches included theft of business information.
59% needed to manage public damage to their brand and corporate reputation because of
the breach.
The average cost to fix business identity theft is $194,000 per breach.
60% of small businesses close within six months of a breach.

Thieves may use an organization's financial information to obtain loans under that
organization's name and good credit. Employee identities can be reconstituted into false medical
insurance documents or Social Security cards, or used to obtain loans under that employee's
name. Illegally or unethically obtained customer lists and identities can be misused in a
similar fashion to employee identities, but are also sold or provided to competitors. With these
customer lists, competing organizations gain access to key personnel and possibly to pricing, which
they may undercut to lure customers away from the victim organization.
Methods of Identity Theft in Organizations
Systemic Causes
Sometimes company data is compromised as a result of the system in which it exists.
Employees or information systems may be transmitting or storing sensitive information without a
legitimate business need to do so, or the information may be handled in a manner which makes it
easily accessible to thieves. For instance, employees who are not part of the Human Resources or
Finance departments may be tasked with archiving employee applications, counseling and
review paperwork, contracts, financial statements, or payroll information. Often, these same
documents can be perused on an unsecured file share on the company network.
In some systemic cases, data can be exposed by critical business software whose actual
operation is not clearly understood by officers or employees. The Seattle coffee giant
Starbucks and its mobile app are an example of errant software. Early in 2014, Daniel Wood, a
Minneapolis-area computer-security specialist, said he was able to break into the app's
unencrypted plain-text file containing customer phone number information. Though the
company could not determine whether customer information had been compromised by the app flaw,
and has since altered the app to encrypt all personal information, the fact remains that a
popular business tool, which accounted for roughly 11% of transactions in the third quarter of
2013, was putting customers at risk.
Limit handling and access of documents containing PII to those employees with a
legitimate business need-to-know. Lock file cabinets containing hardcopies of sensitive
documents and use file permissions based on user accounts to restrict access to electronic PII
documents on network resources. Analyze organizational workflows and activities to identify
and eliminate instances where PII is recorded or stored unnecessarily. Any publicly available
software must be thoroughly vetted by skilled software engineers for vulnerabilities which may
expose employee, customer, and organizational PII.
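The file-permission and workflow-review guidance above can be partly automated. The script below is an added example and not code from the paper: it walks a file share, looks in each file for two kinds of PII (Social Security numbers and Luhn-valid payment card numbers), and reports every PII-bearing file that is readable by accounts outside its owner and group. The directory layout, the file contents, and the reliance on POSIX permission bits are constructed for the demonstration; a real audit would add the organization's own PII patterns and inspect share ACLs rather than only mode bits.

```python
"""Audit a file share for documents that hold PII and are readable by everyone.

Added example (not code from the paper).  The share layout and file contents
are constructed here; POSIX permission bits are assumed.
"""
import re
import stat
import tempfile
from pathlib import Path

# Two common PII shapes.  Constructed for the example; an organization would add
# the patterns for the data it actually handles (phone numbers, account numbers, ...).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return the kinds of PII found in text, e.g. ['SSN', 'card']."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("SSN")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.append("card")
            break
    return kinds


def readable_by_others(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any account on the system can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_share(root: Path) -> list:
    """Walk the share and report every PII-bearing file that is world-readable."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                # unreadable to the auditor: not this check's finding
        kinds = find_pii(text)
        if kinds and readable_by_others(path):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "pii": kinds,
                "mode": oct(path.stat().st_mode & 0o777),
            })
    return findings


def build_demo_share() -> Path:
    """Create a constructed share: one exposed PII file, one protected, one clean."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "hr").mkdir()
    (root / "public").mkdir()

    exposed = root / "public" / "applicants.txt"   # PII left in an open folder
    exposed.write_text("Jane Doe, SSN 123-45-6789, phone 555-0100\n")
    exposed.chmod(0o644)

    protected = root / "hr" / "payroll.csv"        # PII restricted to owner + HR group
    protected.write_text("card,4111 1111 1111 1111\n")
    protected.chmod(0o640)

    clean = root / "public" / "notice.txt"         # digit run that fails Luhn: no PII
    clean.write_text("Lunch Friday at noon, ticket 1234567890123\n")
    clean.chmod(0o644)
    return root


if __name__ == "__main__":
    for finding in audit_share(build_demo_share()):
        print(f"{finding['path']}: {finding['pii']} readable by others (mode {finding['mode']})")
```

Run on the constructed share, only public/applicants.txt is reported: the payroll file holds a card number but is limited to its owner and group, and the notice contains a 13-digit run that fails the Luhn check. The Luhn filter is what keeps an audit like this from drowning reviewers in order and ticket numbers.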
Insider Theft
According to a 2009 Ponemon Institute survey, 60 percent of employees who quit a job
or are asked to leave abscond with company data. Customer names, transaction histories, and
pricing information (customer identities) could be damaging to an organization if they fell into
the hands of competitors. Respondents admitted to regularly taking data off site as part of their
daily operations, increasing the risk of data theft (Figure A); 79 percent of those respondents
said they had done so without company authorization.
Figure A Surveyed Methods for Removing Data

Conduct criminal history background checks on prospective employees and limit
employee access to PII to those with a need-to-know. Implement a well-documented,
widely understood information security policy and enforce it. Conduct surprise audits to
ensure the policy is being followed and to uncover any policy revisions which may be necessary.
Have all employees sign a nondisclosure agreement regarding PII and all proprietary company
data, both to deter theft and to provide the organization with legal avenues to pursue
employees who abscond with private information. In general, foster an open and trusting
working relationship with employees; however, when a decision is made to terminate or lay off
an employee with access to PII, lock or delete their user account before confronting them
(Polevi, 2012).
Mail Theft
Mail theft can be performed by an individual thief or by an organized ID theft ring, which
can even involve the manufacture of postal uniforms, impersonation of mail carriers, or theft of
mail delivery trucks. Incoming and outgoing business mail can contain blank checkbooks,
checks, financial records, credit cards, employee payroll records, and bank statements. All of
those items have the potential for identity theft. Businesses with a lot of foot traffic are
vulnerable to any stranger walking into the business, picking up a bag or a pile of mail, and
walking out. The mail thief could be a supplier, contractor, employee, friend, or even a family
member.
Avoid having mail delivered to a curbside mailbox. Have it delivered directly to
authorized personnel if possible. If mail must be delivered to a curbside mailbox, make sure it is
a locking mailbox firmly secured into the ground. Collect mail as soon as possible every day to
minimize the amount of time thieves have to steal it. (Privacy Matters, n.d.)

Dumpster Diving
Dumpster diving is when a thief gains access to business-owned dumpsters or trash
and recycling receptacles and steals documents containing PII. Bagdasarian (n.d.) states that many
internal business investigations showed that companies had thrown out paperwork such as
payment slips containing cardholder information, and even unprocessed consumer checks that
had been mistakenly discarded. The exposure is not limited to a paper trail; it also
includes name tags, CDs, hard drives, memory sticks, and business credit cards. Dumpster diving is
an effective way to find corporate information of any kind, and the method is used not only by
individual thieves but also by competitors seeking to find out how a business is doing and what it
is up to (Bagdasarian, n.d.).
Any documents containing PII, including notes between colleagues, should be shredded
in a high-quality shredder. Credit cards and removable media should be treated similarly to
paper documents, and shredded or destroyed before being discarded into a dumpster. Most
modern shredders include CD and credit card shredding capabilities (Massi, 2007, p. 44).
Employees should not take these items home unless authorized. Steve Thompson, a freelance
security writer, suggests that if employees are authorized to take PII off-site, they must follow
the same destruction procedures as at the office, or bring all work documents back to work to be
properly destroyed (Thompson, 2007). Security cameras should be installed at the location of
the business' dumpsters, and video should be reviewed regularly to discover and deter all
dumpster divers.
Social Engineering
Social engineering is a way to get information through psychological manipulation. It is
easy to trust someone and become the prey of a well-prepared identity thief. However, if a
company provides consistent training, its employees can be well prepared not to release the
sensitive information that leads to identity theft. Individuals who use social engineering
techniques usually follow a common pattern of activity that Gartner analyst Mogull calls the
Social Engineering Attack Cycle, as illustrated in Figure B.

Figure B The Social Engineering Attack Cycle (Hiner, 2002)

Impersonation and Conformity. The act of an identity thief pretending to have the
authority to acquire sensitive information is called impersonation. The identity thief can pretend
to be an employee, client, or contractor. This technique is most effective when it combines a convincing
impersonation of a superior with an emergency or "situation that requires an immediate
response" (Manjak, 2006, p. 8).
Conformity is when an identity thief convinces an employee that everybody else has
already done what the thief is requesting, which might be supplying critical documents or
providing passwords, Social Security numbers, or account numbers. The thief usually convinces
an employee that a manager has already approved what he or she is requesting and that other
peers have already complied.
A business should have clearly defined duties for all employees. Employees should know
who has the authority to direct them, and they should verify the authenticity of such
authority. This can be done with a simple phone call or email, but a policy and procedure should
exist that employees can consult, and all employees should be trained on it.
Shoulder Surfing and Eavesdropping. This social engineering method is perpetrated
upon an employee logging on to his or her computer or accessing a secure application. The
identity thief visually monitors the employee, literally looking over their shoulder, and
memorizes their username and the keystrokes of their password. In some cases, a thief might
use a cell phone to record or snap a picture of PII. The identity thief could use stolen credentials
to log in as the victim employee, accessing any electronic PII the victim has access to.
Similar to shoulder surfing, eavesdropping is the simplest method of stealing information.
This kind of theft occurs when the identity thief intentionally listens to conversations employees
are having over the phone or in person. PII including name, phone number, address, credit card
number, PIN, account number, or social security number may be collected and misused.
The simplest way to protect a business from both techniques is to train employees to be
aware of their surroundings and to wait until the person in question leaves. To protect businesses
from eavesdropping thieves, companies should provide as much office privacy as possible for all
employees who work closely with customers providing PII on the phone or in person. For
shoulder surfing protection, all employees must be trained never to leave their computer
unattended while they are logged on. In addition, businesses can provide privacy protector
screens for all monitors located in high-traffic areas, so that nobody but the person in front
of the screen can see the information on that computer.
Computer- and Software-Based
Increasingly, identity thieves are relying on computer software to collect PII and other
sensitive data. An employee workstation or corporate server could be compromised with
malicious software (malware) which quietly collects PII and other sensitive data in background
processes, and transmits it to thieves over the Internet.
Malware can sometimes be installed on a business' computer simply by inserting infected
removable media. It is even easier to install malware if a thief has both physical access to a
computer and stolen credentials to log on with. An employee who clicks buttons or links on a
compromised website or in an email may cause the browser to execute scripts that download and
install malware (Cullen, 2011, p. 117).
The pervasiveness of wireless connectivity has created another avenue for identity
thieves. Using a combination of hardware and software, identity thieves can impersonate
wireless access points. Such a malicious access point acts as a man-in-the-middle (MITM),
relaying, and capturing, all communication between an employee and network or Internet
resources, as illustrated in Figure C. In rarer cases, a thief with physical access to a wired
network can insert a similar wired device to sniff or capture sensitive information.

Figure C Wireless MITM Attack Scenario
To combat malware, IT personnel should ensure that networked computers are running
up-to-date firewall and anti-malware software. Computer security logs should be screened
regularly for suspicious behavior (Zeltser, 2011). Filtering technology at the router level, or
through a proxy server, should be used to prevent employees from visiting compromised
websites and to screen incoming and outgoing email messages for signs of malware. To protect
against MITM attacks, wireless access points should use encryption, and communications
between endpoints, such as an employee and a server resource, should always use encrypted
authentication such as SSL ("Man-in-the-middle attack," n.d.).
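Screening security logs for suspicious behavior, as recommended above, and the earlier advice to lock a departing employee's account before termination can both be checked with simple detection logic. The script below is an added example, not from the paper: it parses a constructed sshd-style authentication log and raises an alert when a successful logon follows three or more failed attempts for the same account from the same source within ten minutes (a sign of guessed or stolen credentials), and when any account on a constructed list of terminated employees logs on at all. The log lines, host name, account names, addresses, thresholds, and the assumed log year are all made up.

```python
"""Screen authentication log lines for signs of credential misuse.

Added example (not code from the paper).  The sshd-style log excerpt, host,
account names, addresses, thresholds, and the log year are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt.  Real syslog lines also omit the year, so one is assumed below.
SAMPLE_LOG = """\
Jun 05 09:12:01 fileserver sshd[2231]: Failed password for jsmith from 10.0.0.45 port 51022 ssh2
Jun 05 09:12:04 fileserver sshd[2231]: Failed password for jsmith from 10.0.0.45 port 51023 ssh2
Jun 05 09:12:09 fileserver sshd[2231]: Failed password for jsmith from 10.0.0.45 port 51024 ssh2
Jun 05 09:12:30 fileserver sshd[2231]: Accepted password for jsmith from 10.0.0.45 port 51025 ssh2
Jun 05 10:03:11 fileserver sshd[2250]: Failed password for ahale from 10.0.0.12 port 40110 ssh2
Jun 05 10:03:20 fileserver sshd[2250]: Accepted password for ahale from 10.0.0.12 port 40111 ssh2
Jun 05 17:40:02 fileserver sshd[2290]: Accepted password for mlee from 10.0.0.77 port 50211 ssh2
"""

# Accounts of people who have left.  Per the policy above these should already be
# locked, so any successful logon is worth a look.  Constructed list.
TERMINATED_ACCOUNTS = {"mlee"}

LOG_YEAR = 2014                      # assumed: syslog timestamps carry no year
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it is not a logon event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def screen_log(text: str, terminated=frozenset(TERMINATED_ACCOUNTS)) -> list:
    """Return alerts for (a) success after repeated failures, (b) logons by ex-employees."""
    alerts = []
    failures = defaultdict(list)     # (user, source) -> timestamps of failed attempts
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # A successful logon: evaluate both rules.
        if ev["user"] in terminated:
            alerts.append({"type": "terminated_account_logon", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
        recent = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append({"type": "success_after_failures", "user": ev["user"],
                           "src": ev["src"], "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()        # the streak ended with this success
    return alerts


if __name__ == "__main__":
    for a in screen_log(SAMPLE_LOG):
        print(f"{a['ts']:%b %d %H:%M:%S} {a['type']}: {a['user']} from {a['src']}")
```

On the constructed excerpt the script produces two alerts: jsmith's logon at 09:12:30 after three failures from the same address, and mlee's logon at 17:40:02 on an account that should have been locked. The single failure before ahale's logon stays below the threshold and is ignored, which is the kind of tuning that keeps a regular log review from producing more noise than the reviewer can act on.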
Theft of Mobile Devices
Increasingly, employees are in possession of mobile devices such as smartphones, tablets,
and laptop computers. An identity thief who manages to steal a mobile device may have
unfettered access to a wealth of PII.
Protect mobile devices with passwords and encrypt laptop hard drives with a
comprehensive product such as the source-available TrueCrypt or Microsoft's BitLocker.
Ideally, in addition to encryption, the devices should be further secured with some sort of
biometric such as a fingerprint scanner. Employees should use laptop cable locks when
working on laptops to deter snatch-and-grab thieves.
Data on Leased, Recycled, or Sold Computer Equipment
Information on old or unused computer equipment that is improperly disposed of may
subject a business to loss of intellectual property, identity theft, legal penalties, or damage to
its corporate reputation. Computers, laptops, tablets, smartphones, and even digital copiers all
have some type of data storage where business information such as contacts, documents,
passwords, or bank information may reside. Identity thieves could access much of this data,
compromising the business.
If a business wishes to keep data from old equipment, it should back the data up onto another
device. The business can then choose a method to completely remove the data. A certified
refurbisher or recycler will use secure data destruction methods to accomplish this; alternatively,
a device can be wiped in-house using specialized software designed to strict government
standards. One more option is to physically destroy the drive or memory card.

Conclusion
Protecting a business and its clients from identity theft is an important piece of the larger
information security puzzle. Ethics, as well as legal ramifications, mandate that every
organization dealing in any fashion with personally identifiable information have policies and
procedures for protecting it. Martin Manjak (2006) wrote, "The success of any enterprise
depends on a well-informed, dedicated, and ethical workforce" (p. 5). A well-documented
information security policy must be internalized by management and employees and revisited
regularly to ensure compliance and effectiveness. Businesses should trust their employees to
follow the security procedures in order for the business to operate effectively. This applies in
varying degrees to anyone who is affiliated with an organization, which includes part-time staff,
contract employees, business partners, consultants, and vendors (Manjak, 2006). As thefts of
personally identifiable information show no signs of abating, managers must remain vigilant and
steadfast in their dedication to information security.



References
Adams, A. A., & McCrindle, R. J. (2008). Pandora's box: Social and professional issues of the
information age. West Sussex: John Wiley & Sons Ltd.
Bagdasarian, H. (n.d.). Dumpster diving. Retrieved from
http://www.identity-theft-awareness.com/dumpster-diving.html
Cullen, T. (2007). The Wall Street Journal complete identity theft guidebook. New York: Three
Rivers Press.
González, Á. (2014). Starbucks iPhone app vulnerable, security specialist says. The Seattle
Times. Retrieved from
http://seattletimes.com/html/businesstechnology/2022679329_starbucksflawxml.html
Hiner, J. (2002). Change your company's culture to combat social engineering attacks.
Retrieved from
http://www.techrepublic.com/article/change-your-companys-culture-to-combat-social-engineering-attacks/
Man-in-the-middle attack. (n.d.). Retrieved June 05, 2014 from Wikipedia:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Manjak, M. (2006, December 19). Social engineering your employees to information security.
Retrieved from
http://www.sans.org/reading-room/whitepapers/engineering/social-engineering-employees-information-security-1686
Massi, R. (2007). People get screwed all the time: Protecting yourself from scams, fraud,
identity theft, fine print, and more. New York: HarperCollins.
Polevi, L. (2012). 5 tips to keep employee theft from running you out of business. Retrieved
from
http://blog.intuit.com/employees/5-tips-to-keep-employee-theft-from-running-you-out-of-business/
Privacy Matters (n.d.). Mail theft and identity theft. Retrieved from
http://www.privacymatters.com/identity-theft-information/mail-theft.aspx
Recalde, M. E. (2005). Workplace identity theft: Proactive measures employers can and should
take to combat it. Sheehan, Phinney, Bass & Green PA. Retrieved from
http://www.sheehan.com/publications/good-company-newsletter/Workplace-Identity-Theft-Proactive-Measures-Employers-Can-And-Should-Take-To-Combat-It.aspx
SuperUser (n.d.). Truecrypt v. PGP v. Bitlocker for whole disk encryption? Retrieved from
http://superuser.com/questions/166617/truecrypt-v-pgp-v-bitlocker-for-whole-disk-encryption
Symantec Corp. (n.d.). More than half of ex-employees admit to stealing company data
according to new study. Retrieved from
http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
Thompson, S. (2007, Mar 6). How to protect your business from dumpster diving. Retrieved
from http://voices.yahoo.com/how-protect-business-dumpster-diving-223093.html
Zeltser, L. (2011). 4 steps to combat malware enterprise-wide. Various Research. Retrieved
from http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
