A growing number of online services are now available offering to find details on any member of the public, highlighting the increasingly widespread availability of personal data.
For example, 192.com’s entirely legal service trawls sources such as electoral registers, census records, the Land Registry database, and mobile phone user locations.
But identity theft is still on the rise – UK fraud prevention service Cifas estimates it has increased by 500 per cent since 1999. And such scams may need only a single piece of illegally-obtained data on top of that which can be legally accessed.
The What price privacy now? report published by information commissioner Richard Thomas in December calls for stricter penalties for people selling illegally obtained data, in line with regulations established for the government’s national ID card scheme.
‘I repeat my call for a two-year jail term to deter those convicted of trading unlawfully in personal information, and I am very encouraged that the government has consulted publicly on this,’ said Thomas.
‘The Identity Cards Act 2006 provides the blueprint, with a two-year custodial sentence for those unlawfully disclosing information. The same deterrent is needed to protect more sensitive information such as bank accounts, phone bills, and health and criminal records.’
The Information Commissioner’s Office (ICO) report says there has been ‘significant and encouraging progress’, with many organisations taking steps of their own to raise awareness and tighten security.
But the problem is not going away. ‘Investigations by the ICO and the police have uncovered evidence of a widespread and organised undercover market in confidential personal information,’ says the report.
A survey published by Sainsbury’s Bank last month paints a similarly gloomy picture. More than four million people – nine per cent of the adult population – claim they have been a victim of identity fraud, with an average financial loss of £3,039.
Illegally-obtained personal information tends to come by one of two methods, says the ICO.
It can be bought from unscrupulous employees of relevant public and private sector organisations with large customer databases. Or it is obtained by ‘blagging’ over the telephone, usually by impersonating the subject of the data or an official from elsewhere in the company.
In March 2005 the ICO investigated a case where a Hull JobCentre received a call purporting to be from a civil servant working in the Department for Work and Pensions.
The caller was familiar with office jargon and procedures, and during a 90-minute conversation managed to obtain information about 140 members of the public.
There are numerous organisations holding personal information that could be targeted by identity thieves. Public bodies at risk include HM Revenue & Customs, NHS trusts and surgeries, education authorities, the ID and Passport Service, schools and the Police National Computer.
Critics of the ICO recommendations say a two-year custodial sentence only targets one part of the thriving personal information industry.
Deterrents are not enough on their own, says Gartner analyst Jay Heiser.
‘Raising jail sentences is tackling the symptom not the cause. Prison sentences are just not going to discourage people, especially those who operate scams from outside the country and believe that they are not going to be penalised, he said.’
A central issue in attempts to beat ID fraud is that it is a relatively easy scam to carry out.
‘The problem is that credit givers are willing to accept relatively weak forms of authentication,’ said Heiser.
‘You can walk into a mobile phone shop with two different utility bills and they will let you set up a phone account, and the same holds true for some credit card companies.
‘The implications of the widespread availability of personal data are still not completely understood, but there are plenty of people who think it will become a pretty dire situation,’ he said.
ID theft is also a growing problem for small companies, says Federation of Small Businesses policy officer Rosina Robson.
‘The message on the importance of protecting your data seems to be getting out to a lot of larger organisations, but smaller businesses are less aware of the dangers and scams that are out there to get their data,’ she said.
Obtaining information
The Information Commissioner’s Office (ICO) report What price privacy now? says the trade in illegal information breaks down into three different stages.
The source Phone companies and call centres are vulnerable to attacks, either by confidence tricksters, or by bribing low-paid employees.
The middle man Usually private detectives and often ex-police officers, they may have contacts who are still in the police or other authorities. There can be many stages in the trading of information at this point, with data sold from one agency to another.
The buyer Most frequently newspapers. Fraudsters looking to carry out ID scams also purchase information, as well as lenders and creditors, including local authorities chasing tax arrears.
A recently prosecuted case by the ICO involved a marine insurance claim for a sunken boat. The claim was passed to a City law firm, which in turn passed the case to a private detective for investigation. The private detective then passed the case on to another detective, who used a local contact in a call centre in Cornwall to obtain financial information on the claimant.
Further reading:
Four million UK victims of ID fraud
reader comments