A 33-year-old help desk worker at a small Long Island company was charged Monday with the biggest identity theft fraud in U.S. history. Philip Cummings’ actions led to the theft of more than 30,000 people’s identities, federal authorities charge, in what U.S. Attorney Kevin Barrows called “every American’s worst financial nightmare multiplied tens of thousands of times.” But as authorities explained how Cummings allegedly ripped through the nation’s financial system, the irresistible question hung in the air: Why was it so easy?
To victims, the data can mean everything. After a full-blown identity theft, many will spend months clearing up financial demerits from overdrawn credit cards and bad car loans, and spend years checking their credit reports.
To Cummings, the data was worth $30 per victim, authorities said.
During a three-year crime spree, Cummings was allegedly the point man in a scheme that saw victims’ personal financial information stolen and sold to a ring of about 20 Nigerian nationals in the New York City area. Until the group got greedy earlier this year, and stole 15,000 credit reports while impersonating the Ford Motor Company, no one noticed.
“With a few keystrokes, these men essentially picked the pockets of tens of thousands of Americans and, in the process, took their identities, stole their money and swiped their security,” Manhattan U.S. Attorney James Comey said at a press conference Monday.
Victims reported losing money from their bank accounts, seeing their credit cards hit with unauthorized charges and having their identities assumed by strangers. So far, victims have reported losing $2.7 million, but that total is expected to rise.
How it happened
Court papers filed in the case paint a clear picture how easy it was for Cummings to allegedly steal the data from the nation’s powerful credit reporting agencies: Experian, Equifax and Trans Union. The faulty back door: a third-party service provider named Teledata Communications Inc. Teledata provides “credit prompter boxes,” easy-to-use credit-check terminals found at more than 25,000 companies. The terminals make it simple for a car dealership or an apartment rental office to perform routine credit checks.
Teledata thus has access to all the credit report data at Experian, Equifax and Trans Union. And apparently, until recently, so did Cummings.
Simply by applying the right user name and password, Cummings was allegedly able to impersonate firms like Ford, giving him the keys to almost any citizen’s personal financial kingdom.
“Any help desk representative has access to confidential passwords and subscriber codes of (Teledata) client companies that would have enabled that employee to download credit reports from all three credit bureaus,” writes Barrows in his indictment.
It all started in 2000, when Cummings was allegedly approached by a suspect-now-turned-informant, who suggested there was a hot market for stolen credit data. There was. Soon, targeted requests were coming in from a group of at least 20 “individuals of Nigerian descent” living in the Bronx or Brooklyn. Authorities say the group would provide names and sometimes Social Security numbers, and Cummings returned credit reports. He allegedly split the $60 fee with the informant, whose name is being withheld by investigators.
The codes kept working
In March of 2000, Cummings quit Teledata, but that didn’t even slow down the scheme, investigators say. The company codes he had allegedly stolen still worked, and most worked right up until his arrest earlier this year.
He left New York for Georgia, but frequently traveled back to the city to participate in the scheme, investigators say. Eventually, he allegedly loaded a special laptop computer with the right passwords so the informant could download credit reports on his own. This laptop now gave anyone who had it access to virtually everyone’s personal financial data. When a company did change its password, temporarily stumping the laptop, the informant claims he just called Cummings, who had an ample list of additional passwords that still worked.
During the next two years, the scam continued unabated, with the criminals allegedly posing as dozens of companies to steal data. Initially, only Experian’s service was used, but soon Trans Union and Equifax were also used.
Eventually, the group apparently got greedy. During most of 2001 and the early part of 2002, some 15,000 credit reports were ordered in Ford’s name, and finally, someone noticed. Access to Ford’s account was cut off. But even that didn’t deter the thieves from their easy money. From February to May 2002, 6,000 reports, 100 at a time, were ordered in the name of Washington Mutual Bank. And as recently as September 2002, long after the Ford incident had been well-publicized, the brazen thieves ordered 4,500 credit reports through Central Texas Energy Supply.
When Equifax finally checked the requests, the firm learned that most were coming from a common telephone number in New Rochelle, N.Y. The requests regularly came in unusually large batches and they were often made by an operator using the initials “MM.”
The operation finally came to a crash on Oct. 29, when federal authorities searched the New Rochelle home of their soon-to-be-informant. Computers and other equipment seized there revealed the extent of the crime.
Why would employees have access?
Betsy Broder, the Federal Trade Commission’s expert on identity theft said she was disturbed that the victim’s personal data was so readily available to Teledata employees.
“Part of the problem is security and part is proper hiring practices,” she said. “You have to ask what kind of safeguards does a company have.”
The big three credit agencies distanced themselves from the issue Monday, saying they don’t work directly with companies like Teledata.
“Our contract is with Ford Motor credit,” said Donald Girard, director of Public Relations for Experian. “They are our clients ... Apparently they had a relationship with (Teledata) to facilitate their access to us.”
The criminal complaint suggests the thieves needed only a user name and password to foil Experian’s security system and impersonate real credit report clients; Girard said he couldn’t confirm or deny that. He said the company has already made improvements to its systems to prevent such a heist from happening again, but he wouldn’t say what they were.
“This is the first time it’s ever happened. ... it’s a pretty unique situation,” he said.
While Cummings only worked at Teledata for 10 months, the scam succeeded for nearly three years, and continued two years after he left the firm. That’s not unusual, according to a bank fraud investigator who requested anonymity.
“All you need is a small window to steal what you need to do something like this,” the investigator said.
For its part, Teledata declined to be interviewed but said in a statement that it is cooperating with authorities.
“We are pleased to learn that (the investigation) has apparently come to a successful conclusion,” the statement read.
Cummings, who now lives in Cartersville, Ga., was released on $500,000 bond after an appearance in Manhattan federal court Monday. He issued no statement. If convicted, he faces up to 30 years in prison for wire fraud and millions in fines.
In addition to Cummings, the FBI also charged Linus Baptiste and Hakeem Mohammed in the fraud. Mohammed is accused of fraud against GMAC, General Motors’ financing arm, and Bank One. In one scheme, he allegedly changed address information in a victim’s credit report so paper checks and other financial documents would be sent to his Bronx apartment. Baptiste is accused of using computer codes and passwords supplied by Cummings to access thousands of credit reports that he later sold.
The Associated Press contributed to this report.