May 26, 2006

Sacred Heart University Suffers Data Breach

CNET News.com has a story that says 135,000 people may have had their personal information stolen. The school posted a notice on their web site.

The Fairfield, Conn.-based university said in the posting that it discovered the intrusion on May 8 and notified police and the FBI, which have launched investigations. Television news channel WTNH reported Thursday that the school has notified about 135,000 people that their personal information, including Social Security numbers, may have been compromised. Some of the people notified, according to WTNH's report, have never been associated with Sacred Heart.

Oklahoma, New York & Illinois Move to Strengthen ID Theft Laws

GuardMyCreditFile reports on movement in three states, Oklahoma, New York and Illinois, to increase consumer protection.

Legislators in three states are attempting to strengthen consumer privacy laws and enhance consumer rights in order to prevent identity theft. The moves come as the nation comes to grips with the theft of data from the Veterans Administration on 26 million veterans.

May 25, 2006

Brilliant Article Gets Inside 419 Advance-fee Scam

Mitchell Zuckoff wrote a phenomenal article in The New Yorker that takes you deep inside an international advance-fee scam (also known as a Nigerian or 419 scheme). The victim (or accomplice, depending on your interpretation) is a man in his sixties, a decorated veteran, minister and respected psychotherapist. He got sucked into the scam and it destroyed his life. He lost around $80,000 and was told to pay restitution in the hundreds of thousands. And he ended up being convicted of bank fraud and sentenced to 2 years in jail.

If you ever wanted to understand how these work, read this article. There are many lessons to be learned. For example, if you are ever sent checks to deposit (with the intent of sending the money through your account elsewhere), calling a bank to verify that a check is “good” doesn’t mean much. It could be a real check that was altered. And if you deposit a check and it “clears” that doesn’t mean you are in the clear. A fraudulent check can clear but you are not absolved of all responsibility at that point.

May 24, 2006

Ugly Duckling Leaked Sensitive Customer Data For Financial Gain

Robert Brennan of the SoCalCreditDamage.com Blog has a press release on his blog about a class action case he is representing.

Consumers shopping at DRIVE TIME (formerly known as UGLY DUCKLING) for used cars usually have filled out credit applications containing all of their confidential financial information, including name, social security number, employment information and home address. These consumers assumed that DRIVE TIME would keep these credit applications under lock and key and not leak them to anyone outside of DRIVE TIME.

…the La Crescenta, California firm of Brennan, Wiener & Associates (“BWA”) discovered that DRIVE TIME had, for some years, been leaking these confidential credit applications in large numbers to insurance brokers for the purpose of placing auto insurance. The affected consumers had no idea that this was happening.

May 23, 2006

U.S. PIRG Rips Into the VA for Security Breach

The U.S. PIRG Consumer Blog gets “medieval” on the Veterans Administration for the horrifying data breach that was reported here May 22 (26 million veterans had their sensitive data exposed). Here are some highlights.

…VA goes on to pass the buck by claiming that the employee "violated policy." So what? The breach is still VA's fault for having a weak, unenforceable data protection policy that fails to recognize its responsibilities. A potential thief or thieves now has the keys to establish false identities in the names of 26 million veterans. (The birthdates are a bonus -- just makes it easier -- SSNs would have been enough.) Here are some questions we have:

1. Why weren't the data encrypted (no story claims the data were encrypted), after so many reported breaches of unencrypted data in the last 15 months?

It’s worth pointing out that while it’s not hugely difficult for a skilled programmer with the right software tools to securely encrypt data, it’s non-trivial. It’s not something that just anyone can do like saving a “file as” encrypted. That’s not an excuse, though.

3. On a related matter, why does the military still place Social Security Numbers on the health insurance cards and other IDs given to some 2.5 million or more active duty personnel and all of their dependents?

Yes, isn’t it clear by now that SSNs should be eradicated from any and all identification cards and IDs? This is a no-brainer.

4. Will industry lobbyists try to make lemonade for themselves and lemons for us by using this fiasco to try and convince Congress to pass weak, industry-approved data security and breach notice laws that preempt the better state laws that forced this public disclosure? See my blog on HR 3997, the worst data bill ever, for example. Will Congress go along with the industry requests and pass those weak industry-approved laws that don't protect us but prevent the states from doing so?

How’s that for possible irony. The U.S. government (VA) screws up, putting 26 million at risk, and the end result is that the credit bureaus might see tons of additional revenue for credit monitoring AND the credit bureaus might also benefit by a knee-jerk reaction from Congress that removes consumer protections in over a dozen states.

5. Even though sloppy creditor and credit bureau practices make it easy for unskilled ID thieves to use these "keys," will the credit bureaus and credit card companies brazenly use this fiasco to market under-performing and over-priced credit monitoring services? Credit monitoring doesn't protect consumers from identity theft. Security freezes do.

I am fed up with expensive credit monitoring too. Think about it. If you buy into the idea that credit monitoring is a must, you are signing up to pay $120–150 per year for the rest of your life to monitor your data. And what you get for that expense is to be informed that maybe something bad is happening—after the fact. In fact, I am so fed up, I have done something about it. Stay tuned to this blog, I’ll be announcing something soon.

6. What should veterans do?

If you are a veteran who may have been affected, the U.S. PIRG blog post does a good job of telling you what you can do. Unfortunately, it means you now will be burdened with doing some extra work. That’s not fair, but it’s the reality. This includes checking your credit reports or putting a freeze on your credit file, depending on what state you live in.

Reporting online and telemarketing scams in US and Canada

If you fall victim to fraud over the Internet or by telephone, in addition to reporting such crimes to your local law enforcement, here’s what you can do to help catch the criminals or at least help alert the government to them. What if you didn’t fall victim? You can still report the criminal contact.

United States

Canada

Operation Global Con: 3 million victims and $1 billion in losses

From U.S. Newswire, a press release announcing a crackdown on a huge number of scams in the U.S. The fraudulent schemes investigated accounted for nearly 3 million victims through criminals operating in the US, Canada, Costa Rica and Holland.

More than 565 people in North and South America and Europe have been arrested as part of "Operation Global Con" -- the largest and most far-reaching multinational enforcement operation ever directed at mass-marketing fraud schemes, the Department of Justice announced today.

The ongoing action began on March 1, 2005, and involved unprecedented coordination by law enforcement agencies at the national and international levels. "Operation Global Con" targeted mass-marketing schemes that were international in scope and impact, were conducted by criminal groups, and generated significant proceeds. The schemes were carried out through various methods, such as telemarketing, the Internet and mass mailings. The wide variety of schemes uncovered during the operation included so-called "419" advance-fee schemes; foreign currency trading; bogus lottery, prize and sweepstakes schemes; offers of nonexistent investments; bogus offers of "pre-approved" credit cards or credit-card protection; and tax fraud schemes. The 96 separate U.S. investigations in this operation led to the discovery of more than 2.8 million victims, who suffered losses totaling more than $1 billion.

More from the U.S. Department of Justice. My only question—what about Eastern Europe? There is massive fraud originating in Russia and some of the former Soviet countries. I hope they are making some headway there. I wonder how troublesome it is working with law enforcement in those countries.

May 22, 2006

1 Million Red Cross Blood Donors Exposed to ID Theft

GuardMyCreditFile has this story…

About 1 million people contained in a Red Cross blood donor database have been exposed to identity theft by a dishonest employee of the organization. The suspect in the case, Lonetta S. Medcalf worked as a telerecruiter for Red Cross blood drives in the Midwest and is now believed to have had access to a database of donors including most of Missouri, Southern Illinois and eight counties in eastern Kansas.

Information for Victims of VA Data Breach

Firstgov.gov has a web page with more information about the huge security breach at the Dept. of Veterans Affairs.

The Department of Veterans Affairs (VA) has recently learned that an employee, a data analyst, took home electronic data from the VA, which he was not authorized to do. This behavior was in violation of VA policies. This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA's electronic health records nor any financial information. The employee's home was burglarized and this data was stolen. The employee has been placed on administrative leave pending the outcome of an investigation.

The full web page URL is http://www.firstgov.gov/veteransinfo.shtml

Personal data of 26 million US veterans stolen

Yahoo! News reports:

Personal electronic data on 26.5 million US military veterans and some spouses was stolen from the home of a government employee, the US Department of Veterans Affairs announced.

Veterans affairs officials said there was no evidence the information had been used but acknowledged it had exposed military veterans to the risk of identity theft.

UPDATE: GuardMyCreditFile adds some more information:

…The Department of Veterans Affairs has announced that a computer disk containing the names, address and Social Security Number of all 25 million living US veterans, 1 million dead veterans and 500,000 dependents of veterans has been stolen.

A data analyst for the department brought the information home to work on a department project. He had not received permission to take the data out of his office. The information was on a laptop computer that was stolen from the employee’s home in Maryland. The analyst involved has been suspended from work while the FBI investigates.

We have moved to www.mytruston.com/blog




Creative Commons License
This work is licensed under a Creative Commons Attribution 2.5 License.