Theirs for the taking: sensitive credit data
Resale of reports depends on an honor system that goes unpoliced
Sensitive personal financial information belonging to Massachusetts Governor Mitt Romney recently ended up on sale online for $125, exposing the inner
workings of a credit reporting network that operates largely on an honor system and is rarely policed. As part of a story on the vulnerability of personal financial data, The Boston Globe purchased Romney's TransUnion credit report -- listing his credit card accounts, credit card numbers, credit limits, and payment history -- from a Colorado company calling itself Goldshield Inc.
It wasn't hard to do. On its website, Goldshield asked: "What are you looking for?" On sale were Social Security numbers ($30), unlisted telephone numbers ($85), telephone billing information ($95), vehicle information ($65), credit reports ($125), and credit card billing statements ($125). Everything a thief would need to steal an identity.
All the information was sold with no questions asked. John Strange, who identified himself as the president of Goldshield, said he could obtain a person's credit report or a credit card billing statement without anyone knowing about it. "I can pull miracles out of the air," he said.
But those miracles apparently were obtained illegally. The federal Fair Credit Reporting Act prohibits companies or individuals from obtaining credit reports for other than a "permissible purpose." There are a number of permissible purposes, but the main ones include determining the credit worthiness of an individual, screening new employees, and underwriting insurance.
Under the Fair Credit Reporting Act, any employee at a consumer reporting agency who releases an individual's information to someone who is unauthorized to receive it, or someone who obtains such information under false pretenses, is subject to fines and imprisonment for up to two years.
Since Goldshield's sale of Romney's credit report to the Globe and the Globe's purchase of it appeared to violate the law, TransUnion immediately launched an investigation to find out what happened.
After 10 days of review, TransUnion spokesman Jeffrey Junkas disclosed that the Chicago-based company had sold the Romney credit report to Savvydata Technologies of Fort Lauderdale, Fla., which in turn sold the report to Colorado-based USA Skiptrace.
USA Skiptrace and Goldshield share employees and the same toll-free phone number, so it appears USA Skiptrace passed the Romney credit report to Goldshield.
Junkas, who said he did not know how many credit reports had made their way to Goldshield in the past, accused Savvydata of violating its contractual obligations to TransUnion by transferring Romney's credit report to a third party for a nonpermissible purpose.
"The responsibility lies with the reseller to follow their obligation and comply with the law," Junkas said.
TransUnion halted Savvydata's access to its credit reports, but as of late last week it had not referred the case to law enforcement authorities.
Savvydata, a company that offers its business clients pre-employment screening, data security assistance, and white-collar crime investigative services, blamed USA Skiptrace/
Goldshield for the security lapse. Michael Nevins, the president and chief executive of Savvydata, said all of the firm's customers go through a detailed due diligence process. "We are investigating the current situation and have suspended all business activities with the company in question," Nevins said in a statement. "We are cooperating fully with TransUnion to determine if our customer has violated any of our agreements and policies."
Goldshield/USA Skiptrace, which charged the Globe $125 for Romney's credit report, paid less than $7 for it, Nevins said. He did not know what his company paid TransUnion for the report, but said it was probably less than $7 because his firm does such high-volume business with TransUnion.
Officials at USA Skiptrace and Goldshield, which as of this week is no longer listing credit reports or credit card statements as being for sale on its website, could not be reached for further comment.
Mary Culnan, a professor of management at Bentley College in Waltham who specializes in privacy issues, said the Goldshield incident illustrates the pass-the-buck mentality of the credit reporting industry. She said the industry is dominated by three national credit bureaus -- TransUnion, Equifax, and Experian -- but has a soft underbelly of resellers.
"It's just a big chain," she said. "This is supposed to be a lockdown system, but it's not."
Critics also say the Federal Trade Commission and state attorneys general don't do enough to enforce the Fair Credit Reporting Act. The Foundation for Taxpayer and Consumer Rights in San Francisco sent a letter on Oct. 8 to Massachusetts Attorney General Thomas F. Reilly, urging him to investigate the release of Romney's credit report. Reilly declined to comment.
"It's basically a black market in information that leads back to one place, the credit bureaus," said Jamie Court, the executive director of the foundation. "This information isn't falling off a truck. It's being delivered."
US Representative Barney Frank, a Massachusetts Democrat serving on the House Financial Services Committee, said the law is difficult to enforce.
"Part of it's a resources problem. Part of it's a priority problem," he said. "It's hard to prevent the sale of these things, since the purpose of them is to make them available to other people to determine whether to give you credit."
Peggy Twohig, assistant director for financial practices at the FTC, said resellers of credit reports have been a problem in the past. She said Congress in 1999 tried to address the issue by requiring that credit reporting agencies and resellers maintain an audit trail of who receives a consumer's credit information and for what purpose.
It's unclear how extensive the audit trail was in this instance, but some critics say the Goldshield case illustrates how the security of the nation's credit reporting industry is largely dependent on an honor system. When one link in the credit reporting distribution chain fails to fulfill its responsibilities, these critics say, the entire system collapses.
"TransUnion would laugh you out the door if you asked them for this sort of information directly, but they're willing to sell it to another company I've never heard of who's willing to sell it to another company I've never heard of," said Ed Mierzwinski, program director for the US Public Interest Group, a consumer watchdog organization in Washington. "TransUnion just wants to make a lot of money and they don't want to be bothered with the end of the food chain."
Bruce Mohl can be reached at mohl@globe.com.
