NYSEG loses social security numbers


NYSEG and RG&E collected customer social security numbers.  To clarify, these companies do not issue credit cards - they provide gas and electricity.  Why do they need social security numbers?  The simple answer is that they don't (more on that in a minute).  I am guessing that they collect them so that they can harm your credit score if you neglect to pay them.  So, put bluntly, you gain NOTHING by giving them your SSN. I moved into my current apartment in July 2011 and when I signed up for my utilities, one of the mandatory fields was my social security number.  I left it blank.  (In fact, I think I wrote "no way!")  They still sent me a bill and they still get paid.  My old energy company in Minneapolis was the same way.  I always refused to give them my social security number and every time I talked to them, they told me it was required.  I never once gave it to them and they never once cut off my service.

The point is - don't give people your social security number, even if they "require it."

Let's take a look at their letter

Now, I've attached a PDF of the letter below.  I've even run it through OCR so Google can find it more easily.  I want to quote a line from their document:

While we have no evidence that such data has actually been misused, or that there was any malicious intent..

WTF is that?  The data were just stolen.  I'm not surprised that no one has confirmed that it hasn't been misused yet. Let's count the steps that you would need:

  1. Your data has to be sold to someone willing to commit identity fraud.
  2. They have to set up a line of credit in your name.
  3. It has to be approved.
  4. Then they have to draw on that line of credit.
  5. The account then has to become delinquent.
  6. The bank then has to send a warning letter to the victim demanding payment.
  7. The victim has to figure out that their identity was stolen,
  8. find the source of the leaked information,
  9. and definitively prove that it was NYSEG that lost the information, and they have to admit what happened.

OF COURSE IT HASN'T BEEN PROVEN YET.

The second half of that quote states that there was no malicious intent.  This is even more ludicrous than the first part. Do people steal SSNs because they like collecting strings of 9-digit numbers?  They steal them because they have value!  What kind of moron PR firm wrote that statement?  That is as dumb as saying that someone steals money because they like the look of it, not because they have any malicious intent.

From the day that the data were stolen until the day that every last NYSEG customer dies, someone will be at risk for identity theft.  This will be a perpetual problem for everyone involved.  We don't get new SSNs when there is a data breach.  Instead we get a SINGLE YEAR of credit monitoring service that costs maybe $30/customer.

Do you know what I would do if I stole these numbers?  I'd let them age for a year.  Most of the victims will still be alive but you'll get a higher yield once this monitoring service is over.

And NYSEG is a monopoly so they don't have to care.

 

The letter:


NYSEG RG&E
PO Box 483
Chanhassen, MN 55317-9678

January 23, 2012

Dear Valued Customer:

We take our responsibility to protect your personal data very seriously. For this reason, we are writing to inform you that earlier this month we discovered that an employee of an independent software development consulting firm (contracted by NYSEG and RG&E) allowed unauthorized access to one of our customer information systems. The customer records contain Social Security numbers, dates of birth and, in some cases, financial institution account numbers.

While we have no evidence that such data has actually been misused, or that there was any malicious intent, we are notifying you out of an abundance of caution so that you have the information and tools necessary to help detect and prevent any misuse of personal information.

We have consulted with law enforcement and engaged computer forensics experts. Our investigation is ongoing and we will continue to provide law enforcement with our full assistance.

Credit Monitoring Assistance

Above all, we ask you to be vigilant in monitoring your credit and bank accounts for any sign of unauthorized activity. If you suspect any incidence of identity theft, please contact your local law enforcement agency or the Federal Trade Commission.

As a precautionary measure, NYSEG and RG&E have arranged for Experian to offer you the option of a year of credit monitoring free of charge through ProtectMyID™. If you'd like to take advantage of this offer, you must enroll by April 30, 2012. You can activate your membership in two easy steps:

1. Visit the ProtectMyID website: www.protectmyid.com/NYSEGandRGE or call 1.877.736.4495 (toll-free) or 1.479.573.7373 (for international callers) to enroll.
2. Provide Your Activation Code:

Your complimentary 12-month ProtectMyID membership includes:

• Credit Report: A free copy of your Experian credit report.
• Daily Credit Monitoring: Alerts you to suspicious activity including new inquiries, newly-opened accounts, delinquencies, or collections found on your Experian credit report. You can elect to receive alerts by e-mail, text message, or first class mail.
• Identity Theft Resolution: If you have been a victim of identity theft as a result of this situation, you will be assigned a dedicated, U.S.-based Experian Identity Theft Resolution Agent who will walk you through the fraud resolution process, from start to finish.
• $1 Million Identity Theft Insurance*: As a ProtectMyID member, you are immediately covered by a $1 million insurance policy that can help you cover certain costs including lost wages, private investigator fees and unauthorized electronic fund transfers in the event of an identity theft incident.

Support

If you have questions, need help enrolling in the credit monitoring program, or feel that you may have an identity theft issue, assistance is available at 1.877.736.4495 (toll-free) or 1.479.573.7373 (for international callers), Monday through Friday, 9 a.m. to 9 p.m. (Eastern Time), and Saturday through Sunday, 11 a.m. to 8 p.m.

In addition, you are entitled under U.S. law to order one free copy of your credit report every 12 months from each of the three nationwide credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call 1.877.322.8228 (toll-free).

Additional information about this matter is available on our websites - www.nyseg.com and www.rge.com.

If you wish to learn more about ways to limit the risk of identity theft, such as fraud monitoring and security freezes on credit accounts, consider contacting the Federal Trade Commission or your state Attorney General.

Federal Trade Commission:
600 Pennsylvania Avenue, NW
Washington, DC 20580
1.877.IDTHEFT (1.877.438.4338)
www.ftc.gov/idtheft

We take pride in serving you and apologize for any inconvenience or concern that this incident may cause. Please be assured that we take the privacy of customer data very seriously, and we remain dedicated to using our best efforts to regularly assess and adapt our physical, administrative and technical security measures in order to protect such data.

Sincerely,
Mark S. Lynch
President
NYSEG and RG&E

* Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of Chartis, Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.