The Mercer County, New Jersey prosecutor's office said it ended a seven-month identity theft investigation by charging four defendants in identity-theft related activities. According to the prosecutor, each defendant used their insider access to obtain the information they purportedly sold.
The investigation began, according to this statement, seven months ago following the Mercer County Prosecutor's Economic Crime Unit (ECU) receiving information relating to a state government employee's involvement in identity theft activities. "Further investigation uncovered that two employees of the New Jersey Motor Vehicle Commission (MVC) were providing the names, addresses, dates of birth and Social Security numbers of unsuspecting residents that they obtained through their employment," according to the statement.
Investigators say suspects charged as little as £129 ($200) for each identity.
According to county prosecutors, Sherilyn Rivera and Johnny Semmon were both arrested and charged last week with official misconduct, bribery and identity theft. Both worked at MVC offices located in Trenton, NJ. If convicted, each defendant could face up to 10 years in state prison.
81% use someone else's account to bypass controls
Others charged include Lee Daniel Roberts and Abdulah Sumo. Each were charged with identity theft and trafficking in personal identifying information pertaining to another person. Both Roberts and Sumo also face up to 10 years in prison if convicted.
Roberts and Sumo, prosecutors allege, were selling the names, addresses, dates of birth, Social Security numbers and credit history reports of victims obtained through their respective jobs. Roberts is a tax preparer and Sumo was employed by a reality company at the time of arrest. When Sumo was arrested in June 2011, authorities claim to have found documentation containing the personal identifying information of more than 60 individuals in his car.
Such insider abuse of systems is a long-standing concern among IT professionals.
According to a recent survey, Risk of Insider Fraud, conducted by the Ponemon Institute and sponsored by Attachmate Corp, more organisations are paying attention to the risks posed by insiders. The survey of more than 700 organisations found that 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information and then reset the controls to cover their tracks. Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else's credentials to gain elevated rights or bypass separation of duty controls.
Most fraudsters get away with it
With a lack of controls like that, it's no surprise that survey respondents reported that their organisation experienced more than one incident of employee-related fraud per week - about 53 annually to be more precise.
And 24 percent of respondents indicated that their organisations had more than 100 incidents in the past year.
Consider the recent case of Chinese national and a former resident of Carmel, Indiana, Kexue Huang. Last month, Huang pleaded guilty to one count of economic espionage to benefit a component of the Chinese government and one count of theft of trade secrets. According to the US Department of Justice, Huang admitted that during his employment at Dow and later Cargill that he had misappropriated and stolen trade secrets.
Huang's case is likely an outliner. Not because such crimes are so unusual but because so many go unnoticed. According to the Ponemon Risk of Insider Fraud survey, once an incident has occurred, it takes an average of 89 days for that incident to be uncovered and an additional 96 days to spot the root cause of the breach. Also, about two-thirds of internal fraud investigations do not result in gathering any actionable evidence against those who committed the fraud.