About a year ago, in early 2006, I received a call from my credit card company telling me that they noticed some suspicious transactions on my credit card. The transactions, they said, didn’t match my buying patterns, and they wanted to know if the purchases were mine. After some phone calls and some postal mailings back and forth, we determined that indeed my credit card information had been compromised and some fraudulent transactions had occurred.
The amounts ranged from around $50 to $200 and all were payments through online payment systems including Stormpay.com. StormPay is a service similar to PayPal, although PayPal was not involved in my ordeal. I use credit cards very little, and these transactions were easy to catch. However, for many people who use their cards often, this could have been very bad news. These transaction amounts fall in the range of everyday purchases, and if they were buried in a long list of other legitimate transactions, the fraud might have gone undetected for months. I was lucky to catch them right away.
I worked with my credit card company and the vendors involved in the transactions, and all were resolved satisfactorily except one that dealt with Stormpay. Stormpay refused to refund my money. They sent back a list of disclaimers stating that they weren’t responsible for fraudulent transactions going through their system. They also sent a printout of the transaction detail. The printout listed my correct name, address, and phone number. Curiously though, the email address was not mine. The name was attached to the email domain @e-no.lv, which is registered in the country of
The transaction detail showed a deposit of $50 into the Stormpay account from my credit card. Then the money was shown to be refunded to a person by the name of Drahoslav Trinka, who then withdrew the money from the account. This was clearly a fraudulent series of transactions, but Stormpay would not acknowledge the fraud. Using circular logic, they insisted that the person opening the account had read all the disclaimers, making the account holder name (me) responsible for transactions.
Since the amount of the transaction was small and appeared to cross international boundaries, my credit card company wasn’t inclined to pursue the case further. Happily though, my bank which issued the credit card, made up for my loss and transferred $50 into my account. I felt a bit violated by the whole affair, but I was no worse off financially. I thought that was the end of the story.
I wondered who had stolen my credit card information. The bulk of my credit card purchases were for airline tickets to see my girlfriend on the west coast. Other than that I had used the card very little, and only once had I used it in the previous few months. I had some suspicions, but nothing really made sense.
Recently I received a letter from a company called LexisNexis marked ‘Important Security Information’. The letter stated that they were writing on behalf of LexisNexis and their affiliated company Seisint because “a user ID may have been used in an unauthorized manner that allowed some personal information about you to be viewed”.
The information in the letter was a little distressing, but I wondered why this company would have information on me. I did a Google search on ‘LexisNexis Siesint’, and what I found out distressed me even more. I found an article at Infoworld.com with the following title:
LexisNexis: 280,000 more possible data theft victims
Personal information may have been exposed to unauthorized individuals
By Paul Roberts, IDG News Service
April 12, 2005
The following paragraph is an excerpt from the article:
“An in-depth review and analysis of two years' of search activity uncovered 59 incidents of unauthorized access to information, LexisNexis said in a statement. The news follows revelations in March that intruders used the IDs and passwords of legitimate LexisNexis customers to gain access to information on 30,000 people whose information was stored in "Multistate Anti-Terrorism Information Exchange," (MATRIX), a database and information retrieval system managed by LexisNexis's Seisint division. The latest report form (sic) the company expands the number of potential victims by 280,000.”
For the whole article see http://www.infoworld.com/article/05/04/12/HNmoredatatheft_1.html
My first question is why am I in a database called the “Multistate Anti-Terrorism Information Exchange”? My best guess is that I was selected for my airline ticket purchasing habits. Wasn’t this database the center of controversy a few years ago when it was discovered that the Bush Administration was selecting citizens somewhat at random and without warrants to be put in a database and scrutinized for terrorist activities? There was no accounting of who was put in the database or who had access to the data. Then I realized that the credit card I used to purchase airline tickets was the same one compromised by the Latvian fraud artist. It took 20 months for LexisNexis to send me a notification letter. Thanks a lot guys.
If this story fits together the way I think it does, then I almost have to laugh at the strange, absurd irony. The government is spying and collecting data on innocent, unsuspecting citizens. They are mining the data and fishing for criminal or terrorist activities. However they don’t make the database secure, which allows the real bad guys, possibly even terrorists, to break into the database and steal the identities and cause real harm to the innocent and unsuspecting citizens. Is this really the way our government is supposed to work?
I suppose I should be careful what I say. After all, they do have my number.
