Which firms have the most ID theft victims?
Posted: Friday, February 29 at 05:00 am CT by Bob Sullivan
Who's to blame for the ID theft epidemic? Surprisingly, given all the attention the subject receives, we know strikingly little about the root causes of the problem. ID theft is often called the fastest-growing crime in America, but there's precious little research into which companies have the worst security measures and which suffer the most data leaks.
Researcher Chris Hoofnagle thinks it's high time we started pointing fingers.
Hoofnagle recently undertook a laborious task: He scoured thousands of ID theft complaints filed with the Federal Trade Commission, looking for company names. His simple question: How often do people tell the FTC that their accounts or information have been stolen from particular companies, and which companies are named most often?
The answer to his query is Bank of America, which averaged 1,117 complaints in the three months he surveyed. Two cell phone companies -- AT&T Wireless and Sprint -- were second and third on the list.
Since BofA is America's biggest bank, and an obvious target for fraud, it's no surprise that it ranked high on the list. Ditto for the large cell phone firms. In fact, Hoofnagle freely admits that his results need to be taken with a big grain of salt.
"The results suffer from a lot of weaknesses," Hoofnagle said. "But it's a start."
Because the data is self-reported, it's likely full of mistakes, he conceded. Also, just because a consumer says their Bank of America account was compromised does not mean the crime began with the bank. It could have started when the customer responded to a phishing e-mail, for example. And it's not fair to compare banks of different sizes, because the largest banks would naturally be expected to be named more often.
Hoofnagle tried to normalize the data in a variety of ways, to account for the varying size of the institutions. Eventually he settled on comparing only banks by using total deposits and dividing the number of incidents by a dollar amount.
From another angle, HSBC is No. 1
Even using that trick, Bank of America still ranked high -- No. 2 on the list -- with 17 incidents per $1 billion. But using that formula, HSBC ranked first, with 21 incidents per $1 billion.
Betty Reiss of Bank of America said the firm hadn't yet fully analyzed the study, but she pointed to its high potential for errors.
"We take identity theft very seriously, and we provide consumers with tools to fight it," she said.
HSBC declined to be interviewed for this story, but it did issue a statement to MSNBC.com criticizing the study’s methodology.
“We can say that customer protection around identity theft is of paramount importance to HSBC. We take fraud of any kind very seriously,” the statement read. “We have a range of robust fraud detection and monitoring systems in place for the early identification and prevention of fraud to protect our customers and their accounts.”
One could criticize Hoofnagle's list as being basically a list of America's largest companies. As such, perhaps it isn’t very useful.
But it’s not because Hoofnagle didn't try. A year ago, he began a campaign to get banks to disclose more information about fraud and security. Banks "wouldn't engage on the issue," he said.
Hoofnagle released the study partly in an attempt to goad banks into releasing more data. Consumers have a right to know about fraud rates at banks, he said, because without this information they can't make intelligent decisions about their financial institutions.
"Currently the issue is mediated by commercials, with banks portraying themselves as being more effective against ID theft than other banks," he said. "But none of that is based in reality. It's all based on public relations. And that's not fair to consumers."
Hoofnagle, who is a senior fellow with the Center for Law & Technology at UC-Berkeley, says his goal is to create a real marketplace for identity theft protection.
"I think the disclosure of these problems will drive some competition among banks," he said.
Consumers 'flying in the dark'
Avivah Litan, a researcher with consulting firm Gartner, is equally frustrated by the lack of fraud information from banks. In the past, she has released studies that estimate the losses from identity theft and phishing based on consumer telephone surveys -- another attempt to read the tea leaves of fraud in the absence of real data.
"(Hoofnagle) is frustrated as any researcher or policy influencer would be," she said. "You can't get any data out of the banks. And consumers are flying in the dark right now."
Other results from Hoofnagle’s survey:
• Small credit unions barely register in the FTC data, suggesting credit union customers might be at a lower risk of identity theft.
• While great attention is paid to bank ID fraud, wireless firms also suffer from high fraud rates. According to the FTC data, 8 percent of all new account fraud involved telecommunications firms. That's an area which deserves added attention, Hoofnagle said.
• Many consumers blame collection agencies for their bouts with ID theft, probably because often their first indication of the crime is a call from an agency. The AFNI Inc. collection agency cracked the top 20 companies in the FTC data, receiving more complaints than eBay or PayPal. To Hoofnagle, that represents an opportunity. "The collection agencies could act as an early warning sign for identity theft," he said.
While there may be errors in the report, it is time that banks should be held accountable for the chinks in their armor. They certainly have sufficient funds to fight identity theft and have no excuse whatsoever for allowing it to continue. Unfortunately, with our deposits all in their control, they also have the power to ignore it. While they indicate they have policies in place, I'll bet further investigation would show the extreme weaknesses of their policies. Their only concern is to the stockholders and certainly not to the depositors who really made them what they are.
(Sent Feb 29, 2008 8:10:15 AM)
How interesting this is. My parents recently switched to AT&T services (cable, internet, etc.), and two hours later the credit card company they used called saying there was a suspicious charge on their account. Turns out someone at AT&T "stole" their credit card information and started using it! Of course a police report was filed and all the agencies put on alert but still - if not for the cc company "heads" up - it would have been weeks until they got their statement and read it - which they always do - that they saw this and could have acted upon it. I am going to email this article to them immediately as AT&T swore up and down it was an isolated incident and that they couldn't track how it happened...
CHIgirl (Sent Feb 29, 2008 8:30:59 AM)
Well BOA was a problem of mine and with the help of my US Congressman I found out it was not me filling out anything and an application was in fact filled out because I got a copy of it! I am quite sure it was an inside BOA employee job! But BOA won't admit to it. BTW without a discussion, BOA removed all charges. It took several months and my US Congressman, but it all worked out.
Tom, Palm Harbor, Florida (Sent Feb 29, 2008 8:37:57 AM)
It doesn't surprise me about the phishing but BofA sucks anyway. They have enough problems without this. As for the other companies, I'm truly surprised that Chase made the list. I have a Chase credit card and security is so tight on it that if I want to make a cash withdraw I have to call and talk to their security department, answer a series of questions and only THEN can I make the withdraw. They practically question everything. I like it though and really don't have a problem with it, it's just time consuming.
(Sent Feb 29, 2008 8:58:30 AM)
I'd like to know what services these companies offer to protect your identity. All I ever get offered is to pay a $10 service charge each month to be notified when new accounts are opened in my name. They tell me how it's going to cost hundreds of dollars to clear up identity theft if I fall victim but I'll end up paying hundreds of dollars trying to protect myself from it. These services should be free.
concerned consumer, Newport News, VA (Sent Feb 29, 2008 9:00:08 AM)
We consumers are labeled with a FICO score that supposedly represents one's creditability. Perhaps there should be a similar score (i.e. Identity Theft Risk - ITR) available to all for any and all institutions who collect, use, sell, etc. personal data.
(Sent Feb 29, 2008 9:01:33 AM)
Sprint being high on this ugly list doesn't surprise me. I discovered that anyone who steals your phone can go on their website, establish a web identity for themselves using your account, then add services and contracts to their heart's content. Sprint leaves the door open for establishing multiple web identities for a single account holder. If you're a Sprint customer, try it sometime.
John, Texas (Sent Feb 29, 2008 9:04:13 AM)
Perhaps an interesting study would include the victim's place of employment. Employers have much of the victim's information, and it would be naive to assume that all the people working in a company Human Resource Department are all honest and above reproach.
And remember: The larger the corporation, the more graft and corruption you will find there.
(Sent Feb 29, 2008 9:15:19 AM)
No wonder BofA rank highest. They send you convenience checks with/without credit card statements without our asking for them! Only thing a crook has to do is intercept mail! Voila!
(Sent Feb 29, 2008 9:15:42 AM)
Suggestion - We have had a Citibank (based) credit card cancelled by Citi twice in the last 12 months. In both cases they claimed "it was because a merchant's data base had been compromised". Maybe the Fed banking oversight system should require the banks to report whose system was actually at fault, including a description of the nature of the compromise. Or do they?
(Sent Feb 29, 2008 9:20:54 AM)
Numbers 2 and 3 in the researched story have the most ID thefts...come from cell phone companies. I find it dangerous indeed that to get a cell phone or switch companies, that they require your SSN and in many cases your Driver's License as well; the exact perfect windows of theft opportunity into your entire life, and all just to allow you a cell phone via a "credit check" first. Am I the only one who thinks this is a repugnant practice by cell phone companies? A hacker need only get into Verizon, Sprint, AT&T Wireless, Alltel, or the other cell carriers...and hundreds of thousands, or even millions, of lives can and will be financially jeopardized or ruined. But at least the customers had their own cell phone to call from jail, so to speak. Way, way too much requirement by far too many companies to have your Social Security Number, much less your Driver's License number. Requiring your SSN is akin to asking for a copy of your house key. Can't the cell companies come up with any better ideas to qualify people than requiring the keys to their houses? Think about what they are demanding from individuals because they have sole control over a communications commodity. As the saying goes, "there should be a law against this being done" by the cell phone companies.
Barry Moore, Virginia (Sent Feb 29, 2008 9:22:04 AM)
Publish the graph using the adjusted data discussed in the article
L. Peters (Sent Feb 29, 2008 9:22:28 AM)
No wonder BofA rank highest. They send you convenience checks, with/without credit card statements, without our asking for them! Only thing a crook has to do is intercept mail! Voila!
Dayaprema, Fort Bragg, NC (Sent Feb 29, 2008 9:25:16 AM)
Credit Unions, Credit Unions, Credit Unions. I've said it before... I'll take a credit union (and have for the last 20+ years) over any bank, any day. Better rates, local folks, and far more convenient.
OpusRooster (Sent Feb 29, 2008 9:28:49 AM)
An important component, not listed here, of banks / financial entities registering higher is the unacceptable practice of sending pre-approved notices or teaser checks in mass mailing campaigns. How many of these get thrown away without shredding or otherwise removing the information is likely a large amount that contributes to the problem.
(Sent Feb 29, 2008 9:30:10 AM)
I hope this is a wake up call to both consumers and companies to get on the ball and fix this problem. Consumers should boycott these companies for their lack of responsibility for security.
(Sent Feb 29, 2008 9:30:54 AM)
What concerns me are the employees of these companies. I had problems with my Discover card. They issued me a new one, and the day I received the new one in the mail, it had been compromised. This made me think the problem was at Discover.
Ben, SS, NY (Sent Feb 29, 2008 9:32:43 AM)
How about companies being held accountable when the theft when some idiot leaves a thumb drive in a taxi cab that has secure personal information on it.
http://redtape.msnbc.com/2005/11/why_you_should_.html
Where is the accountability there? How on earth does that kind of information even get to leave the building?
sicofidentitytheft (Sent Feb 29, 2008 9:32:59 AM)
If the banks are perfectly aware of ID theft and try to take measures to protect us why can't they acknowledge that your identity has been compromised when you apply for credit, for instance a home loan or car loan, and find out at that point that someone has stolen your identity. The banks act like you're lying if you try to explain that this is what happened to you. And then try to get that loan!
Susann Brown, Columbus, Ohio (Sent Feb 29, 2008 9:35:36 AM)
My BOA business account was compromised to the tune of app. $5800.00. I had checks returned to business partners marked NSF although the money was in the account and authorized to be released. I took the necessary steps pronto to avoid this, but BOA failed miserably to follow through on their end. It cost me extreme mental stress and put my business relations in a position of compromise.
BOA did return the money to my account but fell short of following through to resolve the issue of who done it. I was told they would just write it off because it costs too much to pursue it. That is a license to commit fraud and place their clients' financial status in a position of compromise.
I actually had to visit the branch on two occasions and spend numerous hours on the telephone to resolve what should have been resolved in one visit if BOA had done their part.
John Doe, Ft. Lauderdale, FL (Sent Feb 29, 2008 9:41:13 AM)
The problem lies not with companies. The problem lies with the inherent insanity of allowing companies to make profit over the handling of personal financial information.
If there needs to be a credit system in the way the US has it, it should be very protective of the person whose financial info is collected.
By the way: there are plenty of countries around the world where they do not have a US-like credit system. And without such a system, there is no identity fraud possible.
Nepkarel (Sent Feb 29, 2008 9:50:41 AM)
“We can say that customer protection around identity theft is of paramount importance to HSBC. We take fraud of any kind very seriously,” the statement read. “We have a range of robust fraud detection and monitoring systems in place for the early identification and prevention of fraud to protect our customers and their accounts.”
Oh please. HSBC is currently in the midst of a HUGE fraud clean up. The fraud has been mentioned on blogs for two weeks and people were still being hosed as of this Monday/Tuesday. I suppose taking it seriously and actually bothering to do something about it are considered to be two completely separate things.
KOW, Canada (Sent Feb 29, 2008 9:51:35 AM)
The Consumer Credit Reporting Agencies (Equifax, Experian, and Transunion) owe a burden to the consumers to serve (for free) as one of the consumer’s first lines of defense against identity theft. It is their business model at risk since their records are the ones being compromised and invalidated as identity theft data compromises the system. Continuation of the current process leads to people losing the minimal control of their information they have and to businesses losing faith (eventually) in the reliability of the CCRAs information (they won’t pay for something flawed and inaccurate).
The Consumer Credit Reporting Agencies (hereafter CCRAs) collect and compile individuals’ personal and private information; they sell it to generate profits. They do not share with the people whose information they are selling. This is done without the permission of the consumers, or in spite of the consumer requests that they not do so.
The CCRAs already have a well documented history of errors in their records and unresponsiveness to requests for access to check data and correct mistakes. The sad history of these organizations is such that the U.S. Congress wrote laws to force them to share the information with the consumers (in the late 80s-90s and again after that law expired) and those same CCRAs still make it difficult to access and, if necessary, correct the personal information.
Identity theft is likely to continue for some time. It is time for the CCRAs to step up and share the burden of fixing the issue. It can be argued that the CCRAs are free loaders who actually started the problem through their compilation of the data and their lax controls over the years.
Nathan Andrew Riddle, Dallas, Texas (Sent Feb 29, 2008 9:55:10 AM)
One of Sprint's trust-worthy employees "reopened" my cell phone account for a friend more than 2 years after I had closed it. When I discovered a $1500 charge off on my credit report I called Sprint. Despite the fact that the bill was going to an address in a city more than 400 miles from where I lived, they argued with me for over an hour before I could get the supervisor to actually pay attention to their computer information. Finally, he looks again and says "oh, it does look like someone stole your account."
Although they finally corrected the issue, it took many hours of my time and enduring their supremely crappy customer service. No shock they are a high target, they don't care and do even less to try to fix it.
(Sent Feb 29, 2008 9:57:13 AM)
The cost of placing effective controls in place dissuades companies from doing so. It's a "dollars and cents" decision: the cost of putting effective controls in place versus the cost of making good on a customer's loss due to fraud.
The emotional anguish visited on the consumer probably doesn't even enter into the decision: bank and other business executives don't put a value on customers' anguish, except when it translates into loss of business and therefore revenue decline.
Bob Boos, Plainview, New York (Sent Feb 29, 2008 10:06:39 AM)
There are way too many companies out there who think that your personal information has to be in their files. Start telling them NO when they ask for your SS#, your home phone #, your date of birth. If they really don't need it to process your account, JUST SAY NO...
John Doe, Reading, PA (Sent Feb 29, 2008 10:12:48 AM)
I noticed that car dealers were not listed. Personally I feel they are probably the worst when it comes to disclosing ID theft.
(Sent Feb 29, 2008 10:13:37 AM)
Interesting article, but I think the real source of ID theft is the weak punishment for committing ID theft related crimes. I believe people would think twice about committing ID theft if physical torture was one of the consequences.
Curtiss, Madison, WI (Sent Feb 29, 2008 10:14:34 AM)
I don't see Capital One Bank listed anywhere. In my opinion, based on personal experience, they should be number one on the list. They have already issued four credit cards in my name and social security number. I have told them repeatedly that I wasn't the one that requested their credit cards, so they resolved the problem by filing several lawsuits against me. Maybe we should start suing these institutions for lax security and facilitating ID theft.
Richard F. Rio Rancho, NM (Sent Mar 4, 2008 8:38:07 AM)
I can see the large banks being listed because you are using their account numbers with retailers all the time. Even though it should obviously be stopped, the exposure makes the high ranking understandable.
But why the cell companies? The only way I can see them compromising customer information is through employee theft. Who else has access?
If it is employee theft, shouldn't the companies be responsible for the losses? Why isn't there a class action suit against the cell companies for negligence?
Where are the evil trial lawyers when we actually need them?
Ed, Watertown MA (Sent Mar 4, 2008 9:45:32 AM)
What about giving all your personal information to a so-called real estate broker. This has happened to me recently wherein, the broker with a neighbor used my information, where I work, cell phone, social security number, and have followed me around with some kind of digital GPS system to obtain further personal information. It was reported to the police and they said I have to prove it. So how do I do that, obtain a warrant to search the broker's business or the neighbor's apartment -- very difficult. Why do real estate brokers have to know all your personal information in order to rent an apartment? There are so many shady so called real estate brokers out there that can use your information to destroy you.
Pauline, New York, NY (Sent Mar 4, 2008 10:50:20 AM)
Approximately three weeks ago someone tried to access my Wells Fargo account on line, from overseas. As a result, my access to the account was stopped. Wells Fargo did NOT contact me when they did this, nor even afterwards. I had to discover it myself. I have been unable to get access re-established. Why? Wells Fargo gives me nothing but excuses. The excuses have included:
1. Computer system was down - not once, not twice, but three times in three weeks. As a result, it will take at least two days to update your access. I guess Wells Fargo is having financial troubles, as any stable financial institution should be able to correct a computer glitch faster than that.
2. Your social security number was incorrectly entered into the system. When I specifically asked, was there an attempt to change it, such as an identity theft situation, I was told no, just a typo. That however is impossible, since I have had the account since before the bank was Wells Fargo, and my information was correct when they sent me my tax information in January.
3. Someone made a typo and attached your social security number to a safety deposit box. Again, I ask several people if there has been further attempts to steal my account by outsiders, and I am told no.
4. I have been into a branch, not once, but twice, in order to prove my identity. I am now told that I have to go in again, as the On Line Dept can't solve this, only the Fraud Dept, but there is no problem with my account. All I can say is LIARS, and I am filing a state regulatory complaint and I told the last customer service "supervisor" that I would have her arrested for embezzlement if any of my funds were missing. I will go to the bank again, to close it out. What incompetent thieves they are at Wells.
Wells Fargo is a Crook (Sent Mar 7, 2008 10:24:51 AM)
Crimes of this nature (identity theft) are perpetrated by criminals that make a conscious decision based on weighing the risk vs. the reward. We can’t change the reward BUT we can change the risk. First, if you find someone has stolen your identity beat them within an inch of their (your) life but don’t kill them because that would be suicide and that is against the law. Second, when they finally admit who they really are hold them financially responsible for the act. Third, adopt the age old punishment for a thief by chopping off their hand so they can’t sign your name anymore.
Al, New Hampshire (Sent Mar 7, 2008 11:44:18 AM)
I have a BOA credit card and had not used it for a long time. Last fall I received a phone call from BOA's fraud department asking if I had recently made some large purchases. They indicated that a questionable online computer company had submitted charges for several thousand dollars worth of computer and video equipment. They had pended the transaction until I responded. A second transaction from another online company hit an hour or so later. I said I did not make the purchases. Luckily, BOA immediately deleted the transactions, cancelled my existing credit card, and issued a new number and card.
When I did try the new card, imagine my shock when I immediately received a call on my cell phone from BOA asking if I had just made a purchase. I said yes and the transaction went through. This happened for the next two transactions that I made on the card.
I was very appreciative for the fast response that I received from BOA. Without their assistance, I'd be in an ID theft nightmare right now.
Diane, Chicago, IL (Sent Mar 7, 2008 1:59:49 PM)
Although not at retirement age yet, I recently received my annual Social Security statement, which was clearly marked as such through the very "unsecure" US mail. Upon opening, it clearly contained my birthdate, obviously my address, and the last four digits of my SS#. Three key ingredients that we're generally asked to give to access almost any personal account. THROUGH THE US MAIL!
Also through the US mail we receive our annual W-2 forms, 1099's , or whatever applicable tax statement. With the exception of our birthdate, these contain all pertinent information, including our complete SS#.
So, in my opinion it's not a huge mystery how identity theft occurs. Maybe we should start with the US mail system.
Rob Woods, Huntington Beach, CA (Sent Mar 7, 2008 4:00:34 PM)
This is not to say that these companies shouldn’t be “beefing-up” their security policies but the majority of the incidents of identity theft that occur today are the result of the victims’ sloppiness or just plain ignorance of how identity theft occurs and what they need to do in order to help to prevent it.
Two thirds of all identity theft that happens today starts at the paper end – meaning you put something into the trash that hasn’t been shredded, you lose your wallet or purse, someone copies your credit card numbers, something gets lifted from your mailbox, etc. Only a small portion of identity theft is computer related, yes I know that this side is growing, and even a smaller portion is a result of sloppy housekeeping on the business side. Basically the general public exposes themselves to threats regularly without knowing that they’re doing it. Examples – not shredding old check and junk mail, not opting out of convenience check (yes this takes time to stop), putting credit monitoring on their credit report (ok this cost but I have an 800+ score and it’s worth $20 or $30 a year to protect this), not checking out emails that phish for info, doing business with less than reputable businesses (online and brick and mortar) – yes I know that any company can have criminals working for them – you can’t protect yourself from this, - and finally getting a copy of your credit report every six months and looking for problems (I do this once a quarter and have yet to pay for one) and lastly invest in a locking mailbox with a slot for the postman. Why make it any easier for the criminal?
Ok – so let’s say you do all this and your identity still gets stolen, guess what? I know people that exercise daily and still have died from a heart attack. The idea here is to reduce your exposure/risk and protect yourself from becoming an “easy target”. Criminals are criminals because they’re looking for the easy way – if you make it tough on them they’ll move on to an easier target with less exposure for themselves.
I do know something about what I’m talking about, I’m in the business of providing fraud protection solutions to businesses and banks (TROY Group, Inc.). I’m also a Certified Security Compliance Specialist and a Certified HIPAA Professional but I have been practicing good credit protection for years and so far, so good – knock on wood.
Final thought here: Blame anyone you want, my advice is to get an identity theft insurance policy ($25 a year and most insurance companies offer them), put credit monitoring on the major three agency reports, shred everything, watch your wallet/or purse, and when in doubt, trust no one! Your information is already out there and available – the only thing that you can do is try to protect yourself against becoming a victim and have a plan ready in case it happens.
Guess I’m kind of like the Smokey the Bear of identity theft and fraud, “Only you can protect your credit report!”
Sam - St C, Ohio (Sent Mar 18, 2008 1:00:39 PM)