Submitted by Philip G. on Friday, 10/10/2008 – 8:17pm.

Last year in late November I was the victim of identity theft, my SS#, DOB, Mother maiden name, Discover Card number and security check were comprised and used to change address information at Discover Card’s web site.

I was called in early December from Discover Card fraud asking me if I had made some purchases (at a major computer manufacturer) and had I recently changed my address at their web site. The answer to both was no. I was informed that someone had made purchases using my account and changed the mailing information on my account at their web site. In order to do this the individual had to have had the above information to change the password at Discover.

Two ways this could have happened I had applied for a store Credit Card (national chain) using my Discover Card as a credit reference. Or the Saturday before the incident I tried to log into the Discover web site and could not because my password did not work. I didn’t think anything of it since it seems at different sights you cannot use the same characters to create a password. So I went through their checks to change it, this required the above information.

So my current account was closed, and a new one opened for me. I was informed there would be an investigation as to what happened. I called back after a couple days only to find the account had not been given to a specialist yet. In the mean time I provided the individual with all the information I had including; order numbers, rep I talked with from the computer manufacturer, phone of their fraud rep etc. and what I thought could have happened.

In the mean time I found out from a rep we could place alerts with the 3 major credit-monitoring services. We also checked with any other financial account if anything had happened with them. I established a account monitoring with one of the credit services in case this info was used to get a new card of some type. I filed reports with the local police and the FTC.

I felt I did as much as I could and left the investigation to the pros, sure. This week (1/2/2006) I got a letter from Discover saying they were closing the case because the old account was closed a new account was opened and financial loss had been recovered.

Short version; they got their money back and don’t care that somebody stole my personal information. When I called them and questioned the rep and her supervisor, I was informed any further investigation would have to be done by my local police agency.

Why is there identity theft, because all this credit card company cared about was recovering their funds. They didn’t pursue any of the leads I gave them; they didn’t contact the other manufacturer or my local police and try to resolve the bigger issue. They didn’t want to find the person who did this. They just wanted their money back.

If my account information had been changed weren’t they able to follow up on it. They had the order number and reps name from the computer manufacture but didn’t follow up on it. They didn’t contact my local police even when they were provided with the case report and officers name. It was like it was a dead end, they got their money back and that was all they cared about. We used to use their card as our first choice, but as I told them it just became our last choice.

Submitted by Brian P. on Tues, 9/23/2008 – 12:07pm.

The first I knew about it was a phone call. My girlfriend admonished me for succumbing to the temptations of Facebook, a website whose poisoned fruits I had previously said I found unappealing. I stood accused of two crimes: a lack of willpower and a failure to confess. Not guilty on both counts, I pleaded.

Alas, I was the victim of a fraud. Somebody, somewhere – and believe me, I’m pretty sure I know who you are – had launched a vendetta. They hated me. And what a visceral, calculating and malicious hate it was.

A profile was launched under my name which gave personal details including my sexuality, relationship status, political views and date of birth. Thirteen friends, online nuts all, had befriended whoever was pretending to be me. They included people with whom I have made a concerted effort not to remain in touch. Goodness knows what messages passed between them and my usurper.

Did my online self profess love to an ex-girlfriend? Did “I” tell an old schoolmate that I never really liked him anyway? Once I reported the fraud, Facebook removed the profile – although not without delay. I was assured that a block would be put up to stop anyone else stealing my identity online.

In the following months, four profiles of me, each with subtly differing labels, but each including my first and second name, were uploaded onto the site, and simmered there for several months despite repeated requests to Facebook for their removal.

More recently, a named woman set up a fan club called “Amol Rajan fanclub” [sic], with the description “Just for Fun”. It contained a highly defamatory and professionally damaging biography of me that was soaked in false information.

Another profile, which makes reference to my last job, is still active. It is now customary to describe Facebook as a modern miracle.The wealth of Mark Zuckerberg, its 24 year-old billionaire founder, does much to give that cliché merit. Online social networking is having a profound effect on the way in which people communicate, chiefly by substituting virtual association for real friendship. In so doing, it is also redefining friendship, giving it more porous boundaries and relaxing the rules by which two people, or a group, interact. In this respect, as in others, the Facebook phenomenon merits both close attention and respect.

Politicians who have their wits about them know it cannot be ignored; witness Barack Obama’s extraordinary fundraising prowess, which owes a substantial debt to the capacity of online networking.

Nevertheless, a skeptic should risk sounding priggish in highlighting attendant dangers, to whose existence Matthew Firsht for one can testify.

At present, there are almost no impediments to online identity theft. That means those with a vendetta, such as Grant Raphael, can infect personal relationships and ruin careers. Online networking also destroys the boundary between public and private. My public identity becomes not so much a consequence of my achievements as of your dodgy snaps from last Friday.

Little would be achieved in wishing Facebook away. In dissolving the boundaries between people in a shrinking world, it is a marker of modernity. But it cannot fulfill its potential, and it could cause immense damage, if users abandon their skepticism, or thieves remain free.

Submitted by Mary M. on Tues, 9/02/2008 – 10:47am.

With ID fraud on the rise, the assumption is you’ll lose money which can be claimed back. But Simon Bunce lost his job, and his father cut off contact, when he was arrested after an ID fraudster used his credit card details on a child porn website.

Simon Bunce used to be a keen internet shopper, delighted to escape the hordes and have goods delivered to his door. Wary of fly-by-night operators, he bought only from big name retailers with secure websites.

But then, four years ago, he was astonished to find himself embroiled in Operation Ore, the UK’s largest ever police hunt against internet paedophiles. He was arrested on suspicion of possession of indecent images of children, downloading indecent images of children and incitement to distribute indecent images of children.

Hampshire Police took away his computer and data storage devices including flash drives, CDs and floppy disks, as well as examining the computer and storage devices that he used at work.

The effect was devastating. When his employers became aware of the reason he had been arrested, he was abruptly dismissed from his £120,000 a year job, and close members of his family disowned him.

“I made the mistake of telling my father, and he cut me off,” Mr Bunce says. “He then told all my siblings and they also cut us off.”

Suddenly deprived of his income, Mr Bunce had to consider selling the family home. But his wife, Kim, stuck by him, and supported his mission to clear his name.

Mr Bunce knew he was innocent – he had never downloaded indecent images, and so he knew that the police would not find any evidence on the computers or storage devices they had taken away.

But the police’s computer technicians take several months to examine these, and Mr Bunce could not afford to wait to repair the damage done to his reputation. “I knew there’d been a fundamental mistake made and so I had to investigate it.”

Identity fraud occurs when personal information is used by someone else to obtain credit, goods or other services fraudulently. Recent surveys suggest that as many as one in four Britons have been affected by it. In 2007 more than 185,000 cases of identity theft were identified by Cifas, the UK’s fraud prevention service, an increase of almost 8% on 2006.

Tarnished name

Operation Ore targeted suspected paedophiles believed to have been downloading indecent images of children, those whose credit card details had been used to buy pornography via an American portal called Landslide – the gateway site and central credit card handler for hundreds of websites.

Hundreds of successful prosecutions ensued, with extensive media coverage given to high profile suspects, including actor Chris Langham of The Thick of It.

As Landslide was based in the United States and under investigation there, Mr Bunce was able to use the US Freedom of Information Act to obtain a complete copy of all of the relevant material, including databases, access logs and credit card information, together with detailed information of the webmasters, which allowed him to find out how his credit card details had been used.

Each computer has a unique internet protocol number, or IP address, which identifies the specific computer and its geographic whereabouts whenever it is used to access the internet.

Mr Bunce discovered that the computer used to enter his credit card details was in Jakarta, Indonesia, and the date and time that his credit card details were entered onto the Landslide website was at a time when he could prove that he was using the same card in a restaurant in south London.

“I can’t be in two places at once, so somehow my data had got to the man in Indonesia.”

He was also able to discover that his credit card details had been obtained from a popular online shopping site, but he doesn’t know how these came to be in the hands of a criminal.

The man responsible for using his credit card details hid behind the online name “Miranda” – a webmaster who hosted and produced pornographic websites and received a commission from Landslide for subscriptions to his website which were paid by credit card. “Miranda” had used Mr Bunce’s credit card details – without his knowledge – to take out a subscription to one of his websites.

Cash convert

In September 2004, the police told Mr Bunce they would not proceed with any action against him. They had not found indecent material, and accepted that it wasn’t him who had entered his credit card details on the Landslide website.

It took another six months before he got another job, earning a quarter of the salary he’d earned before his arrest.

Mr Bunce has also reconciled with his family, having explained to them how he came to be implicated and then cleared. Are bygones bygones? “I’ve forgiven them [my family] – there’s no point in bearing a grudge.”

Four years on, he is bringing a High Court action against the shopping website for allowing his personal details to be compromised. So no more internet shopping? “No, no, no. Once bitten, twice shy,” says Mr Bunce, who now sells encryption services.

“I wouldn’t say that I live in the cash economy now, but I’d rather go to the bank to withdraw money to buy petrol, as you hear of card details being harvested at garages. I’m paranoid about data security. I shred everything, I never use credit cards anymore.

“Being arrested and accused of what is probably one of the worst crimes known to man, losing my job, having my reputation run through the mud, it’s a living nightmare.”

The number of reported data breaches has been soaring, with the figure from the first six months of 2008 some 69 percent higher than the number from the identical period last year. Among those were little-known recent breaches of Facebook, H&R Block and BearingPoint.

The report from the non-profit San Diego-based Identity Theft Resource Center lists 342 data breaches since Jan. 1, 2008. Of those 342 breaches, about 12 percent were cyber thieves, 16 percent were insider theft, 15.2 percent were accidental exposure and 13.5 percent were subcontractor issues. Also, about 20 percent of the data breaches involved data “on the move,” referring to laptops, thumb drives or PDAs.

The Identity Theft Resource Center “data breach count has reached an all-time high,” the report said. “The actual number of breaches is more than likely higher, due to underreporting, and the fact that some of the breaches reported, which affect multiple businesses, are listed as a single event.”

Georgia’s largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that also raised concerns about potential identity theft.

Blue Cross and Blue Shield of Georgia later confirmed that the erroneous mailings were primarily Explanation of Benefits (EOB) letters, which include the patient’s name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed.

“A small percentage” of letters also contained the patient’s Social Security numbers, said Cindy Sanders, a Blue Cross spokeswoman. The EOB forms were mailed to the addresses of other Blue Cross policyholders.

The security breach may be a violation of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects patients’ medical information. The privacy rules were fully implemented in 2003, but few fines have been assessed under the law, experts said.

While the insurer said it was still determining the number of letters involved, state Insurance Commissioner John Oxendine, whose office is investigating the problem, gave a preliminary estimate of 202,000.

That figure does not equal the number of patients affected, though, because some would have received multiple EOBs if they had visited several medical providers, Oxendine said.

“This is very, very serious,” Oxendine said. A person with knowledge of medicine or billing, for example, could determine if the patient was treated for cancer, HIV or fertility problems, he said.

Blue Cross said the mix-up was caused by a change in the computer system that was not properly tested.

“As soon as we became aware of the mailing error, we worked to determine the exact cause, and we have made changes to prevent it from happening again in the future,” Sanders said.

Blue Cross has 3.1 million Georgia policyholders.

The error occurred statewide and affected both employer and individual health benefit plans. The company has many state employees and schoolteachers as members, as well as large and small corporate customers. Blue Cross declined to identify large employers that it serves.

Blue Cross’ parent company, Indianapolis-based WellPoint, “is committed to protecting the privacy and security of all members’ health information and is working diligently to mitigate any impact which may result from this operational error,” Sanders said.

Oxendine said he ordered the company to provide free credit monitoring for affected patients for one year. Blue Cross also must give written notice to policyholders whose names were on the EOBs and compile a list of names of those who erroneously received the forms.

Blue Cross is in the process of removing all Social Security numbers from such future mailings, Sanders said.

Rhonda Bloschock, a registered nurse in Atlanta, said Monday that she discovered EOB forms from nine other patients in a large envelope she received Friday from Blue Cross.

“This is a serious privacy breach,” Bloschock said. Nurses and other hospital staff “jump through all sorts of hoops protecting people’s privacy,” she said.

Since the passage of HIPAA, health insurers, hospitals, doctors and other medical providers have increased their efforts at protecting the privacy of medical records. And consumers have become more attuned to privacy issues, said Anne Adams, chief privacy officer for Emory Healthcare.

“There is an expectation that their personal information is protected and not used inappropriately,” Adams said.

But with the movement toward keeping health records electronically, there’s more potential for breaches to happen, Adams said.

Joy Pritts, director of Georgetown University’s Center on Medical Record Rights and Privacy, said the push for electronic medical records “should proceed hand in hand with additional privacy and security protections.”

WHAT TO DO?

Policyholders who received an incorrect EOB should contact Blue Cross’s dedicated toll-free number at 866-800-8776 between 7 a.m. and 9 p.m. Monday through Friday. Members who may have received an EOB of another individual should return it to Blue Cross. The company will provide a postage-paid envelope.

LifeLock, one of the companies that offers identity-theft protection in the United States, has been taking quite a beating recently. They’re being sued by credit bureaus, competitors and lawyers in several states that are launching class action lawsuits. And the stories in the media … it’s like a piranha feeding frenzy.

There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity — Todd Davis, 457-55-5462 — LifeLock is a company that’s easy to hate. But the company’s story has some interesting security lessons, and it’s worth understanding in some detail.

In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta (.pdf), credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up — LifeLock, Debix, LoudSiren, TrustedID — that automatically renew these alerts and effectively make them permanent.

This service pisses off the credit bureaus and their financial customers. The reason lenders don’t routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy — it’s the American way.) So in the eyes of credit bureaus, LifeLock’s customers are inferior goods; selling their data isn’t as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.

And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn’t do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn’t even protect Todd Davis, and that his identity was allegedly stolen.

It wasn’t. Someone in Texas used Davis’s SSN to get a $500 advance against his paycheck. It worked because the loan operation didn’t check with any of the credit bureaus before approving the loan — perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.

The Experian credit bureau’s lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone “who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime” can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.

As to deceptive business practices and fraudulent advertising — those just seem like class action lawyers piling on. LifeLock’s aggressive fear-based marketing doesn’t seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won’t go anywhere.

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn’t work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry’s lobbyists would never allow that.

LifeLock does a bunch of other clever things. They monitor the national address database, and alert you if your address changes. They look for your credit and debit card numbers on hacker and criminal websites and such, and assist you in getting a new number if they see it. They have a million-dollar service guarantee — for complicated legal reasons, they can’t call it insurance — to help you recover if your identity is ever stolen.

But even with all of this, I am not a LifeLock customer. At $120 a year, it’s just not worth it. You wouldn’t know it from the press attention, but dealing with identity theft has become easier and more routine. Sure, it’s a pervasive problem. The Federal Trade Commission reported that 8.3 million Americans were identity-theft victims in 2005. But that includes things like someone stealing your credit card and using it, something that rarely costs you any money and that LifeLock doesn’t protect against. New account fraud is much less common, affecting 1.8 million Americans per year, or 0.8 percent of the adult population. The FTC hasn’t published detailed numbers for 2006 or 2007, but the rate seems (.pdf) to be declining.

New card fraud is also not very damaging. The median amount of fraud the thief commits is $1,350, but you’re not liable for that. Some spectacularly horrible identity-theft stories notwithstanding, the financial industry is pretty good at quickly cleaning up the mess. The victim’s median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. Even assuming your time is worth $100 an hour, LifeLock isn’t worth more than $8 a year.

And it’s hard to get any data on how effective LifeLock really is. They’ve been in business three years and have about a million customers, but most of them have joined up in the last year. They’ve paid out on their service guarantee 113 times, but a lot of those were for things that happened before their customers became customers. (It was easier to pay than argue, I assume.) But they don’t know how often the fraud alerts actually catch an identity thief in the act. My guess is that it’s less than the 0.8 percent fraud rate above.

LifeLock’s business model is based more on the fear of identity theft than the actual risk.

It’s pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they’ve turned this requirement into a multimillion-dollar business.

Get LifeLock if you want, or one of its competitors if you prefer. But remember that you can do most of what these companies do yourself. You can put a fraud alert on your own account, but you have to remember to renew it every three months. You can also put a credit freeze on your account, which is more work for the average consumer but more effective if you’re a privacy wonk — and the rules differ by state. And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone’s name.

This essay originally appeared in Wired.com.

Personal information for current and former employees of Anheuser-Busch Cos. Inc. in several states is missing, the nation’s largest brewer said Friday.

Anheuser-Busch said in a statement that several laptops were recently stolen from one of its office buildings in the St. Louis area, where it has its headquarters.

It said at least one of those laptops contained data on current and former employees, dependents and some people involved in employee assistance programs. All the data was password-protected and encrypted, the company said.

Anheuser-Busch would not say how many people were affected or when exactly the theft occurred. But offices for attorneys general in Missouri, New Hampshire, Texas and Florida confirmed either they or their residents have been notified of the breach.

A letter from Anheuser-Busch to the New Hampshire Department of Justice said at least 2,250 residents in that state were affected.

The letter, which was posted on the New Hampshire’s DOJ Web site, said the data was reported missing in early June and included Social Security numbers, addresses, marital statuses, and dates of birth.

One of the company’s 12 plants is in Merrimack, N.H.

The state of Florida, where Anheuser-Busch has a brewery in Jacksonville, was also notified that some of its residents were affected, said Sandi Copes, a spokeswoman for Florida Attorney General Bill McCollum.

Anheuser-Busch’s home state of Missouri was also notified of the data losses, said John Fougere, a spokesman for Missouri Attorney General Jay Nixon.

Both said they were not sure how many residents were affected.

Anheuser-Busch said there was no evidence the loss resulted in any identity theft crimes, including fraudulent credit card applications. Affected individuals are being notified and offered one year of free credit monitoring.

Data breaches like this are now an everyday occurrence, said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer organization based in San Diego, Calif. She said the fact that Anheuser-Busch’s laptops were encrypted was rare, and that makes the breach less of a threat to people.

“It’s obvious that they have adopted strong security practices,” she said.

August 6, 2008
Federal authorities said yesterday that they had cracked the largest identity theft case in U.S. history, charging 11 people in the theft of more than 40 million credit and debit card account numbers from computer systems at major retailers such as T.J. Maxx and Barnes & Noble.

The three-year investigation by federal agencies and overseas allies brought home the global nature of the Internet’s underground economy as agents tracked leads from China to Ukraine and picked up suspects in Turkey and Germany as well as the U.S.

Total damages may never be learned, but the Justice Department said the fraud reached at least into the tens of millions of dollars. Many potential victims have yet to be contacted.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” U.S. Attorney General Michael Mukasey said at a news conference in Boston, where he announced indictments handed up by grand juries there and in San Diego.

To the chagrin of the U.S. Secret Service, which handles many electronic fraud investigations, the trail led back to one of its own informants, Albert Gonzalez. Justice Department officials said Gonzalez served as the ringleader and double-crossed the agency by tipping off his cohorts. Prosecutors said Gonzalez could face a life term in prison.

T.J. Maxx especially has become the latest poster child for the identity theft epidemic, an evolving type of fraud estimated to affect 15 million U.S. residents a year at a cost of $50 billion.

“Credit cards are constantly being stolen in different ways,” said Lance James, chief technology officer at the identity theft tracking firm Secure Science Corp. “There will be more surprises to come.”

Besides T.J. Maxx and Barnes & Noble, other retailers that lost data to the hackers were Sports Authority, BJ’s Wholesale Club, OfficeMax, Boston Market, Forever 21, DSW and T.J. Maxx’s sister company, Marshalls.

TJX Cos., which owns TJ Maxx and Marshalls, discovered the security breach in its system in late 2006 and announced it early the next year. Likewise, shoe retailer DSW discovered the breach in 2005, contacted federal law enforcement officials and posted a customer alert on its Website. It contacted credit card companies and hired a computer security firm to investigate the breach, spokeswoman Debbie Mitchell said.

But some other companies weren’t aware that hackers had broken into their databases until day and, therefore, hadn’t notified customers about possible identity losses – as may be required under the laws of California and some other states.

Barnes & Noble “had not received inquiries from credit card companies or customers about these alleged activities,” company spokeswoman Mary Ellen Keating said.

Angela Proctor, spokeswoman for restaurant chain Boston Market, said her company had detected a “potential data compromise” at one location in Florida in late 2004. But an outside audit couldn’t confirm that any data had been compromised, she said, so no notifications were issued.

She said the company was still unsure if customers’ data had been stolen, though the indictments stated that Gonzalez and six others had access there.

Secretary of Homeland Security Michael Chertoff, who was in Silicon Valley to discuss Internet security Tuesday, said that the government would leave it to the companies to warn customers. He said the government lacked the authority to notify consumers.

The break in the case began when a handful of people were arrested in Florida last year, not long after TJ Maxx revealed that it had been hacked. They were caught trying to buy goods at Wal-Mart by using fake credit cards that been encoded with the account numbers and other data lifted from TJ Maxx.

Some began cooperating, and the trail led to such members-only websites as DumpsMarket.net, as well as to Internet chats and Web transactions in the millions of dollars.

Two Chinese nationals – who are among several accused conspirators who remain abroad and at large – were charged with providing the blank credit cards that were encoded with stolen information.

The bigger suspects include Ukrainian Maksym Yastremskiy, accused of selling credit card numbers for more than $10 million, and Aleksandr Suvorov of Estonia, who allegedly supplied Yastremskiy with the numbers and related data.

The two were arrested after they had traveled on vacation to closer U.S. allies Turkey and Germany, respectively. Federal cyber-crime agents have complained privately for years about poor cooperation from most states formerly belonging to or allied with the old Soviet Union.

The Boston indictment charges Gonzalez, who is being held in New York, with computer fraud, wire fraud, aggravated identity theft and conspiracy. Fellow Miami residents Christopher Scott and Damon Patrick Toey were described as participants but not indicted, suggesting that they may be cooperating and expect to plead guilty.

In San Diego, prosecutors charged Yastremskiy, Suvorov, the Chinese nationals and a man known only as Delpiero with trafficking in unauthorized access devices and other offenses. In addition, a criminal complaint filed in San Diego accuses Sergey Pavlovich of Belarus and Dzmitry Burak and Sergey Storchak, both of Ukraine, of conspiracy to traffic in stolen credit card numbers.

Retailers have much to worry about with the loss of sensitive data.

The initial disclosure by TJ Maxx triggered consumer lawsuits and legal fights with the banks that backed the credit and debit cards, forcing the company to set aside more than $100 million to deal with the issue.

The revelation capped years of data loss horror stories emanating from companies, government institutions and elsewhere.

“TJ Maxx is kind of the granddaddy of them all,” said Phil Dunkelberger, chief executive of encryption firm PGP Corp.

Security experts said some of the hacking feats described in the indictments were impressive. Suspects used a virtual private network, Internet security tunnels common at big companies, to funnel the stolen information to encrypted computers in Eastern Europe.

Others were trivial efforts, such as driving on U.S. 1 in Miami and looking for unsecured wireless networks at retailers. They hacked into the wireless systems and installed “sniffers” to record payment card information as it was transmitted within the company.

Retailers have generally improved their security in the last few years, forcing identity thieves to be more resourceful, Dunkelberger said.

More remarkable, experts said, was the mini-United Nations that came together in the enterprise, and the speed with which everyone acted when the data fell into their hands.

“The underground economy is a global economy, and there are hot spots, like China and Eastern Europe,” said Alex Eckelberry, chief executive of security firm Sunbelt Software. “It is a full distribution channel, with people who steal the data, resell the data and use the data.” On Tuesday, TJX Cos. said banks and credit card agencies needed to work closely with retailers to protect customer privacy.

“The sheer number of retailers attacked by these cyber-criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat,” spokeswoman Sherry Lang said.

TJX has posted a customer alert on its website and on the sites of its retail chains, including TJMaxx and Marshalls, notifying shoppers of the identity theft and providing them with a toll-free number to call for more information.

DSW also has sent notification letters to affected customers whenever possible, spokeswoman Mitchell said. Altogether, about 1.4 million credit cards and electronic data on 96,000 checks were breached, she said.

BJ’s Wholesale Club, OfficeMax and Forever 21 did not return calls seeking comment.

Many companies have been slow to improve security because customers haven’t stopped shopping.

“Consumers, regardless of what they tell surveys, do not take this seriously,” said Evan Shuman, editor of a blog on retail technology, StorefrontBacktalk.com. “As long as they do not punish retailers that get breached, how can they cost-justify spending to prevent it?”

NEWARK, N.J. (AP) — A woman has sued the call girl linked to the downfall of New York Gov. Eliot Spitzer, claiming Ashley Dupre used her lost driver’s license to appear on a “Girls Gone Wild” video.

A federal lawsuit filed this month by Amber Arpaio seeks unspecified monetary compensation for defamation and invasion of privacy.

Dupre has said she was only 17 when she signed a contract to appear in the “Girls Gone Wild” video.

The video displays a New Jersey driver’s license in the name of Amber Arpaio and a birth date that would have made her appear to be in her 20s.

Arpaio, 26, of Sussex County, cannot recall where she lost the license and doesn’t know Dupre, although the women have similar faces, said Arpaio’s lawyer, Joseph J. Fell.

“Somehow, Ashley Dupre got ahold of the license and had it for some period of time,” Fell said Thursday.

Arpaio also sued “Girls Gone Wild” founder Joseph Francis.

Lawyers for Francis and Dupre had no immediate comment. Dupre’s publicist did not immediately return a call seeking comment.

Earlier this month, Dupre dropped her own lawsuit against Francis. She had claimed her name and image were exploited.

Dupre made news in March when she was identified as a high-priced call girl in the Emperors Club VIP prostitution ring whose client list included Spitzer, who resigned soon after the scandal broke.

The lawsuit by Arpaio was filed in U.S. District Court in Trenton on July 11 and reported Thursday in The Star-Ledger of Newark.

Troubled rapper DMX has been accused of using a false identity to avoid paying hospital medical expenses.

The star — real name Earl Simmons — was charged in Arizona on Tuesday with one count of theft and one count of stealing someone else’s identity.

Authorities claim Simmons gave medical officials the fake name of Troy Jones while receiving treatment for pneumonia at the Mayo Clinic in Scottsdale, Ariz., in April. He also allegedly failed to pay his $7,500 bill.

The indictment is just one of many legal woes the hip-hop star has faced so far this year. In January, he was arrested for allegedly speeding down a Phoenix, Ariz., freeway. In May, he was charged with suspected drug possession and animal cruelty following raids on his Arizona home.

A month later in June the star was arrested for allegedly attempting to buy drugs from an undercover officer, and earlier this month he was taken into police custody for violating his bail terms relating to a previous incident in June of driving without a valid license.