As cybercriminals become more skilled, the privacy practices at many organizations have not kept pace. In the State Compendium of Unclaimed Property Practices that I’ve compiled, I found this to be the case at many state treasuries where the data exposed provides fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft.
First, you have to understand what “unclaimed funds” are and how they work. Our states are responsible for ensuring unclaimed property makes it into the right hands. Twice a year, organizations like banks and insurance companies report uncollected payouts to their state’s Unclaimed Property Office. From there, the debt is published in a local newspaper, and if it remains unclaimed, the property (funds, stocks, commodities, etc.) has to be surrendered to the state for safekeeping until a claim is made.
Two years ago, there was a total of $58 billion in unclaimed property nationwide. In theory, it’s safe. You need to be able to identify yourself and go through a verification process to collect the money. However, because Social Security numbers and other personally identifiable information (PII) are increasingly easy to find on the dark web, consumers are faced with a potential fraud-frenzy not unlike the spike in stolen tax refunds of recent years. It takes a good deal of information for a fraudster to claim funds that rightfully belong to you, but the danger of PII on unclaimed funds sites cuts both ways – fraudsters can find out that you have unclaimed money and try to gather other information about you in order to claim it, or they can use the information from the unclaimed funds sites to build a dossier on you and target you for other scams.
This is not a hypothetical problem. Interestingly, the first explanations of the issue in a simple Google search (i.e., unclaimed funds identity theft) came not from a state treasury, but from a site called Scambusters. One common scheme involves charging a fee to “locate” your unclaimed property. In the process, the swindler grabs personally identifiable information that can be used to commit identity theft. Stories about stolen unclaimed funds abound. In 2011, a Houston woman was convicted for stealing almost $500,000 in tax refunds and unclaimed funds. According to KHOU.com, “Officials said Thomas used public databases to locate the names of the people owed money, then used their personal information to claim the funds.” Texas scored a lone star in the compendium—the worst ranking here.
This has become an issue because of data breaches. News is still trickling out about the millions of federal employees whose personally identifiable information was exposed to hackers because of shoddy data security at the Office of Personnel Management. Between the breach at Anthem that leaked Social Security numbers and the Premera breach that leaked far more specific information (in addition to SSNs), almost 100 million records were stolen. The recent IRS revelation that fraudsters essentially walked through the digital front door and stole $50 million in tax refunds using information accessed in its “Get Transcript” application highlighted the need for more stringent processes at government agencies. That swindle, like so many others, was made possible by a seemingly never-ending string of breaches. The fraudsters had enough information to game the IRS verification process. The same approach could be used with unclaimed funds.
While I am focusing here on the state offices responsible for unclaimed funds, knock on any organization’s door these days and you will find data security and privacy issues.
According to some estimates, there are more (perhaps significantly more) than a billion records “out there.” Therefore, it is crucial that organizations entrusted with our personal information do everything possible to limit our exposure, especially when our money (as well as the integrity of our identities) is on the line.
The compendium found that more than half the country could be doing a better job. Thirty-six states had practices that exposed more personal information than was necessary—ranked “Not Good” (28) or “Bad” (8)—exposing various kinds of data that fraudsters can use to build the type of personal information dossier on an individual (or even a celebrity, we found) that facilitates the commission of identity theft.
What Can We Do About It?
For Consumers: Get your money now! Visit your state’s unclaimed property site as soon as possible to see if you have a claim, and if you do, go through the process before your evil twin does. And, as always, stay vigilant. Just because you don’t have unclaimed funds doesn’t mean a scammer can’t get to you other ways. Monitor your financial accounts regularly for unauthorized charges, and keep an eye on your credit reports and scores for signs of new-account fraud.
For States: Respect your fiduciary duty to protect us and expose less PII in the verification process.
How does your state measure up? Read the full State Compendium of Unclaimed Property Practices.