Thanks to last year's scandal at Hewlett-Packard, consumers learned how easily private investigators can trick companies into divulging personal information. Now, thanks to a new federal indictment full of data theft allegations, we know they also can trick the IRS and the Social Security Administration into handing over information.
Ten suspects were indicted last week in Seattle for allegedly impersonating consumers and obtaining their bank records, tax returns and Social Security earnings statements.
According to the indictment, the Internal Revenue Service and the Social Security Administration were repeatedly tricked into coughing up very sensitive documents. In one case, the IRS gave a defendant nearly 10 years worth of tax records, the indictment alleges. In another, a suspect allegedly obtained tax records by claiming his accountant had recently been fired for embezzlement and the information was needed for verification purposes.
In all, 12,000 consumers were victimized by the defendants from 2004-2007, the indictment alleges.
At the center of the crime, according to the indictment, were a Emilio and Brandy Torrella, a Seattle couple, and their employee, Steven Berwick. Operating as BNT Investigations in Belfair, Wash., the three allegedly took orders from private investigators around the country and filled them by impersonating the targeted consumers. The other investigators then resold the information.
"This indictment alleges that private investigators across the country illegally obtained confidential information and sold it to the clients who hired them," Jeffrey C. Sullivan, the U.S. attorney for western Washington, said in a statement accompanying the indictment. "This is a very serious matter. The investigation is continuing and it is our intention to go after these 'clients' if we can prove that they knew this information was obtained illegally."
Many of the crimes took place -- and the information was divulged -- while the Hewlett-Packard pretexting scandal was splattered in the headlines, according to the indictment. In that incident, H-P hired investigators to obtain phone records belonging to reporters in order to determine the source of a news leak.
And about the same time Congress was debating a law that would firm up rules making the release of telephone records illegal, federal agencies were giving even more critical records to the imposters.
Who paid for it? Still a mystery
There is very little information about the alleged buyers of the data in this week's indictment, which says only that the data was used by "attorneys, insurance companies and collection companies to investigate the backgrounds of opposing parties' and witnesses and to uncover assets or income for satisfaction of debts."
The Torrellas and Berwick used various story-lines to get the information, often invoking some measure of desperation or emergency, according to the indictment. For example, the imposters might say they were at a hospital awaiting surgery, "but the hospital would not perform the operation until (it) received copies of tax returns," it said. In other cases, the defendants pretended to be "battered spouses who needed the information to avoid more beatings" or to avoid "having a child abducted," it said.
While the stories were extravagant, the prices were not. The indictment alleges that the defendants charged $130-$250 per year for tax information. $75-$125 for Social Security information, $100 for bank account balance data and $150 for five years of medical records.
Orders didn't take long to fill.
According to the indictment, on Jan. 3, a San Diego-based investigator requested "employment and earnings history as far back as possible." Five days later, the Torrellas allegedly provided federal income tax records from 2000 to 2004, forms that were given to them by the IRS, it said.
Four days later, President Bush signed into law a bill that made obtaining consumer phone records through pretexting expressly illegal.
Results in one day
Sometimes the results came even quicker. On Sept. 14, 2006, agents working for a Brooklyn-based detective agency called the Torrellas and asked for "10 years of asset information" on a subject, the indictment says. Two days later, they allegedly handed over\"information obtained from 1998 through 2005 Federal Income Tax Returns" to the Brooklyn firm.
"It was not clear precisely how the IRS records were obtained."
IRS officials said it would be inappropriate to discuss the allegations in the indictment.
Forms for obtaining past tax returns are available on the IRS Web site, but require the applicant to go through a fairly elaborate process. But "transcripts" of tax returns -- electronic summaries with the most-relevant information -- can be obtained by faxing a one-page form to the IRS. The form asks only for a Social Security Number and a signature.
An IRS official who asked not to be named said the agency does take additional steps to verify the authenticity of such requests, but would not discuss what those steps are, citing security concerns.
The indictment alleges the Torrellas were able to get other federal agencies to release private information.
For example, on Aug. 4, a Beaverton, Ore., firm ordered five years of employment history, a medical records search and a list of pharmacies used and prescriptions filled, it claims.
That same day, the Torrellas provided "details of wages reported to Social Security for 2002 through 2006, report of medical records for 2003, including prescriptions taken and emergency room visits," the indictment says.
The Social Security Administration's Inspector General's Office is investigating.
'Thousands of times a day'
Rob Douglas, who has testified before Congress about the issue of pretexting and personal information, said he wasn't surprised by the seeming ease with which the information described in the indictment was obtained.
"I tell people this is happening thousands of times across the country every day and people don't believe me," he said. "Well, here it is."
Douglas pointed to the congressional testimony of Al Schweitzer four years ago as offering the simple recipe for obtaining this kind of information. Schweitzer, who described himself as a former pretexter, said he used various "gags" to get the data he needed, and always followed a simple formula:
"Identify the piece of information you are after; identify who or what institution is the custodian of the information sought; based on real world situations or actual operational procedures of the target institution, figure out under what circumstances and to whom the desired information would be released; be that person under those circumstances."