Identity theft study reveals HSBC, BofA, Wamu top targets

Customers of HSBC, Bank of America, and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an investigative study released Wednesday by a UC Berkeley Law School researcher.

The Federal Trade Commission received over 245,000 reports of identity theft in 2006, but does not typically publish the names of the financial firms and companies listed in the reports. Through an extensive Freedom of Information Act request, Chris Hoofnagle, a staff attorney at UC Berkeley's Boalt School of Law, was able to get detailed records on the individual consumer complaints.

Hoofnagle received detailed information for three randomly chosen months in 2006: January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions identified by victims.

Estimated Annual Incidents Per Billion in Deposits Among Largest US Banks (2006)

(Credit: With permission from Chris Hoofnagle)

Once he crunched the numbers, Hoofnagle discovered that HSBC has the highest rates of reported identity theft in the financial industry during 2006, when adjusted for billions of dollars in deposits. Bank of America and Washington Mutual came in a close second and third. According to Hoofnagle's stats, HSBC had 21 incidents of identity theft per billion dollars in deposits, Bank of America/MBNA had about 17, while Washington Mutual had 16. Online banking leader ING had the lowest rates in the industry, with just a single reported incident.

Technically, American Express and Capital One lead the pack--with 485 and 242 respective incidents per billion dollars in deposits. However, Hoofnagle excluded them from the graph due to the small scale of each company's banking operation (Amex's 7 billion in deposits compared with Bank of America's nearly 760 billion).

Outside of the financial services sector, telecom giants AT&T and Sprint suffered from more than 9,100 and 8,300 estimated reported cases of identity theft. As the firms do not publish the numbers of customers they serve, it was impossible for Hoofnagle to break these numbers down further.

While the FTC incidents that Hoofnagle examined were from 2006, a number of recent reports indicate that HSBC has recently been overwhelmed with a "a wave of banking fraud." Real numbers to back up these reports will not be available from the FTC for some time.

The levels of theft described by Hoofnagle's match up nicely with a 2007 report released by Cambridge University researchers, which revealed that Bank of America and Washington Mutual took the longest time to shut down phishing sites targeting the banks. Sites masquerading as BofA and Wamu typically stayed online for more than 100 hours, compared with less than two days for Chase and PayPal.

Finally, while the FTC publishes an annual identity theft report, it is not required to break down its figures and reveal the names of the most frequently victimized banks. While states like California have been able to pass significant pro-consumer data breach legislation, this is one area where states have little power. Incidents of identity theft are primarily reported to the FTC, and not to state attorneys general. To force the FTC to voluntarily publish such data, federal legislation will be required--something that is unlikely to happen.

Hoofnagle's 16-page study, with detailed numbers and graphs, can be found here.

[CESSNA150SKYPILOT]

Good for you for finding this out! Sometimes I think they're all in cahoots! I guess the only way is to write our congress persons and demand transparency in reporting by the FTC.

[bpapa9013]

CRAP, I have a vehicle loan with HSBC!

I have been learning that they are a really crappy lender since I took that loan. Apparently they don't just have a high rate of ID theft, but they are also shistey about changing the rate on "fixed rate" credit and not obeying minimum payment agreements on loans.

(Agree to a low introductory rate + fixed low minimum payment for X months of a 4X month loan= minimum payment will almost double the SECOND MONTH!! ***!?!)

I would avoid this bank like the plague, I am going to pay off my loan ASAP! (Fortunately it was just financing on a scooter so I should be able to pay it off in about 3 months!)

[gwilliamp]

These figures do not mean much without knowing how many customers or transactions the bank processed in the time period. If expressed as a percentage of customers or, even better, transactions they would better express the client vulnerability of each company.

[gcifra1]

I have reported my personal experience to HSBC:
They outsource the Customer Service calls to India etc. The call centers are packed with operators sitting so closely that you can hear the activity of several accounts. I am a captive audiance to numerous conversation where I can hear not only the operators but the customers they are talking to. There are obviously no cubicles and if so they are not to ensure privacy. Also they are trained with such canned answers that it is impossible to have a logical constructive conversation.
It is a HSBC is a Pygmy Bank !

[Bryan_Ansley]

What?s sad is that there is technology and services out there that are capable of stopping ID fraud before it has a chance to damage consumers and inflict losses on the banks. Many senior-level banking execs just don?t realize that they?re out there.

On Jan. 1, a new Federal Reserve Board regulation went into effect to combat this lack of knowledge. The rule gives bankers until November to implement ID theft protection programs that meet the Fed?s requirements, which require ?reasonable policies and procedures? for preventing ID theft, identifying ?red flag? activities, and notifying victims.

And the introduction of new and improved ID theft detection and prevention tools will help increase awareness, too. In a few weeks, my company is going to announce a new technology banks can use to protect their depositors. Essentially it will compare the location of the depositor (determined via their cell phone) with the location of the credit card transaction. If the two don?t match, the transaction is flagged so it can be checked out immediately.

My advice to banks: The ID protection space is huge and there are many different vendors and services, but you need to start researching and seriously consider implementing one. That?s the best way for them to protect their customers, and themselves.

Bryan Ansley
BAnsley@FNBmerchants.com
http://SecureIdentitySystems.com.

[geofbrewer]

It is amazing to me as large as HSBC is, they are unable to spend the money necessary to keep customer data safe. Of course, as a customer of one of their many subsidiaries, I'm not surprised. I'm afraid of a meltdown before I can close my accounts. Does the name Enron sound familiar? I thought another financial institution would beat them to Chapter 11/7. And to think when I started to deal with HSBC, I was blissfully ignorant of what was to come.

Many of these financial institutions outsource their operations overseas where they are not subject to the same regulatory standards including the protection of customer data. They also have large constituencies of illegal alien customers who are illegally given loans and other services without social security numbers or use stolen/fraudulent social security numbers. What easier way to illegally obtain social security numbers and other information to establish an aura of legality. Look at all the data thefts, breaches and so called losses at the height of the illegal immigration debate....Only a coincidence????? The government wants cheap illegal labor and illegal votes at any cost and will pursue any measure to achieve this.

[dudeman121]

H & R BLOCK USES HSBC FOR INSTANT TAX REFUND LOANS. Talk about risky business. Over the past few days, I've confirmed, verified by Lifelock (Identity Fraud protection Agency), that HSBC does not, or at least did not properly handle a "Fraud Alert" on applicant's credit report for a tax refund anticipation loan. This is pretty scarry considering that H & R Block, whom many of us trust to handle our most private financial info such as our taxes, associates our taxes with HSBC Bank. Wow!!!

[K2S1d]

You might read ?The Silent Crime? by Michael McCoy. He states that there are 5 major areas of identity theft and identity theft can?t be prevented. On page 191 he does a comparison of services. He states Pre-Paid Legal Services is ?Most robust with complete restoration, credit monitoring and access to attorneys 24/7.? You can order the book here http://stolendata.blogspot.com/2007_04_01_archive.html and find out more about the service here http://www.keithdsmith.com

[smsdes]

Had heard of the Bof A and WaMu problems, but never thought it would hit home.

My husband was checking our monthly online statement and saw 2 new accounts setup. he figured it was a glitch, but an hour later the accounts had taken $30,000 from a line of credit at Bof A and had then transfered $10,000 to a Wamu Account!!!
We are now fighting to get all the info and have had the police in our home for reports and lost time from work to deal with the banks.

Its more than just a simple crime,It effects the persons life for years!

I am on the west coast,and the theives from wha twe could tell are on the East coast.

I would love to hop a plane and personally hunt them down!!