Are you to blame for your child’s identity being stolen? (Case study)

You may or may not be familiar with previous posts of mine in regards to content I’ve been able to flesh out with Google, but one topic I haven’t covered yet in the manner that I plan to below is how someone can easily become responsible for their child’s identity being stolen, credit being ruined, etc. It’s becoming far too easy to have private information end up in Google’s index without you legitimately having any inkling that it could.

At any given moment, I could have a handful of Social Security numbers with which to wreak havoc. Unfortunately, it’s far too easy to find that information not just in Google, but other places as well. Even more unfortunate is how simple it is to connect the dots and have yourself an amazing personal profile built on an individual. Let this post serve as a cautionary tale for you and your loved ones (pass it on for them to read) and think twice before you so willingly store sensitive information anywhere but on your computer. And as for the title of this post? It will become clear in a moment.

[Related: Beware: Social Security numbers available online via indexed tax documents]

As a case study, I decided to see how much information I could dig up on a random person after discovering, via some advanced Google querying, their SSN residing in tax documents stored online.

So, what all is in a tax document? Income, SSN, name, address, and more. In and of itself, this is enough to cook up a nasty case of identity theft, but you can take it a step farther. In my case study, I randomly found the tax documents of a girl who is now 20+ years of age. Her father is to blame for placing them on their free server space allocated to them from their ISP — an easy mistake to make if you, like he, didn’t understand how the information could end up in Google. More on that in a bit.

Now, this particular case is especially bad, because accompanying the tax documents throughout other folders I found my way to was just about everything under the sun: scanned copies of the girl’s past driver’s licenses, current employer information, credit-related information, tons of family pics, bank account information, and more. And this is just from her. I won’t break down all the information the father had of his own there. Anyway, from this, I was able to locate this girl on Facebook, MySpace, LinkedIn, and more. And thanks to her MySpace alias being what it is, I was able to find her email address, forums she posts on, her eBay user account, her Etsy user account, and the list goes on.

Now, you don’t have to tell me how creepy that sounds, because I know how creepy that sounds. Obviously, I’m not some stalker guy who’s bent on, well, stalking someone, but if I was, I would have been in hog heaven. The stalking issue is a separate issue all on its own, in terms of the information you store online, but I wanted to see just how deep this rabbit hole went. And it didn’t take long to find out, either, what with maybe 30 minutes being spent, tops, to find everything that I did. By the end of my journey, I was both dumbfounded and depressed by the thought of this girl’s identity being capable of exploitation to this degree.

It goes without saying that it wasn’t difficult for me to find out how to contact her and inform her of all of this after everything I’d discovered.

But perhaps even worse than the aforementioned… and this is really the kicker… is this girl’s much younger sister, whose father claims her on his taxes. Right there in a tax document of his was her SSN and name. Is this young girl going to be in for a rude awakening the day she goes to apply for something requiring a credit check? What if she tries to land a job early on that requires a credit check? I can’t even begin to stress to you the alarming rate I see instances of this within documents I find, thus, the title of this post being what it is.

I explained all of this to the young woman I informed of my findings and urged her to reach out to her father and let him know (which I would have attempted to do had I not heard back from her within a couple of days).

Lo and behold, after hearing back from her the day after, I received an email from her father a few days later and he thanked me profusely for informing them of my findings. Understandably, he was quite shaken up and upset with himself, but even more than that, he was angry at his ISP. Now, you may be thinking that this guy’s the one who stored all of this information online, but I think he has a legitimate reason for being upset: his ISP hadn’t made it transparent enough that the server space allocated to their users is all open to search engine indexing. After all, he had to log into a portal which allowed him to store all of this information and he had absolutely no idea that the directory he stored files in even had a URL that could be directly accessed — much less without authentication.

The accessible URL looks something like this: http://www.randominternetisp.com/userdirectorytitle/~usernamehere/documentshere

Having been a user of his ISP for many years, and though terminology now exists in their user TOS in regards to storage space provided being accessible without authentication, he insists such was not the case previously in regards to such terminology existing in their TOS. I’m not here to play the blame game and choose sides between the father and the ISP, but whatever the case may be, the lesson here is clear: make sure you (or your parents/children/loved ones) understand how your information is going to be treated once you store it anywhere remotely, be it via server space allocated to you from your ISP, server space somewhere in the cloud (especially free services, like SkyDrive), or otherwise. Unfortunately, it’s only going to get easier for things like this to happen as remote storage becomes a more enticing and easily leveraged option for everyone.

So, files have been removed, and now, damage control is underway for this father and his two daughters. I’ve no idea if any damage has currently taken place with any of them credit-wise, but I won’t push the issue upon them any more by inquiring about it. Also, I’ve chosen not to name the ISP as of this moment due to their users’ directories all being accessible in the manner that they are currently. However, if you’re concerned enough to see if your ISP follows a similar practice, either head to your ISP’s home page and search through their support pages, or reach out to support via phone or email.

Where do you think the line exists these days between a service provider’s transparency and a paying customer’s ignorance or stupidity? I’m interested to read your feedback, so let us know your thoughts in the comments below!

-Stephen Chapman

Related Content:

• How to Become a Search Ninja: Harnessing the True Power of Google - Part 1
• Search ninja part 2: How to find older versions of software (and much more)
• Porn, piracy, and personal data: Universities providing more than just education
• Harvard.edu: An Ivy League pornographic playground
• Beware: Social Security numbers available online via indexed tax documents