Unsuspecting Iowans fall into cyberattack web

Instances in which Iowans' identities were stolen jumped a whopping 30 percent in one year, from a rate of 56 people for every 100,000 Iowans in 2014 to 73 a year later.

The growth of identity theft in Iowa mirrors what is happening nationwide. Thefts via the digital world — most of it happens on the internet — are on the rise as the crime evolves with technology. Yet many people making legitimate purchases online still have a false sense of security about their private financial information.

The result, a series of interviews for an IowaWatch-Simpson College journalism project revealed, is a feeling of intrusion and personal violation for cyber identity theft victims.

'I felt just devastated, I didn't know what all was affected,' said Christy Eichelberger, 51, of Altoona. Thieves stole her identity to make online purchases in 2003, and she wonders now how technological advances have made things even easier for cyber thefts.

Once inside a computer's network, hackers can view documents and confidential data and use them for their own greed. Such digital breaches have displaced the old way of obtaining personal data from unsuspecting consumers — going through their mail, said Susan Kerr, a consumer protection investigator with the Iowa Attorney General's Office.

The rate of thefts per 100,000 people is a standard that considers the population for jurisdictions reporting crime data. In 2015, Iowa recorded 2,214 total impersonation reports. It recorded 1,371 impersonations in 2011.

But 2,558 Iowa victims were involved in those cases, which means more than one victim was targeted in some instances.

Tracy Loynachan, a statistical research analyst at the Iowa Department of Public Safety, said the vast majority of the victims were individuals, but others were businesses, financial institutions or governments or were unknown.

'The fact that this happened seems so surreal to me and then it made me angry. There's a vulnerability that happens with this. The idea of trusting a system or trusting individuals gets compromised.'

- Elizabeth Bell of Fairfield,

Who lost $1,800 from her PayPal account to thieves earlier this year

In Eichelberger's case, thieves hacked her eBay account and stole $1,300. She told her bank as soon as she noticed something was wrong.

That marked the beginning of a long process of restoring and securing her financial accounts.

'There were extra steps that we had to take to make sure that I really was who I said I was,' she said.

Police told Eichelberger that identity theft is becoming huge and that people need to protect themselves, she said.

However, regaining your own personal information is difficult, said state Rep. Zach Nunn, R-Bondurant, a former director of cybersecurity on the National Security Council and a former national counterintelligence officer in the Obama administration.

It can mean getting new credit cards or even a new Social Security number and changing banking information.

'That stuff is not only time-consuming but it creates a real fear in the individual that, 'Hey, this happened once. How could it happen again?'' Nunn said.

The problem leaves banks and businesses with plenty of work to do, setting up firewalls and tests that consumers must pass to get into their systems. This makes hacking more difficult, but not impossible.

A specialized website for fighting identity theft, idtheftcenter.org, says your identity can be stolen even when you swipe your card at a gas pump and don't realize a reader — an illegal device made to steal card information that looks like part of the pump — is recording your information.

Or, thieves can steal personal information when you order something online, even though you thought the website was secure.

That's how thieves earlier this year stole $1,800 from the PayPal account of Elizabeth Bell, 49, of Fairfield.

'The fact that this happened seems so surreal to me and then it made me angry,' said Bell, a United Methodist minister serving three congregations in nearby Van Buren County, but who formerly worked in the credit and collections business. 'There's a vulnerability that happens with this. The idea of trusting a system or trusting individuals gets compromised.'

PROTECTIONS AND PUNISHMENTS

Kerr, from the Iowa Attorney General's Office, said you can help protect yourself by putting a security freeze on your credit reports, which restricts thieves from getting credit under your name. Three main companies — Equifax, Experian and TransUnion — do this.

Megan Stufflebeem, 29, of Des Moines, canceled her credit card and completed the necessary paperwork after $200 was stolen from her bank account in 2013. She said the process was painful.

'It took a good month or two before they were able to refund my money,' she said.

Iowa Code requires that anyone who owns or licenses computerized data containing a consumer's personal information for professional or vocational purposes must notify the Attorney General's Office within five business days about a security breach if it affects 500 people or more.

Thieves — if they are found — are charged depending on how much was stolen. First-degree theft covers property exceeding $10,000 and carries the maximum punishment for a Class C felony, which is up to 10 years in prison and a fine of up to $10,000.

Thefts in which less than $10,000 in value was stolen have varying degrees of lesser punishment, 30 days in jail, for instance, or a fine ranging from $65 to $6,250.

Rep. Nunn said Iowa lawmakers face a challenge when trying to legislate over crime in the internet's virtual world the same way they legislate over other crime.

'If someone breaks into the Bank of America (in a cyberattack), steals billions of dollars or disrupts the business flow of a major bank, it's very difficult to move to a physical crime in the same way if somebody broke into a bank and stole that money,' he said.

Kevin Anderson, the director of enterprise information protection at Farm Bureau Insurance, said he works with companies so that former employees no longer have access to a company's security system. But hackers sometimes try reaching current employees, Anderson said.

"There's a lot of crime that we don't know, specifically in the world of hacking. You're talking about a savvy hacker group, and there are groups. We have groups in America, and that's what they invest their time in: 'How can I financially benefit myself by getting into people's bank account?''

- Lt. Chris Scott

Des Moines Police Department

'They're willing to pay employees large sums of money to, basically, hack from the inside,' he said. 'So it's always a concern. It's a threat.'

However, most hacking attempts his company sees are by large-scale programs and bots, which are computer programs designed to do tasks in repetition.

The West Des Moines-based gas station chain Kum & Go has taken extensive measures to implement security methods and strategies, said Aaron Tekippe, an information technology security architect.

'We use firewalls, intrusion prevention systems, we have data loss prevention systems that actually watch network traffic to ensure that data doesn't actually leave our environment,' Tekippe said.

He would not say how much that costs.

'I think the attacks will become more frequent over time and as the attacks get more frequent, it would make sense it becomes more expensive,' he said.

Bringing online identity thieves to justice is complicated, especially when the suspects are overseas. Many times prosecutors in foreign jurisdictions don't care about U.S. cases, said Einaras von Gravrock, chief executive officer of CUJO Smart Firewall, a Los Angeles-based company that specializes in home and businesses internet security.

'The least of their worries is policing people who steal money from America, which is a shame, but that's the world we live in,' von Gravrock said. He said Russian law enforcement personnel, for example, wouldn't waste time pursuing charges for virtual attacks intended for locations outside of their jurisdictions.

'The bad guys throw away your money 6,000 miles away,' von Gravrock said. 'It's not necessarily blaming the Russian government. They have their own challenges.'

Lt. Chris Scott, who has served with the Des Moines Police Department since 2001, said catching internet identity thieves starts with knowing the crime has actually taken place.

'And there's a lot of crime that we don't know, specifically in the world of hacking,' he said. 'You're talking about a savvy hacker group, and there are groups. We have groups in America, and that's what they invest their time in: 'How can I financially benefit myself by getting into people's bank account?''

Scott knows how frustrating it is to have your identity stolen. He was an identity theft victim himself after someone stole and activated a credit card under his name and went on a spending spree in Texas.

That was in 2000. Seventeen years later, technology is more sophisticated but the same kind of bad guys exist, he said.

Ashley Smith, Hunter Hillygus, Erich Bogner and Clayton Bowers contributed to this report. This story was produced by the Iowa Center for Public Affairs Journalism-IowaWatch.org, a nonprofit, online news website that collaborates with Iowa news organizations to produce explanatory and investigative reporting.