

Ten private investigators in several states were indicted for identity theft this week after using pretexting methods similar to those used by Hewlett-Packard investigators to obtain the personal information of about 12,000 people. The investigators reportedly used lies and trickery as well as technology to obtain private financial, medical and tax information on targets that they were investigating for clients.

The clients who purchased the ill-gotten confidential records were other private investigators who were working on behalf of attorneys, law firms, collection agents, insurance companies and others. The PIs are being charged with conspiracy, wire fraud and aggravated identity theft. Authorities say that the clients who purchased the information from the investigators may also face charges. The indictment says the clients wanted to uncover information about people who were involved in lawsuits or claims against them.

According to prosecutors, this is only the second time – the H-P case being the first – that someone has been prosecuted for using pretexting to obtain confidential records. Pretexting involves using someone else's Social Security number, birthdate or other personal information to trick companies or government agencies into handing over private information about that individual. In the HP case, investigators used the method to obtain the phone call records of journalists and HP board members to determine who was leaking company information to the journalists.

The current case involves private investigators in Washington, California, Oregon, Texas and New York. In addition to pretexting, they and a few of their employees used voice-disguising technology and other technical methods to conceal their true identity to obtain information, according to one news report. They obtained information from state and federal agencies – such as unemployment insurance departments, the Social Security Administration and the IRS – as well as from banks, pharmacies and hospitals.

According to the indictment (PDF), to obtain tax returns, an investigator would call the IRS posing as the individual whose returns he wanted to obtain and claim that he needed copies of his tax returns because he'd just fired his bookkeeper for impropriety and needed to verify that the returns had been filed accurately.

To obtain medical and drug records, an investigator would call a pharmacy or hospital posing as a representative from a fictitious doctor's office and claim that he or she had been authorized to obtain a patient's prescription or hospitalization records.

The private investigators charged various amounts to their clients for the confidential information. One agency, for example, charged $100 for bank account information and $130-$250 for each tax return. Medical information about someone could be obtained for as little as $50, or $150 for a five-year comprehensive medical history.

Pretexting, of course, isn't a new method. In a story I wrote for Wired News in January 2006 before the H-P scandal broke, Rob Douglas an information security consultant, told me that pretexting was a dirty little secret among private investigators and one of the primary ways they had used to obtain information for years.

"No one likes to talk about who uses these records the most," he told me then, "but it's lawyers for the most part who created this market" and often claim ignorance of the ways in which the information they purchase is obtained.

See Also: