NYSEG loses social security numbers

NYSEG and RG&E collected customer social security numbers.  To clarify, these companies do not issue credit cards – they provide gas and electricity.  Why do they need social security numbers?  The simple answer is that they don’t (more on that in a minute).  I am guessing that they collect them so that they can harm your credit score if you neglect to pay them.  So, put bluntly, you gain NOTHING by giving them your SSN.

I moved in to my current apartment in July 2011 and when I signed up for my utilities, one of the mandatory fields was my social security number.  I left it blank.  (In fact, I think I wrote “no way!”)  They still sent me a bill and they still get paid.  My old energy company in Minneapolis was the same way.  I always refused to give them my social security number and every time I talked to them, they told me it was required.  I never once gave it to them and they never once cut off my service.

The point is – don’t give people your social security number, even if they “require it.”

Let’s take a look at their letter

Now, I’ve attached a PDF of the letter below.  I’ve even run it through OCR so Google can find it easier.  I want to quote a line from their document:

While we have no evidence that such data has actually been misused, or that there was any malicious intent..

WTF is that?  The data were just stolen.  I’m not surprised that no one has confirmed that it hasn’t been misused yet. Let’s count the steps that you would need:

  1. Your data has to be sold to someone willing to commit identity fraud.
  2. They have to set up a line of credit in your name.
  3. It has to be approved.
  4. Then they have to draw on that line of credit.
  5. The account then has to become delinquent.
  6. The bank then has to send a warning letter to the victim demanding payment.
  7. The victim has to figure out that their identity was stolen,
  8. find the source of the leaked information, and
  9. definitively prove that it was NYSEG that lost the information and they have to admit what happened.

OF COURSE IT HASN’T BEEN PROVEN YET.

The second half of that quote states that there was no malicious intent.  This is even more ludicrous than the first part. Do people steal SSNs because they like collecting strings of 9-digit numbers?  They steal them because they have value!  What kind of moron PR firm wrote that statement?  That is as dumb as saying that someone steals money because they like the look of it, not because they have any malicious intent.

From the day that the data were stolen until the day that every last NYSEG customer dies, someone will be at risk for identity theft.  This will be a perpetual problem for everyone involved.  We don’t get new SSNs when there is a data breach.  Instead we get a SINGLE YEAR of credit monitoring service that costs maybe $30/customer.

Do you know what I would do if I stole these numbers?  I’d let them age for a year.  Most of the victims will still be alive but you’ll get a higher yield once this monitoring service is over.

And NYSEG is a monopoly so they don’t have to care.

The letter:

NYSEG RG&E
PO Box 483
Chanhassen, MN 55317-9678

January 23, 2012

Dear Valued Customer:

We take our responsibility to protect your personal data very seriously. For this reason, we are writing to inform you that earlier this month we discovered that an employee of an independent software development consulting firm (contracted by NYSEG and RG&E) allowed unauthorized access to one of our customer information systems. The customer records contain Social Security numbers, dates of birth and, in some cases, financial institution account numbers. While we have no evidence that such data has actually been misused, or that there was any malicious intent, we are notifying you out of an abundance of caution so that you have the information and tools necessary to help detect and prevent any misuse of personal information.

We have consulted with law enforcement and engaged computer forensics experts. Our investigation is ongoing and we will continue to provide law enforcement with our full assistance.

Credit Monitoring Assistance

Above all, we ask you to be vigilant in monitoring your credit and bank accounts for any sign of unauthorized activity. If you suspect any incidence of identity theft, please contact your local law enforcement agency or the Federal Trade Commission.

As a precautionary measure, NYSEG and RG&E have arranged for Experian to offer you the option of a year of credit monitoring free of charge through ProtectMyID™. If you’d like to take advantage of this offer, you must enroll by April 30, 2012. You can activate your membership in two easy steps:

  1. Visit the ProtectMyID website: www.protectmyid.com/NYSEGandRGE or call 1.877.736.4495 (toll-free) or 1.479.573.7373 (for international callers) to enroll.
  2. Provide Your Activation Code:

Your complimentary 12-month ProtectMyID membership includes:

  • Credit Report: A free copy of your Experian credit report.
  • Daily Credit Monitoring: Alerts you to suspicious activity including new inquiries, newly-opened accounts, delinquencies, or collections found on your Experian credit report. You can elect to receive alerts by e-mail, text message, or first class mail.
  • Identity Theft Resolution: If you have been a victim of identity theft as a result of this situation, you will be assigned a dedicated, U.S.-based Experian Identity Theft Resolution Agent who will walk you through the fraud resolution process, from start to finish.
  • $1 Million Identity Theft Insurance*: As a ProtectMyID member, you are immediately covered by a $1 million insurance policy that can help you cover certain costs including lost wages, private investigator fees and unauthorized electronic fund transfers in the event of an identity theft incident.

Support

If you have questions, need help enrolling in the credit monitoring program, or feel that you may have an identity theft issue, assistance is available at 1.877.736.4495 (toll-free) or 1.479.573.7373 (for international callers), Monday through Friday, 9 a.m. to 9 p.m. (Eastern Time), and Saturday through Sunday, 11 a.m. to 8 p.m.

In addition, you are entitled under U.S. law to order one free copy of your credit report every 12 months from each of the three nationwide credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call 1.877.322.8228 (toll-free).

Additional information about this matter is available on our websites – www.nyseg.com and www.rge.com.

If you wish to learn more about ways to limit the risk of identity theft, such as fraud monitoring and security freezes on credit accounts, consider contacting the Federal Trade Commission or your state Attorney General.

Federal Trade Commission:
600 Pennsylvania Avenue, NW
Washington, DC 20580
1.877.IDTHEFT (1.877.438.4338)
www.ftc.gov/idtheft

We take pride in serving you and apologize for any inconvenience or concern that this incident may cause. Please be assured that we take the privacy of customer data very seriously, and we remain dedicated to using our best efforts to regularly assess and adapt our physical, administrative and technical security measures in order to protect such data.

Sincerely,
Mark S. Lynch
President
NYSEG and RG&E

* Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of Chartis, Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

13 Comments

  1. Interesting note – I have found a bunch of searches looking for a specific string of text coming to this site. I’m guessing (based on the search string and host name) that NYSEG noticed this post. +1 🙂

      1. Talked to NYSEG about this today.
        They both say they are following (NY?) State regs in notifying customers of the breach. Then, they say they are offering the “protectmyid monitoring service” for 1 year as a service to customers that is unrequired by the state because the investigation has not concluded that any harm has yet been done to customers. This is purportedly out of the goodness of NYSEG’s heart.

        I asked if 1 year was long enough. Their answer: They will make more services available as they learn the extent of the problem. I assume this means learning who sold what to whom.

  2. I just tried to go on line to sign up for my free year of credit monitoring. Guess what? Site does not work – goes to a blank “this is not a link”. Then I spoke to someone on the phone. After she asked all my personal data questions including my social security number and my mother’s maiden name, it occurred to me: Do I really want MORE of my personal data out in cyber space? I did not sign up. I wish I had never given MY ss# to NYSEG.

  3. The protectmyid web site is blank. I feel NYSEG and RGE should pay for any and all debts that come from their sloppiness. I feel too many companies ask for our ss# and we should have the right to just say no NO NO NO they have no reason to have it. Every time we have to give it to get a service we are putting ourselves at risk. As it was just proven once again.

  4. Tried to go on protectmyid.com/NYSEGandRGE and guess what. All I can get is the application for adding the protection to my shopping cart. No place to enter the Activation Code and no way to get around signing on for a subscription to the service.

    Not only did NYSEG and RGE neglect having proper customer identification protection in place they are probably now reaping financial gain from the subscriptions being sold by the company supposedly free service that is going to protect me from the scam artists who may have my information in their hands right now. Nice to be in a position to not fear customers changing vendors, but also one that can charge what they want for the product and leave the protection of confidential information on the door step to be so easily taken.

    Nice job folks!!!!!!!

    1. Hi Brian, Just wanted to thank you for your concern with such a serious matter that I believe they are scamming us on. You helped me make my decision on giving out any other info than they already have. They send us to a website that is blank and so confusing and that is their way of saying they are concerned. I’m with Phil I truly believe they are out for a profit with the other company. I also believe that this is another way for them to get more info out of the millions of customers they have. DO THEY TRULY CARE HELL NO!! They would have never allowed it to happen if they did care. I’m on my own with dealing with this matter by not going thru them. Thanks again Brian for helping me make a decision on such a serious matter with our identity. You gave me a wake up call on YES Why do they need our numbers when they are going to provide for us anyway and if the bill is not paid then they have the right to shut us down with or without our SS#!!! I’m glad I ended up on your site and you allowed me to speak my reply!!!!!!!

  5. What recourse do we have? I also went to the site and could only sign up for the 15.95 per month service, nowhere does it reference a special deal with NYSEG. Has anyone actually done this successfully?

    Consumers are really at a loss as there are no options and NYSEG will not provide service without a SSN. We are kind of held hostage.

  6. This is BS, this system is not working. Does NYSEG have any laws to abide by or do they just make them up as they go to suit their needs? I’ve tried several times to log in on the site indicated with absolutely no luck.
