Professor’s ID stolen; $22,000 gone

When University of Virginia professor Patrick Grant opened his mailbox on May 23 to find three letters from Bank of America informing him that they would not raise his credit limit, he knew his identity had been stolen.

“I got one of those gut-wrenching feelings that this is really, really wrong,” Grant said.

Grant, a professor of microchemistry and molecular genetics, had never asked Bank of America to raise the limit on his credit card.

Someone else must have done it. Someone else, he realized, must have access to his credit account.

In the hours that followed, a picture of what happened began to emerge.

Very quick and organized

Identity thieves in New York had opened a checking and savings account in Grant’s name, aided by his Social Security number and a fake New York driver’s license with his name on it. Using an online banking feature of the fraudulent checking account, the thieves hijacked Grant’s existing Bank of America credit card account.

They drained Grant’s credit card account by authorizing cash advance payments, which they then withdrew from an ATM. Over the course of nine or 10 days, the thieves obtained $22,000 with Grant’s credit card.

“It was clearly very organized and very quick,” Grant said.

It may be impossible to know where the crooks discovered Grant’s identity and Social Security number. However, Grant’s personal information — including his name and SSN — was exposed in two major data breaches at UVa.

Personal files accessed

In June 2007, the university discovered that hackers had managed to access records of 5,735 faculty members on 54 days between May 20, 2005, and April 19, 2007. The faculty members’ names, SSNs and dates of birth were compromised. Grant’s personal information was among the files that were accessed.

In April, a UVa employee brought home a laptop containing the names and SSNs of some 7,000 faculty, students and staff. The laptop was stolen out of the employee’s locked car. Once again, Grant’s personal data was included in the stolen files.

“We’ll probably never know where it came from or who did it. It may never be resolved,” Grant said. “The only thing I can say is that the information that was stolen from either of those occasions was sufficient for the thieves to do what they did to me. I know of only those two instances when my personal information has been stolen.”

When notified by the university that he might be at risk of identity theft, Grant immediately signed up for credit monitoring and placed a fraud alert on his credit report.

“Neither helped me at all,” he said. “I was sitting there thinking I’m OK because I did everything I was supposed to. But I wasn’t, as it turned out, protected at all.”

Credit monitoring notifies an account holder whenever someone attempts to open a new credit line, such as for a credit card, a home loan or a car loan, said Heather Greer, a spokeswoman for Experian, which tracks credit scores.

Thieves take control

In Grant’s case, the identity thieves never sought to open a new credit account. They managed to simply take control of Grant’s existing credit account.

The UVa Police Department and the FBI are investigating the theft of Grant’s identity.

Lt. Melissa Fielding of the UVa police said that detectives are making progress in the case, but no arrests have yet been made.

“We have an open-active investigation,” she said. “We are working on it. We have involved the FBI.”

Bank of America has informed Grant that it will not hold him responsible for the $22,000 that was stolen under his name. A bank spokesperson did not return a call for comment Friday.

Grant’s credit score may be in shambles after the ordeal. However, he can dispute the charges with the credit rating agencies and have it fixed, Greer said.

While Grant may not be liable for the $22,000 and his credit score may not be destroyed, the process has been a nightmare.

He spent hours on the phone with Bank of America trying to convince them that he was the true Patrick Grant. He had his credit card account frozen.

And the day after he discovered that his identity had been stolen and he could no longer use his credit card, he had to fly to England to spend time with his father who is dying of cancer. While there, he was unable to pay for his hotel or meals, having to instead rely on his mother.

“She had other things to worry about,” he said. “It was awful.”

Grant is the first UVa faculty member known to have his identity stolen in a case possibly connected to the university’s two high-profile data breaches.

He is worried that additional identity thefts may be on the horizon.

“I might be the only person to have this happen at UVa. Or I could just be the first of what could be thousands,” he said. “This could be happening right now to other people at UVa and they don’t even know about it.”

New policies on the way

UVa spokeswoman Carol Wood said the university is very concerned about Grant’s situation and is trying to “keep pressure” on the FBI to crack the case.

“It’s scary,” she said. “It’s terrible. We’re living in a crazy world.”

Identity theft has become increasingly common across the country in recent years. According to a November 2007 report by the Federal Trade Commission, 3.7 percent of all American adults — or 8.3 million people — had their identity stolen in 2005. These thefts totaled an estimated $15.6 billion in losses.

To help prevent future data breaches at UVa, the university is adding new security policies and strengthening existing ones.

In a few days, UVa will announce a policy on laptop security, said Shirley Payne, the university’s director for security coordination and policy.

The new policy will prohibit UVa employees from storing sensitive data on laptops, desktop computers or portable devices unless they have a compelling reason to do so, as well as permission from a dean, Payne said. In all cases, she added, the data must be encrypted.

“We felt that in light of what happened with the stolen laptop, we really needed to be more directive,” she said.

Grant wants UVa to alert its employees that credit monitoring and fraud alerts might not protect them from identity theft. To minimize risk, they need to actively watch their credit scores and bank accounts for odd activity.

“The people who did this, I get the feeling that they know how the system works,” he said.