Unsuspecting Iowans fall into cyberattack web


INDIANOLA, Iowa — Instances in which Iowans’ identity was stolen jumped a whopping 30 percent, from a rate of 56 people for every 100,000 Iowans in 2014 to 73 just a year later, in 2015.

Most of the thefts happened via the internet. The growth in Iowa mirrors what is happening nationwide. Thefts via the digital world are on the rise as the crime evolves with technology. Yet, many people making legitimate purchases online still have a false sense of security about their private financial information.

The result, a series of interviews for an IowaWatch-Simpson College journalism project revealed, is a feeling of intrusion and personal violation for cyber identity theft victims.

“I felt just devastated, I didn’t know what all was affected,” Christy Eichelberger, 51, of Altoona, said. Thieves stole her identity to make online purchases in 2003 and she wonders now how technological advances have made things easier for cyber identity thefts.

Once inside a computer’s network, hackers can view documents, files and confidential data and use them for personal gain. Susan Kerr, a consumer protection investigator with the Iowa Attorney General’s Office, said digital security breaches have displaced the old way of obtaining unsuspecting consumers’ information: going through mail to steal people’s information.

The rate per 100,000 is a standard that considers the population for jurisdictions reporting crime data. In 2015, Iowa recorded 2,214 total impersonation reports. It recorded 1,371 impersonations in 2011.

But 2,558 Iowa victims were involved in those 2015 cases, which means more than one victim was targeted in some incidents.

Tracy Loynachan, a statistical research analyst at the Iowa Department of Public Safety, said the vast majority of these victims were individuals, while the others were businesses, financial institutions, governments, unrecorded or unknown.

In Eichelberger’s case, thieves hacked her eBay account and stole $1,300 in August 2003. She told her bank as soon as she noticed something was wrong.

That marked the beginning of a long process to restore and secure her financial accounts. “There were extra steps that we had to take to make sure that I really was who I said I was,” she said.

Police told Eichelberger identity theft is becoming huge and that people need to protect themselves, she said.

The process of regaining personal information is difficult, said state Rep. Zach Nunn, R-Bondurant, a former director of cybersecurity on the National Security Council and a former national counterintelligence officer in the Obama administration. It can mean getting new credit cards or even a new Social Security number and changing your banking information.

“That stuff is not only time-consuming but it creates a real fear in the individual that, ‘Hey, this happened once. How could it happen again?’” Nunn said.

Nunn said the most important part of reclaiming an identity, and perhaps finding vindication, is finding out where the stolen information is being redistributed or sold so that illegal websites can be shut down. He also urged people to give information that can be used to convict criminals before the thieves do more harm.

The identity reclamation process leaves banks and businesses with plenty of work to do, setting up firewalls and tests that consumers must pass to get into their systems. This makes hacking more difficult but not impossible.

The Federal Bureau of Investigation’s website states that identity theft is falsely representing someone’s identity or position and acting like that person to gain advantages the person has, such as profit or privilege.

A specialized website for fighting identity theft, Idtheftcenter.org, states that your identity can be stolen when you swipe your debit or credit card at a gas pump and don’t realize a reader, which is a device made to steal card information that looks like part of the pump, is stealing your personal financial information.

Or, thieves can steal your personal information when you order something online, even though you thought doing so was safe.

That’s how thieves stole $1,800 from the PayPal account of the Rev. Elizabeth Bell, 49, of Fairfield, in February 2017.

“The fact that this happened seems so surreal to me and then it made me angry,” Bell, a United Methodist minister who formerly worked in the credit and collections business and who is appointed to three Van Buren County churches, said. “There’s a vulnerability that happens with this. The idea of trusting a system or trusting individuals gets compromised.”


Kerr said the only way to protect yourself from data breaches is by putting a security freeze on your credit reports. This restricts access to the reports. Three main companies — Equifax, Experian and TransUnion — do this.

Megan Stufflebeem, 29, of Des Moines, canceled her credit card and went through necessary paperwork after $200 was stolen from her bank account in 2013 but said the process was painful. “It took a good month or two before they were able to refund my money,” she said.

The Federal Trade Commission has free data security resources — including free publications, videos, and tutorials — to help businesses of any size protect their customers and meet their legal obligations.

Iowa Code requires that anyone who owns or licenses computerized data containing a consumer’s personal information for professional or vocational purposes must notify the Attorney General’s Office consumer protection division within five business days about a security breach if it affects 500 people or more.

Thieves are charged depending on how much in monetary value was stolen, with first-degree theft covering property exceeding $10,000 in value and carrying the maximum punishment for a Class C felony, which is up to 10 years in prison and a fine of up to $10,000.

Thefts in which less than $10,000 in value was stolen have varying degrees of lesser punishment, 30 days in jail, for instance, or a fine ranging from $65 to $6,250.

Nunn said Iowa lawmakers face a challenge when trying to legislate crime in the internet’s virtual world the same way they legislate other crime.

“The virtual world is not always mirrored and handled in the physical world,” Nunn said. “If someone breaks into the Bank of America (in a cyberattack), steals billions of dollars or disrupts the business flow of a major bank, it’s very difficult to move to a physical crime in the same way if somebody broke into a bank and stole that money.”

Kevin Anderson, director of enterprise information protection at Farm Bureau Insurance, said he works with companies so that former employees no longer have access to a company’s security system. But hackers try reaching current employees, said Anderson, who interfaces with businesses to make sure the company meets their cybersecurity needs.

“They’re willing to pay employees large sums of money to, basically, hack from the inside,” he said. “So it’s always a concern. It’s a threat.”

However, most hacking attempts his company sees are by large-scale programs and bots, which are computer programs designed to do tasks in repetition, at a rate of 2.1 million intrusions a month, Anderson said.

The West Des Moines, Iowa-based gas station chain Kum & Go has taken extensive measures to implement these methods and strategies in order to lower their costs, Aaron Tekippe, IT security architect, said.

“We use a combination of technologies to protect customer data,” Tekippe said. “We use firewalls, intrusion prevention systems, we have data loss prevention systems that actually watch network traffic to ensure that data doesn’t actually leave our environment.”

He would not say how much that costs.

However, “I would assume the problem will stay the same as far as expense goes or be more expensive,” he said. “I think the attacks will become more frequent over time and as the attacks get more frequent, it would make sense it becomes more expensive.”

Concern about cyber hacking has increased with reports that Russian hackers were behind a massive 2014 Yahoo data breach, in which information from a half-billion Yahoo users’ accounts was stolen.

Bringing online identity thieves to justice is complicated when the suspects are from overseas. Many times prosecutors in foreign jurisdictions don’t care about the U.S. case, said Einaras von Gravrock, chief executive officer of CUJO Smart Firewall, a Los Angeles-based company that specializes in home and business internet security.

“The least of their worries is policing people who steal money from America, which is a shame, but that’s the world we live in,” von Gravrock said. He said Russian law enforcement personnel, for example, won’t waste time pursuing charges for virtual attacks intended for locations outside of their jurisdictions.

“The bad guys throw away your money 6,000 miles away,” von Gravrock said. “It’s not necessarily blaming the Russian government. They have their own challenges.”


Some high-profile cases of identity theft have hit not only Iowa but the nation and world.

In 2014, 70 million Target customers were affected by a data breach. Target reported that the stolen data included names, mailing addresses, phone numbers or email addresses.

In one of the biggest hacking incidents in 2007, thieves stole 94 million credit and debit card numbers from T.J. Maxx customers nationwide.

Kerr, at Iowa’s Attorney General’s Office, said data breaches such as these happen all the time to small credit processors and banks but do not make the kind of news large ones like those at Target and T.J. Maxx make.

“I think it boils down to crime that we know, crime that we don’t know, and there’s a lot of crime that we don’t know, specifically in the world of hacking,” Lt. Chris Scott, who has served with the Des Moines Police Department since 2001, said.

“You’re talking about a savvy hacker group, and there are groups. We have groups in America, and that’s what they invest their time in: ‘How can I financially benefit myself by getting into people’s bank account?’”

Scott knows how frustrating it is to have your identity stolen. He was an identity theft victim after someone stole and activated a credit card under his name and then went on a spending spree in Texas.

That was in 2000. Seventeen years later technology is more sophisticated, but the same kind of bad guys exist, he said.


Simple awareness can be a key to protecting your identity from thieves.

“It’s easy stuff like: have an antivirus on your computer, keep a close eye on your bank account, be careful where you’re using your cards,” Kurt Gocken, a network administrator for Simpson College and expert on email and internet scams, said.

Gocken said phishing emails and ransomware are common tools for the identity thief community.

Identity thieves send an email with a link for the receiver to click. When the receiver clicks, the ransomware executes code that encrypts the data on his or her hard drive. In order to unencrypt the data, the receiver has to pay the thief a sum of money.

“One of the most popular ones is they open up domain names and change it to corn because it looks like com,” he said. “So they’ll mimic Wells Fargo’s website but they’ll make it so you’re going somewhere else. But it’s easy to mistake the URL.”
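A mail filter or link checker can catch the look-alike trick Gocken describes by collapsing confusable character sequences before comparing a link's hostname with known-good domains. The Python below is an added example, not part of the original report; it generalizes the quoted rn/m case to anywhere in the domain name, and the allow-list, the extra confusable pairs and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration (assumption, not from the article).
TRUSTED_DOMAINS = {"wellsfargo.com", "paypal.com", "ebay.com"}

# Sequences that render like another character in many fonts.
# "rn" -> "m" is the case quoted above; the other pairs are assumptions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Collapse look-alike sequences so visually similar names compare equal."""
    domain = domain.lower()
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain


# Map each trusted domain's skeleton back to the domain it belongs to.
TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def classify(url):
    """Return (verdict, imitated_domain) for the hostname in a link."""
    # Parse the URL instead of searching the string, so a trusted name in
    # the path or userinfo part cannot pass for the real destination.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    # Simplification: treat the last two labels as the registrable domain.
    # Production code would consult the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    imitated = TRUSTED_SKELETONS.get(skeleton(domain))
    if imitated:
        return ("lookalike", imitated)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.wellsfargo.com/", "https://wellsfargo.corn/signin",
                 "http://paypa1.com/", "https://wellsfargo.com@example.net/"):
        print(link, classify(link))
```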

Gocken said another way to protect yourself is creating strong passwords and changing them often. “A more secure password would be longer, non-dictionary words. Something to do with names, usually is a good one,” he said.

The length of the password correlates with the strength, because each character added increases the number of possibilities the password could be. Gocken doesn’t recommend writing the passwords down, as someone can easily find them.

Susan Kerr, a consumer protection investigator with the Iowa Attorney General’s Office who warned against data breaches, said a person can protect a personal identity by putting a security freeze on credit reports from credit bureaus, notably Equifax, Experian and TransUnion.

The Federal Trade Commission’s Bureau of Consumer Protection tells consumers a credit freeze lets you restrict access to your credit report. Most creditors need to see your credit report before approving a new account. Without your approval, the identity thief won’t be able to take credit out in your name.

According to the U.S. Electronic Fund Transfer Act and Fair Credit Billing Act, identity theft victims have 60 days to report unauthorized transactions on their debit or credit card to the bank.

Rhonda Vry-Bills, senior director at IDShield, an Oklahoma-based international identity theft agency, said IDShield monitors each customer’s driver’s license, medical identity card, email account, passport, Social Security number, bank accounts and other information.

“Most people that are signing up for this membership are people that have already been affected by it. Typically more people are reactive,” Vry-Bills said.

Cybersecurity experts also offered these simple ways to protect yourself:

  • Never carry your Social Security number or Medicare card in your wallet.
  • Make a copy of all of your critical personal documents in case they are stolen.
  • If someone is asking for your Social Security number, ask why. Never give it unless it’s necessary.
  • Don’t put any important information in your phone because, if someone steals it, that person also will have that information.

If you are a victim of identity theft:

  • File a report with your local law enforcement agency and get a copy of the report.
  • Call one of the three national credit reporting bureaus (Equifax, Experian and TransUnion) to put a 90-day initial security alert on your credit reports. When you call one bureau, they will share the initial security alert with the others.
  • To request an extended fraud alert, complete an ID Theft Affidavit, which can be found on the Iowa government’s website. This fraud alert will remain in effect for seven years.

The Iowa Attorney General’s Office sends out a monthly newsletter focused on consumer protection with tips on how to further protect yourself from identity theft and other issues.

Hunter Hillygus and Ashley Smith contributed to this report.

This story was produced by the Iowa Center for Public Affairs Journalism-IowaWatch.org, a nonprofit, online news website that collaborates with Iowa news organizations to produce explanatory and investigative reporting.