While databases with pilfered confidential details are bought and sold, experts say banks and other supposedly reputable institutions are sometimes in on the scams.
A few years ago, someone took out a Hr 130,000 loan from a bank using Svitlana Pisotka’s identity.
Pisotka, however, didn’t know anything about it. She only found out recently, when a police officer called to tell her that her identity had been used by Lybid Credit Union to obtain the money.
“Somebody stole my passport data, personal identification code, forged my signature and got a huge chunk of money,” Pisotka, an economist from Kyiv, said. Later she learned she was not the only one: The same credit union somehow obtained and used personal information from more than 60 people to acquire bank loans.
The credit union mysteriously disappeared in 2009, along with its founders and Hr 12 million of depositors’ money.
Thousands of Ukrainians are victims of identity theft every year. According to the Interior Ministry, about 3 percent of bank loan applications are made with stolen identities. Many, like Pisotka, underestimate the danger of having their personal data stolen or leaked by unscrupulous guardians of the information.
Ukraine is, however, making its first steps to improve personal data protection. President Viktor Yanukovych signed a law on personal data protection on June 1. Legal experts say it’s a significant step towards European standards, but there is still room for improvement.
Identities bought, sold
Personal data is a pricey commodity. Criminals pay handsomely to get access to people’s identities and use the sensitive information for fraudulent activities, including the acquisition of bank loans, and to privatize land plots and other types of fraud.
Sometimes fraud is performed using a stolen passport with a new photo pasted in of the person coming to apply for a bank loan. But some ID thieves don’t have to do much work at all: They get other people to loan them passports and other documents for a small fee of Hr 100.
In 2008, a resourceful Kyiv student “borrowed” passports from his dorm roommates, and later the data was used to privatize expensive land plots in Kyiv suburbs.
“The problem is that most of the databases are poorly secured and it’s hard to trace an employee who accessed it, copied and disseminated the data in a malicious way.”
– Denys Kovryzhenko, legal program director at Kyiv-based Legislative Initiative Laboratory think tank.
But the easiest way by far to obtain personal data in bulk is to visit Petrivka book market or Karavayevy Dachi gadgets market in Kyiv and buy a CD.
The hottest buys are the databases of Ukraine’s State Tax Administration, containing personal and business information, and the Technical Inventory Bureau database with property ownership and other records.
The more entries a database has, and the more “exclusive” and up-to-date it is, the more it will cost. Prices for an average database vary from several hundred dollars to $1,000. Incidentally, $1,000 is also the standard payoff to the police if you’re caught selling this type of product, according to Petrivka vendors.
But if the case gets to court, the culprit can get either a Hr 850 fine, two years of correctional work, or six months in jail if convicted, according to Denys Kovryzhenko, legal program director at Kyiv-based Legislative Initiative Laboratory think tank. Those who leaked the database can also be punished, but rarely are because law enforcers have trouble proving their involvement.
“The problem is that most of the databases are poorly secured and it’s hard to trace an employee who accessed it, copied and disseminated the data in a malicious way,” Kovryzhenko of the Legislative Initiative Laboratory said. “In Western countries, for example, each entry to a database is easy to trace – who accessed it, what information they were looking for and what was copied or printed out. We have neither any adequate mechanisms of digitized data protection, nor proper internal control.”
While the new law should help, privacy experts say even tougher legislation is needed. “It just declares basic principles of data collection, maintenance and processing,” Kovryzhenko said.
“The law establishes an agency that will be in charge of all databases containing personal data, but there is no clear definition of the scope of its powers. The mode of cooperation with other database holders, like the Tax Administration, for example, is not clear.”
Furthermore, the safety of people’s personal data will fully depend on the quality of work of the agency that will be regulating all aspects of data processing.
Blaming victims
To add insult to injury, victims of identity theft are liable for fraud until they can prove otherwise.
In America, banks would waive the liability for the ID theft, you just need to quickly notify them. So a person won’t lose his or her money, it’s just a big hassle.”
– Adam Levitin, professor of the Georgetown University School of Law in Washington, D.C.
The process is time-consuming and requires filing claims, explanations and assessments by various experts.
Pisotka has gone through the entire process. The assessment she hated the most was from a handwriting expert, who required her to copy seven standard pages of text by hand.
“Two of those pages were extracts from the Criminal Code, including the article that regulates document fraud. The officers who investigated my case have a brilliant sense of humor,” Pisotska said.
U.S. banks, unlike Ukrainian ones, do not blame the victim. However, Americans with stolen identities have suffered damage to their credit-rating scores – an all-important barometer of how creditworthy a person is. Such ratings are not in use in Ukraine.
In America, “banks would waive the liability for the ID theft, you just need to quickly notify them. So a person won’t lose his or her money, it’s just a big hassle,” said Adam Levitin, professor of the Georgetown University School of Law in Washington, D.C.
A colleague of Levitin, professor Edward Janger of the Brooklyn School of Law said that the banks suffer huge losses caused by unauthorized transactions, but they investigate the major cases only. “Nobody would investigate a $200 drain, as the cost of investigation is pretty high,” Janger said. “The banks though are externalizing some of the risks on the merchants [in case of unauthorized online purchase].”
To make matters worse, law enforcers say some Ukrainian banks serve as accomplices to the crime by turning a blind eye when forged documents are used, or when discrepancies appear in signatures.
And several major Ukrainian banks are not helping public understanding or discussion of the increasingly important topic. Many refused to comment on fraud investigation procedures, citing “internal security rules.”
Happy ending
‘If the investigation shows that your signature was forged, they can start searching for the wrongdoers who did it and applied [for a loan] and also search for ths bank employees who assisted them.”
– Denys Kovryzhenko, legal program director at Kyiv-based Legislative Initiative Laboratory think tank.
Despite all the trouble, Pisotka’s story had a happy ending. She managed to prove that she had nothing to do with the Lybid affair.
Kovryzhenko said the long process is the only way to ensure the correct person is punished. “Financial institutions can’t waive liability just because a person says he or she is not liable. Otherwise, a lot of bank clients would use this trick, and the bank would have to prove the opposite,” he said.
“That’s why people have to undergo those assessments. If the investigation shows that your signature was forged, they can start searching for the wrongdoers who did it and applied [for a loan] and also search for ths bank employees who assisted them. The procedure can cause inconveniences to ID theft victims, but they are the most affected parties, so they should cooperate with the investigation.”
Staff writers Marie Shamota and Olesia Oleshko can be reached at
