Yahoo! News – Your Statements Went Where?
By Griff Witte, Washington Post Staff Writer
Last May, Ryan Pirozzi visited his mailbox in Edina, Minn., and found it overflowing with more than a dozen bank statements.
All were made out to his address. All held sensitive information about various accounts.
He just wishes some of them had been his.
Because of a few wayward keystrokes by a clerk at a bank processing center, Pirozzi has for nine months received the financial statements of scores of strangers, many of whom are Washington area residents and all of whom had had Wachovia Corp. escrow accounts.
Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one at the bank or at a local title company that helped establish the accounts took action on his repeated calls. It was only in the past few weeks, after Pirozzi began receiving strangers’ tax forms and after inquiries from a Washington Post reporter, that both companies began to investigate.
“I potentially have access to their Social Security (news – web sites) numbers and their names. I also have their bank account numbers. That’s very private information,” Pirozzi said. “I don’t know what I could do with all of that — I don’t have a criminal mind. But there are definitely opportunities.”
Privacy experts agree.
“This is a raft of sensitive financial information that would be an identity thief’s dream,” said Travis Plunkett, legislative director of the Consumer Federation of America.
Experiences like Pirozzi’s are rare in an industry that depends on sophisticated computers and software to shuffle billions of transactions a day. But it nevertheless points to the vulnerabilities in systems that have become so highly automated that small errors in the management of databases can quickly become amplified into major security breaches, consumer advocates say. They say, too, that the lack of a prompt response from the companies involved reflects a broader problem with financial institutions not doing all they can to safeguard their clients’ private information.
And when that happens, fraud can result. Identity theft topped the Federal Trade Commission’s list of fraud complaints for the fifth year in a row in 2004. A 2003 FTC study showed that 27.3 million Americans had been victims of identity theft in the previous five years, including nearly 10 million in the previous year alone.
After a week of investigating the episode, Wachovia acknowledged late last month that one of its clerks had made a mistake in entering Pirozzi’s address, causing the company’s computer system to link it with many other customers who, like Pirozzi, bought real estate through Walker Title and Escrow Co. of Fairfax.
Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140.
“Wachovia takes the protection of sensitive information very seriously,” said Sandy Deem, a company spokeswoman. “It was an isolated incident that was very unusual. We have taken steps to prevent it from happening in the future.”
Deem noted that the vast majority of the accounts were already closed by the time the statements were sent to Pirozzi. Established simply to hold the escrow deposits on their new condominium purchase, most of them had zero balances.
Alan Walker, president of Walker Title, said the problem lay with Wachovia. “The bank sends the statements out,” he said. “We don’t have anything to do with that.” Walker said he didn’t find out about the episode until Jan. 24 and that had he known sooner, “it would have been dealt with right away.”
Deem said on Friday that Wachovia has now contacted or attempted to contact everyone whose financial documents were misdirected, even though the bank does not believe anyone’s private information was misused.
Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, said the bank should have done that much earlier.
Givens said this case demonstrates that identity theft doesn’t always stem from people being careless with their financial information; the institutions that people trust with that information can be just as negligent. Although the worst didn’t happen here, information gleaned from misdirected mail can wind up on the black market, sold to the highest bidder.
There have been instances, Givens said, in which mail processing systems misfire and match each address with a name that’s one off from the correct name. In those situations, she said, hundreds or even thousands of pieces of mail can go to the wrong address. But those kinds of mistakes are usually noticed and corrected quickly.
Pirozzi’s case, she said, is remarkable for how long it went undetected.
“They’re putting all of these people at risk,” Givens said. “The person on the receiving end here was honest. But he might not have been.”
Pat Derwinski shudders at the thought.
Derwinski, a real estate agent who lives in McLean, was among those whose 1099 form, a document that lists her Social Security number, showed up last month in Pirozzi’s mailbox. “It is very, very scary,” she said. “I’ve had a couple of clients in the past year go through identity theft. It’s a horrifying situation.”
Derwinski and Pirozzi have never met. But they do have one thing in common: They both bought condominiums in Northern Virginia last year, and they both had Wachovia escrow accounts after using Walker to handle the closing.
Pirozzi, 30, an Air Force veteran, and his wife bought a unit at the Continental in Ballston but quickly sold it after he took a job in Minnesota as a financial analyst with a national retailer last spring. With the sale complete, Pirozzi thought he had put the whole thing behind him.
Then one day soon after the move he checked his mail and found a bank statement from Wachovia. He opened it and was puzzled to find information on an account that was not his own. “I looked, and it wasn’t my name. But it was my address,” he said.
Pirozzi thought maybe the name was that of one of his new home’s previous owners. But as he began sorting through the rest of his mail that day, he said he “noticed a consistent theme.”
That first month, he said, he received several dozen statements that all listed his address but someone else’s name. Pirozzi first called Wachovia, hoping they could quickly resolve the matter and get the mail redirected to its rightful owners.
Instead, he got bounced from person to person, number to number, automated system to automated system.
Eventually, he talked to someone who claimed to have an answer. “They said it was all Walker’s fault,” he recounted. “I talked to Walker, and they said it was all Wachovia’s fault.”
So it went, month after month. When Pirozzi started receiving other people’s 1099 tax forms in January, he sent an e-mail to several high-level officials at Walker Title explaining the situation and demanding that someone intervene to stop the torrent of misdirected mail. He got no response.
The e-mail, Pirozzi was later told, had been blocked by a company spam filter and no one at Walker had received it.
Pirozzi had not opened a single misdirected letter after the first one, and instead began dropping them back in the mail after scrawling on each envelope: “Return to sender. Please don’t send me other people’s banking information.”
“It took me an hour every month,” he said.
Deem said Wachovia had begun to correct customers’ addresses as the returned envelopes piled up, but the full scale and source of the problem were not discovered until late last month.
Chris Hoofnagle, associate director of the Electronic Privacy Information Center, said it would not be difficult for Wachovia to put safeguards in place to catch this kind of error before large numbers of statements get mailed to the wrong person.
“It should be rather obvious when a bank sends 20 statements to the same address that there’s a problem,” he said. “But small errors can be magnified when you’re dealing with very large institutions. This is not your neighborhood bank.”
Hoofnagle said that while he has not heard of a situation like Pirozzi’s before, there have been other cases of small computer glitches having a big effect on the financial information of a specific set of consumers. Three years ago in Montgomery County, for instance, a mistake at Washington Mutual Mortgage Corp. resulted in tax payments not being correctly applied to 800 mortgagees’ property taxes. Most homeowners learned of the problem only when they received county notices saying that they were behind on their property taxes and that their homes might be sold off. The county later sent out letters of apology and assurances that no one’s home was on the auction block.
In Pirozzi’s case, a large number of people at a condominium in Falls Church, the Broadway, were affected. Bob Butchko, president of the homeowners association, said residents received a discount if they used the developers’ preferred choice, Walker, to close on their units. To secure a unit in the new building, prospective buyers placed deposits that were held in a Wachovia escrow account. Butchko said he doesn’t recall receiving any correspondence from Wachovia once the account was established. “I didn’t see anything from them,” Butchko said.
Last month, his 1099 form reporting interest earned on the escrow account was delivered to Pirozzi’s mailbox. Asked if he was angry about his information going to someone else, Butchko said, “That goes without saying.”
He was not the only one. Pirozzi cannot believe the kind of documents that have been dumped in his mailbox month after month.
“Financial information is so private,” he said. “Or, at least, it’s supposed to be.”
One day in mid-January, Pirozzi checked his mailbox expecting to turn up more of other people’s mail. Sure enough, that was what he found. But mixed in was a strange sight: an envelope from Wachovia with his address and his name. It was his 1099.
“That was the first piece of correspondence we received from them that was actually for us,” Pirozzi said.
Staff researchers Karl Evanzz and Carmen Chapin contributed to this report.
Bankwatch 