FTC Suit Accuses Net Firm of Stealing Personal Data

Tackling a data theft problem that authorities say has found an expanding market on the Internet, the Federal Trade Commission on Wednesday filed its first suit against an online “information broker” accused of tricking banks out of sensitive customer information.

The suit accuses Denver-based Touch Tone Information Inc. of “pretexting,” or having employees pose as bank customers in a ruse to obtain account balances and other personal data. The company is accused of deceptive trade practices.

Touch Tone allegedly marketed its ability to obtain such data on a Web site that features an array of private investigation services.

FTC officials said there are more than 100 similar investigation firms on the Internet, though it’s unclear how many of them engage in pretexting. Privacy experts say the proliferation of Internet sites marketing such personal data, whether obtained from legitimate sources or through illegal means, is a growing source of concern.

Robert Pitofsky, chairman of the FTC, described the Touch Tone case as “a particularly pernicious invasion of consumers’ privacy.” In its suit, filed in U.S. District Court in Denver, the FTC is seeking to force the company to surrender any profit it has earned from the illegal practice, and an injunction barring the firm from such activities.

James P. Rapp, owner of Touch Tone, conceded in a phone interview that his firm has made pretext calls to banks and said he would agree to stop. But he also portrayed the practice as a common and necessary mechanism for helping deserving clients.

“My job is to help people collect their debts,” Rapp said. “Women with ex-husbands who don’t pay child support come to me to find information. We’re here to help people.”

Rapp and his wife, Regana L. Rapp, were named in the suit after an elaborate sting operation that involved cooperation from banking industry executives who agreed to have their personal accounts serve as bait. The cooperating banks included Bank One Corp. of Chicago, Washington Mutual Inc. of Seattle and Wachovia Corp. of Atlanta.

FTC attorneys said the agency, through a private investigator, hired Touch Tone to track down financial records on four banking officials whose positions weren’t disclosed. In each case, FTC attorneys said, Touch Tone came back with detailed and accurate information on their accounts and balances.

Touch Tone employees obtained the information, FTC attorneys said, by calling the various banks armed with addresses, Social Security numbers and other information on the targeted subjects that helped them trick bank employees into disclosing sensitive data over the telephone.

“Pretexting is the oldest trick in the book,” said Beth Givens, director of Privacy Rights Clearinghouse in San Diego. “But the Internet has forced the FTC to take a look at these firms because their Web sites brag about their information-gathering prowess.”

David Medine, associate director of financial practices at the FTC, said Touch Tone advertised its ability to unearth sensitive financial data on its Web site, which the company took down Wednesday.

“The Internet has made this a much more prominent industry than ever before,” Medine said, because it is such an affordable marketing tool for companies that wouldn’t ordinarily have a national reach.

But Rapp said his company relied very little on business generated over the Net and that the bulk of its more than 1,000 clients have come through referrals. He said his company has 24 employees, offices in Seattle and Missoula, Mont., and revenue of about $1.5 million a year.

*

* ONLINE CREDIT THEFT: Online buyers report credit card theft, apparently due to security gap. C3