US Passport Agency contractor stole applicants’ data to steal their identities

Three women from Houston, Texas, stand accused of engaging in an identity theft scheme in which one of them, a contract employee of the Department of State Passport Agency, was in charge of stealing personally identifiable information of persons applying for a passport.

The information was then used to create counterfeit identification documents, which the other two women would use to successfully impersonate the affected individuals in order to fraudulently obtain commercial lines of credit and to purchase iPhones, iPads and other electronic merchandise.

This scheme went on for over five years.

There are no more details about how Chloe McClendon, the Passport Agency contractor, exfiltrated the personal data in question, but according to The Washington Post, the US Passport Agency decided last month to ban both federal employees and private contractors from bringing devices equipped with a camera into the offices where they review and process requests for passports.

Apparently, this decision was influenced by the Houston incident, indicating that McClendon likely took pictures of private information on passports.

Technically, banning devices with cameras won’t stop determined insiders from stealing information.

As Rob Arnold, president of the National Federation of Federal Employees Local 1998, which represents Passport Agency workers nationwide, pointed out, they can still use a pen and paper to write the information down and exfiltrate it that way. They can also fax the information or simply memorize it, then write it down once they are home.

Federal employees and contractors are vetted before being allowed to perform work that includes dealing with this type of information, but preventing this type of incident from ever happening again seems impossible.

Another problem in this particular case might be cost cutting. According to Arnold, in the last few years the Passport Agency has been employing contractors to do jobs that used to be higher-responsibility government posts.

The insider threat is a notoriously difficult problem to solve, because insiders can have different motives for doing what they do. When money is the main motive, insiders usually set up a quiet way to steal and use (or sell) confidential or proprietary information.

Jim Gogolinski, Senior Threats Researcher at Trend Micro, wrote a helpful overview of the malicious insider problem, and offered some advice on how to prevent and mitigate the insider threat.