RadioShack Rep Used Customer Data To File False Tax Returns. Why Is RadioShack Even Still Collecting SS Numbers?

Written by Evan Schuman
July 25th, 2012

When a Radio Shack call center representative was sentenced to prison on Monday (July 23), it was because she had pled guilty to filing false tax returns to collect refunds. The information she needed to create bogus tax returns, including valid Social Security numbers, came from Radio Shack customers with whom she had worked. But why was Radio Shack collecting and storing Social Security numbers in the first place?

Turns out the call center rep, Youlanda Rochelle Wright, was collecting Social Security numbers as part of RadioShack’s then deal with Dish Networks. Dish apparently required those numbers when giving new customers credit. Given the bad publicity coming from this 6.5-year prison sentence for a onetime RadioShack customer service rep accused of ripping off her customers, it might be time to call for strict IT rules on refusing to store ultra-sensitive data, such as Social Security numbers.

Why not borrow a tactic from payment security and use a token? Or perhaps require partners to collect such data themselves? Or send those customers to a site for capturing that data in a way customer service reps cannot access?

Wright’s attorney, Catherine Dunnavant, argued that if chains like RadioShack want to avoid such problems, deciding to never collect this type of data is a good place to start. “This was really tempting. It’s crazy easy,” Dunnavant said about her client’s ability to craft complete tax returns solely using what RadioShack gave to her. “I believe it was too easy.”

Chains such as RadioShack would never consider storing payment-card data in the clear, lest they be hit by both PCI and the Federal Trade Commission (FTC). Heck, the courts have even forced retailers to give up on asking for ZIP codes at checkout. But the absence of PCI-like rules for privacy data has left a huge vacuum. IT must deal with this issue through policy. By the way, encryption wouldn’t have helped in this case because the accused apparently wrote down the numbers as they were told to her. The only cure is to simply not accept the numbers.


4 Comments | Read RadioShack Rep Used Customer Data To File False Tax Returns. Why Is RadioShack Even Still Collecting SS Numbers?

  1. Jim Huguelet Says:

    Without knowing all of the details of the specific case, it seems more likely the defendant did not use previously-stored data – she simply captured what she wanted on a piece of paper on her desk as she was working with the customers to obtain the information in the first place. Thus, it isn’t a “data at rest” issue – but a “data capture” issue.

    As alluded to, the best way to handle this sort of situation is to have the agent briefly transfer the customer to an IVR system when the appropriate time in the call occurs so that he/she can enter their SSN via their phone’s keypad – then have the call transferred back to the live agent when this is done. It’s fairly straight-forward to implement and takes the agent out of the loop on data capture.

  2. Evan Schuman Says:

    Agreed. As the story said: “Encryption wouldn’t have helped in this case because the accused apparently wrote down the numbers as they were told to her. The only cure is to simply not accept the numbers.”

  3. A reader Says:

    The problem is that identity data has value. If it wasn’t SSN, what would you have them ask for in order to extend credit to an unknown person? No matter what information the industry asks for, the same information can be copied and abused.

    The technical answer is a chip embedded in your Orwellian identity card. Is the personal cost of privacy worth the price of corporate security?

  4. Dan Stiel Says:

    Another issue apparently overlooked regarding social security numbers is the comfort level with giving/accepting the last four digits as some holy grail over identity validation. Anyone armed with this tidbit of info can wreak havoc on both consumer and data gatekeepers. I’m surprised more attention hasn’t been paid to this.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.