Thorny Issues Surround Corporate ID Theft

Recent case highlights evolving threat

July 2009


To administrators who approve thousands of payments to state vendors each year, the requests must not have seemed that unusual—two companies writing the West Virginia state auditor’s office, asking that compensation owed for their services be paid into new bank accounts. Standard bureaucratic paperwork was in place: the requests were made on company letterhead, and they included tax identification numbers, sample checks, and even signatures from the companies’ CEOs.

It was only after the auditor’s office deposited the money—three separate installments totaling nearly $2 million—that the government agency realized it had been had. Those tax identification numbers were stolen, the checks bogus, the signatures forged. Somehow the funds ended up overseas.. Speaking to reporters at a May 4 press conference, Auditor Glen Gainer contended that the state was not obligated to reimburse the vendors involved. "We did our job," he said. "We did what was expected of us within the rules and policies and procedures."

For Deloitte Services, a New York City consulting firm, and Sedgwick Claims Management Services, companies later identified as the scheme’s victims, it was an all-too-personal introduction to corporate identity theft, a phenomenon that’s been on the law enforcement radar for years and that made a popular splash as news of the West Virginia case showed up in national headlines. 

A grand jury later charged a North Carolina woman, 33-year-old Angella Muthoni Chegge-Kraszeski, with conspiracy to engage in illegal monetary transactions. The indictment brought against her in a U.S. District Court in West Virginia lays out the details of her alleged scheme. With the help of accomplices, Chegge-Kraszeski is accused of having opened bank accounts for two companies—Deloitte and the consulting firm Unisys—in Minneapolis. The indictment alleges that “persons unknown to the grand jury” printed “Company eVendor agreement” forms from the West Virginia Auditor’s web site and filled them out on behalf of legitimate vendors Deloitte and Unisys, directing the state to directly deposit funds owed to the companies to the Minneapolis accounts under Chegge-Kraszeski’s control. In the Deloitte case, the state did so, wiring $919,916. Subsequently, Chegge-Kraszewski is believed to have made several transfers of money out of the account and into that of a bank in Kenya as well as written a check to “Christina Clay,” a fake identity she adopted. 

From the criminal point of view, defrauding corporations makes good economic sense. Like people, businesses have legal identities that can be manipulated for financial gain—in many cases, more gain than could possibly be offered by credit lines of mere individuals. But gauging the frequency of corporate identity theft is tricky, says Betsy Broder, assistant director of the Federal Trade Commission’s division of privacy and identity protection. “Part of the problem is that there is no central way to view the problem,” Broder wrote in a recent e-mail to Identity Theft 911. The FTC, which currently tracks identity theft of individuals through a national complaint database as well as annual surveys, has no way of tracking corporate versions of the crime.

Several years ago, the President’s Identity Theft Task Force, a committee comprised of leaders from 17 federal agencies, including the Office of the Attorney General, the Department of the Treasury and the FTC, recommended enactment of federal legislation that would criminalize identity theft against an organization. Currently, prosecutors may pursue such crimes under any number of existing state or federal laws, like wire or mail fraud, Broder says. Though introduced as part of a bill approved by the Senate, the recommendation to create a federal business identity theft law was never approved by the full Congress.

As it’s typically used in the media, the term corporate identity theft can refer to any number of scenarios. In the simplest cases, perpetrators use corporate identities to open fraudulent lines of credit. That’s what San Clemente, Calif., resident Michael Jerome Brown is accused of having done in December 2006, when he allegedly stole the identity of the now-defunct Back Tee Golf in the city of Roseville, near Sacramento. Brown allegedly obtained an American Express corporate account in the company’s name and racked up more than $100,000 in debt, using the card to purchase cell phones, Blackberries and more, according to the Orange County Register. 

He also allegedly set up fake companies in various cities to obtain corporate lines of credit, going so far as renting offices for some of them. He used these companies to open accounts with credit card companies, phone service providers and other companies. In total, his alleged fraud amounted to $450,000 in illegally obtained goods and services. In October 2007, he pleaded not guilty in Orange County Superior Court to 18 felonies and five counts of identity theft.

The case in West Virginia is a bit more complex, however, because it deals not with credit but actual cash—compensation legitimately owed to vendors who, like everyone, must ultimately look out for their bottom line. Two million dollars is not chump change, and as Fordham University law Professor Joel Reidenberg points out in a recent Associated Press article, the case deals with an area of state law that probably “isn’t well-developed.” It also underlines the perpetually conflicting values of privacy versus freedom of information. Few would want state government contracts held under a veil of secrecy, and yet greater access to vendor information for the general public also means greater access to the criminal element. There is a balance to be struck, though finding it won’t be easy. Speaking to the press in the wake of the West Virginia incident, Gainer mentioned that similar fraud attempts have also been made against the governments of Florida, Massachusetts, Maine and North Carolina.