500+ SSNs Escape NJ Lawyers Pellegrino & Feldstein
FOR IMMEDIATE RELEASE: February 11, 2008 UPDATED: February 26, 2008Media Contact: Aaron Titus
(202) 681-1686
DENVILLE, New Jersey. Confidential consumer information somehow escaped the New Jersey law offices of Collections Lawyers Pellegrino & Feldstein, and ended up posted on several websites. The Liberty Coalition discovered cached versions of an Excel file that contained the full names, social security numbers, dates of birth, addresses, account numbers, and financial information of more than 530 individuals who had interactions with Pellegrino & Feldstein in approximately 2004-2005. It also includes notes about highly private subjects, including medical conditions and employment information. The list, named "newportfolio.xls," was posted on a number of websites, including rjrsolutions.com, cliftonrealtor.com, vdiiorio.com, cliftonrealestate.com, and anthonyc21.com on or before October 8, 2007. Although it was deleted prior to December 6, 2007, copies remained in at least two search engine caches as late as February, 2008.
All but 10 of the individuals affected by this exposure live in New Jersey. The Liberty Coalition contacted several of the victims and their attorneys, and found that the list originated from LT Asset Recovery, LLC, who in turn hired Pellegrino & Feldstein. Several victims have e-mailed the Liberty Coalition to indicate that LT Asset Recoverty and Pellegrino & Feldstein's business agents are the same person, Michael Pellegrino.
The Liberty Coalition notified the New Jersey State Attorney General, and filed an ethics complaint against Michael Pellegrino on February 15, 2008, which reads in pertinant part,
"Confidential financial and personal information of more than 530 New Jersey residents somehow escaped the stewardship of the New Jersey law offices of Collections Lawyers Pellegrino & Feldstein, and ended up posted on several websites....The Liberty Coalition has not received an official response.
"We contacted Pellegrino & Feldstein on December 10, 2007 by e-mail. I was subsequently contacted by counsel representing Pellegrino & Feldstein. The lawyer I spoke with made no commitments that his clients would take any specific action. We have no evidence that Pellegrino & Feldstein did or did not act in accordance with New Jersey breach notification laws.
"By allowing this information to be posted online, Pellegrino & Feldstein has put these individuals at extreme risk of identity theft, fraud, and other forms of danger. At the very least, the law firm should bear the financial consequences of protecting the 530+ individuals from identity theft by purchasing ID theft protection services in their behalf.
"Only a portion of the original Excel file was cached, and there is strong evidence to suggest that the original Excel file contained as many as 800 names with attendant sensitive personal information...."
[UPDATE: December 26, 2008] On December 9, 2008, Michael Pellegrino contacted the Liberty Coalition by phone, offering to make RJR Solutions (the web hosting providers immediately responsible for the breach) pay for identity theft protection services. We responded:
I commend you for your offer to make RJR Solutions pay for identity theft protection services...On Tuesday, December 12, 2008, Mr. Pellegrino e-mailed a draft copy of a letter from RJR Solutions to victims, and asked for my feedback "ASAP" before they sent it out. The letter read:
Though ID Theft protection is prudent, I fear that your sudden change of heart, 14 months after the original breach, may be too little too late. Moreover, this action fails to address the 15 points [of law and fact] outlined in my [earlier] letter.... Consequently, we reiterate the original complaint.
This letter is to inform you that a file containing your social security number had been accessible via the Internet for a brief time. The file was immediately removed once discovered and searches made through out the Internet for any potential copies on archive web sites. Much time and energy has been expended from the time of discovery throughout 2008 to make certain that this information is not available online.Since the draft letter was factually deficient and offered no real help to victims, we composed a suggested form letter which gave a more factually complete description of the event. To date, it is unknown whether RJR or Pellegrino & Feldstein have utilized any version of the example letter.
This file was originally located on a secure and private online work area for a client and had inadvertently been moved to a non-secured location during several website upgrades. Although the exposure to the file was very limited with regard to time and quantity of information, we are notifying you in case you are not using a credit monitoring service. In general, credit monitoring services are something that we recommend to all individuals.
Sincerely,
RJR Solutions, Inc.
Department of Internet Security
On Chrismas Eve the Liberty Coalition received a 20-page confidential report from the New Jersey District X Ethics Committee dated December 15, 2008, which found "no evidence of unethical conduct that would warrant filing a complaint" against Pellegrino & Feldstein. The matter was dismissed by the New Jersey Bar Ethics Committee, and closed.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
About NationalIDWatch.org
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.