Massachusetts Attorney General, Victim of an iTunes Scam, Says She’ll Demand Answers

Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple’s popular online music store.

In a lunchtime address to business and technology leaders in Massachusetts, Coakley said she was a victim of identity theft in recent months, and that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) about whether such fraud constitutes a reportable event under the Bay State’s strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino, California-based Apple, which has steadfastly refused to comment, or report the breaches to Massachusetts regulators.

Coakley was speaking before an audience of technology and business leaders at an inaugural lunch for Massachusetts’ Advanced Cyber Security Center (ACSC). Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General’s account.

Informed of the well-documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn’t aware of the larger pattern, but that it could be a reportable offense under the State’s data privacy law. She promised her office would be contacting Apple for more information that very afternoon – a statement that received hearty applause from the audience.

Despite the tough tone, Coakley’s speech was tailored more to a business audience wary of burdensome enforcement of State data privacy laws, including the State’s data breach notification law and 201 CMR 17, the Massachusetts Data Protection Law. That law took effect in March, 2010 but the first fine under the law was issued in March of 2011 to Briar Group, a Boston-area restaurant chain that showed gross negligence in securing its networks and handling customers’ credit card numbers.

Coakley said that companies that attempt, in good faith, to adhere to the State’s privacy laws have little to fear in the way of fines or prosecution. However, organizations that flaunt the law or ignore the need for data security should count themselves warned.

Describing her office as the first line of defense for consumers, Coakley said her office was pursuing a “common sense” approach to enforcement and notification. Large breaches, such as the hack of Massachusetts retailer TJX, warrant an all-out effort to notify the public. In the case of smaller breaches, Coakley said her office wanted to work with victim organizations to make sure that holes in their defenses and IT security practice are addressed.

The Attorney General said her office has received around 480 data breach notifications so far in 2011, and 1,166 since the law took effect in March, 2010 – suggesting that the incidence of data breaches is holding steady, despite a tough economy. The vast majority of those breaches are small in nature. Eighty-two percent of disclosed breaches affected fewer than 100 people, and just 4% affected between 1,000 and 10,000 people. Similarly, hacking incidents only made up a quarter of the reported breaches, with another quarter due to inadvertent human error, Coakley said.

The State’s breach notification law, dubbed 201 CMR 17, sets clear guidelines for the types of incidents that constitute reportable breaches. Any incident resulting in “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data” that creates a “substantial risk of identity theft or fraud against a resident of the commonwealth” must be disclosed, as must incidents involving combinations of personal information, such as a name and credit card number. That would seem to describe the use of Coakley’s credit card information on iTunes. However, it is unclear whether Apple actually holds the data used to process the transaction on iTunes, or whether the purchases are merely “pass through” transactions about which Apple has no knowledge or visibility, according to a source within the Attorney General’s Office.


  • Copy Editor on

    "… organizations that flaunt the law …"

    should be 

    "… organizations that flout the law …"

    or, if insisting on flaunt, perhaps

    "… organizations that flaunt their transgressions of the law …"

    Otherwise, a fine article!

  • Anonymous on

    So, let me get this right... She failed to protect her credit card information or report it to the proper people right away and it's APPLE'S FAULT???

    Generally once a card is reported stolen, the purchases are then refunded and the card is dead. She might consider a new bank rather than wasting taxpayers' money on a suit against Apple.

  • zato on

    This article is intentional anti-Apple propaganda. The headline is a lie. The woman had her credit card info stolen, there is no iTunes "scam".

  • Anonymous on

    Just using itunes cards.

    There problem fixed.

  • Anonymous on

    Like the last commenter, I see nothing here that would suggest that Apple would have an issue with the state law.

    In every case that I have ever seen, these iTunes scams are caused by someone's credit card info being stolen.  Usually this is because they have a virus infected PC, other times because they've been phished.  But there is zero evidence that Apple's servers have been breached.

    A large ticket item purchase such as a laptop will usually raise red flags.  So of course Coakley is going to be contacted about laptop purchase.  But credit card companies are much less likely to raise a flag about small purchases.  And that's exactly what we have here.  And if the credit card company isn't raising a flag, there's not a lot Apple can do.

    I feel bad for Coakley, being a victim of identity theft sucks.  But she seems to be blaming the wrong party and this article fails to make that distinction.

  • Jo Dean on

    rotfl, you have to admit that is some pretty funny stuff dude.

  • Jill on

    I had the i-tunes fraud happen to me recently. I had i-tunes gift card credits on my i-tunes account which were wiped out by someone who somehow got my login info and bought Texas HoldEm Poker chips and changed the shipping address on my i-tunes account. I-tunes took care of it shortly after notifying them and luckily I did not have a credit card associated with my account. If you google i-tunes fraud, you'll see a lot of people have their credit cards associated with their i-tunes account accessed or better yet, someone sets up a credit card in their name, changes their address info and racks up a bunch of charges. I-tunes is pretty slow on notifying you when your account has been changed or when someone adds an authorized computer to your account. I got a notice that my account was accessed, an unfamiliar computer was added as an authorized computer to my account and my shipping address was changed. I felt they should have required me to confirm all of this before any changes were made. Then 12 hours later I got a notice that my account had been charged (and depleted) for poker chips. I have a first generation video i-pod, so there is no way I could even play poker on it. I-tunes is very aware of this problem and does not seem to be doing anything about stopping it.

  • David on

    My credit card number was used fraudulently to make attempted i tunes transactions. It looks to me as if there is a high frequency of i tunes purchases being made when credit card numbers are being tried for the first time by thieves.

    Apparently online sales outlets' servers (or servers of web hosting providers) can be compromised such that credit card information from online purchases can be sent to criminals' computers. The i tunes purchase attempt can occur within hours of the online transaction apparently. Why would a criminal first try to buy i tunes instead of something more desirable? (I have  no interest in buying i tunes and my bank knows it).

  • Hamranhansenhansen on

    Apple did not buy VISA or MasterCard … yet. They are not responsible for credit card fraud you may suffer. You could just as easily have seen charges via vending machines or any other automated credit card payment system. You do not have to link a credit card to iTunes. You can buy an iTunes Gift Card at supermarkets and drug stores and link that. Then if your credit card information is compromised, that will not result in any iTunes purchases. Also, people should be aware that you must use a unique password for every single account you have. If you use "bluebell" at 2 different accounts, you have just given out your password to each account to the maintainer of the other account. You need to get an app like 1 Password for iPhone that can store a list of all your accounts and passwords in an encrypted "safe deposit box" in your phone. Then you can use really good unique passwords on all accounts. If not, you are low-hanging fruit, you will get scammed at some point.

  • Anonymous on

    I feel fairly confident that thousands of other Massachusetts residents have been victims of identity theft prior to this incident. So why isn't it a huge issue until the attorney general becomes a victim?

    Politics at its best. Nothing happens until it "becomes personal". Action should have been taken when the first case was reported. Waiting until the attorney general herself is a victim is negligent.

  • Anonymous on

    Seems to me that the only thing she is a victim of is her own carelessness and stupidity.

  • Anonymous on

    She is a victim of credit/debit card theft.  Theft and fraud are different things.  There is no iTunes scam.  Some bad guys stole her card number and bought songs on iTunes.  They could have just as easily bought women's underwear from Amazon.

    She's embarrassed she got taken (never use debit cards online), and now she wants to make someone pay.  Who better to target than a huge corporation with gobs of liquid cash?

  • Anonymous on

    There is no breach of security at the iTunes store.  Thieves stole her card info during a ski trip in NH, it was not hacked from iTunes.  There is no breach for Apple to report.  Maybe she should focus on where the actual theft occurred - during her ski trip, eh?

  • Anonymous on

    How about this, I made a purchase at an Apple store used my card and the next weekend Sunday to be exact at 5:36 AM a purchase was made at the iTunes store for 1 cent was approved and then the assault began. Many small $30.00 to $45.00 purchases were made at the iTunes store ending up costing more than several hundred dollars. Question how was I supposed to A: know about this happening   B: contact my bank to question this activity ? I contacted the iTunes people and all I got was sorry, yada yada yada nothing we can do. YEAH as long as the $$$$$$$ keeps rolling in, makes NO difference where it's coming from. By the way, I am a very happy Apple user with 3 computers, an iPad and an iPod. Bad is bad no matter who you are.

  • Michael Brian Bentley on

    In order to effect a change to an iTunes account, buy content and install it on a local machine, they don't necessarily need the credit card number, they just need an account password. How are they skimming the password? I am not seeing a lot of phishing attempts to obtain an iTunes password. Lots of World of Warcraft attempts, but not iTunes.

    If they have your credit card information, how do they get the iTunes account information?

    Are they able to access the credit card information by logging into your iTunes account?
