At just 4 years old, Kevin Barnaby Jr. has already had two Capital One credit card accounts, $941 in debt, and a $2,911 federal tax lien put on his credit reports. But Kevin, known in his family as KJ, isn’t a financial delinquent — one of his family members stole his identity.
KJ’s estranged father used the child’s social security number to open credit cards, racking up the debts before KJ’s third birthday, according to a December lawsuit and a BuzzFeed News review of the child’s April and May 2016 credit reports. KJ's mother, Trina Patterson, filed the suit in US District Court for the Southern District of New York; it alleges that three credit bureaus — Experian, TransUnion, and Equifax — violated fair credit reporting laws by distributing inaccurate credit information about KJ to creditors. Patterson also alleges the companies failed to ensure their credit reports’ accuracy and to investigate her disputes over the inaccurate information on KJ’s reports.
Patterson told BuzzFeed News the credit report showed the toddler’s father, Kevin Barnaby Sr., used the cards to buy his current wife an engagement ring. “It was hurtful,” she said. “I asked [him] to buy a car seat for [KJ] and [he] wouldn’t do it.”
Barnaby Sr., who was convicted of felony identity theft in July 2017, did not respond to a request for comment. Experian, Equifax, and TransUnion declined to comment to BuzzFeed News on the allegations in the lawsuit. Experian and Equifax also have not responded to the complaint. TransUnion denied the allegations in a court filing on Jan. 26.
KJ’s experience is not an uncommon one — it's just that child identity theft is poorly documented and poorly policed. And while creditors and credit bureaus do try to help victims of identity theft clear their credit reports of errors after they’ve been defrauded, their systems are flawed in ways that make children particularly vulnerable targets.
A 2011 Carnegie Mellon CyLab Security & Privacy Institute survey found that 10% of people under 18 had at least one other person using their social security number to open accounts, including lines of credit and utility accounts. That’s far higher than the 0.2% rate for adults. And a 2008 study from Javelin Strategy & Research, a finance research group, found that 3% of children were victims of identity theft.
“We don’t have good statistics on the scope of child identity theft,” Eva Velasquez, president and CEO of the Identity Theft Resource Center, told BuzzFeed News. “But it’s common enough that we hear from people on a regular basis, either parents who are calling us because they somehow found out their children’s information has been used, or kids themselves call us when they are getting a student loan or car loan and find out they have credit history that’s precluding them from moving forward with their lives.”
Minors are attractive targets for identity theft. Because of their young age, they have clean credit reports and often don't discover the theft until they reach adulthood and apply for credit, John Krebs, identity theft program manager with the Federal Trade Commission, told BuzzFeed News. And their social security number and other personal information is easily available to family members — so easily available that there are cases of parents secretly using their adult children's information to open lines of credit.
Hailee, a 23-year-old community college student in Pennsylvania, told BuzzFeed News she is working off $500 in debt on a credit card she didn't know existed until recently. Her mother opened the account in her name in 2015 and used it to replace a broken air conditioner. Hailee said she didn't discover the account until Wells Fargo began pestering her about late payments.
“I wasn’t making that much money,” said Hailee, who asked to be identified by her first name only. “If [my mom] had just asked me in the first place, I would’ve seen if there was anything I could do to help out. Instead, I find out one day that I’m $500 in debt.”
Hilary O’Byrne, a Wells Fargo spokesperson, told BuzzFeed News it could not comment on Hailee’s account, but it has “extensive security measures to protect customers from fraudulent activity.” But it doesn’t discuss security procedures in detail, “as doing so could jeopardize their effectiveness.”
Hailee said she feels betrayed by her mother’s actions, but she’s not going to file charges. “I would never send my mom to jail or put her in a situation where she has to go to court,” she said. “It’s hard in these times to remember your parents love you and it sucks you’re being taken advantage of.”
This form of identity theft is not always malicious, Chi Chi Wu, an attorney with the National Consumer Law Center, told BuzzFeed News. “A lot of times parents are desperate,” she said. “The heat has been shut off, the light has been shut off. You can’t get service with your own information, so they use a child’s identity to get service.”
Krebs at the FTC said this kind of fraud “may be different from running up a bunch of credit card bills, but is the impact the same? Yes.”
So how exactly did Capital One issue two credit cards using a toddler’s social security number, and why has it been such a battle to clear KJ’s credit history? At least part of the explanation lies in banks’ methods for verifying credit applicants’ identities, which leave loopholes that fraudsters can exploit.
A 1974 federal privacy law bars banks and credit bureaus from accessing a federally maintained social security number database, so these institutions rely on their own methods to check credit applicants’ identities. If they wanted to be more vigilant, banks could verify customers’ identities by having them sign a form and submitting it to the Social Security Administration, according to a Government Accountability Office report. But the report noted the process can take up to a week, and “the industry has a business interest in making the process efficient and expeditious for the customer.”
Regardless of that option, the social security number “is sort of irrelevant,” Robert Gellman, a privacy and information policy consultant based in Washington, DC, told BuzzFeed News about KJ’s case. “What [the bank] needed more than a social security number is the proper date of birth.”
Robert Smith, a privacy expert and publisher of Privacy Journal, told BuzzFeed News that consumer credit advocates have long pushed for credit bureaus to consider multiple data points, besides a social security number, to verify a person’s identity. (Rhode Island is one exception. There, credit bureaus must verify applicants’ identities using a second identifier in addition to a social security number. But the majority of states don’t require this.)
“It’s credit bureaus that are the careless ones, to use social security numbers” to verify someone’s identity, said Smith. “Credit bureaus can do better.”
TransUnion said it uses “sophisticated algorithms” to match consumer data based on a combination of available factors, including names, addresses, date of birth, and social security number. Equifax and Experian did not respond to a request for comment on whether they check applicant data besides a social security number when issuing credit reports.
But even with their sophisticated algorithms, credit bureaus’ system of relying on credit applications to collect social security numbers and build credit reports has flaws, as KJ’s case demonstrates.
“Credit thieves have figured this out — if you apply for credit in the name of the innocent person, the innocent person’s name will come back, and [the bank] will open a credit account,” said Smith. “It seems so simple a problem, with not a hard solution, but credit bureaus just ignore it.”
Credit bureaus’ reporting systems are notoriously plagued by misinformation. A 2012 Federal Trade Commission report found that 26% of sampled consumers had at least one error on their credit reports, which could be anything from an erroneous credit inquiry to a late payment. Another form of these inaccuracies is called a “mixed file,” which happens when a credit bureau relies on insufficient criteria to match information from a creditor to a consumer's file and mixes one person’s information with that of another person who may share a similar name.
About 4% of credit files created by a certain unnamed credit reporting agency exhibited signs of a mixed file, according to a 2004 FTC report. “A figure of 4% may not seem like a lot, but I wouldn't call that rare,” said Wu. “Remember, [that’s] 8 million people.”
Kevin Mallon, the attorney for KJ’s mother, told BuzzFeed News that he suspects Barnaby Sr. used his own date of birth, combined with his son’s social security number, to open the accounts.
Capital One told BuzzFeed News that the information in the credit report matched the details on the credit card application. BuzzFeed News confirmed that the date of birth on the credit card application was that of an adult.
The bank said that after determining fraud had been committed, it immediately closed KJ’s credit card accounts and contacted the credit reporting agencies to remove the accounts from the minor’s credit file. Capital One declined to provide details about how it prevents identity theft and child identity theft. But the bank told BuzzFeed News, "We apply various verification checks when issuing credit cards to protect consumers from fraud and identity theft. Protecting customer and account information is a top priority at Capital One."
“It’s obviously awful that any parent would seek to steal their child’s identity, but part of the problem here is that it does not appear that the credit reporting agencies have policies in place to prevent the issuance of credit reports on minor children,” Mallon said.
Children born after 2011, like KJ, are particularly vulnerable to fraud because they are issued a randomized social security number, which makes it difficult for financial institutions to confirm their identities, according to the GAO report. And after these children have been defrauded, it’s difficult for them to clear their credit because banks assume the identity thief, who was the first person to use the social security number, is its true owner.
After Patterson alerted Equifax, Experian, and TransUnion in April and May 2016 that her toddler-aged son’s information had been used to open credit lines, Experian and TransUnion placed fraud alerts on his reports. The updated reports they gave Patterson reflected KJ’s true age, but the fraudulent credit cards were still listed as of April 2016, according to Patterson’s lawsuit.
According to Mallon, the credit bureaus didn’t act when Patterson alerted them to fraud, and they only removed some of the credit inquiries and cards from KJ’s reports after Capital One asked them to clear the accounts. Even then, Mallon said Experian didn’t remove some incorrect details in KJ’s report until after Patterson filed the lawsuit, and Mallon said he hasn’t seen any evidence that TransUnion ever fixed KJ’s report.
Patterson initially encountered more challenges with Equifax and ChexSystems, a consumer reporting company that has been dismissed as a defendant in the lawsuit. Equifax refused to send KJ’s report, explaining that the “proof of your identity does not match the information we currently have on your credit file,” according to the lawsuit. Patterson alleges Equifax failed to further investigate her dispute on KJ’s behalf or to add a fraud alert to KJ’s file. And when Patterson first requested a copy of KJ’s credit file from ChexSystems, it said it couldn’t send his report until it saw a copy of KJ’s driver’s license. Eventually, it sent the full report.
If Experian, Equifax, and TransUnion have measures in place specifically to prevent child identity theft, it's unclear what they are. The three bureaus declined to respond to questions about their credit approval process, what procedures they have to protect against this type of identity theft, and how they issued credit reports that included a toddler's social security number and an adult’s date of birth. TransUnion told BuzzFeed News parents can use its child identity theft resource page to place a freeze on their children’s credit reports “in all 50 states at no cost." Meanwhile, Experian offers an identity protection service to families with children — for $19.99 a month.
Credit bureaus are working on implementing a National Consumer Assistance Plan by March 2018, which aims to make it easier to correct errors on credit reports. But for now, children like KJ have limited options when it comes to clearing their identities. Kids like him can work with creditors and convince them that a debt has been opened using stolen information and try to come to a resolution, or they can pay the debt and live with the consequences. Otherwise, a victim’s only recourse to shed fraudulent debt is by involving the law.
Yechezkel Rodal, an attorney with Rodal Law in Dania Beach, Florida, told BuzzFeed News lawsuits involving a family member’s identity theft usually fizzle out once victims learn they must file a police report and prosecute their family member in court.
“This is a very delicate situation,” Rodal said. “In general, families who are still on speaking terms don’t choose to prosecute each other.”
And even in cases like KJ’s, where the victim and defrauding family member are estranged, clearing a child’s credit history is no easy process. KJ’s father was convicted of identity theft, but it was an onerous process for Patterson to try to clear her son’s credit history. And she’s still embroiled in a lawsuit against the credit bureaus. Still, she’s thankful that she caught these errors before KJ grows up.
“It’s hurtful,” said Patterson. “They should have better laws for this. I’m sure I’m not the first person to have their child’s credit taken. We have way too much technology for this to still be a situation.” ●
This story has been updated to include additional comment from Capital One.