Steal your own identity

Rule of thumb: Most work PCs contain personal data.

Quick Vote

What do you think about the $250 relief payment proposed for seniors?

• It's a good idea
• It's not enough
• It's too much

or View results

Pocket books

Netbooks are models of portability. But can you stare at those little screens all day? Our reviewer put three to the test.

View photos

(Fortune Small Business) -- Todd Feinman spent more than a decade breaking into the computer systems of Fortune 100 companies. Not for his own nefarious purposes, though. The former director at PricewaterhouseCoopers was paid to test corporate security systems. He succeeded in breaching them 80% of the time.

Each time, he found the same gold mine of data -- Social Security and credit-card numbers, direct-deposit bank account data, addresses, passwords - hiding in the nooks and crannies of employee computers.

"No matter which computers we broke into, there was an unbelievable amount of personal information on them," says Feinman, 35. "Even those of the CEOs."

Bad guys know this. Last year alone, more than 10 million Americans had their identity stolen, according to research firm Javelin Strategy. The total value of stolen personal data will hit $1.6 billion next year, IDC Research projects. Feinman's brainstorm: software that lets you hack into your own machine, mimicking what identity thieves would do and alerting you to the presence of vulnerable data on your hard drive.

In 2006 he launched a company to develop his self-hacking application, which he named Identity Finder. Once it sniffs out sensitive information on your machine, the software lets you decide whether to eliminate it or to encrypt it to protect yourself.

Since then, many of Identity Finder's features have been imitated by dominant IT security players Symantec (SYMC, Fortune 500) and McAfee (MFE). But Identity Finder's key advantage has been its simplicity. An individual user can install and easily run the app, for $10 (per Mac) or $20 (per PC). Feinman also sells an enterprise version that performs data audits on corporate networks and costs up to $500,000.

Justin Klein Keane, a senior information security specialist at the University of Pennsylvania, reviewed competing applications for a year before buying Identity Finder for 2,000 of the university's staff. University campuses tend to be big targets for hackers, Keane says, because they maintain open networks with limited security, transient user bases and plenty of personal information on numerous faculty PCs.

This year thieves stole computers at Northern Kentucky University, taking the Social Security numbers of hundreds of students and faculty.

"Even if just a few numbers get stolen, you are required to notify these people and offer them credit-monitoring services at no charge," Keane says. "It's a very expensive proposition."

Universities drove early sales at 22-employee Identity Finder, based in New York City. Then the recession started to bite. By May of this year Feinman knew he had to change tack. He was in a bidding war with Symantec and McAfee for a university with 28,000 computers -- and was on the verge of losing the sale.

Feinman gathered his key management team for a daylong strategy session. Their solution: tiered pricing for organizations with tight budgets. A stripped-down version of the software would cost 20% less.

It worked. Identity Finder nabbed that key customer. By August it had sealed 45 other deals with universities, government agencies and large businesses. Now Feinman expects 2009 revenues to surpass his $5 million projection and hit $7.5 million -- up nearly 100% since last year.

Experts don't expect the market to shrink anytime soon. Many small businesses save customer credit-card information unencrypted on their PCs.

"People are sloppy when it comes to managing their information," says Kevin Beaver, a consultant for Principle Logic, an Atlanta company that runs security tests for corporations. "They don't know what they have and how it's at risk."

But 43 U.S. states have passed laws requiring companies to notify customers if there's a security breach in which personal information is compromised.

"It's not worth the hazard to your reputation," Feinman says. "We will be distraught the day we see one of our customers in the headlines for a data breach. We're trying to help them stay one step ahead of the criminals."