CHARLOTTESVILLE -- When University of Virginia professor Patrick Grant opened his mailbox on May 23 to find three letters from Bank of America informing him that it would not raise his credit limit, he knew his identity had been stolen.

"I got one of those gut-wrenching feelings that this is really, really wrong," Grant said.

Grant, a professor of microchemistry and molecular genetics, had never asked Bank of America to raise the limit on his credit card.

Someone else, he realized, must have access to his credit account.

In the hours that followed, a picture of what happened began to emerge.

Identity thieves in New York had opened a checking and savings account in Grant's name, aided by his Social Security number and a fake New York driver's license with his name on it. Using an online banking feature of the fraudulent checking account, the thieves hijacked Grant's existing Bank of America credit-card account.

They drained Grant's credit-card account by authorizing cash-advance payments, which they then withdrew from an ATM. Over the course of nine or 10 days, the thieves obtained $22,000 with Grant's credit card.

"It was clearly very organized and very quick," Grant said.

. . .

It may be impossible to know where the crooks discovered Grant's identity and Social Security number. However, Grant's personal information -- including his name and Social Security number -- was exposed in two major data breaches at U.Va.

In June 2007, the university discovered that hackers had managed to access records of 5,735 faculty members on 54 days between May 20, 2005, and April 19, 2007. The faculty members' names, Social Security numbers and dates of birth were compromised. Grant's personal information was among those files.

In April, a U.Va. employee brought home a laptop containing the names and Social Security numbers of some 7,000 faculty, students and staff. The laptop was stolen out of the employee's locked car. Once again, Grant's personal data was included in the stolen files.

"We'll probably never know where it came from or who did it. It may never be resolved," Grant said. "The only thing I can say is that the information that was stolen from either of those occasions was sufficient for the thieves to do what they did to me. I know of only those two instances when my personal information has been stolen."

. . .

When notified by the university that he might be at risk of identity theft, Grant immediately signed up for credit monitoring and placed a fraud alert on his credit report.

"Neither helped me at all," he said. "I was sitting there thinking I'm OK because I did everything I was supposed to. But I wasn't, as it turned out, protected at all."

Credit monitoring notifies an account holder whenever someone attempts to open a new credit line, such as for a credit card, a home loan or a car loan, said Heather Greer, a spokeswoman for Experian, which tracks credit scores.

In Grant's case, the identity thieves never sought to open a new credit account. They managed to simply take control of Grant's existing credit account.

The U.Va. Police Department and the FBI are investigating the theft of Grant's identity.

Lt. Melissa Fielding of the U.Va. police said detectives are making progress in the case, but no arrests have been made.

"We have an open-active investigation," she said. "We are working on it. We have involved the FBI."

Bank of America has informed Grant that it will not hold him responsible for the $22,000 that was stolen under his name. A bank spokesperson did not return a call for comment Friday.

Grant's credit score may be in shambles after the ordeal. However, he can dispute the charges with the credit-rating agencies and have it fixed, Greer said.

. . .

While Grant may not be liable for the $22,000 and his credit score may not be destroyed, the process has been a nightmare.

He spent hours on the phone with Bank of America trying to convince them that he was the true Patrick Grant. He had his credit-card account frozen.

And the day after he discovered that his identity had been stolen and he could no longer use his credit card, he had to fly to England to spend time with his father, who is dying of cancer. While there, he was unable to pay for his hotel or meals, having instead to rely on his mother.

"She had other things to worry about," he said. "It was awful."

Grant is the first known U.Va. faculty member to have his identity stolen in a case possibly connected to the university's two high-profile data breaches.

He is worried that additional identity thefts may be on the horizon.

"I might be the only person to have this happen at U.Va. Or I could just be the first of what could be thousands," he said. "This could be happening right now to other people at U.Va. and they don't even know about it."

U.Va. spokeswoman Carol Wood said the university is very concerned about Grant's situation and is trying to "keep pressure" on the FBI to crack the case.

"It's scary," she said. "It's terrible. We're living in a crazy world."

. . .

Identity theft has become increasingly common across the country in recent years. According to a November 2007 report by the Federal Trade Commission, 3.7 percent of all American adults -- or 8.3 million people -- had their identity stolen in 2005. These thefts totaled an estimated $15.6 billion in losses.

To help prevent future data breaches at U.Va., the university is adding security policies and strengthening existing ones. In a few days, it will announce a policy on laptop security, said Shirley Payne, the university's director for security coordination and policy.

The new policy will prohibit U.Va. employees from storing sensitive data on laptops, desktop computers or portable devices unless they have a compelling reason to do so, as well as permission from a dean, Payne said. In all cases, she added, the data must be encrypted.

"We felt that in light of what happened with the stolen laptop, we really needed to be more directive," she said.

Grant wants U.Va. to alert its employees that credit monitoring and fraud alerts might not protect them from identity theft. To minimize risk, they need to actively watch their credit scores and bank accounts for odd activity.

"The people who did this, I get the feeling that they know how the system works," he said.
Brian McNeill is a staff writer at The Daily Progress in Charlottesville.