Federal investigators in the US have arrested three men in connection with a nationwide identity theft fraud which is believed to have netted the perpetrators $2.7 million over a three-year period.
The scam is alleged to have been started by a help desk employee at Teledata Communications, a New York-based company that provides banks and other companies with credit reports from rating agencies Equifax, Experian and TransUnion. The operative is alleged to have passed on passwords and codes on 30,000 individuals to his co-conspirators in return for a $30 fee per credit report.
These were then used to transfer funds to bogus accounts and redirect cards and cheques to fictitious addresses. Police have arrested two other men on charges of mail fraud and wire fraud.
News of the scam prompted a statement by industry lobby group the Smart Card Alliance attacking the use of password protection at credit agencies for securing information systems and databases.
"The ease with which passwords can be stolen and distributed puts the integrity of virtually all of our nation's information systems at risk," says Randy Vanderhoof, executive director of the Smart Card Alliance. "Any system where access is protected only by passwords is rich with fraud possibilities."
He points to best-practice initiatives at Schlumberger, Microsoft, Shell and the United States Treasury Department, which require the presentation of both a highly secure smart card and a personal password before information and networks are accessed.
The Alliance states: "Those executives that rely solely on password protection, like the nation's three leading credit agencies, are presenting an increasingly unacceptable level of risk to their customers and American consumers. If protection of clients and consumers is not sufficient motivation, they should perhaps think about the potential risk to shareholders from class action lawsuits related to information system security failures."