Slashdot Mirror
ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
No Place To Hide
It was truely disturbing. Now that we're permanently at war with the Forces Of Evil (terrorists, for now) people should get used to not having any privacy. Sigh.
No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society
People opposed to the Bush victory in 2000 claim that ChoicePoint may have aided in voter disenfranchisement.
*This is not an endorsement of the linked site or the opinions expressed there. I just recall these claims from a Slashdot submission I made a couple years ago related to this.
Someday, you're going to die. Get over it.
Remember the Florida election of 2000 when a private database company scrubbed thousands of eligible voters from the rolls? Well now one of the co-founders of Database Technologies is back in the headlines -- he's working with law enforcement agents in Florida to create what may soon expand into a national surveillance system. We talk with privacy expert Wayne Madsen, investigative reporter Greg Palast and a top intelligence official from the state of Florida.
s .h tm
8 /0 7/1427223
When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citzen in this country and this is who they hired to do it:
Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.
But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!
In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company.During the 2000 presidential election ChoicePoint, gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.
So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.
http://www.oldamericancentury.org/oh_republican
A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.
http://www.democracynow.org/article.pl?sid=03/0
The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter roles before the 2000 election.
Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.
oh, *that* choicepoint... well at least we know that the data stolen was 99% inaccurate. right?
It's a good start, but I don't think it goes far enough. There's no requirement to publically acknowledge break-ins, only that individuals be notified. For instance, T-Mobile has yet to publically fess up for their year-long security breach and show no signs of ever doing so.
according to a new federal law, The Fair and Accurate Credit Transactions Act (passed in Dec 2003) you are entitled to a free comprehensive credit report yearly. The big three have an official website at www.annualcreditreport.com (no link b/c they reject unofficial referals) where you can claim your report. (though its not available yet for the mid and eastern states, it will be by the end of 2005).
Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
Ordinarily in a case like this a class action would be brought against the company. The "Class Action Fairness Act" will shift class actions from state to federal court. Ostensibly this was done to prevent venue shopping- where you look for the state with the most favorable laws for your class action suit- but it also has the nice property that federal courts rarely agree to hear class action lawsuits, citing differences in state law. The Act effectively puts an end to all class action suits without explicitly banning them.
If you're a victim of identity theft because your Social Security number was compromised by ChoicePoint, you'll have to hire a lawyer yourself, prove that the identity theft was a result of ChoicePoint's negligence, and your case will be heard separately from those filed by any other plantiffs.
For the most part, Choicepoint deals in public records...items that are available to the general public (if you have the time, energy, and knowledge of where to look).
However, there is some data they possess which isn't public records (DMV records mostly) which require special privledges to access. I would hope that they actually review who has access to that information, and not give it out to persons without legitimate needs.
I think the main concern is that fact that this data is aggregated for use, without any sort of controls on who can see it, and for what reason.
-merlyn
Well, from a legal standpoint, it certainly does. If there is no law in your state requiring them to do so, then legally they don't have that obligation to you. Morally, I believe they are obligated to, but morality isn't the same as legality now is it?
When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).
That the data is about you, and could be damaging to you is incosequential to them. Anyone could have bought the data from them anyway.
Engineering is the art of compromise.
For some more info on ChoicePoint, check out this article from a couple months ago in the Washington Post. I was surprised it was seen here on Slashdot too. Gives a little more background on what they do and how they do it.
I mod down all the "free iPod"-sig losers.
Also, there are lots of foreign people in the U.S. and elsewhere who have U.S. bank accounts but no SS #. I suspect that banks assign these people arbitrary generated numbers. Perhaps you can go to a bank, tell them you're from Scotland or Uruguay or the South Pole and just open an account without the damn SS number. Of course they may demand a passport.
Now here's an interesting bit of trivia. You can change your social security number. It's free and you have to apply, with proof of identity, and also supply a reason why the change is needed. It can be a change of name, threat of domestic violence, identity theft, or even because the numbers are offensive to your religious beliefs. I suppose the latter reason is the best way to change your SS # arbitrarily. However, they say they keep your old number on file and cross referenced, so it may be that someone with your old number could still cause you grief.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
The databases basically involve public records from every county in a state describing ownership, professional licenses, et cetera. They often include every piece of information involved in submitting a request for some type of certification. Land deeds, for example, are in there, as well as contractor's licenses. A lot of that information is public record, but the stuff that isn't is the address (that's sometimes but very rarely public) and sometimes social security number. If you can establish that someone was at a certain address, and get a social from that address, hopefully correlating it with another address and matching (or near-matching) social security number, then you can look that ssn up in connection with all kinds of other items. This can connect them to any number of other people who you can bother for their phone number.
Eventually, you can find property, and depending on what state it's in you can sometimes take it away. California makes it pretty hard to do that kind of stuff to someone; you can't take away a home which is also a business, for example, and you can't take away someone's primary automobile -- unless you're the lien holder, that is. Or, well, the federal government.
Notice above I said something about a near-matching SSN? All of this stuff is near-matching. The problem is that someone might write their name (or other information) carefully in one place and illegibly in another. They might of course also forget or "forget" the number and misenter it. Finally, let us not forget the wonders of data entry and the errors therein. Some forms are OCR'd (anything typed) and some were probably hand entered. The record only goes back so far as well, but it's generally pretty far.
Anyway, anyone with a business that has a reason to need to do that kind of thing can get access to those databases. They can tell what you were doing with it, so if you do something naughty, they could tell.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I think you're picking up the wrong end of the problem here.
4 9834,00.html
It's not that these data should be legally kept private to prevent fraud, though there's an argument that they should on privacy grounds.
Rather, it's the fact that the US financial system is so lax on security in general. Australia is a good example of how this sort of thing is handled elsewhere. If you want a credit card or bank account, you need to provide 100 points of identification, which can be made up of a variety of ID items. Here's an example:
http://www.national.com.au/Business_Solutions/0,,
It's not a foolproof system, but it means that identity theft happens a lot less often in Australia than it does in the US.
Fraud is a cost of business to credit card companies
as a holder of a merchant account, I can say that you're full of shit. WE bear the brunt of fraud (a.k.a. "Chargebacks")... not only do we lose the money, but we get charged a nice little fee along with it. (usually around $30-40).
oh yeah, and get more than $x percent chargebacks in a year, your account goes *poof*
The IRS is way ahead of you, that's what ITINs and ATINs are for.
No, it does not have to be an SSN just because you are eligible for one. It (in practice anyway) has to be an SSN if you *have* one, but if you don't you can almost always use a Tax ID. You do have to apply for that one, however.
There are a lot of websites about living without an SSN (or just without revealing yours), and while it isn't easy, it isn't impossible either. Frankly, you don't need banks anymore these days. It may have its problems, but PayPal makes a very decent bank if you are forced to use it as such. The real problem is with employment: it can be very hard to get some jobs without an SSN.
Living off the grid, however, is a real option if you aren't using a bank account. If you do local work for cash and freelance work online (less than $600 per employer per year), you already have a 25%-30% head start over everyone else, who pays 15.3% in SS/Medicare and 10%-15% in income taxes. That means you can work 3/4 as hard as everyone else and enjoy the same lifestyle, all while doing less paperwork. Not everyone's cup of tea, but the chances of ever having a problem with the IRS are nil. They would far rather nail people that are on the grid AND not paying taxes, because it's a heck of a lot easier. Plus, they tend to know beforehand how much $$ they can recover.
I'm sorry I don't have time to check facts thoroughly, but here in Italy, personal information does belong to the individual. I think this legislation comes from EU directives.
Basically, you don't own the actual © to the information being stored, but you own all rights to it, except what I'll call "commercial exploitation."
In other words, any company requiring you to hand over personal data (even just name and DoB) must publish a notice in which it officially states it complies with current law, and a legally-binding policy of use of the data (this is similar to the US, AFAIK.) Such policy, here, must include a document which specifies the security measures the company has taken to protect the data, down to a description of their IT systems and "practices," and/or a list of people entitled to access and use these data.
However, the difference is you may officially ask for removal or change of the information from any form of database the company may have, at any time. They have a limited time to comply, and you only need to send snail mail to exercise your rights.
For credit information, AFAIK Italy has a centralized, governmental database for those with officially bad credit (sorry, don't know the legal English term.) Not sure if you have the same rights over it. However, if any bank or commercial institution keeps a copy of the database (possibly with additional information), it must ask for the individuals' permission, and its database must comply with the above legislation.
This doesn't solve the problem of what happens if your data is stolen. However, it gives you the right to withdraw any and all information from a company if it doesn't meet your requirements for trust. Or again, it allows you to erase any and all information from the databases when you're no longer interested in the company's services.
Of course, the fact it requires you to send official snail mail discourages most laypersons from a thorough "personal data management." However, the possibility is there.
As someone noted, Choicepoint/Database Technologies are the guys who were paid to scrub Felons from the Florida list of eligible voters before the 2000 & 2004 elections. If you live here you read about em in the papers constantly for shady activity, & they were in a few documentaries about the elections. They were paid an insane amount of money ($4 million no bid contract, see Jeb Bush, FL governor) for what they did, and did a horrible job in return. A few of the problems were they only matched parts of names, not whole names, gender, race, etc...so a black guy w/ a partial name match to a white felon would be unable to vote. This ended up disenfranchising thousands of black voters (frequently democrats) in the 2000 election where Bush only won by 500-600 votes in the state, which led to him winning the election.
At least until Blair and Clarke finish butchering the law to suit their own agenda, this sort of incident occuring in Europe would be almost impossible. The Data Protection Act would prevent ChoicePoint from allowing anyone other than you (besides law enforcement, with warrent) access to your personal information without your explicit consent. For example, when I graduated last summer, I had to sign a DPA waiver so that the University were permitted to release my grades to any potential employers who wanted to look at them in the course of a job application. Of course, all the new government databases in the UK that tie in with our glorious proposed national ID card scheme will be exempt from the DPA, but everyone else in the EU is still bound by it.
A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".
I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.
I keep fraud notices on my credit reports AT ALL TIMES. It is a slight hassle when I do want to open a new account, but that is so damn rare that it's worth the extra protection. I just wish the credit file locking option would be legislated nationwide.
I live in Belgium. You know, the little country all of slashdot flamed or pitied because we got an electronic ID card.
... that has personal information about me, must let me see it and modify it on simple request. If they want to give information to other companys, they have to mention that, and a simple request by me forbids them to do it (most shop's request-for-information-forms have a checkbox you can mark, and it is OK if you just write "i do't want this" on the other forms).
The interesting point is: We don't have this problem: All the points mentioned about the electronic ID, or about the fact we have to have an ID, are THEORETICAL. In practice, this doesn't happen. As I read again and again on slashdot, in the country of the theoretically free people, lots of really ugly stuff happens again and again.
Maybe you should all come and live here, as we have some interesting laws and habits that protect humans:
* Every company, shop,
*Almost nobody is allowed to even ask for my ID card. The police can (they do when they check if you drive drunk, but i saw on TV how USA police asked for a SSN or drivers licence, so it is not really different there). Some high-ranked people on the trains are allowed to check it to see if you are e.g. not to old to get a ticket for young people. They are not allowed to write anuthing down about it. These are the only people that ever requested my ID,and in both circumstances, it is quite rare.
* It is not possible to steal money from my bank card by knowing it's number, as it is protected by a secret code. This is not perfect, but it works quite well and misuses are never so big as to have 30.000 victims)
So i would ask all the USA-inhabitants to stop whining about ID cards until you know what you are talking about. Your governement brainwashes you to believe you are free by pointing to facts like 'you have no ID - please forget about the SSN', but stories like this prove you wrong. Belgium is by no means perfect, but I'd much rather have my ID card than come over to the USA and suffer under your 'freedom'.
For those of you feeling especially lazy, feel free to copy this and send it off to consumer.center@choicepoint.com
I just read the MSNBC article, http://www.msnbc.msn.com/id/6969799/, about how large quantities of personal information were stolen from your databases and became concerned. Therefore, as I am not a resident of California, and thus you will not voluntarily be informing me of whether I am affected, I would like to request that you provide me with assurances that my information was not compromised.
If I do not receive a response from you within a week I will be contacting my lawyer and asking him to pursue this matter further.
Thank you in advance for your cooperation