Slashdot Mirror
ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
Paul Grosfield - the quicker picker upper.
California, population approx 30 million, or 1/10 of the US population.
So, the number of stolen identies is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the theives didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to excluse California records because those indidivuals would be on alert).
So, potentially one in every one hundred people in the US now has their electronic profile available for identify theft. That's a scary (although I'll admit unlikely) idea.
Closing question...what exactly is the f'ing differences between a "legitamate" company accessing this ChoicePoint database an an "illegimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, concievable so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Same's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.
I would say it's pretty likely they wouldn't report data thefts about people in other states...
It's not wasting time, I'm educating myself.
I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existance? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.
This whole companies' existance and screwup just stamps out all notions of privacy I had, now not only theives profitted from me without even notifying/asking me, but now criminals can benefit from my existance too.
I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSN a day. They don't track who enters what data so I could of easily wrote down a few SSNs along with the person name, phone number, address, etc without anyone knowing I had done it. Even if they make extra-super-duper-sure that they people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.
Speaking is NOT communication
By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.
Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify they potential employer that they had made a mistake.
There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.
I sent my resume and never got response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiousity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiousity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (nopassword) . It worked.
Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different , so for all I know root on those boxes was the same as all the other passwords)
Not wanting to cross any further boundrys than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact in had! They wanted to talk to me and hear more about what I had to say regarding their network - For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight , I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist) .
Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor secuirty procedures, I'm shocked there aren't more thefts like this one happening on a regular basis.
An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisons of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collison (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attmept to use my name to verify my identity, why would I use my SSN?
Companies need to get on the stick and use other verification measures. Using an SSN as na ID # is fine, not as a password, that needs to be something else not related to identity.
Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!
GStreamer - The only way to stream!
I don't know about the rest of the world; but Argentina grants it's citizens a consitutional right called "Habeas Data", which, in a nutshell, specifies that every individual owns his personal information and it can't be disclosed or abused without his consent. This includes medical records, bank accounts, work historials and so. Knowing that most modern constitutions are based on the US one, i thought something similar would be available to Americans.
It's usually paired with another consitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.
Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:
"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."
Time to start lobbying some other states' legislatures, perhaps.