ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
The article further quotes ChoicePoint spokesman Chuck Jones:
Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane! The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
I really enjoy how the graphic on the front page of their site reads: "Smarter decisions. Safer world."
It's pretty silly.
Run over someone with my car, I am responsible, and it's a crime. Even if I didn't mean to.
Companies should be held responsible for the data they hold.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Suppose my identity is stolen and used for fraudulent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
Paul Grosfield - the quicker picker upper.
The story says that these things "are seldom limited to a single geographic area" ...
SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?
We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.
i am a soviet space shuttle
Next big issue is going to be medical records online. While having such information in one location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if you're a public figure, the media getting their hands on otherwise private medical records.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
That's bad, isn't it. Yes, that's bad.
My credit is so poor that stealing my identity is only going to hurt them. I mean they think they are getting a free ride, but when Rocko breaks down their door looking for past due payments boy will they be in for a surprise, hell this might be the best thing to ever happen to me!
Incidents such as these are actually rather rare. People abusing information collected either through neglect or in other ways is not as common as proper use.
All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.
(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)
They say "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc."
If the data was that critical and personal, why was it available to "legitimate businesses" in the first place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?
No Place To Hide
It was truly disturbing. Now that we're permanently at war with the Forces Of Evil (terrorists, for now) people should get used to not having any privacy. Sigh.
California, population approx 30 million, or 1/10 of the US population.
So, the number of stolen identities is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the thieves didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to exclude California records because those individuals would be on alert).
So, potentially one in every one hundred people in the US now has their electronic profile available for identity theft. That's a scary (although I'll admit unlikely) idea.
Closing question...what exactly is the f'ing difference between a "legitimate" company accessing this ChoicePoint database and an "illegitimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, conceivably so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Sam's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
C'mon! Does every story on /. have to be about Micro$oft?
you had me at #!
The government is one of ChoicePoint's largest customers, so you can be certain that there will be zero rules and regulations imposed on ChoicePoint or similar companies. Nor will you see any changes to the Fair Credit Reporting Act, which affords no penalty to companies that report wrong information on individuals other than once proven incorrect, it is removed.
If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.
Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.
Maybe having to deal with thousands of peeved off consumers will clean up their act.
I highly doubt they would refuse to report that data had been stolen from other states, just because they don't have to.
I very much doubt that they're willing to do this. They're only providing any notification because they're required by law to do so; left to their own devices they would ignore it entirely.
People opposed to the Bush victory in 2000 claim that ChoicePoint may have aided in voter disenfranchisement.
*This is not an endorsement of the linked site or the opinions expressed there. I just recall these claims from a Slashdot submission I made a couple years ago related to this.
Someday, you're going to die. Get over it.
Remember the Florida election of 2000 when a private database company scrubbed thousands of eligible voters from the rolls? Well now one of the co-founders of Database Technologies is back in the headlines -- he's working with law enforcement agents in Florida to create what may soon expand into a national surveillance system. We talk with privacy expert Wayne Madsen, investigative reporter Greg Palast and a top intelligence official from the state of Florida.
s .h tm
8 /0 7/1427223
When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citizen in this country and this is who they hired to do it:
Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.
But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!
In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company. During the 2000 presidential election ChoicePoint gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.
So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.
http://www.oldamericancentury.org/oh_republican
A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.
http://www.democracynow.org/article.pl?sid=03/0
The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter rolls before the 2000 election.
Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.
2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.
I would say it's pretty likely they wouldn't report data thefts about people in other states...
It's not wasting time, I'm educating myself.
...can see your social security number, your credit report, your addresses...
...anytime they want...
...um...
...whew?
....have similar problems of their very own.
Someone had to do it.
I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existence? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.
This whole company's existence and screwup just stamps out all notions of privacy I had, now not only thieves profited from me without even notifying/asking me, but now criminals can benefit from my existence too.
Apparently the only defense against this kind of thing is to have really bad credit.
I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSN a day. They don't track who enters what data so I could have easily written down a few SSNs along with the person name, phone number, address, etc without anyone knowing I had done it. Even if they make extra-super-duper-sure that the people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.
Speaking is NOT communication
Rather than taking extreme measures to ensure that social security numbers are kept private, people need to simply stop pretending that a social security number is some sort of magic password that can be used to prove that someone is who they claim to be. SSNs should be treated about the same as phone numbers; assume that everyone has one, but also assume that everyone knows it.
"The firm was only given clearance by law enforcement officials to disclose the incident two weeks ago, Lee said"
Now why exactly would they need permission to tell me (if I were a CA resident) that I should be worried about my data being misused? They certainly didn't need any cop's permission to amass it, nor to hand it to a "legitimate" customer.
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).
That the data is about you, and could be damaging to you is inconsequential to them. Anyone could have bought the data from them anyway.
Engineering is the art of compromise.
here are links to the last time they were mentioned on slashdot and my comment on them at that time. these guys just keep getting slimier.
Who is going to jail over this?
If the answer is "no one", then it will happen again.
org.slashdot.post.SignatureNotFoundException: ewg
The use of SSN as a PIN amazes me. The security relies way too much on the fact that no-one is supposed to have access to your SSN. If I get your SSN I can go say my wallet was stolen and you need to have new ID's made. Then get a stack of credit cards in your name. In a couple of days I'll be more you than you are. With so many people requesting to see your SSN in everyday life, this is a serious threat. My girlfriend was even asked to give up her SSN when she paid with a check at a grocery store because she was out of state.
The real problem is there's no public/private key separation. Your credit card number is a secret key, but must be shared in order to do business with it. Ditto for checking account numbers which make direct deposit possible. The reason boils down to sheer laziness on the part of credit issuers. When there's a problem they can soak the merchants and/or customers, so they haven't bothered to fix the system.
That solves your bank deposit problem. Public/private key separation would solve most of the problems.
As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.
So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.
seems awfully sure of his facts.
But I don't see his references in those articles. No links (and I know there are plenty of people who link him). Very few names.
I can sort of understand the lack of names, although it leaves me with questions. People do get scared.
But then he complains about HAVA, and he doesn't say why, except to wave his hands and say it's bad. He could at least put a link in to an article explaining the problems, even if he doesn't want to spend words in that article on the issues.
I can rant, too. But at least I can put a link or two in when it will help explain things.
The lack of explanation, even though I know HAVA was an exercise in how not to help voters, leaves me unconvinced on the other charges.
Do we really want change, or do we just want a bad guy to vent at?
If there's no explanation, charges are forgotten as soon as the TV catches the attention.
One more thing. This one hurts, but getting scared does not protect your rights. You look at the examples we have in the Ukraine and many other countries. People are putting their future on the line for freedom. But in the US, people want the freedoms without the costs.
Real freedom is not free as in beer.
An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisions of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collision (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attempt to use my name to verify my identity, why would I use my SSN?
Companies need to get on the stick and use other verification measures. Using an SSN as an ID # is fine, not as a password, that needs to be something else not related to identity.
Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!
GStreamer - The only way to stream!
Their website. The link to "Latest News" "Record Revenew"
What could be more telling. NO, ASSHOLES, that's NOT THE LATEST NEWS.
If one ever needed evidence of the lying, cheating, dishonorable aspect of American Capitalism, this is it.
Dickheads. Suspender wearing, Blackberry toting, power lunching, lay-offing, ass-kissing, pro-actively cocksucking DICKHEADS.
I can't stand it any more. Where's my Prozac (TM)? These fuckwads are hurting my buzz.
Mod down people who tell people how to mod in their sigs
How would THEY take the transaction tax off?
;-/
Otherwise, perfectly described Swiss bank anonymous account... "But think about the CHILDREN!"...
Yes, there are technical means, and then there are financial/political "considerations". I wish it would happen like you describe, but, really, a snowball chance in hell it will, agreed?
Paul
The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company. A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.
Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)
Free Software: Like love, it grows best when given away.
I'm sorry I don't have time to check facts thoroughly, but here in Italy, personal information does belong to the individual. I think this legislation comes from EU directives.
Basically, you don't own the actual © to the information being stored, but you own all rights to it, except what I'll call "commercial exploitation."
In other words, any company requiring you to hand over personal data (even just name and DoB) must publish a notice in which it officially states it complies with current law, and a legally-binding policy of use of the data (this is similar to the US, AFAIK.) Such policy, here, must include a document which specifies the security measures the company has taken to protect the data, down to a description of their IT systems and "practices," and/or a list of people entitled to access and use these data.
However, the difference is you may officially ask for removal or change of the information from any form of database the company may have, at any time. They have a limited time to comply, and you only need to send snail mail to exercise your rights.
For credit information, AFAIK Italy has a centralized, governmental database for those with officially bad credit (sorry, don't know the legal English term.) Not sure if you have the same rights over it. However, if any bank or commercial institution keeps a copy of the database (possibly with additional information), it must ask for the individuals' permission, and its database must comply with the above legislation.
This doesn't solve the problem of what happens if your data is stolen. However, it gives you the right to withdraw any and all information from a company if it doesn't meet your requirements for trust. Or again, it allows you to erase any and all information from the databases when you're no longer interested in the company's services.
Of course, the fact it requires you to send official snail mail discourages most laypersons from a thorough "personal data management." However, the possibility is there.
This may actually be preferable to a class action. What you wouldn't want to happen in this case is for lots of people to sign their rights away (absolving ChoicePoint of future liability) in exchange for a check that arrives in the mail later to the tune of $53.47 or something that will seem inconsequential once your identity is stolen. Although depending on the egregiousness of the fault, the sum may be greater than that, and it may be in this case. But the point is moot- there will be no class action.
If this happened to me, I'd monitor my credit report closely and lawyer up personally on ChoicePoint's ass the minute anything weird showed up. Everyone complains that people sue too much. But when a corporation leaves your ass flapping in the wind like this, what other redress is there? We should be so lucky that individuals still have the right to sue corporations when they screw us over- things won't stay like this for long.
As someone noted, Choicepoint/Database Technologies are the guys who were paid to scrub Felons from the Florida list of eligible voters before the 2000 & 2004 elections. If you live here you read about em in the papers constantly for shady activity, & they were in a few documentaries about the elections. They were paid an insane amount of money ($4 million no bid contract, see Jeb Bush, FL governor) for what they did, and did a horrible job in return. A few of the problems were they only matched parts of names, not whole names, gender, race, etc...so a black guy w/ a partial name match to a white felon would be unable to vote. This ended up disenfranchising thousands of black voters (frequently democrats) in the 2000 election where Bush only won by 500-600 votes in the state, which led to him winning the election.
At least until Blair and Clarke finish butchering the law to suit their own agenda, this sort of incident occurring in Europe would be almost impossible. The Data Protection Act would prevent ChoicePoint from allowing anyone other than you (besides law enforcement, with warrant) access to your personal information without your explicit consent. For example, when I graduated last summer, I had to sign a DPA waiver so that the University were permitted to release my grades to any potential employers who wanted to look at them in the course of a job application. Of course, all the new government databases in the UK that tie in with our glorious proposed national ID card scheme will be exempt from the DPA, but everyone else in the EU is still bound by it.
A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian) "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".
I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.
As a matter of fact, even supplying personal data to third parties is outright verboten without a solid reason to do so. (And no, money grubbing greed is not considered a solid reason, legally)
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
I keep fraud notices on my credit reports AT ALL TIMES. It is a slight hassle when I do want to open a new account, but that is so damn rare that it's worth the extra protection. I just wish the credit file locking option would be legislated nationwide.
I created my address by purchasing a house and moving into it. I created my credit history by obtaining credit, using it, and paying it off (or not). I created my salary history by getting a job and drawing a salary. I created my education history, GPA, major, minor, and concentration by getting an education. I created this message. I created my marital status. I created my child, though they are creating original art of his own in the form of barf stains and poopy diapers. I created my driving record in the car I purchased (thereby creating a transaction). I created a trip to Alaska last year. I created the purchase of several souvenirs while there. I created a speeding ticket near Healey, though I will concede that the public has the right to know what sorts of idiots they are sharing the road with and place that in the public domain.
I created every single item in that database through my own actions. Any score, categorization, or classification created from that data is a derivative work. Who the hell are they to act like they have more of a right to it than I do?
This is not my sandwich.
PR Problems?
Thousands of people are denied their democratic rights, thousands more have their personal details illicitly accessed, and you call it "PR Problems" ?
"Oh, but it WILL affect their PR!"
Yes, but that is not where the problem lies. The problem lies in the company not being capable of doing its job.
b3 4phr41d 0f my 4bov3-4v3r4g3 c0mpu73r kn0wI3dg3!
MadDwarf
Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:
"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."
Time to start lobbying some other states' legislatures, perhaps.
...Is to make credit bureaus and data aggregators like Choicepoint liable for inappropriate data dissemination.
These companies are in a position of responsibility, but they don't seem to take it very seriously. The credit bureaus have already bribed their way into legislation that makes it your responsibility to correct errors in their data, not them. If we don't act now, they'll bribe (excuse me, I mean "make campaign donations") and get a free pass on handing out your data to the Russian mafia, too. I say make them liable for monetary damages, instead.
Institute it, and watch how fast their security improves. The attitude of: "Oh well, it's not our problem" would be a thing of the past. OR somebody would sue them bankrupt. Either way, the consumer wins.
Plus, the idea of suing these bastards into bankruptcy appeals to me because of Choicepoint's role in George W. Bush's 2000 coup.
Who did what now?
Not so long ago, I was surprisingly refused credit. In fairness, that part wasn't Experian's fault; it was down to an automated address database that didn't recognise the correct form of my address and decided I didn't exist. However, during the follow-up enquiries with the credit card company who'd turned me down, I obtained a copy of my credit record from Experian. There were so many minor inaccuracies it was scary. The best bit was when, at 17:05 after speaking to someone there for five minutes (after about a half-hour on hold), I was asked "whether it really matters, because I'm supposed to go home at 5". I was speechless, and for me that's saying something. ;-)
The really disturbing thing is that despite our actually pretty good data protection rules in the UK (the Data Protection Act does have some teeth, and thus far the Office of the Information Commissioner has proved to be very level-headed and apolitical in its actions) the entire credit and finance industry has basically managed to exempt itself. The credit agencies are allowed to keep files on me without my permission. Those files are obviously grossly inaccurate and poorly maintained, but if I lose out on something because of the bad information I have no recourse. (Well, I can add a "notice of correction" to the file after the fact, after getting a copy of my record at my own expense.) If a financial group turns you down for credit, they basically don't have to tell you anything, other than (a) whether an automated credit scoring system was used (in which case they do have to offer you a reassessment by a real human being) and (b) which credit reference agency/agencies they used.
Now, I'm not a big fan of credit in the first place. I always liked the advice to read "credit" as "debt": "3 years' interest free debt!", "I have a $50mil debt limit on my card!" etc. But in our society today, credit can be a useful tool when used judiciously, and if a market that is fundamental to the way our society currently works is to be allowed to regulate itself to the extent that it currently does, it has to be reasonable about fixing its mistakes. Otherwise, screw 'em, and let fly the lawsuits that everyone else would be subject to if they made the same sort of mistake with the same consequences.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
As an attorney, I would suggest that there is already adequate support in the law for an action against Choice Point. As some posters have already noted, the cost of litigation would prevent individuals from suing separately--the solution in such cases is to file an action on behalf of all those affected. This is called a "class action".
Of course GWB is pushing for "Tort Reform" to eliminate class action lawsuits in the United States.
It doesn't require a tin foil hat to see why this is such a priority for him when a major ally to his campaign is clearly in the sights for such a lawsuit.