Slashdot Mirror
ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
The article further quotes ChoicePoint spokesman Chuck Jones:
Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
I really enjoy how the graphic on the front page of their site reads: "Smarter decisions. Safer world."
It's pretty silly.
Run over someone with my car, i am responsable, and it's a crime. Even if i didn't mean to.
Companys should be held responsable for the data they hold.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
Paul Grosfield - the quicker picker upper.
The story says that these things "are seldom limited to a single geographic area" ...
SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?
We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.
i am a soviet space shuttle
Next big issue is going to be medical records online. While having such information in once location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if your a public figure, the media getting their hands on otherwise private medical records.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
My credit is so poor that stealing my identiy is only going to hurt them. I mean they think they are gettign a free ride, but when Rocko breaks down their door looking for past due payments boy will they be in for a suprise, hell this might be the best thing to ever happen to me!
Incidents such as these are actually rather rare. People abusing information collected either through neglect or in other ways is not as common as proper use.
All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.
(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)
They say "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc."
If the data was that critical and personal, why was it available to "legitamate businesses" in the frist place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?
No Place To Hide
It was truely disturbing. Now that we're permanently at war with the Forces Of Evil (terrorists, for now) people should get used to not having any privacy. Sigh.
California, population approx 30 million, or 1/10 of the US population.
So, the number of stolen identies is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the theives didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to excluse California records because those indidivuals would be on alert).
So, potentially one in every one hundred people in the US now has their electronic profile available for identify theft. That's a scary (although I'll admit unlikely) idea.
Closing question...what exactly is the f'ing differences between a "legitamate" company accessing this ChoicePoint database an an "illegimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, concievable so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Same's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
C'mon! Does every story on /. have to be about Micro$oft?
you had me at #!
The government is one of ChoicePoint's largest customers, so you can be certain that there will be zero rules and regulations imposed on ChoicePoint or similar companies. Nor will you see any changes to the Fair Credit Reporting Act, which affords no penalty to companies that report wrong information on individuals other than once proven incorrect, it is removed.
If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.
Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.
Maybe having to deal with thousands of peeved off consumers will clean up their act.
I highly doubt they would refuse to report that data had been stolen from other states, just because they don't have do.
I very much doubt that they're willing to do this. They're only providing any notification becuase they're required by law to do so; left to their own devices they would ignore it entirely.
People opposed to the Bush victory in 2000 claim that ChoicePoint may have aided in voter disenfranchisement.
*This is not an endorsement of the linked site or the opinions expressed there. I just recall these claims from a Slashdot submission I made a couple years ago related to this.
Someday, you're going to die. Get over it.
Remember the Florida election of 2000 when a private database company scrubbed thousands of eligible voters from the rolls? Well now one of the co-founders of Database Technologies is back in the headlines -- he's working with law enforcement agents in Florida to create what may soon expand into a national surveillance system. We talk with privacy expert Wayne Madsen, investigative reporter Greg Palast and a top intelligence official from the state of Florida.
s .h tm
8 /0 7/1427223
When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citzen in this country and this is who they hired to do it:
Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.
But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!
In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company.During the 2000 presidential election ChoicePoint, gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.
So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.
http://www.oldamericancentury.org/oh_republican
A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.
http://www.democracynow.org/article.pl?sid=03/0
The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter roles before the 2000 election.
Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.
2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.
I would say it's pretty likely they wouldn't report data thefts about people in other states...
It's not wasting time, I'm educating myself.
...can see your social security number, your credit report, your addresses...
...anytime they want...
...um...
...whew?
I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existance? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.
This whole companies' existance and screwup just stamps out all notions of privacy I had, now not only theives profitted from me without even notifying/asking me, but now criminals can benefit from my existance too.
Apparently the only defense against this kind of thing is to have really bad credit.
I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSN a day. They don't track who enters what data so I could of easily wrote down a few SSNs along with the person name, phone number, address, etc without anyone knowing I had done it. Even if they make extra-super-duper-sure that they people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.
Speaking is NOT communication
Rather than taking extreme measures to ensure that social security numbers are kept private, people need to simply stop pretending that a social security number is some sort of magic password that can be used to prove that someone is who they claim to be. SSNs should be treated about the same as phone numbers; assume that everyone has one, but also assume that everyone knows it.
When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).
That the data is about you, and could be damaging to you is incosequential to them. Anyone could have bought the data from them anyway.
Engineering is the art of compromise.
The use of SSN as a PIN amazes me. The security relying way to much on the fact that no-one is suppose to have access to your SSN. If you get your SSN I can go say my wallet was stolen and you need to have new ID's made. Then get a stack of credit cards in your name. In a couple of days I'll be more you than you are. With so many people requesting to see you SSN in everyday life. This is a serious threat. My girlfriend was even asked to give up her SSN when she paid with a check at a grocery store because she was out of state.
The real problem is there's no public/private key separation. Your credit card number is a secret key, but must be shared in order to do business with it. Ditto for checking account numbers which make direct deposit possible. The reason boils down to sheer laziness on the part of credit issuers. When there's a problem they can soak the merchants and/or customers, so they haven't bothered to fix the system.
That solves your bank deposit problem. Public/private key separation would solve most of the problems.
As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.
So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.
An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisons of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collison (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attmept to use my name to verify my identity, why would I use my SSN?
Companies need to get on the stick and use other verification measures. Using an SSN as na ID # is fine, not as a password, that needs to be something else not related to identity.
Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!
GStreamer - The only way to stream!
The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company. A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.
Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)
Free Software: Like love, it grows best when given away.
As someone noted, Choicepoint/Database Technologies are the guys who were paid to scrub Felons from the Florida list of eligible voters before the 2000 & 2004 elections. If you live here you read about em in the papers constantly for shady activity, & they were in a few documentaries about the elections. They were paid an insane amount of money ($4 million no bid contract, see Jeb Bush, FL governor) for what they did, and did a horrible job in return. A few of the problems were they only matched parts of names, not whole names, gender, race, etc...so a black guy w/ a partial name match to a white felon would be unable to vote. This ended up disenfranchising thousands of black voters (frequently democrats) in the 2000 election where Bush only won by 500-600 votes in the state, which led to him winning the election.
A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".
I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.
As a matter of fact, even supplying personal data to third parties is outright verboten without a solid reason to do so. (And no, money grubbing greed is not considered a solid reason, legally)
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:
"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."
Time to start lobbying some other states' legislatures, perhaps.
...Is to make credit bureaus and data aggregators like Choicepoint liable for inappropriate data dissemination.
These companies are in a position of responsibility, but they don't seem to take it very seriously. The credit bureaus have already bribed their way into legislation that makes it your responsibility to correct errors in their data, not them. If we don't act now, they'll bribe (excuse me, I mean "make campaign donations") and get a free pass on handing out your data to the Russian mafia, too. I say make them liable for monetary damages, instead.
Institute it, and watch how fast their security improves. The attitude of: "Oh well, its not our problem" would be a thing of the past. OR somebody would sue them bankrupt. Either way, the consumer wins.
Plus, the idea of suing these bastards into bankruptcy appeals to me because of Choicepoint's role in George W. Bush's 2000 coup.
Who did what now?