ChoicePoint Data Stolen By Imposters

← Back to Stories (view on slashdot.org)

ChoicePoint Data Stolen By Imposters

Posted by timothy on Monday February 14, 2005 @02:06PM from the smarter-decisions-safer-world dept.

swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."

20 of 381 comments (clear)

Ineptness to the point of being evil by Eric+Smith · 2005-02-14 14:07 · Score: 5, Insightful

The MSNBC article quotes the consumer notification:
You should continue to check your credit reports frequently for the next year.
If I get the notification, I'm going to request that ChoicePoint pay the costs for me to subscribe to unlimited credit report access from all three credit bureaus. IIRC, that costs about $100/year for each bureau. Since it's ChoicePoint's screwup, I shouldn't have to pay the costs necessary for early detection of fraud in my credit report.
The article further quotes ChoicePoint spokesman Chuck Jones:
But ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed
Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!
The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
1. Re:Ineptness to the point of being evil by LostCluster · 2005-02-14 14:16 · Score: 5, Insightful
  
  The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
  
  Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...
2. Re:Ineptness to the point of being evil by yog · 2005-02-14 14:31 · Score: 5, Insightful
  
  This is really scary.
  
  The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.
  
  Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.
  
  I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.
  
  A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.
  
  This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.
  
  --
  it's = "it is"; its = possessive. E.g., it's flapping its wings.
3. Re:Ineptness to the point of being evil by eh2o · 2005-02-14 14:39 · Score: 5, Informative
  
  according to a new federal law, The Fair and Accurate Credit Transactions Act (passed in Dec 2003) you are entitled to a free comprehensive credit report yearly. The big three have an official website at www.annualcreditreport.com (no link b/c they reject unofficial referals) where you can claim your report. (though its not available yet for the mid and eastern states, it will be by the end of 2005).
4. Re:Ineptness to the point of being evil by Riddlefox · 2005-02-14 14:58 · Score: 5, Insightful
  
  Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.
  Just out of curiousity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?
5. Re:Ineptness to the point of being evil by mingot · 2005-02-14 15:04 · Score: 5, Interesting
  
  By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.
  
  Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify they potential employer that they had made a mistake.
if i *accidentally* ... by GNUALMAFUERTE · 2005-02-14 14:12 · Score: 5, Insightful

Run over someone with my car, i am responsable, and it's a crime. Even if i didn't mean to.

Companys should be held responsable for the data they hold.

--
WTF am I doing replying to an AC at 5 A.M on a Friday night?
1. Re:if i *accidentally* ... by ScrewMaster · 2005-02-14 14:48 · Score: 5, Insightful
  
  More importantly, they should be held responsible for what happens to people when that stored information is stolen or otherwise misused. And if the punishing of that company for its negligence forces it out of business ... tough. It simply isn't enough to say, "Sorry, and oh, by the way, we've implemented some new security policies so this shouldn't happen again. We hope. Once again, sorry for the inconvenience." Really, it's more akin to collecting all kinds of flammable and explosive materials and storing them in a rickety old warehouse in the middle of a populated area. You shouldn't be able to get off with an apology and a promise to do better when that warehouse explodes, flattens the nearby buildings and kills a bunch of people.
  
  Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.
  
  I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.
  
  --
  The higher the technology, the sharper that two-edged sword.
Legal question by mctk · 2005-02-14 14:12 · Score: 5, Interesting

Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?

--
Paul Grosfield - the quicker picker upper.
1. Re:Legal question by MillionthMonkey · 2005-02-14 14:54 · Score: 5, Informative
  
  Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
  
  Ordinarily in a case like this a class action would be brought against the company. The "Class Action Fairness Act" will shift class actions from state to federal court. Ostensibly this was done to prevent venue shopping- where you look for the state with the most favorable laws for your class action suit- but it also has the nice property that federal courts rarely agree to hear class action lawsuits, citing differences in state law. The Act effectively puts an end to all class action suits without explicitly banning them.
  
  If you're a victim of identity theft because your Social Security number was compromised by ChoicePoint, you'll have to hire a lawyer yourself, prove that the identity theft was a result of ChoicePoint's negligence, and your case will be heard separately from those filed by any other plantiffs.
poor credit score keeps me safe. by isbhod · 2005-02-14 14:15 · Score: 5, Funny

My credit is so poor that stealing my identiy is only going to hurt them. I mean they think they are gettign a free ride, but when Rocko breaks down their door looking for past due payments boy will they be in for a suprise, hell this might be the best thing to ever happen to me!
The real problem here isn't the break-in... by Anonymous Coward · 2005-02-14 14:16 · Score: 5, Insightful

They say "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc."

If the data was that critical and personal, why was it available to "legitamate businesses" in the frist place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?
1. Re:The real problem here isn't the break-in... by AndroidCat · 2005-02-14 14:47 · Score: 5, Funny
  
  They're only criminals because they didn't pay for their access, duh. ;)
  
  --
  One line blog. I hear that they're called Twitters now.
Re:So who ELSE is affected!? by LostCluster · 2005-02-14 14:19 · Score: 5, Insightful

They're only telling the California residents because only California has a state law that requires notification... sound like a law that needs to be passed in 49 other states.
"Criminals posing as legitimate businesses" by toby · 2005-02-14 14:19 · Score: 5, Funny

C'mon! Does every story on /. have to be about Micro$oft?

--
you had me at #!
Re:Thats only what they are required to report by Koiu+Lpoi · 2005-02-14 14:22 · Score: 5, Funny

I highly doubt they would refuse to report that data had been stolen from other states, just because they don't have do.
Where's the Upside? by LighthouseJ · 2005-02-14 14:53 · Score: 5, Interesting

I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existance? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.

This whole companies' existance and screwup just stamps out all notions of privacy I had, now not only theives profitted from me without even notifying/asking me, but now criminals can benefit from my existance too.
Re:Do a little quick math by drinkypoo · 2005-02-14 15:33 · Score: 5, Informative

U.S. Law allows for certain types of personal information to be made available to people for certain reasons, such as the collection of debts. The databases are very interesting to look at (which I have done legitimately in the course of attempting to collect some debts, when my father was working for a company that did that. I found it distasteful and went out of my way to avoid calling anyone, and just doing computer searches...)
The databases basically involve public records from every county in a state describing ownership, professional licenses, et cetera. They often include every piece of information involved in submitting a request for some type of certification. Land deeds, for example, are in there, as well as contractor's licenses. A lot of that information is public record, but the stuff that isn't is the address (that's sometimes but very rarely public) and sometimes social security number. If you can establish that someone was at a certain address, and get a social from that address, hopefully correlating it with another address and matching (or near-matching) social security number, then you can look that ssn up in connection with all kinds of other items. This can connect them to any number of other people who you can bother for their phone number.
Eventually, you can find property, and depending on what state it's in you can sometimes take it away. California makes it pretty hard to do that kind of stuff to someone; you can't take away a home which is also a business, for example, and you can't take away someone's primary automobile -- unless you're the lien holder, that is. Or, well, the federal government.
Notice above I said something about a near-matching SSN? All of this stuff is near-matching. The problem is that someone might write their name (or other information) carefully in one place and illegibly in another. They might of course also forget or "forget" the number and misenter it. Finally, let us not forget the wonders of data entry and the errors therein. Some forms are OCR'd (anything typed) and some were probably hand entered. The record only goes back so far as well, but it's generally pretty far.
Anyway, anyone with a business that has a reason to need to do that kind of thing can get access to those databases. They can tell what you were doing with it, so if you do something naughty, they could tell.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Put the slashdot effect to good use by Omega+Hacker · 2005-02-14 17:29 · Score: 5, Interesting

Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!

--
GStreamer - The only way to stream!
Experian (in UK) also screws you : my experience by fantomas · 2005-02-14 21:43 · Score: 5, Informative

Experian is a company in the UK (I believe they may be USian) that holds credit information, and is used by many UK companies to check credit records.
A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".

I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.