Slashdot Mirror
ChoicePoint Identity Theft Fallout Widens
dstates writes "A unique California law forced ChoicePoint to reveal that a break-in had compromised accounts revealing personal information on 40,000 southern californians and leading to more than 750 cases of identity theft. The company initially denied that the break-in compromised consumers outside of California, but CNN is now reporting that 110,000 accounts nationally have been compromised. 'The irony appears to be that ChoicePoint has not done its own due diligence in verifying the identities of those 'businesses' that apply to be customers,' said Beth Givens, director of the Privacy Rights Clearinghouse. 'They're not doing the very thing they claim their service enables their customers to achieve.'"
I emailed Choicepoint demanding an explanation. here is the response:
From: CorpMktg.Communications@choicepoint.com
ChoicePoint was recently a victim of organized fraud, and we understand
this news may be cause for concern.
A very small number of criminals posed as legitimate companies in order to
gain access to personal information about consumers. When the fraud was
discovered, access to information was immediately discontinued and the
authorities were notified.
ChoicePoint has acted quickly to address the circumstances that led to the
unauthorized access, and we are committed to our core principles of working
to create a safer, more secure society through the responsible use of
information while ensuring the protection of personal privacy.
We are sending letters to affected consumers whose information may have
been accessed. If you do not receive a letter from us, you have not been
affected.
If you have not received a letter but are still concerned, here are some
actions you can take to help protect yourself from misuse of information.
If you think you have been the victim of identity theft, you should place a
fraud alert on your credit report by contacting any one of the three credit
bureaus listed below. As soon as one credit bureau confirms your fraud
alert, the other two bureaus will automatically be notified to place fraud
alerts on your credit report, and all three reports will be sent to you
free of charge.
Equifax
800-525-6285
P.O. Box 740241
Atlanta, GA 30374-0241
www.equifax.com
Experian
888-397-3742
P.O. Box 9532
Allen, TX 75013
www.experian.com
TransUnion - Fraud Victim Assistance Division
800-680-7289
P.O. Box 6790
Fullerton, CA 92864-6790
www.transunion.com
When you receive your credit reports, review them carefully. Look for
inquiries you did not initiate, accounts you did not open, and unexplained
debts on the accounts you did open. If there are accounts or charges you
did not authorize, immediately notify the credit bureau by telephone and in
writing.
You should also confirm that information such as your Social Security
number, address(es), first and last names, middle initial and employers are
correct. Errors in this information are often the warning signs of identity
theft, although some inaccuracies may be due to simple mistakes. If you
discover inaccuracies in your report, you should also notify the credit
bureau as soon as possible so the information can be investigated.
You should continue to check your credit reports frequently for the next
year to make sure no new fraudulent activity has occurred.
Finally, if you have discovered errors or suspicious activity on your
credit report, you should consider immediately contacting any credit card
companies with whom you have an account and inform them about the activity.
You should make sure they have your correct information on file and that
any changes to the account were made by you.
If you would like to learn more about your consumer information, you may
visit our consumer site at www.choicetrust.com.
Thank you,
ChoicePoint Corporate Marketing
Just wait for a letter from a law firm informing you that you are a member of the class action suit against ChoicePoint.
optional additional steps:
2. Do nothing.
3. Profit!!!
Actually, you can receive a copy of your profile.
This page on the ChoicePoint web site points to Choicetrust. (Insert joke about the mane choice here)
From the Choicepoint web site:
FACT Act Compliance
The Fair and Accurate Credit Transactions Act (FACT Act) was enacted in 2003 and amends the Fair Credit Reporting Act (FCRA), a federal law that regulates, in part, who is permitted to access your consumer report information and how it can be used. The FACT Act entitles consumers to obtain one free copy of his/her consumer file from certain consumer reporting agencies during each 12-month period.
ChoicePoint has three separate companies that maintain consumer files that are subject to the free disclosure requirement: C.L.U.E. Inc. maintains information on insurance claims histories, ChoicePoint WorkPlace Solutions Inc. maintains employment history information, and Resident Data Inc. maintains tenant history information. Each of these companies designed an easy process for consumers to request their free file disclosure.
Please note that a consumer file does not necessarily exist for you with any one of the three companies. For example, if you have not filed a claim with your auto or home insurance company during the last five years, we will not have a report on you. If you have not applied for employment with a customer that we serve, we likely will not have an employment history report on you. If you have not submitted a residential lease application with a customer that we serve, we will likely not have a tenant history report on you.
To request copies of your claims history report, visit www.ChoiceTrust.com or call 1-866-312-8076.
To request a copy of your employment history report, call 1-866-312-8075.
To request a copy of your tenant history report, call 1-877-448-5732.
If you would prefer to send your request by mail, please send your name and address to the appropriate address below. A report request form will be sent to you to complete and return.
For claims history reports:
ChoicePoint Consumer Disclosure Center
P.O. Box 105295
Atlanta, GA 30348
For employment history reports:
ChoicePoint WorkPlace Solutions Consumer Disclosure Center
P.O. Box 105292
Atlanta, GA 30348
For tenant history reports:
Resident Data Consumer Disclosure Center
P.O. Box 850126
Richardson, TX 75085-0126
"Live Free or Die." Don't like it? Then keep out of the USA
Strike 3 I guess for them. They got into a boatload o' trouble in 03' for "acquiring" :) 250M records from various Latin American countries without their knowledge. Never hit the media widespread though.
It's a shame too. It took five of us to develop atxi.com, and they raked in a ton' o' cash from the gvt.
This news won't hurt them all too much.
We need to have laws that changed that prevent private companies from collecting data, or requesting data on citizens unless the person concerned permits it. I know the credit scores are important yada, yada, but its our data, and we should own it. Companies that profit from our data should be required to take our permission to collect and distribute it.
Any fellow californians interested in starting a initiative for this? Especially those who know how to go about it- I don't!
That they're announcing that they're 'only' informing 100,000 other US residents can be explained in any of the following ways:
- The attacks were focused on CA residents, for some reason.
- They have only identified 100,000 people this week, and there's another 3 weeks of work to do.
- They are willfully underreporting the actual numbers and hoping that nobody will do the research to prove them wrong.
- Given that the law doesn't require them to inform everybody who got hit, they're only informing those non CA residents who got hit the worst. 2/3 of the people who would have been informed under CA law will never know...
The most interesting information is between the lines. Learn to read there more often. ("Diplomacy is the art of telling a lion 'Nice kitty kitty' while you search for a big rock. Media relations is doing for a company what a diplomat does for a country.")Sometimes boldness is in fashion. Sometimes only the brave will be bold.
California, at lesat, has stalking laws that makes it a criminal offense to follow another person around etc. Now we need laws that would make it illegal for companies to stalk, archive, or release personal financial records to third parties. In particular it should be be legal for any person or corporation, such as a bank, that reports financial matters about a person to the IRS to request or store social security numbers. The rest should be subject for severe penalties. I suppose that the companies would then just move off shore, thoug.
We in Southern Califonia were advised that we should watch our credit reports for unusual activity to detect identity theft. That activity might be a request for a credit report from Honest John's Automobile sales in Texas. You can get a free credit report once a year from each credit agency - the rest you pay for. Great.
Nate
Actually it goes alot further than that... including:
ChoicePoint buys up state (and probably federal) government records like nobody's business. Most States sell all these records directly or indirectly to ChoicePoint.
Having said that, most States also have (or I would assume they have, I know mine does) privacy statutes which restrict how this information can be used.n (e.g. no purchase by or reselling to telemarketers!)
Please google choicepoint florida election 2000 http://www.google.com/search?hl=en&q=choicepoint+f lorida+election+2000/. That should reassure you that they have your best interest at heart
is if someone looked up on Choicepoint, say, the CEO and other high-ranking executives and posted all their personal information here.
The karmic justice of these clowns having to spend substantial time and money trying to protect their credit history and whatnot would be priceless.
I'm not advocating that anyone should do this. I just think it would be justice because we're certainly not going to see any otherwise.
Er, actually, the very same Freedom of Information Act that grants you the right to look at the records that the government keeps about YOU also grants ChoicePoint the right to obtain those self same records. See here.
Ita erat quando hic adveni.
The ChoicePoint security fiasco is part of a larger problem -- the fact that companies dealing in personal data are not providing adequate security and that they are not well regulated. What makes matters worse is that ChoicePoint is increasingly supplying its information to the government, including the FBI and IRS.
. 16.04.html
t al-Person.htm
Back in December 2004, I along with the Electronic Privacy Information Center wrote a letter to the FTC arguing that the FTC should open an investigation of ChoicePoint: http://www.epic.org/privacy/choicepoint/fcraltr12
This letter might be of interest, as it explains the extensiveness of the data companies like ChoicePoint have and how it affects people's lives.
I also argued in my new book, THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE, that identity theft and other privacy problems are caused not by technology but by irresponsible business practices. Everybody seems to be saying that in today's world of information technology, privacy is dead. The culprit is technology, and since it is foolish to believe that it can be stopped, there's little hope. I argue that this isn't the case. The culprit is government and business practices. There's a "digital person" that is a counterpart to people, not composed of flesh and blood but of bits and bytes of personal information gathered together in databases. The digital person is a representation of ourselves in the world of computers. But this is only part of the story. Increasingly, decisions about us are made by looking to our digital person. What happens to our digital person in the digital world is increasingly having effects in realspace to our real person. It is this problem that I explore, and I argue that the answer is regulating government and businesses - not technology. For those interested in learning more, I encourage you to read the FTC letter as well as my book. Here's the book's website: http://www.law.gwu.edu/facweb/dsolove/Solove-Digi
ChoicePoint used to be part of Equifax. It's based in Atlanta. They seperated from Equifax 7-8 years ago into their own company. Like the Credit Reporting Agencies it makes money from sellin gyour personal information.
I used to work for Trans Union's version of the company that was name TU-Dateq. We specialized in the Insurance industry, very similiar to their CLUE database.
Depending on what kind of access they gave these clients, they could have even gotten your credit reports.
Even 8-9 years ago when I worked in this industry there was software for insurance providers that would pull your credit report, accident information, as well as your motor vehicle report. And put this all into one little form.
I haven't followed the industry in a while, but I believe Dateq got swallowed up by ChoicePoint. But there are many other companies just like this with huge databases on your personal information, and these companies link them all together.
Where does this information come from, your insurance companies all send in the information. That's part of the agreement for them to be able to research you, is that they have to participate.
It's all pretty slimy.
Anonymous Coward
After all, this is the same company that put him in the White House in the first place. Or have you forgotten that he claims to have won by 500 votes while ChoicePoint helped disenfranchise thousands of primarily Democratic voters.
Bunk. ChoicePoint (actually, Database Technologies, which was later bought by ChoicePoint) was contracted to generate the felon list that was mandated by a new 1998 Florida law, and this law was designed to compensate for an imperfect list. It clearly placed the burdon of verifying the names on the individual county election supervisors, and over half of them didn't even use the list at all.
The end result? When the USCCR held hearings, they were unable to find a single person that was actually disenfranchised because of the felon list.
If somebody was wrongly identified as a felon and wrongly prevented from voting because of that (and this is a big "if"), the blame lies solely with the election supervisor of the county that he/she lives in.
"The defense of freedom requires the advance of freedom" - George W Bush
Unfortunately, this is very unlikely to happen in the United States.
While doing research for my graduate thesis on, among other things, privacy law, I found several quotes from high-ranking US politicians where they explicitly stated that they believed that US citizens did not have the right to ownership of their own personal data. Quite a bad stat if Americans wish to have personal data protection laws similar to those in Europe.
People say I'm crazy, I got diamonds on the soles of my shoes...
I am the lead software arc for a competitor of Choicepoint's and, although I do feel this situation is extremely serious and understand why people are pissed off, find it odd anyone would demand that Choicepoint be closed, CEO jailed, etc...
.. but wait, can't the organizations verify information themselves going through county and state govt records? The answer, even if you throw away the cost, time and materials and added personnel, is no, not completely. Here's why. When people apply for a job, volunteer or anything else that requires their past be investigated, there is always a spot for your current address and sometimes a spot for your previous addresses. It used to be that the company you are applying with took your word that you lived where you said you lived and they only investigated those counties, states, etc... If you committed a crime in a county you didn't want revealed, you simply didn't fill it out. Nowadays, regardless of what you put on the application, all of your previous addresses will be discovered and searched (depending how many back the searching company is willing to pay for -- usually 3 to 5). This is a very valuable service and out of reach for companies and organizations that don't specialize in this type of research. Speaking as a father and not a background researcher, I'm glad that the Girl Scouts (using Choicepoint) screen every volunteer in this fashion . I'd think you all would be too.
Regardless of the privacy issues, someone is going to store, manage and sell your information because it fills a valuable need in a whole host of circumstances. It is vitally important to verify someone's background prior to oferring a job or accepting volunteers. This isn't just job justification here. It goes without saying that you cannot allow convicted thieves to work a cash register job or child molesters to volunteer for the Cub Scouts (two things that are surprisingly common). Ah
Now bear in mind that I'm not defending Choicepoint. Hell, it would benefit me greatly if they were closed down. I do find their account setup procedures to be unbelievably remiss. We require DUNS number, plus corp bank account/history/references and articles of incorp (if applicable) and will not establish an account without them (even then account is ran in audit state for two months to ensure compliance). Keep in mind that if your organization wants run credit reports or motor vehicle searches, then there is an entire mountain of paperwork that must be completed, filed and approved by state DOT and the three credit companies. We also require client certs from integration clients and store no info in our db that isn't encrypted. I believe Choicepoint does the same. The way I understand that the info was compromised was that fake accounts were set up, a list of names was purchased from somewhere, and those names were then searched (either credit report or skip trace or some other identifying report) to obtain the information. Choicepoint's failure lay in social engineering and poor account verification practices.
What it comes down to is, someone is going to keep and store your information. Would you rather it was the govt with its track record of managing security and accuracy or private industry? Me, I'll take private industry.
Alex
What's even more ironic is that their CISO won the 2004 ISE Information Security Executive of the Year award for the state of Georgia.