ChoicePoint Identity Theft Fallout Widens
dstates writes "A unique California law forced ChoicePoint to reveal that a break-in had compromised accounts revealing personal information on 40,000 Southern Californians and leading to more than 750 cases of identity theft. The company initially denied that the break-in compromised consumers outside of California, but CNN is now reporting that 110,000 accounts nationally have been compromised. 'The irony appears to be that ChoicePoint has not done its own due diligence in verifying the identities of those 'businesses' that apply to be customers,' said Beth Givens, director of the Privacy Rights Clearinghouse. 'They're not doing the very thing they claim their service enables their customers to achieve.'"
ChoicePoint: "Who goes there?"
Voice: "Thurston Howell III"
ChoicePoint: "A likely story!"
Voice: "Sherlock Holmes"
ChoicePoint: "We weren't born yesterday!"
Voice: "Landshark"
ChoicePoint: "That's better, here's 35,000 files, let us know if you need anymore."
A feeling of having made the same mistake before: Deja Foobar
Seriously- this isn't paperclips these people are selling, IT'S YOUR PERSONAL DATA. They need to be closed, and whoever is responsible needs to go to jail- and everyone involved in covering up the crime deserves to live in poverty for the rest of their fucking lives.
Well, funny that you mention that. What computer cracker goes into a network and *only* steals the data for 1 state?? No one! Choicepoint was flat out lying and being unfair to the consumer by stating that only California was affected. It was only when the heat was turned on them by the news media & the internet bloggers that they admitted that more people were affected & would be notified.
How does someone determine if Choicepoint had data on them?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
What really upsets me is how they originally denied that anyone outside of California had their information compromised.
If they did that, it would cost them business. That would cost them profit. They're a company. Next question?
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
"leading to more than 750 cases of identity theft." I wonder how many total cases of identity theft this incident will cause.
The only way to know is to notify all people that had their identity stolen. All 50 states need to have an ID theft law like California.
Either way, how many more times do things like this need to occur before people will become widely convinced that companies such as these need to be more thoroughly scrutinized?
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
This is what you get when consumer information is obtained and stored behind a cloak of secrecy. This is what you get when privacy laws are not enforced or valued. This is what you get when the standard consumer is ignorant and apathetic to the importance of personal information.
"The company initially denied that the break-in compromised consumers outside of California"
Did they actually deny that no one outside of California was compromised, or was it just that they weren't legally obligated to inform anyone outside of the state? From Monday's story, I got the distinct impression that it was the latter (i.e., no legal obligation), rather than outright deception. Regardless, it's still a really crappy thing to have happened.
(On a personal note, given that the break-in happened months ago, and I just got my yearly free credit reports from the 3 agencies and didn't see anything suspicious, I guess I'm a lucky SoCalifornian...)
I emailed Choicepoint demanding an explanation. Here is the response:
From: CorpMktg.Communications@choicepoint.com
ChoicePoint was recently a victim of organized fraud, and we understand
this news may be cause for concern.
A very small number of criminals posed as legitimate companies in order to
gain access to personal information about consumers. When the fraud was
discovered, access to information was immediately discontinued and the
authorities were notified.
ChoicePoint has acted quickly to address the circumstances that led to the
unauthorized access, and we are committed to our core principles of working
to create a safer, more secure society through the responsible use of
information while ensuring the protection of personal privacy.
We are sending letters to affected consumers whose information may have
been accessed. If you do not receive a letter from us, you have not been
affected.
If you have not received a letter but are still concerned, here are some
actions you can take to help protect yourself from misuse of information.
If you think you have been the victim of identity theft, you should place a
fraud alert on your credit report by contacting any one of the three credit
bureaus listed below. As soon as one credit bureau confirms your fraud
alert, the other two bureaus will automatically be notified to place fraud
alerts on your credit report, and all three reports will be sent to you
free of charge.
Equifax
800-525-6285
P.O. Box 740241
Atlanta, GA 30374-0241
www.equifax.com
Experian
888-397-3742
P.O. Box 9532
Allen, TX 75013
www.experian.com
TransUnion - Fraud Victim Assistance Division
800-680-7289
P.O. Box 6790
Fullerton, CA 92864-6790
www.transunion.com
When you receive your credit reports, review them carefully. Look for
inquiries you did not initiate, accounts you did not open, and unexplained
debts on the accounts you did open. If there are accounts or charges you
did not authorize, immediately notify the credit bureau by telephone and in
writing.
You should also confirm that information such as your Social Security
number, address(es), first and last names, middle initial and employers are
correct. Errors in this information are often the warning signs of identity
theft, although some inaccuracies may be due to simple mistakes. If you
discover inaccuracies in your report, you should also notify the credit
bureau as soon as possible so the information can be investigated.
You should continue to check your credit reports frequently for the next
year to make sure no new fraudulent activity has occurred.
Finally, if you have discovered errors or suspicious activity on your
credit report, you should consider immediately contacting any credit card
companies with whom you have an account and inform them about the activity.
You should make sure they have your correct information on file and that
any changes to the account were made by you.
If you would like to learn more about your consumer information, you may
visit our consumer site at www.choicetrust.com.
Thank you,
ChoicePoint Corporate Marketing
Tell me one person who would be against putting these executives in JAIL. They were entrusted with data on almost every human being in the United States and they FAILED US. Get the stake, timbers, gasoline, and matches. Heaven knows I am ready for blood.
These kinds of California "sunshine" laws are also the only reason we found out about Enron before it took the whole US economy, not just Houston, down with it. Enron was required by California law, under their misnamed "deregulation" system, to open its books, because it was supplying a lot of energy to Californians. Enron refused, claiming that, as a Texas company, it was not under California jurisdiction. That was when Governor Davis famously asked the Federal Department of Energy to step in, to resolve this interstate conflict. The DOE refused to referee, and Davis eventually found other means to force open Enron's books. When they were reviewed, not only was $8B in California overcharges revealed, but the entire network of Enron debt-laundering was exposed. As well as the rest of their system-gaming that took them out.
California is far from perfect. But their 35M consumers are unusually well protected by laws in the public interest. The economy of California scale forces car makers around the country, and around the world, to comply with their higher standards. Perhaps we will see California's own self interest protect us from other scams like these, as we all get closer to the Golden State.
--
make install -not war
I love the way marketing companies have more access to my personal information than I do. Moreover, they're among the "legitimate" businesses who the company claims it sells information to -- any dick and harry spammer joint can be called a "marketing company". In other words, if you have enough money to pour down their gullet, you have the information.
The company says its records enable law enforcers to track down serial killers and have helped find 822 missing children.
Yeah, since they help children, they cannot be an irresponsible company.
"The topic of the responsible use of information is a vital one to our society ... we support a national debate on this very topic," ChoicePoint President Doug Curling said.
Classic tangential marketspeak response from the president.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Just wait for a letter from a law firm informing you that you are a member of the class action suit against ChoicePoint.
optional additional steps:
2. Do nothing.
3. Profit!!!
Well, I just got your credit report from the 3 agencies, and I feel obliged to tell you that with an average FICO score of 559, you probably shouldn't be calling yourself lucky.
500GB of disk, 5TB of transfer, $5.95/mo
Looks like their stock is still doing ok. Although that could change come Monday. Graph
Do really dense people warp space more than others?
Checkpoint Client Verification = Did the check clear? If yes then WELCOME ABOARD!
Actually, you can receive a copy of your profile.
This page on the ChoicePoint web site points to Choicetrust. (Insert joke about the name choice here)
From the Choicepoint web site:
FACT Act Compliance
The Fair and Accurate Credit Transactions Act (FACT Act) was enacted in 2003 and amends the Fair Credit Reporting Act (FCRA), a federal law that regulates, in part, who is permitted to access your consumer report information and how it can be used. The FACT Act entitles consumers to obtain one free copy of his/her consumer file from certain consumer reporting agencies during each 12-month period.
ChoicePoint has three separate companies that maintain consumer files that are subject to the free disclosure requirement: C.L.U.E. Inc. maintains information on insurance claims histories, ChoicePoint WorkPlace Solutions Inc. maintains employment history information, and Resident Data Inc. maintains tenant history information. Each of these companies designed an easy process for consumers to request their free file disclosure.
Please note that a consumer file does not necessarily exist for you with any one of the three companies. For example, if you have not filed a claim with your auto or home insurance company during the last five years, we will not have a report on you. If you have not applied for employment with a customer that we serve, we likely will not have an employment history report on you. If you have not submitted a residential lease application with a customer that we serve, we will likely not have a tenant history report on you.
To request copies of your claims history report, visit www.ChoiceTrust.com or call 1-866-312-8076.
To request a copy of your employment history report, call 1-866-312-8075.
To request a copy of your tenant history report, call 1-877-448-5732.
If you would prefer to send your request by mail, please send your name and address to the appropriate address below. A report request form will be sent to you to complete and return.
For claims history reports:
ChoicePoint Consumer Disclosure Center
P.O. Box 105295
Atlanta, GA 30348
For employment history reports:
ChoicePoint WorkPlace Solutions Consumer Disclosure Center
P.O. Box 105292
Atlanta, GA 30348
For tenant history reports:
Resident Data Consumer Disclosure Center
P.O. Box 850126
Richardson, TX 75085-0126
"Live Free or Die." Don't like it? Then keep out of the USA
I'm an Oregonian... so you know it takes a lot for me to say anything nice about California but...
I just want to thank California for their identity fraud laws that force businesses to disclose when an unauthorized person has accessed records illegally. If it weren't for that, we probably wouldn't know anything about this.
Maybe this is nitpicking, but could we please go back to saying "citizens" instead of "consumers?" Because consumers take whatever crap you give them. Citizens don't.
And yes, I live in California and yes I've RTFA, this is just an angry response not a true question.
Apparently 110,000 people already did.
We need to have laws that changed that prevent private companies from collecting data, or requesting data on citizens unless the person concerned permits it. I know the credit scores are important yada, yada, but it's our data, and we should own it. Companies that profit from our data should be required to take our permission to collect and distribute it.
Any fellow Californians interested in starting an initiative for this? Especially those who know how to go about it- I don't!
They were reporting California because they had absolutely no choice in the matter because of legal requirements in California. It's a very good thing for all people who have information at Choicepoint that California has that law. Otherwise I have little doubt any of us would know about it.
I do wonder if it would be beneficial to identity thieves to expressly avoid stealing information about California residents to limit knowledge of their efforts. If those 100K people weren't notified by Choicepoint, it'd give them a lot more freedom to exploit that pile of information.
This sig has been temporarily disconnected or is no longer in service
That they're announcing that they're 'only' informing 100,000 other US residents can be explained in any of the following ways:
- The attacks were focused on CA residents, for some reason.
- They have only identified 100,000 people this week, and there's another 3 weeks of work to do.
- They are willfully underreporting the actual numbers and hoping that nobody will do the research to prove them wrong.
- Given that the law doesn't require them to inform everybody who got hit, they're only informing those non CA residents who got hit the worst. 2/3 of the people who would have been informed under CA law will never know...
The most interesting information is between the lines. Learn to read there more often. ("Diplomacy is the art of telling a lion 'Nice kitty kitty' while you search for a big rock. Media relations is doing for a company what a diplomat does for a country.")
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Bush just signed a bill to curb class action lawsuits. link to full story below:
http://abcnews.go.com/Politics/wireStory?id=51277
Before condemning all of ChoicePoint look at all of the good things they have done like solving hundreds of rape cases, finding missing children, and doing the DNA tests of thousands of crimes. This incident is the result of one office's mistakes and I don't think it is representative of who they are as a whole. If someone wants information bad enough they'll get it. Look at how many times the CIA's website has been hacked into.
California, at least, has stalking laws that make it a criminal offense to follow another person around etc. Now we need laws that would make it illegal for companies to stalk, archive, or release personal financial records to third parties. In particular it should be legal for any person or corporation, such as a bank, that reports financial matters about a person to the IRS to request or store social security numbers. The rest should be subject for severe penalties. I suppose that the companies would then just move off shore, though.
We in Southern California were advised that we should watch our credit reports for unusual activity to detect identity theft. That activity might be a request for a credit report from Honest John's Automobile sales in Texas. You can get a free credit report once a year from each credit agency - the rest you pay for. Great.
Nate
Meanwhile, in that Bastion of Truth, Justice and the Liberty, Washington DC, George W. Bush signs The Class Action Fairness Act of 2005
<sarcasm>at least america is safe from gay weddings</sarcasm>
A feeling of having made the same mistake before: Deja Foobar
Does anyone else realize that this is the same company that essentially handed over the 2000 election to George W. Bush? They are the ones who were hired by the Florida voting commission to compare the data on federal criminals in the US with those in FL so that the FL federal criminals couldn't vote. Only they botched (on purpose?) it up completely and had a 5% accuracy rate resulting in thousands of voters (mostly black) getting turned away at the polls. Coincidentally (yeah, right) they were awarded a 60 million dollar data sorting job in Iraq once the war started. Funny, if they failed so miserably in FL why would you reward them with a bid in Iraq? This company is a joke.
is if someone looked up on Choicepoint, say, the CEO and other high-ranking executives and posted all their personal information here.
The karmic justice of these clowns having to spend substantial time and money trying to protect their credit history and whatnot would be priceless.
I'm not advocating that anyone should do this. I just think it would be justice because we're certainly not going to see any otherwise.
Must MILLIONS of US citizens have their personal information warehoused, prostituted, and subject to theft because of the comparatively few that it may have helped? This is one case where I believe the cost FAR outweighs the benefit.
Of course: *I* was the person reading it. Totally interconnected conspiracy theories that span history and the globe are Rorschach tests. But I can tell when I don't need to read any more, except to skim for any new tropes. If it had mentioned the "faked Moon landings" early on, I probably wouldn't have even noticed the Rothschild canard.
The real conspiracies aren't nearly as convoluted. This one was posted in response to the Enron/California conspiracy, very recent (ongoing, under Schwarzenegger) and very close to home. And not nearly as apocalyptic or all-encompassing. It's probably the kind of self-destructive response our society has to manageable details about immediate threat conspiracies: start hauling in all the grand schemes, which turns off the group to the immediacy of the one under consideration. If we didn't react with such ADD to apparent conspiracies, we'd actually manage to expose and eliminate some, sometimes. Instead, we're cursed with innuendo and fools who prey on our worst weaknesses, a smokescreen for the criminals.
--
make install -not war
The ChoicePoint security fiasco is part of a larger problem -- the fact that companies dealing in personal data are not providing adequate security and that they are not well regulated. What makes matters worse is that ChoicePoint is increasingly supplying its information to the government, including the FBI and IRS.
Back in December 2004, I along with the Electronic Privacy Information Center wrote a letter to the FTC arguing that the FTC should open an investigation of ChoicePoint: http://www.epic.org/privacy/choicepoint/fcraltr12
This letter might be of interest, as it explains the extensiveness of the data companies like ChoicePoint have and how it affects people's lives.
I also argued in my new book, THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE, that identity theft and other privacy problems are caused not by technology but by irresponsible business practices. Everybody seems to be saying that in today's world of information technology, privacy is dead. The culprit is technology, and since it is foolish to believe that it can be stopped, there's little hope. I argue that this isn't the case. The culprit is government and business practices. There's a "digital person" that is a counterpart to people, not composed of flesh and blood but of bits and bytes of personal information gathered together in databases. The digital person is a representation of ourselves in the world of computers. But this is only part of the story. Increasingly, decisions about us are made by looking to our digital person. What happens to our digital person in the digital world is increasingly having effects in realspace to our real person. It is this problem that I explore, and I argue that the answer is regulating government and businesses - not technology. For those interested in learning more, I encourage you to read the FTC letter as well as my book. Here's the book's website: http://www.law.gwu.edu/facweb/dsolove/Solove-Digi
Attention all K-Mart Shoppers... that Bar-B-Q you are smelling is your collective butts in the fire.
After undermining all sane separations between state, religion, and commerce, we find ourselves in what can only be described as a Nation of the Corporation, By the Corporation, and For the Corporation. You may now bow to your corporate masters.
Our founding fathers saw government as a detestable necessity, so they wisely hamstrung it seven ways come Sunday, to keep it at bay. By giving corporations the same rights as "REAL FLESH AND BLOOD PEOPLE", without the same accountabilities or limitations, we created a monster. That monster was further allowed free access to influence and ultimately control our government. That brings us where we are today.
A nation where your privacy is a farce, virtually nonexistent, while government and corporations alike enjoy almost complete opacity.
Just last week a Federal Judge ruled in favor of the Governor of Maryland, in a suit involving reporters from the Sun Times being frozen out of press meetings. The Judge ruled that "the paper wrongly asserted a greater right to access to government officials than private citizens have. The right to publish news is expansive. However, the right does not carry with it the unrestrained right to gather information,"
In short, a political leader, your elected representative, has the right to inform only those he likes or feels fit to inform. That and your primary organ of political enlightenment, the press, has no special right to garner information on your behalf. Add to that the recent $400,000 charge for FIA documents against the justice department, and the Gannon/Guckert debacle at the White House this week, and it's clear... the Government is hell bent on having its citizens standing naked in the streets, stripped of every right to privacy and personal dignity, while they plot and practice "God only knows what" with complete impunity.
The information disaster at ChoicePoint underlines the complete disregard that business and the Government have for the needs and the rights of everyday citizens. Recent leaks suggest the final number of people exposed may exceed 400,000. If the government were working on your behalf, you would certainly see heads rolling immediately. However, I suspect you'll see none of that. The government is using these very companies to perform an end run around the constitution, filling up government dossiers with information collected by these very companies, at the same time lucrative government contracts and multimillion dollar campaign funds are trading hands.
We're at a critical time in history. Benito Mussolini defined fascism as "The Corporate State". Looking at the historical analysis of the last century, there's good reason why conservative and liberal law makers, educators in law and political science, and men of conscience around the world are calling the United States a fascist state. One of the certain casualties in such a government, are the rights and freedom of the individual. We still have a tremendous amount of infrastructure that protects us, and as bad as things are, no single person has yet amassed so much power that our government can be easily toppled. We're however in extreme danger. It'll take all our commitment, and every kind of contribution we as citizens can make, to bring our government back into its proper place as an engine designed to promote the advancement of freedom, and justice. The alternative is too grim for words.
Genda
I am the lead software arc for a competitor of Choicepoint's and, although I do feel this situation is extremely serious and understand why people are pissed off, find it odd anyone would demand that Choicepoint be closed, CEO jailed, etc...
.. but wait, can't the organizations verify information themselves going through county and state govt records? The answer, even if you throw away the cost, time and materials and added personnel, is no, not completely. Here's why. When people apply for a job, volunteer or anything else that requires their past be investigated, there is always a spot for your current address and sometimes a spot for your previous addresses. It used to be that the company you are applying with took your word that you lived where you said you lived and they only investigated those counties, states, etc... If you committed a crime in a county you didn't want revealed, you simply didn't fill it out. Nowadays, regardless of what you put on the application, all of your previous addresses will be discovered and searched (depending how many back the searching company is willing to pay for -- usually 3 to 5). This is a very valuable service and out of reach for companies and organizations that don't specialize in this type of research. Speaking as a father and not a background researcher, I'm glad that the Girl Scouts (using Choicepoint) screen every volunteer in this fashion. I'd think you all would be too.
Regardless of the privacy issues, someone is going to store, manage and sell your information because it fills a valuable need in a whole host of circumstances. It is vitally important to verify someone's background prior to offering a job or accepting volunteers. This isn't just job justification here. It goes without saying that you cannot allow convicted thieves to work a cash register job or child molesters to volunteer for the Cub Scouts (two things that are surprisingly common). Ah
Now bear in mind that I'm not defending Choicepoint. Hell, it would benefit me greatly if they were closed down. I do find their account setup procedures to be unbelievably remiss. We require DUNS number, plus corp bank account/history/references and articles of incorp (if applicable) and will not establish an account without them (even then account is run in audit state for two months to ensure compliance). Keep in mind that if your organization wants to run credit reports or motor vehicle searches, then there is an entire mountain of paperwork that must be completed, filed and approved by state DOT and the three credit companies. We also require client certs from integration clients and store no info in our db that isn't encrypted. I believe Choicepoint does the same. The way I understand that the info was compromised was that fake accounts were set up, a list of names was purchased from somewhere, and those names were then searched (either credit report or skip trace or some other identifying report) to obtain the information. Choicepoint's failure lay in social engineering and poor account verification practices.
What it comes down to is, someone is going to keep and store your information. Would you rather it was the govt with its track record of managing security and accuracy or private industry? Me, I'll take private industry.
Alex