Congress to Investigate ChoicePoint

twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."

damage size?

[c0dedude]

What was the size of the data leaked? I've seen figures vary, I'm wondering if anyone knows, including ChoicePoint.

Re:damage size?

[Shakrai]

I'm from a private company, and I'm here to help myself without your consent.

I work in the goddamn insurance industry (IT; not sales; I'm not completely evil) and even my co-workers think Choicepoint are a bunch of evil thieving bastards.

My own personal experience with them revolved around the three weeks it took to get them to remove accidents that my sister had on her own automobile policy (i.e: no relation to me!) off of my CLUE report. They claimed that they showed up on my CLUE report because her SSN is only two digits removed from mine.

In the process of trying to get this fixed so that I wouldn't be surcharged for my sisters accidents they stonewalled me and generally tried to walk all over me. Every time we would change something they would need to generate a new clue report. But they could only generate those reports overnight. Apparently the computer system that allows an insurance company to get a copy of your CLUE report in about 15 seconds only allows one copy of the consumer version of that report to be generated -- and it takes several hours for them to generate it.

Furthermore I take exception to the fact that they listed an accident that I had under my parents policy (borrowed car while mine was in the shop). Perhaps I sign away my own rights when I buy my own insurance policy but I don't recall signing anything with my parents insurance company when I borrowed the car that authorized them to release my personal information (SSN/lic #) to Choicepoint. Where the hell is the outrage? I'm sick and tired of companies stockpiling information on me without permission.

In a fair world they wouldn't be allowed to release that sort of information to some data clearinghouse. So what if the insurance industry can't verify your accident record? If you lie to them then it's insurance fraud (felony in most states) and your policy is null and void. Why can't they use that as an enforcement mechanism rather then enriching the likes of Choicepoint and the big-three credit reporters?

Bah! End rant...

Not the first time with Choicepoint

[Wheresmywig]

What I find odd about the reportage of this story is that noone seems to be pointing out that Choicepoint was also responsible for providing Florida with some of the data it used to strip people from the voter rolls back in 2000. That wasn't exactly good either.

It's about Time

[tepp]

Choicepoint - and their competitors such as TransUnion, have become unrelegated "authorities" on people's personal data for far too long. A leak like this was inevitable. Honestly, I think our data has leaked before, but because only California has a (recently made) law dictating that victims must be told of such losses, nobody was informed when it happened in the past.

I'm not normally a "Big brother is watching you" kind of girl, but the amount of power these companies have over our lives - the ability to deny us life, home, and auto insurance, to get a home or auto loan, to even get a job! - is insane. Especially when you try to correct inaccurate information and they refuse to accept it! For example, I don't rent, I own my own house. But for years I've tried to correct that - and my status, which is married, not single - and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...

Screwed by ChoicePoint

[Agent+R]

Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high? Didn't they have enough time to ramp up their security protocols to prevent this sort of thing from happening? Plus, who the !@#$% gave ChoicePoint permission to gather data on me?

Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their .NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.

ChoicePoint has many tentacles

[tbuckner]

This ID theft fiasco is but the tip of the iceberg. ChoicePoint helped throw Florida voters off the registration lists in the infamous 2000 election, and made a pretty penny off 9-11. God knows what else they're up to. See http://www.gregpalast.com/ Quote: "For ChoicePoint, with its 15-billion-plus records on every living and dying being in the United States, Ground Zero would become a profit center lined with gold. Contracts would gush forth from War on Terror fever not hurt by the fact that ChoicePoint did something for George W. Bush that the voters would not: select him as our president." Full article at http://www.gregpalast.com/detail.cfm?artid=356&row =0

NoChoicePoint

[MillionthMonkey]

From Bruce Schneier:

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."
The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security....Until ChoicePoint feels those costs -- whether through regulation or liability -- it has no economic incentive to reduce them.

Mitigating damages

[Skapare]

Why is it such a concern that something as benign as a 10 digit number, plus information that can be found in the phone book, should be of such a concern? One reason is that armed with such a small amount of information, someone can do a tremendous amount of harm to people, and the companies those people do business with.

Someone can get a driver's license in your name, and build a bad driving record, or worse, in your name. And the state will insist it is you. The affected state will file this with your state, and your own state may cancel your driver's license because it looks like you moved to the other state. In extreme situations you could be arrested.

Someone can get a bank account in your name. Then with these checks that have your SSN and address on them, make a hundred fraudulent purchases totaling tens of thousands of dollars, on an account they probably stuck just $250 in to get it open. This will ruin your rating with banks, which is kept by a separate reporting agency not subject to the same reviews as the 3 big credit reporting agencies are.

There are many other kinds of examples, including opening credit accounts. The common problem in all of these is the assumption that by having certain information, the person with it must actually be you. Those of us familiar with security protocols already know that having the very information you give to someone else to show who you are, enables who you just gave it to to masquerade as you. Most people are honest but a slight few are dishonest. Theft of identity information has been happening for decades but it is only now becoming so widespread that politicians and lawmakers are no longer going to be able to hide their head under the carpet and pretend it doesn't exist in order to avoid the hard choices they will have to make.

And remember, this is identity theft; it is not authenticity theft. Identity only says who you are. We need to stop businesses and governments from assuming that identity is authenticity.

Close Enough For Government Work

[Doc+Ruby]

I wonder if they'll ask Hank Asher, who started the company (and DataBase Technologies), about his cocaine flights into Florida for Iran/Contra. Or how John Poindexter (of Iran/Contra) got them that fat contract for TIA, and saved it as the secret MATRIX program when TIA got too hot for Congress. Or about that Florida voter-purge list, with over 40K legitimate Florida voters prevented from voting in 2000, and again in 2004. Maybe Asher will have some answers that won't get the coincidence theorists freaking out about how this one company could be so lucky for so long with the same people.

Re:Trust me, its not just ChoicePoint.

[ScrewMaster]

In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect.

Absolutely, and I would add that there should be a stiff penalty if a data aggregator denies a citizen that ability, and such denial results in a crime.

I really cant answer if they should be selling this data...

Sure you can! Think about how this came about, and where it's going.

Originally, collecting and maintaining the so-called "credit history" on individual citizens was all about risk avoidance. That's still the case, of course. Businesses have always maintained records about past customers, so that they could then decide how, and if, to do business with said customers in the future. That's been true since we kept records carved on rocks or stamped in clay. The problem came in when business realized, with the advent of the mainframe, telecommunications and vast, cheap, readily-accessible storage that they could share this information with each other, thus dividing the risk. Thus was born the credit bureau. To my mind, the whole concept of the credit bureau is on ethically shaky ground anyway ... do business have the right to defend themselves against the normal costs of doing business, by placing their own customers at risk? Is this a justifiable tradeoff? Given the number of lives destroyed by the credit system over the years, I'd be inclined to say no ... it's usurious at best, and usury is illegal. Or used to be, at any rate.

So where are we now? Well, what has changed is that the demand is no longer just for security (customer "x" wants to buy product "y", give me yes/no on the transaction) but for the actual information used to make such decisions ... the financial history itself. I understand that companies like ChoicePoint actually acquire more detailed information than the traditional credit bureaus. So now we have an entirely different can of worms. In fact, in their eagerness to sell our personal histories (and sell us out) to companies that want to use that information to sell us other products, they have brought us to the brink of rendering the entire system useless (or at least, too dangerous to be trusted by the average citizen.)

ChoicePoint and similar organizations concentrate private information to a degree that makes it very, very dangerous to the individual by its mere existence. And then ... they sell it! Perhaps if the banking system were more robust, held more intrinsic safeguards, it might be different. Given how little information is required to perform an act of identity theft, however, I am personally unnerved by the idea of this data being used not simply to verify my creditworthiness, but sold on the open market to anyone meeting ChoicePoint's (apparently) minimal standards.

In answer to your question, I would say, "no", ChoicePoint should not be allowed to do what they do. I mean, they are taking chances with the financial lives of millions of Americans, who in return get ... nothing. That to me is the mark of a morally bankrupt business model, which if it isn't illegal probably ought to be.