Slashdot Mirror
Congress to Investigate ChoicePoint
twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."
What was the size of the data leaked? I've seen figures vary, I'm wondering if anyone knows, including ChoicePoint.
Since when has this country used intellectual elite as a pejorative term?
It's just congress getting ready to solicity another round of bribes...err campaign contributions. How many Enron executives are in jail again? Yeah.
Before we get too excited about the possibility of justice, let's remember that it's only a crime if it wasn't a rich person that did it.
The Washington Post has an article(reg required) today about Beth Plowman, a Damascus international public health adviser, was shocked when she discovered that a $27,240 arbitration judgment had been levied against her for credit card charges incurred by an identity thief who bought sporting goods all across Europe.
I do a lot of computer security work in my area, and trust me when I say that many, many places have either no or woefully inadequate security present.
One place I did a job for actually had a symbol AP in the ceiling of the factory, login: Symbol, pass: (blank) and unencrypted transfers. The domain admin acct (win2k) had no password, and guest was active. They also bungled up a RAS so that anybody that knew that number had "root".
Those were just external security issues.. It took 50 hours to barely fix their problems.
Still, problems are abound just like that: No or bad security. Many times, it has to do with plain laziness, not thinking anybody cares about us, just not knowing, or trying to do security and maintainence without understanding.
Another amazing this is how well modem-scanners work these days... Back in the day, all the security nuts cared about dial-back and other things... Now, everybody thinks of always-on internet so you need a firewall. Not so. Many machines have dialup gateways or interfaces in which most are just not configured. Even (to my knowledge, I use freeBSD and linux) Windows RAS server has dialback capability.
Now, why Congress wants to scrutnize them, well.. Wonder if they've secured THEIR wireless network since I was in DC...
What I find odd about the reportage of this story is that noone seems to be pointing out that Choicepoint was also responsible for providing Florida with some of the data it used to strip people from the voter rolls back in 2000. That wasn't exactly good either.
Choicepoint - and their competitors such as TransUnion, have become unrelegated "authorities" on people's personal data for far too long. A leak like this was inevitable. Honestly, I think our data has leaked before, but because only California has a (recently made) law dictating that victims must be told of such losses, nobody was informed when it happened in the past.
I'm not normally a "Big brother is watching you" kind of girl, but the amount of power these companies have over our lives - the ability to deny us life, home, and auto insurance, to get a home or auto loan, to even get a job! - is insane. Especially when you try to correct inaccurate information and they refuse to accept it! For example, I don't rent, I own my own house. But for years I've tried to correct that - and my status, which is married, not single - and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...
Tepp
This is the third time my identity has been stolen this week...I loose my damn dog and keys less then i loose my identity!!!
On a more serious note: Big brother
So if big brother, has like all this information on us (creditcard numbers places we freq eat and stupid random intel like that), then what if THEY get hacked? Wouldnt that mean hell for everybody thats ever been in america? I could only imagine standing in line at a public school to get my friggin id back, but how would they validate whose who? if theres no pictures, oculd you just steal somebody's drivers liscence or wallet and say that your them?
Your skill in reading has increased by one point!
Choicepoint CEO personal info here.
It is too easy for companies to be careless with people's personal data and it will take a serious threat of penalty to make them put in extra expense and effort to guard it properly. The same kind that make airlines so carefull about safety i.e. closing down the shop type of penalty.
Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high? Didn't they have enough time to ramp up their security protocols to prevent this sort of thing from happening? Plus, who the !@#$% gave ChoicePoint permission to gather data on me?
.NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.
Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their
!@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
This ID theft fiasco is but the tip of the iceberg. ChoicePoint helped throw Florida voters off the registration lists in the infamous 2000 election, and made a pretty penny off 9-11. God knows what else they're up to. See http://www.gregpalast.com/ Quote: "For ChoicePoint, with its 15-billion-plus records on every living and dying being in the United States, Ground Zero would become a profit center lined with gold. Contracts would gush forth from War on Terror fever not hurt by the fact that ChoicePoint did something for George W. Bush that the voters would not: select him as our president." Full article at http://www.gregpalast.com/detail.cfm?artid=356&row =0
I didn't know anybody watched cbs anymore...
Schneier wrote about this in his blog.
...just my 2 gil.
Why is it such a concern that something as benign as a 10 digit number, plus information that can be found in the phone book, should be of such a concern? One reason is that armed with such a small amount of information, someone can do a tremendous amount of harm to people, and the companies those people do business with.
Someone can get a driver's license in your name, and build a bad driving record, or worse, in your name. And the state will insist it is you. The affected state will file this with your state, and your own state may cancel your driver's license because it looks like you moved to the other state. In extreme situations you could be arrested.
Someone can get a bank account in your name. Then with these checks that have your SSN and address on them, make a hundred fraudulent purchases totaling tens of thousands of dollars, on an account they probably stuck just $250 in to get it open. This will ruin your rating with banks, which is kept by a separate reporting agency not subject to the same reviews as the 3 big credit reporting agencies are.
There are many other kinds of examples, including opening credit accounts. The common problem in all of these is the assumption that by having certain information, the person with it must actually be you. Those of us familiar with security protocols already know that having the very information you give to someone else to show who you are, enables who you just gave it to to masquerade as you. Most people are honest but a slight few are dishonest. Theft of identity information has been happening for decades but it is only now becoming so widespread that politicians and lawmakers are no longer going to be able to hide their head under the carpet and pretend it doesn't exist in order to avoid the hard choices they will have to make.
And remember, this is identity theft; it is not authenticity theft. Identity only says who you are. We need to stop businesses and governments from assuming that identity is authenticity.
now we need to go OSS in diesel cars
ChoicePoint sold data to customers that turned out to be criminals. These criminal customers did not "hack" into the system, they were granted paid access to it. At best/worst the criminals did a bit of social engineering to appear as a legitimate business. Otherwise the feat involved no technological illegitimate access. I think that is the scariest part of the story.
Two wrongs don't make a right, but three lefts do.
Because of this political debt, the Congress will block any serious investigation of Choicepoint.
ChoicePoint data theft widens to 145,000 people
Class action lawsuits were essentially outlawed by the Rupublican Congress and President Bush this week. Nobody will ever get any damages from Choicepoint.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Class dismissed. (As in the "no class" action suit.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
I wonder if they'll ask Hank Asher, who started the company (and DataBase Technologies), about his cocaine flights into Florida for Iran/Contra. Or how John Poindexter (of Iran/Contra) got them that fat contract for TIA, and saved it as the secret MATRIX program when TIA got too hot for Congress. Or about that Florida voter-purge list, with over 40K legitimate Florida voters prevented from voting in 2000, and again in 2004. Maybe Asher will have some answers that won't get the coincidence theorists freaking out about how this one company could be so lucky for so long with the same people.
--
make install -not war
"never gave your company permission to use any public record that belongs to me in a profiteering method."
That's because you don't have the authority to give that permission. Public records belong to the public.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
You are not a ChoicePoint customer. ChoicePoint cares NOTHING about you. You are a number in a database, with a bunch of corresponding fields. Unless you've paid ChoicePoint for their services, you mean absolutely nothing to this company.
Furthermore, people keep complaining that their information got stolen. It's not your information. It's ChoicePoint's information. It belongs to them, and to the people that purchase access to it from them. They took the time to collect and aggregate it, and they own it. The fact that it may or may not directly affect your life for better or worse in substantial ways does not even enter the equation.
Obviously, there is something fundamentally wrong here that needs to be corrected. In my opinion, information should be held by an organization specicially authorized by the government to do so. The information should be encrypted and secured, and leaks should be punishable by prison time. A standard, open algorithm should be created, to convert the information into a simple number (like a "credit score.") Companies pay for access to these scores. Only upon showing direct need, in a court of law, should specific information be given to specific companies, under strict confidentiality. If a particular company needs to know a specific detail about all of their customers, they can petition to be granted access to that information only, under the same confidentiality agreement.
Furthermore, individuals should be given unfettered access to their own information, on request. (Identity verification should be draconian here.) Individuals should have the right to challenge an inaccuracy, and to provide documentation disproving it.
Granted, it may have some issues of its own, but at least it's a step up from "give everyone's most intimate financial details to every company that pays us a nickel." Any thoughts?
Formerly GNU/Anonymous Coward. This message has been determined to cause cancer in laboratory animals.
- over 3 million Americans had fraudulent ID theft (the worse kind), and 10 million total had some type of ID theft
- ID theft victims spent a total of 300 million hours "fixing" their problems.
- Fraudulent ID theft averaged $10,000 stolen. The total cost of all ID theft is $50 billion.
- the monetary cost to fix fraudulent ID theft averages $1,200 per ID victim.
But in reading this report the bias that "businesses are the true victims" shows up. The $5 billion in costs to the identity victim (and 300 million hours of time) is described as "Individuals whose information is misused bear only a small percentage of the cost of ID Theft" (pg 6). That's a bad way of thinking about it for several reasons:- 300 million hours of victims' time = 300 million hours of research and investigative time = a 'donation' of at least a few billion dollars.
- The ID theft victim gets hit with real and lasting costs. Companies get to write off their losses, or use insurance and pass their costs on to consumers. A year after ID theft is discovered, the theft is just a blip in a spreadsheet to the companies where the stolen identity was used. The victim will still be writing letters, finding new ramifications, and losing time and sleep over the matter.
- Those 300 million hours also = stress, lost time from work, family, charities, plus also extra medical expenses.
- "15 percent of ID Theft victims reported that their personal information was misused in nonfinancial ways. The most common such use reported was to present the victim's name and identifying information when someone was stopped by law enforcement authorities or was charged with a crime." What's the cost of your kid seeing you arrested because someone else used your name? Not to mention...
- Now that the government gets data from Choicepoint and others, and because the government has no legal responsibility to find or fix bad data in its files, the rest of your life could be hobbled by bad data and you won't quite know why.
So basically Choicepoint and the credit card reporting agencies are creating a "public bad." Like polluters, they force other people and companies to bear the cost of problems they've created. 300 million hours and $5 billion dollars would = fantastic security finished in months if the companies themselves had to pay these costs. Instead, 10 million people are forced to do their own cleanup work, and the fact that 9.999 million people have already done the job doesn't make it any easier for you when you're the victim.Id Theft can be extremely painful to resolve.
I had (regular) mail stolen from my mail box (before I realized how bad it is to actually use your mailbox for outgoing mail), at first I thought it was a post office screw up, but several months later, I got a call from a bank employee who just completed a transaction which he thought was fishy. He asked my if I had just cashed a four figure check there. When I told him that I hadn't he warned me that somebody was stealing my Identity. I called my credit card companies to get new cards and security added to my accounts, contacted all of the big three credit agencies and got a hold put on my credit, contacted the local police.
The next thing I knew it was raining collection notices on me.
This guy was printing checks with my name and driver's liscense number. For Id, he had a printer which could create fake driver's liscenses with all of my information, but his face and description.
Fortunately, I was lucky, this guy got pulled over for a faulty brake light and the officer looked into the car and saw over a dozen driver's liscenses on the back seat of his car, all with his picture on them, but different names. The officers told me that I was the one in a hundred whose Identity Thief was caught.
Now, 8 years later, I can share some lessons with you. Trust me, you don't want any of this to happen to you, arguing with collection agencies is no fun at all, they assume that everybody is a slimeball.
1) Get a shredder. Get two in case the first one breaks. Shred everything that has anything that can identify you. Id Theives also dumpster and dump dive to look for your information, don't give them any help. shred shred shred...
2) Get your annual credit report from the big three credit bureaus. Take the time to review it, carefully. They each have a formal procedure for clearing up problems. Follow it to correct your information. They can be reached here http://www.creditreporting.com/
3) Check your credit and bank statements, you never know what they have on you or when they get it.
4) If it does happen to you, file a police report immediately. This report number is your best defense against the onslaught of collection agencies that will soon be banging down your door.
Clearly, the more aggregated information can be, the higher the value because those using it do not have to look so far to get other, related facts about a subject.
Perhaps the form of regulation on the topic of information security for these large clearinghouses should be to keep as much information isolated as possible...so that even if there is a fault, the effects are minimized.
This approach works in plenty of scenarios as far as contingency planning and fault tolerance goes. Faults and failures can occur, but in this case, the owners of the information should work towards containment for the sake of those they are representing (that is, those they have data about).
I am interested to see how the proposals for regulating this industry emerge, or if they will be squelched by various lobbies. We'll see.
The right-wing anti-liberty^H^Hals have been spreading the meme lately that you never had a right to privacy, contrary to the fourth amendment. Their argument is that the Constitution only limits what the government can do, so that Choicepoint and their ilk are not obligated to respect your right to privacy.
IANAL but I notice that the Civil Rights Act of 1964 gives the power 'to authorize the Attorney General to institute suits to protect constitutional rights in public facilities'. This is the law that makes it illegal for a privately owned diner, for example, which caters to the general public to require blacks to stand while eating. It seems obvious to me that a credit reporting agency which collects information about unsuspecting members of the general public should be held to the same laws as that diner. The attourney general should be authorized, in my opinion, to protect us from violations of our constitutional rights by that credit agency.
Liberals call everyone Nazis yet they are the closest thing to it.
I just heard from them, after 3 emails and noting I was contacting my state's AG, I got a reply saying all my data was being deleted at my request. :)
:)
Just be persistent, firm, refrain from profanity, and send a letter to your state's AG complaining of the company....
Worked for me.
The first time I got an email back saying I had to use a Do Not call list from the DMA website, but I replied back to that email with a firm request that I wanted my data OFF their servers. Of course, I have no way of knowing they did it, but it is nice that my firm letter notifying my state's AG of their practices was enough of an incentive to get them to do something.
It's the Stay-Puft Marshmallow Man.
According to my friend (he works at a smaller company that competes with Choicepoint), this is how things are looking from his perspective:
Ultimately, there may be some protocols legislated to protect information, but these will be feel good measures more than adequate protection (most will be geared towards consolidation with data companies suggesting regulations). The bottom line will be what types of services different companies can provide, and how accurate/specific those databases will be. Anticipate several smaller companies coming in with very specific information (such as workman comp/insurance claims) to be sold.
Those smaller companies are not really looking to be profitable of themselves, but are looking for larger companies to buy them outright. In that respect, government regulation against sharing information becomes moot as the market consolidates. Everyone is waiting to see what regulations come about so they can plan their next move. Most are coordinating lobbying efforts to get favorable terms.
The companies that secure the most databases become the major players (look at Choicepoint's history of acquisitions to see how they got into such a dominating position), and they will wield their own political power.
The databases will not go away. They will just consolidate. They are too important to government as well as business. Security becomes a secondary issue when so much information is available under one roof. It becomes a single point of failure to the only game in town. Why should they care?
There will be no confidentiality agreements. More than likely, you will see government contracting these companies for info.
In short, information does indeed want to free. But this time it will be your information and short of armed revolt, there ain't much you can do about it.
ChoicePoint/DBT originally produced a list of about 8000 voters to remove from the electoral rolls. Katherine Harris got back to them and told them to widen the net - by omitting a few data integrity requirements, such as middle names, dates of birth, and dates and details of their convictions - and assured ChoicePoint that they needn't worry about the number of false positives in the list. This increased the size of the list to about 58,000 voters, more than half of whom were African-Americans.
When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.
This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.It's surprising how many people don't know this when it's actually very well documented; in fact, the story broke long before the election actually took place. My suggestion to the doubters is to watch Unprecedented: The 2000 Presidential Election , a very thorough documentary on the topic.
Attack its weak point for massive damage!
In partnership with to Hank Asher, Floridian Iran/Contra coke pilot, ChoicePoint was founded by Derek Smith, whose DNA analysis company scored a multimillion dollar contract to identify victims from Ground Zero samples.
--
make install -not war
Now that Congress is looking into it, I can sleep better at night!
Change "request" to DEMAND , send it certified snail mail, and send a copy to your lawyer (and inform Choicepoint in the letter that you're doing so.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Apparently, some of the choice point executives knew there was going to be quite a bit of fallout over this. This morning's Atlanta Journal/Constitution (reg. required - Google cache anyone?) is reporting that:
I'm not tense. I'm just terribly, terribly, alert.
By ROBERT LUKE, MATT KEMPNER
The Atlanta Journal-Constitution
Published on: 02/25/05
Thirteen days after the arrest of a suspect in the ChoicePoint identity theft case -- and more than three months before the problem surfaced publicly -- the company's top two executives began selling their stock.
Since the sales began in November, ChoicePoint CEO Derek Smith and President Douglas Curling have sold 472,000 ChoicePoint shares worth nearly $21 million, according to the executives' Securities and Exchange Commission filings.
Smith said Thursday that he did not know about the security breach at the Alpharetta-based company until well after he began selling the stock. Curling was not available for comment Thursday.
The stock sales -- for what the executives described as estate planning and asset diversification -- continued this week, even as ChoicePoint's shares began to tumble nearly 10 percent. The identity theft was disclosed publicly only last week.
ChoicePoint chief marketing officer James Lee said outside advisers suggested continuing with the trading program. "Their advice is that the program is fine, even in light of the recent events," he said.
"If you are trying to make the case that this is somehow insider trading, you are going down the wrong road," Lee said.
The selling of stock by Smith, the CEO, and Curling, the company's president, normally wouldn't raise eyebrows, since the sales were part of a prearranged stock trading plan allowed under SEC rules.
Lee said ChoicePoint's board approved the stock trading plan on Oct. 26, the day before police in Los Angeles -- after being tipped off by ChoicePoint -- made their only arrest in a case that has become the biggest security breach in the company's history. ChoicePoint is notifying about 145,000 people that their personal information -- possibly including their Social Security numbers and credit reports -- may have been sold to identity thieves.
Smith and Curling have been selling shares of their company's stock weekly since Nov. 9, when their Rule 10b5-1 trading plans took effect. The plans expire in April.
SEC inquiry likely
In an interview with Journal-Constitution reporters Thursday, Smith said he first found out about the identity theft problem in late December or January, which would be about two months after the company notified California law enforcement officials.
Smith said his stock sales aren't inappropriate.
"I didn't do anything that I had any belief that was inappropriate or whatever," he said. "To the extent that it gives any impression of anything that I knew or the company knew that would have weighted on the value of the stock, then that would be unfortunate. Because it certainly isn't true."
A lawyer familiar with the enforcement of federal securities laws thinks an inquiry by the Securities and Exchange Commission is inevitable.
"Even with this public statement that he did not know until January about the problems in California does not mean that the SEC will not ask questions anyway," said Jacob S. Frenkel, chairman of the securities enforcement and white-collar practice at the Shulman, Rogers, Gandal, Pordy & Ecker law firm in Rockville, Md.
"The SEC will not only ask him, but they also will ask everybody who knew about the information, including what they told others and when they told them," said Frenkel, a former SEC enforcement lawyer and federal prosecutor. "They are going to look at anybody who may have traded the stock."
Smith said he has not been contacted by the SEC about the stock sales.
Smith and Curling have sold about 64 percent of the total 737,380 shares they have until April to sell under the plan, after exercising employee stock options permitting them to acquire the shares at various prices. The prices they paid for the stock were significantly below the market price at the time of sale, allowing the executives to make significan
I'm not tense. I'm just terribly, terribly, alert.
I would expect that his group of people would know by now not to take everything they read in the news at face value. Since that does not seem to be the case, I would just like to correct several errors of fact in this blurb about the ChoicePoint incident. First of all, ChoicePoint did not get hacked. There was no breach of our network and no internal or customer information was compromised. Second, ChoicePoint is not a private firm; we are a public company and trade on NYSE as CPS. Third, I think it erroneous to call this a 'scandal' as ChoicePoint did nothing illegal. We ourselves were a victim of fraud, and we are working very closely with law enforcement to continue to track down and prosecute the perpetrators of this crime. Finally, we ourselves are, and have been for years, encouraging a national discussion on this industry and strongly support independent regulation.
h tml
As others have mentioned, we have notified about 145,000 people nationwide that their information might have been compromised and we have, at our own expense, purchased tri-bureau credit reports and a one year credit monitoring service for each of them. We also, as our CEO has said in interview, are not ruling anything out in terms of what we may do to further assist those who do fall victims of identity theft. Please, if you have more questions on what is going on and what ChoicePoint is doing about it please visit http://www.choicepoint.com/news/statement_0205_1.
A couple other bits of note:
There are laws in place, namely the FCRA (Federal Fair Credit Reporting Act), that do already regulate what constitutes permissible purposes for information to be disclosed. We operate very strictly by these regulations already in place. In addition, the FACT Act, which went into effect in 2004, mandates that consumers may obtain free copies of their reports and may, as they always have been able to, contest items they believe to be inaccurate. You can visit www.choicetrust.com to review your personal records kept by ChoicePoint.
And for those of you who are interested in some of the work ChoicePoint does to fulfill our vision of creating a safer and more secure society through the responsible use of information:
-We, as previously noted, operate the CLUE (Comprehensive Loss Underwriting Exchange) database to which insurance underwriters contribute claims data so that they can more accurately assess risk to keep premiums low.
-We operate Volunteer Select, a service for non profit organizations. Background checks may be purchased at cost (ChoicePoint makes no profit) on volunteers to ensure that a convicted child molester two weeks out of jail will not be able to volunteer to work with young children (a real example).
-We operate ChoicePoint Cares which funds DNA testing to solve cold cases and process rape kits that local municipalities cannot afford to process on their own. Our funding has lead to several convictions and has helped to free those wrongly imprisoned.
-We operate ADAM an alert program that had lead to the safe return of more than 800 missing and kidnapped children.