Slashdot Mirror

← Back to Stories (view on slashdot.org)

Congress to Investigate ChoicePoint

Posted by CowboyNeal on from the inquiries-and-enquiries dept.

twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."

23 of 259 comments (clear)

  1. damage size? by c0dedude · · Score: 4, Interesting

    What was the size of the data leaked? I've seen figures vary, I'm wondering if anyone knows, including ChoicePoint.

    --
    Since when has this country used intellectual elite as a pejorative term?
    1. Re:damage size? by Anonymous Coward · · Score: 4, Informative

      It is unlikely anyone can know for sure how much leaked. I believe it happened that they traced some identify theft back to a fictitous company that paid for access to choice point. During this investigation they found other fictitous companies registered with choice point. Do they know all the queries made by the fictitous companies? possible... Have they found all the fictitous companies?

    2. Re:damage size? by Shakrai · · Score: 5, Interesting

      I'm from a private company, and I'm here to help myself without your consent.

      I work in the goddamn insurance industry (IT; not sales; I'm not completely evil) and even my co-workers think Choicepoint are a bunch of evil thieving bastards.

      My own personal experience with them revolved around the three weeks it took to get them to remove accidents that my sister had on her own automobile policy (i.e: no relation to me!) off of my CLUE report. They claimed that they showed up on my CLUE report because her SSN is only two digits removed from mine.

      In the process of trying to get this fixed so that I wouldn't be surcharged for my sisters accidents they stonewalled me and generally tried to walk all over me. Every time we would change something they would need to generate a new clue report. But they could only generate those reports overnight. Apparently the computer system that allows an insurance company to get a copy of your CLUE report in about 15 seconds only allows one copy of the consumer version of that report to be generated -- and it takes several hours for them to generate it.

      Furthermore I take exception to the fact that they listed an accident that I had under my parents policy (borrowed car while mine was in the shop). Perhaps I sign away my own rights when I buy my own insurance policy but I don't recall signing anything with my parents insurance company when I borrowed the car that authorized them to release my personal information (SSN/lic #) to Choicepoint. Where the hell is the outrage? I'm sick and tired of companies stockpiling information on me without permission.

      In a fair world they wouldn't be allowed to release that sort of information to some data clearinghouse. So what if the insurance industry can't verify your accident record? If you lie to them then it's insurance fraud (felony in most states) and your policy is null and void. Why can't they use that as an enforcement mechanism rather then enriching the likes of Choicepoint and the big-three credit reporters?

      Bah! End rant...

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:damage size? by Shakrai · · Score: 4, Informative

      You're assuming there was an accident, and that he was at fault. CLUE (Comprehensive Loss Underwriting Exchange) reports are reports containing CLAIMS information provided by cooperating insurance companies

      You explained it better then I could. In my instance I was driving home from work in lousy weather and got run off the road by a snowplow. My choice was to hit the snowplow (in a Dodge Neon) or hit the guardrail. I called the police but was informed that it would take them over an hour to get to me so I choose to proceed without a police report.

      The bottom line being that there was no information of public record from this accident. And when I talked on the phone to the CSR from my parents insurance company I certainly don't recall giving her permission for them to disclose my information to Choicepoint. If they wanted to report the fact that my parents had a claim then fine (I'm sure they signed something when they bought the policy saying that their carrier could do this) -- but they had no right to include my SSN and NYS DMV id number on that report. I signed nothing for the claim (my interaction with them was limited to the aforementioned phone call) and I certainly signed nothing that authorized them to release my information. Yet I am told by my lawyer and by Choicepoint that I can't do a damn thing about it.

      Your summary of CLUE reports was dead on BTW. Insurance companies love them -- most independent agents hate them. We also hate credit reports being used for underwriting - as a quick example without going too far off topic: My girlfriend has had a lousy run with accidents and tickets lately. She has a speeding >20mph, a following too close (with accident) and a traffic device (with accident) tickets. She also had a license suspension (too many points) back in November. Yet she gets into a better rating tier then I do with the exact same insurance company because her credit is better then mine. I've had one ticket in my entire time behind the wheel (missed a no u-turn sign) and the aforementioned accident. I have never filed a claim on my own policy (aforementioned accident was parents car). I also have three years more experience and a defensive driver course. Which one of us is more likely to get into an accident? Yet who pays more for his policy -- without the physical damage coverage that she carries?

      Damn the man I say.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  2. And that is just the beginning of the nightmare by schwit1 · · Score: 5, Informative

    The Washington Post has an article(reg required) today about Beth Plowman, a Damascus international public health adviser, was shocked when she discovered that a $27,240 arbitration judgment had been levied against her for credit card charges incurred by an identity thief who bought sporting goods all across Europe.

  3. Not the first time with Choicepoint by Wheresmywig · · Score: 5, Interesting

    What I find odd about the reportage of this story is that noone seems to be pointing out that Choicepoint was also responsible for providing Florida with some of the data it used to strip people from the voter rolls back in 2000. That wasn't exactly good either.

  4. It's about Time by tepp · · Score: 4, Interesting

    Choicepoint - and their competitors such as TransUnion, have become unrelegated "authorities" on people's personal data for far too long. A leak like this was inevitable. Honestly, I think our data has leaked before, but because only California has a (recently made) law dictating that victims must be told of such losses, nobody was informed when it happened in the past.

    I'm not normally a "Big brother is watching you" kind of girl, but the amount of power these companies have over our lives - the ability to deny us life, home, and auto insurance, to get a home or auto loan, to even get a job! - is insane. Especially when you try to correct inaccurate information and they refuse to accept it! For example, I don't rent, I own my own house. But for years I've tried to correct that - and my status, which is married, not single - and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...

    --
    Tepp
  5. Screwed by ChoicePoint by Agent+R · · Score: 5, Interesting

    Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high? Didn't they have enough time to ramp up their security protocols to prevent this sort of thing from happening? Plus, who the !@#$% gave ChoicePoint permission to gather data on me?

    Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their .NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.

    --
    !@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
  6. ChoicePoint has many tentacles by tbuckner · · Score: 4, Interesting

    This ID theft fiasco is but the tip of the iceberg. ChoicePoint helped throw Florida voters off the registration lists in the infamous 2000 election, and made a pretty penny off 9-11. God knows what else they're up to. See http://www.gregpalast.com/ Quote: "For ChoicePoint, with its 15-billion-plus records on every living and dying being in the United States, Ground Zero would become a profit center lined with gold. Contracts would gush forth from War on Terror fever not hurt by the fact that ChoicePoint did something for George W. Bush that the voters would not: select him as our president." Full article at http://www.gregpalast.com/detail.cfm?artid=356&row =0

  7. Re:Trust me, its not just ChoicePoint. by Anonymous Coward · · Score: 5, Insightful

    This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it? The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.

    This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.

    The issue is wether anyone should be selling this stuff AT ALL.

  8. Bruce Schneier by Shamashmuddamiq · · Score: 4, Informative

    Schneier wrote about this in his blog.

    --
    ...just my 2 gil.
  9. NoChoicePoint by MillionthMonkey · · Score: 4, Interesting
    From Bruce Schneier:
    ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."
    The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security....Until ChoicePoint feels those costs -- whether through regulation or liability -- it has no economic incentive to reduce them.
  10. Mitigating damages by Skapare · · Score: 5, Interesting

    Why is it such a concern that something as benign as a 10 digit number, plus information that can be found in the phone book, should be of such a concern? One reason is that armed with such a small amount of information, someone can do a tremendous amount of harm to people, and the companies those people do business with.

    Someone can get a driver's license in your name, and build a bad driving record, or worse, in your name. And the state will insist it is you. The affected state will file this with your state, and your own state may cancel your driver's license because it looks like you moved to the other state. In extreme situations you could be arrested.

    Someone can get a bank account in your name. Then with these checks that have your SSN and address on them, make a hundred fraudulent purchases totaling tens of thousands of dollars, on an account they probably stuck just $250 in to get it open. This will ruin your rating with banks, which is kept by a separate reporting agency not subject to the same reviews as the 3 big credit reporting agencies are.

    There are many other kinds of examples, including opening credit accounts. The common problem in all of these is the assumption that by having certain information, the person with it must actually be you. Those of us familiar with security protocols already know that having the very information you give to someone else to show who you are, enables who you just gave it to to masquerade as you. Most people are honest but a slight few are dishonest. Theft of identity information has been happening for decades but it is only now becoming so widespread that politicians and lawmakers are no longer going to be able to hide their head under the carpet and pretend it doesn't exist in order to avoid the hard choices they will have to make.

    And remember, this is identity theft; it is not authenticity theft. Identity only says who you are. We need to stop businesses and governments from assuming that identity is authenticity.

    --
    now we need to go OSS in diesel cars
    1. Re:Mitigating damages by Sancho · · Score: 5, Insightful

      This is identity infringement. Or is it actually "theft" when people do it to content owners?

      Can't have it both ways, Slashdotters.

  11. ChoicePoint NOT hacked by G4from128k · · Score: 5, Insightful

    ChoicePoint sold data to customers that turned out to be criminals. These criminal customers did not "hack" into the system, they were granted paid access to it. At best/worst the criminals did a bit of social engineering to appear as a legitimate business. Otherwise the feat involved no technological illegitimate access. I think that is the scariest part of the story.

    --
    Two wrongs don't make a right, but three lefts do.
  12. 145,000 by js7a · · Score: 4, Informative
    Five posts and nobody's answered the question? It's not as if you aren't directly connected to a zillion ways to find it.

    ChoicePoint data theft widens to 145,000 people

    1. Re:145,000 by sphealey · · Score: 4, Insightful

      Well, that number has been "widening" every time ChoicePoint makes a "choice" to reveal more details. Currently the number is 145,000, which I believe is up from 120,000 and 20,000.

      The public certainly doesn't know the number. My guess is ChoicePoint (a) knows it is higher (b) doesn't know the total.

      sPh

  13. Close Enough For Government Work by Doc+Ruby · · Score: 5, Interesting

    I wonder if they'll ask Hank Asher, who started the company (and DataBase Technologies), about his cocaine flights into Florida for Iran/Contra. Or how John Poindexter (of Iran/Contra) got them that fat contract for TIA, and saved it as the secret MATRIX program when TIA got too hot for Congress. Or about that Florida voter-purge list, with over 40K legitimate Florida voters prevented from voting in 2000, and again in 2004. Maybe Asher will have some answers that won't get the coincidence theorists freaking out about how this one company could be so lucky for so long with the same people.

    --

    --
    make install -not war

  14. Re:It's about Time-Security puncture. by creysoft · · Score: 5, Insightful

    You are not a ChoicePoint customer. ChoicePoint cares NOTHING about you. You are a number in a database, with a bunch of corresponding fields. Unless you've paid ChoicePoint for their services, you mean absolutely nothing to this company.

    Furthermore, people keep complaining that their information got stolen. It's not your information. It's ChoicePoint's information. It belongs to them, and to the people that purchase access to it from them. They took the time to collect and aggregate it, and they own it. The fact that it may or may not directly affect your life for better or worse in substantial ways does not even enter the equation.

    Obviously, there is something fundamentally wrong here that needs to be corrected. In my opinion, information should be held by an organization specicially authorized by the government to do so. The information should be encrypted and secured, and leaks should be punishable by prison time. A standard, open algorithm should be created, to convert the information into a simple number (like a "credit score.") Companies pay for access to these scores. Only upon showing direct need, in a court of law, should specific information be given to specific companies, under strict confidentiality. If a particular company needs to know a specific detail about all of their customers, they can petition to be granted access to that information only, under the same confidentiality agreement.

    Furthermore, individuals should be given unfettered access to their own information, on request. (Identity verification should be draconian here.) Individuals should have the right to challenge an inaccuracy, and to provide documentation disproving it.

    Granted, it may have some issues of its own, but at least it's a step up from "give everyone's most intimate financial details to every company that pays us a nickel." Any thoughts?

    --
    Formerly GNU/Anonymous Coward. This message has been determined to cause cancer in laboratory animals.
  15. 10 million victims lose 300 million hours... by geekotourist · · Score: 4, Insightful
    The FTC IDTheft website has this 2003 report filled with statistics:
    • over 3 million Americans had fraudulent ID theft (the worse kind), and 10 million total had some type of ID theft
    • ID theft victims spent a total of 300 million hours "fixing" their problems.
    • Fraudulent ID theft averaged $10,000 stolen. The total cost of all ID theft is $50 billion.
    • the monetary cost to fix fraudulent ID theft averages $1,200 per ID victim.
    But in reading this report the bias that "businesses are the true victims" shows up. The $5 billion in costs to the identity victim (and 300 million hours of time) is described as "Individuals whose information is misused bear only a small percentage of the cost of ID Theft" (pg 6). That's a bad way of thinking about it for several reasons:
    • 300 million hours of victims' time = 300 million hours of research and investigative time = a 'donation' of at least a few billion dollars.
    • The ID theft victim gets hit with real and lasting costs. Companies get to write off their losses, or use insurance and pass their costs on to consumers. A year after ID theft is discovered, the theft is just a blip in a spreadsheet to the companies where the stolen identity was used. The victim will still be writing letters, finding new ramifications, and losing time and sleep over the matter.
    • Those 300 million hours also = stress, lost time from work, family, charities, plus also extra medical expenses.
    • "15 percent of ID Theft victims reported that their personal information was misused in nonfinancial ways. The most common such use reported was to present the victim's name and identifying information when someone was stopped by law enforcement authorities or was charged with a crime." What's the cost of your kid seeing you arrested because someone else used your name? Not to mention...
    • Now that the government gets data from Choicepoint and others, and because the government has no legal responsibility to find or fix bad data in its files, the rest of your life could be hobbled by bad data and you won't quite know why.
    So basically Choicepoint and the credit card reporting agencies are creating a "public bad." Like polluters, they force other people and companies to bear the cost of problems they've created. 300 million hours and $5 billion dollars would = fantastic security finished in months if the companies themselves had to pay these costs. Instead, 10 million people are forced to do their own cleanup work, and the fact that 9.999 million people have already done the job doesn't make it any easier for you when you're the victim.
  16. It can takes years to fix this sort of thing... by Anonymous Coward · · Score: 5, Insightful

    Id Theft can be extremely painful to resolve.

    I had (regular) mail stolen from my mail box (before I realized how bad it is to actually use your mailbox for outgoing mail), at first I thought it was a post office screw up, but several months later, I got a call from a bank employee who just completed a transaction which he thought was fishy. He asked my if I had just cashed a four figure check there. When I told him that I hadn't he warned me that somebody was stealing my Identity. I called my credit card companies to get new cards and security added to my accounts, contacted all of the big three credit agencies and got a hold put on my credit, contacted the local police.

    The next thing I knew it was raining collection notices on me.

    This guy was printing checks with my name and driver's liscense number. For Id, he had a printer which could create fake driver's liscenses with all of my information, but his face and description.

    Fortunately, I was lucky, this guy got pulled over for a faulty brake light and the officer looked into the car and saw over a dozen driver's liscenses on the back seat of his car, all with his picture on them, but different names. The officers told me that I was the one in a hundred whose Identity Thief was caught.

    Now, 8 years later, I can share some lessons with you. Trust me, you don't want any of this to happen to you, arguing with collection agencies is no fun at all, they assume that everybody is a slimeball.

    1) Get a shredder. Get two in case the first one breaks. Shred everything that has anything that can identify you. Id Theives also dumpster and dump dive to look for your information, don't give them any help. shred shred shred...

    2) Get your annual credit report from the big three credit bureaus. Take the time to review it, carefully. They each have a formal procedure for clearing up problems. Follow it to correct your information. They can be reached here http://www.creditreporting.com/

    3) Check your credit and bank statements, you never know what they have on you or when they get it.

    4) If it does happen to you, file a police report immediately. This report number is your best defense against the onslaught of collection agencies that will soon be banging down your door.

  17. Re:Trust me, its not just ChoicePoint. by ScrewMaster · · Score: 4, Interesting

    In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect.

    Absolutely, and I would add that there should be a stiff penalty if a data aggregator denies a citizen that ability, and such denial results in a crime.

    I really cant answer if they should be selling this data...

    Sure you can! Think about how this came about, and where it's going.

    Originally, collecting and maintaining the so-called "credit history" on individual citizens was all about risk avoidance. That's still the case, of course. Businesses have always maintained records about past customers, so that they could then decide how, and if, to do business with said customers in the future. That's been true since we kept records carved on rocks or stamped in clay. The problem came in when business realized, with the advent of the mainframe, telecommunications and vast, cheap, readily-accessible storage that they could share this information with each other, thus dividing the risk. Thus was born the credit bureau. To my mind, the whole concept of the credit bureau is on ethically shaky ground anyway ... do business have the right to defend themselves against the normal costs of doing business, by placing their own customers at risk? Is this a justifiable tradeoff? Given the number of lives destroyed by the credit system over the years, I'd be inclined to say no ... it's usurious at best, and usury is illegal. Or used to be, at any rate.

    So where are we now? Well, what has changed is that the demand is no longer just for security (customer "x" wants to buy product "y", give me yes/no on the transaction) but for the actual information used to make such decisions ... the financial history itself. I understand that companies like ChoicePoint actually acquire more detailed information than the traditional credit bureaus. So now we have an entirely different can of worms. In fact, in their eagerness to sell our personal histories (and sell us out) to companies that want to use that information to sell us other products, they have brought us to the brink of rendering the entire system useless (or at least, too dangerous to be trusted by the average citizen.)

    ChoicePoint and similar organizations concentrate private information to a degree that makes it very, very dangerous to the individual by its mere existence. And then ... they sell it! Perhaps if the banking system were more robust, held more intrinsic safeguards, it might be different. Given how little information is required to perform an act of identity theft, however, I am personally unnerved by the idea of this data being used not simply to verify my creditworthiness, but sold on the open market to anyone meeting ChoicePoint's (apparently) minimal standards.

    In answer to your question, I would say, "no", ChoicePoint should not be allowed to do what they do. I mean, they are taking chances with the financial lives of millions of Americans, who in return get ... nothing. That to me is the mark of a morally bankrupt business model, which if it isn't illegal probably ought to be.

    --
    The higher the technology, the sharper that two-edged sword.
  18. This is so wrong, it's frightening by roesti · · Score: 4, Informative
    While the generation of the "purge list" did have a legal basis - namely, that ex-felons were ineligible to vote - the process of generating the list was an enormous debacle.

    ChoicePoint/DBT originally produced a list of about 8000 voters to remove from the electoral rolls. Katherine Harris got back to them and told them to widen the net - by omitting a few data integrity requirements, such as middle names, dates of birth, and dates and details of their convictions - and assured ChoicePoint that they needn't worry about the number of false positives in the list. This increased the size of the list to about 58,000 voters, more than half of whom were African-Americans.

    When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.

    The USCCR was unable to identify a single voter that was incorrectly prevented from voting because of the felon list.
    This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.

    It's surprising how many people don't know this when it's actually very well documented; in fact, the story broke long before the election actually took place. My suggestion to the doubters is to watch Unprecedented: The 2000 Presidential Election , a very thorough documentary on the topic.

    --
    Attack its weak point for massive damage!