| « Lighter Security | Main | Hunter S. Thompson's Dead » |
Choicepoint is now mailing notices to more than 100,000 Americans whose personal data might have been improperly sold to scammers who persuaded the nation's premier identity verification and background check company that they were legitimate businesses.
The notices are now going even to those who fall outside of a California law that requires such disclosure.
Robert O'Harrow, Jr. of the Washington Post has a great round-up and advances the story in his piece.
One of the nation's biggest information services has begun warning more than 100,000 people across the country they may be targets of fraud, following disclosures the company inadvertently sold personal and financial records to fraud artists apparently involved in a massive identity theft scheme.ChoicePoint Inc. electronically delivered thousands of reports containing names, addresses, Social Security numbers, financial information and other details to people in the Los Angeles area posing as officials in legitimate debt collection, insurance and check-cashing businesses.
At least 700 victims have had their mailing addresses changed, apparently by people connected to the scheme, authorities said. Identity thieves often change the addresses of victims in order to gain control of credit card offers and other mail. No one knows the extent of the fraud or the financial impact, authorities said. Only one suspect has been arrested. [...]
Company officials said they were sending out more letters to 110,000 addresses throughout the country that may be connected to the reports delivered to the fraudsters.
"We have reason to believe your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you," the letters say.
Authorities said the number of records involved may go higher as the investigation continues. "This is way far more reaching," said Los Angeles Sheriff's Department Lt. Robert Costa, commander of an identity theft unit. "I believe that when we're done it will be more than a half million nationally. It's huge."
Alpharetta, Ga.-based ChoicePoint maintains databases with billions of records about nearly every adult in America, including credit reports and criminal records. Over the past seven years, it has acquired more than 50 other information companies. Like others in the industry, the company routinely sells dossiers to police, lawyers, reporters and intelligence and homeland security officials across the Internet.
[...]
The ChoicePoint case began unfolding last fall. Initially, company employees assumed the requests for information were legitimate, because the applicants appeared to work at registered companies in the Hollywood area. But company investigators noticed that applications for access to the company's massive databases were coming from Kinko's stores, sometimes via fax machines.
A ChoicePoint official said dossiers, possibly including thousands of credit reports, were delivered to personal computers over the World Wide Web or mailed to suspects who had opened close to 50 accounts with the company. The reports, including credit reports, typically cost between $5 and $17, company officials said.
[...]
Investigators still do not know the extent to which the information was used or resold. They have been receiving assistance from postal inspectors. But the case has not gone as smoothly as investigators would have liked. Police said that's in part because ChoicePoint did not appear willing to quickly share information about the case, an allegation the company denies.
"We've been following up on leads while waiting for ChoicePoint," said Costa, the sheriff's department investigator who leads the Southern California High Tech Task Force's identity theft detail.
ChoicePoint spokesman James Lee said the company learned for the first time yesterday the case involved people in states outside California. He said the company has done everything it can to bolster security immediately and help with the investigation. The company also is considering "fundamental changes" in security procedures and customer authentication.
"We're not to blame, but we're taking responsibility," Lee said. "The people committing the fraud were smarter and quicker than we were.
"It's a wake-up call," he said. "Everybody needs to be ever vigilant and diligent."
A wake-up call, indeed.
Vigilance and diligence in this case would mean opting-out of Choicepoint's database, but that's not possible.
You can't opt-out.
So how is one supposed to be vigilant then?
Posted by Ryan Singel at February 17, 2005 12:56 PM
Trackback PingsTrackBack URL for this entry:
http://www.secondaryscreening.net/cgi-bin/mt-tb.cgi/120
Elsewhere it has been noted that they are only sending notices to California residents, since only California has any legal requirement for them to do so. The rest of the country is just screwed -- if their data were stolen they will not be notified.
Clearly, this points to the need for more regulation, since Choicepoint is not playing fairly with the rest of the country.
Posted by: John Ashcroft at February 17, 2005 06:07 PM
"How is one supposed to be vigilant?"
Why, it's obvious. Set up a fake company to pull your own records now and again.
;)
Posted by: Adam Shostack at February 18, 2005 08:43 AM
This is an interesting take on the situation. It's the damn SS# that is the problem:
http://www.economicsdaily.com/2005/02/its-not-really-identity-theft.html
Posted by: Rudy Giuliani at February 26, 2005 11:27 AM