Using an old-fashioned con, thieves posing as legitimate businesses wereable to extract the personal information of thousands of consumers fromChoicePoint, which stores Social Security numbers, credit reports, addressesand other data for the vast majority of Americans.
The company sells the information to local, state and federal governmentagencies and insurance and financial institutions, among others. It said the thieves used stolen identities to create fake businesses as fronts and then bought the information from ChoicePoint.
Information brokers such as ChoicePoint have been criticized by consumerprivacy advocates, who say the information is handled too cavalierly. TheElectronic Privacy Information Center (EPIC), a public interest researchcenter, only two weeks ago warned the Federal Trade Commission about what it called unjustified access to commercial databases. EPIC also questioned whether ChoicePoint’s auditing procedures were adequate.
ChoicePoint said it has begun sending letters to 35,000 Californians, but a spokesman said there may be as many as 100,000 victims nationwide. California is the only state that requires companies to inform consumers ifthey may be the victims of identity theft.
Jonathan Penn, principal analyst for identity and security at Forrester Research, issued a harsh assessment of ChoicePoint.”Being a custodian of such aggregated data, ChoicePoint is anextremely obvious target,” he said. “They should have network perimeter securitymeasures, insider security measures, encryption measures, strongauthentication, customer ID verification and many other procedures toavoid this security incident, breach of trust and business loss.”
“And what ChoicePoint is doing now, how they’re handling it, ishorrible,” Penn added. “The good example of how to respond has been set by Wells Fargoand its recent data theft problem. But ChoicePoint is doing the minimumrequired and making statements that are patently absurd, i.e. [claiming that] only thedata of California residents — coincidentally, the only peoplewhom they’re required to notify — has been stolen.”
Consumer advocates voiced similar concerns.”We strongly encourage ChoicePoint to notify every individual whose data was compromised in this scam,” AdamLevin, chairman of Identity Theft 911 and former director of the New Jersey Division of Consumer Affairs, told TechNewsWorld.
“Identity theft knows no borders, and there’s no telling where this information has gone or how it will beexploited. What we do know is that the people affected must be toldthey’re at risk so they can take measures to protect themselves.”
The Los Angeles Sheriff’s Department, FBI and the U.S. Postal InspectorsOffice are cooperating on the case.
Arrests May Be Coming
Linda Foley, executive director of the Californian non-profit Identity TheftResource Center, told TechNewsWorld that sheriff’s deputies have severalsuspects who, she said, are “more than likely repeat offenders.” She saidshe expected “the next news in this case would be of some arrests.”
The Atlanta Journal-Constitution reported that Olatunji Oluwatosin, 41, aNigerian national, was arrested Oct. 27 by deputies when he allegedly triedto retrieve a fax he believed to be from ChoicePoint. He is scheduled toappear Thursday in Los Angeles County Court.
Big Picture Issue
There was no hacking involved, nor was the company lax in following itspolicies, Foley said.
“ChoicePoint did follow their policy,” she said. “ChoicePoint did duediligence here. Unfortunately we have a criminal population that is verysmart.” She added that once you have stolen the identity of a person with aclean record it is very easy to get a business identification number.
Because businesses and governments want to be able to access vast stores ofpersonal information, the issue is not likely to be resolved easily.
“The problem is more systemic than it is specifically a ChoicePointproblem,” Foley said. “Sometimes individuals want as much information asthey can get on another person. As an employer, I want to know as much as Ican about someone I’m hiring, especially if it’s in a sensitive area. It’s agovernmental decision about whether this is going to be allowed or not.”
Victims can put alerts on their credit reports that would require creditagencies to contact them when anyone tries to use their report. A morerestrictive option is a credit freeze, in which the consumer would have to”thaw” report by calling a special number and using a PIN code to allowaccess to the report.