ChoicePoint Data Stolen By Imposters

swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."

Ineptness to the point of being evil

[Eric Smith (4379)]

The MSNBC article quotes the consumer notification:

You should continue to check your credit reports frequently for the next year.

If I get the notification, I'm going to request that ChoicePoint pay the costs for me to subscribe to unlimited credit report access from all three credit bureaus. IIRC, that costs about $100/year for each bureau. Since it's ChoicePoint's screwup, I shouldn't have to pay the costs necessary for early detection of fraud in my credit report.

The article further quotes ChoicePoint spokesman Chuck Jones:

But ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed

Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!

The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

Re:Ineptness to the point of being evil

[shanen (462549)]

Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.

Probably won't happen, however. In fact, we are going in the other direction and the companies that hold your data legally "own" it in most cases.

By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.

Re:Ineptness to the point of being evil

[Riddlefox (798679)]

Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.

Just out of curiousity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?

Limits on personal information...

[by Anonymous Coward]

The real problem is there's no public/private key separation. Your credit card number is a secret key, but must be shared in order to do business with it. Ditto for checking account numbers which make direct deposit possible. The reason boils down to sheer laziness on the part of credit issuers. When there's a problem they can soak the merchants and/or customers, so they haven't bothered to fix the system.

That solves your bank deposit problem. Public/private key separation would solve most of the problems.

As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.

So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.

Re:Ineptness to the point of being evil

[shanen (462549)]

Actually, in theory there is no reason for the bank to know anything about you, even including your name or address. I'll construct a simple concrete scenario around your example of an online purchase:

1. Go to Web site and log in (or otherwise establish your identity--I actually think a secure system should really have at least two security elements of something you have and something you know, but this is getting off the topic here).
2. Select the merchandise and order it.
3. The store contacts your computer for payment information.
4. Your computer asks for confirmation that you made the order.
5. After confirmation, your computer returns a bank number, an account number, and an authorization to withdraw some money.
6. The store contacts the bank and asks for money.
7. For extra security, the bank might double-check with your computer again. (Just an example of what should be user-controllable security settings that could be included in the certificate. If you were really paranoid, you might insist that the bank doublechecks directly with you, especially for larger purchases, but in that case the certificate would also need to include some personal information about you and how to contact you. Your decision whether or not to do that, however.)
8. Money is transferred to the store.
9. The store contacts your computer again, confirms payment and asks for the shipment information.
10. Merchandise is shipped.

There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)

Re:Ineptness to the point of being evil

[DrSkwid (118965)]

> Merchandise is shipped.

where to? no-one knows your address

Re:Ineptness to the point of being evil

[mingot (665080)]

By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.

Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify they potential employer that they had made a mistake.

Experian (in UK) also screws you : my experience

[fantomas (94850)]

Experian is a company in the UK (I believe they may be USian) that holds credit information, and is used by many UK companies to check credit records.

A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".

I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction to ask for their records first. Which of course costs you money that goes into the credit agencies pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) peoples' lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.

Data ownership

[EmbeddedJanitor (597831)]

The problem with this is that *you* don't own the data kept about you. You might have the right to view the data, but you don't own it. Since just about forever, various companies have been tracking various info about people (buying habits, credit history etc). They track these for their benefit (and their customers) - not yours.

When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).

That the data is about you, and could be damaging to you is incosequential to them. Anyone could have bought the data from them anyway.

Re:Data ownership

[Lisandro (799651)]

I don't know about the rest of the world; but Argentina grants it's citizens a consitutional right called "Habeas Data" [warwick.ac.uk], which, in a nutshell, specifies that every individual owns his personal information and it can't be disclosed or abused without his consent. This includes medical records, bank accounts, work historials and so. Knowing that most modern constitutions are based on the US one, i thought something similar would be available to Americans.

It's usually paired with another consitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.

Re:Ineptness to the point of being evil

[LostCluster (625375)]

The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...

Re:Ineptness to the point of being evil

[yog (19073)]

This is really scary.

The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.

Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.

I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.

A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.

This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.

Re:Ineptness to the point of being evil

[yog (19073)]

Banks require your social security number for tax reporting purposes.

You have a point there and I am not sure how she deals with banks; maybe she keeps all her money in Canadian banks.

Also, there are lots of foreign people in the U.S. and elsewhere who have U.S. bank accounts but no SS #. I suspect that banks assign these people arbitrary generated numbers. Perhaps you can go to a bank, tell them you're from Scotland or Uruguay or the South Pole and just open an account without the damn SS number. Of course they may demand a passport.

Now here's an interesting bit of trivia. You can change [ssa.gov] your social security number. It's free and you have to apply, with proof of identity, and also supply a reason why the change is needed. It can be a change of name, threat of domestic violence, identity theft, or even because the numbers are offensive to your religious beliefs. I suppose the latter reason is the best way to change your SS # arbitrarily. However, they say they keep your old number on file and cross referenced, so it may be that someone with your old number could still cause you grief.

Re:Ineptness to the point of being evil

[damiangerous (218679)]

Also, there are lots of foreign people in the U.S. and elsewhere who have U.S. bank accounts but no SS #. I suspect that banks assign these people arbitrary generated numbers.

The IRS is way ahead of you, that's what ITINs and ATINs [irs.gov] are for.

Re:Ineptness to the point of being evil

[lordkuri (514498)]

Fraud is a cost of business to credit card companies

as a holder of a merchant account, I can say that you're full of shit. WE bear the brunt of fraud (a.k.a. "Chargebacks")... not only do we lose the money, but we get charged a nice little fee along with it. (usually around $30-40).

oh yeah, and get more than $x percent chargebacks in a year, your account goes *poof*

Re:Ineptness to the point of being evil

[eh2o (471262)]

according to a new federal law, The Fair and Accurate Credit Transactions Act (passed in Dec 2003) you are entitled to a free comprehensive credit report yearly. The big three have an official website at www.annualcreditreport.com (no link b/c they reject unofficial referals) where you can claim your report. (though its not available yet for the mid and eastern states, it will be by the end of 2005).

Will you even get a notice?

[Stephen Samuel (106962)]

35,000 Californians will get notices because California law requires it.

The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company. A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.

Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)

I enjoy...

[softspokenrevolution (644206)]

I really enjoy how the graphic on the front page of their site reads: "Smarter decisions. Safer world."

It's pretty silly.

if i *accidentally* ...

[GNUALMAFUERTE (697061)]

Run over someone with my car, i am responsable, and it's a crime. Even if i didn't mean to.

Companys should be held responsable for the data they hold.

Re:if i *accidentally* ...

[ScrewMaster (602015)]

More importantly, they should be held responsible for what happens to people when that stored information is stolen or otherwise misused. And if the punishing of that company for its negligence forces it out of business ... tough. It simply isn't enough to say, "Sorry, and oh, by the way, we've implemented some new security policies so this shouldn't happen again. We hope. Once again, sorry for the inconvenience." Really, it's more akin to collecting all kinds of flammable and explosive materials and storing them in a rickety old warehouse in the middle of a populated area. You shouldn't be able to get off with an apology and a promise to do better when that warehouse explodes, flattens the nearby buildings and kills a bunch of people.

Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.

I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.

Re:if i *accidentally* ...

[EEBaum (520514)]

And if the punishing of that company for its negligence forces it out of business ... tough.

So long as they don't have a "Going Out of Business" sale...

Legal question

[mctk (840035)]

Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?

Re:Legal question

[MillionthMonkey (240664)]

Supposing my identity stolen and used for fraudelent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?

Ordinarily in a case like this a class action would be brought against the company. The "Class Action Fairness Act" will shift class actions from state to federal court. Ostensibly this was done to prevent venue shopping- where you look for the state with the most favorable laws for your class action suit- but it also has the nice property that federal courts rarely agree to hear class action lawsuits, citing differences in state law. The Act effectively puts an end to all class action suits without explicitly banning them.

If you're a victim of identity theft because your Social Security number was compromised by ChoicePoint, you'll have to hire a lawyer yourself, prove that the identity theft was a result of ChoicePoint's negligence, and your case will be heard separately from those filed by any other plantiffs.

So who ELSE is affected!?

[Buran (150348)]

The story says that these things "are seldom limited to a single geographic area" ...

SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?

We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.

Re:So who ELSE is affected!?

[LostCluster (625375)]

They're only telling the California residents because only California has a state law that requires notification... sound like a law that needs to be passed in 49 other states.

Re:So who ELSE is affected!?

[drinkypoo (153816)]

Actually, this is what happens when the system becomes too objective. The reason we make it subjective is that we are attempting to make things fair. The problem with that is that outside of a fascism it is impossible to make it so, because you cannot reliably enforce all of the laws equally and appropriately. Instead of appointing people we can trust to public offices and other positions of importance, we attempt to construct a system of law that will accurately address every situation. It does not typically believe in mitigating circumstances except in situations where it feels that everyone has done wrong.

Anyway, this is the prison we built for ourselves, and as a result the fact that you happen to live in another state means they do have less obligation to you, as that word has any actual meaning anyway. Otherwise we'd be within our rights to march down there with torches and pitchforks and perforate 'em.

Welcome to the downside...

[ducomputergeek (595742)]

of our information driven world. Something like this was bound to happen eventually and highlights something that really needs to be brought back into the focus of public discource: just how much information should be readily available. Your credit score now is one of your most valuable assets and something you rarely heard about five or ten years ago. Now its mentioned every 30 seconds. Because of the ease of gaining this information, employers, and just about anyone can get your credit score even if legally the shouldn't be.

Next big issue is going to be medical records online. While having such information in once location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if your a public figure, the media getting their hands on otherwise private medical records.

poor credit score keeps me safe.

[isbhod (556556)]

My credit is so poor that stealing my identiy is only going to hurt them. I mean they think they are gettign a free ride, but when Rocko breaks down their door looking for past due payments boy will they be in for a suprise, hell this might be the best thing to ever happen to me!

Acceptable losses

[erroneus (253617)]

Incidents such as these are actually rather rare. People abusing information collected either through neglect or in other ways is not as common as proper use.

All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.

(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)

The real problem here isn't the break-in...

[by Anonymous Coward]

They say "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc."

If the data was that critical and personal, why was it available to "legitamate businesses" in the frist place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?

Re:The real problem here isn't the break-in...

[AndroidCat (229562)]

They're only criminals because they didn't pay for their access, duh. ;)

Excellent!

[by Anonymous Coward]

Well, this is really excellent news. American Radio Works did a show partially covering ChoicePoint's data gathering activities recently:

No Place To Hide [publicradio.org]

It was truely disturbing. Now that we're permanently at war with the Forces Of Evil (terrorists, for now) people should get used to not having any privacy. Sigh.

Do a little quick math

[JoeShmoe (90109)]

California, population approx 30 million, or 1/10 of the US population.

So, the number of stolen identies is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the theives didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to excluse California records because those indidivuals would be on alert).

So, potentially one in every one hundred people in the US now has their electronic profile available for identify theft. That's a scary (although I'll admit unlikely) idea.

Closing question...what exactly is the f'ing differences between a "legitamate" company accessing this ChoicePoint database an an "illegimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, concievable so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Same's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.

- JoeShmoe
.

Re:Do a little quick math

[drinkypoo (153816)]

U.S. Law allows for certain types of personal information to be made available to people for certain reasons, such as the collection of debts. The databases are very interesting to look at (which I have done legitimately in the course of attempting to collect some debts, when my father was working for a company that did that. I found it distasteful and went out of my way to avoid calling anyone, and just doing computer searches...)

The databases basically involve public records from every county in a state describing ownership, professional licenses, et cetera. They often include every piece of information involved in submitting a request for some type of certification. Land deeds, for example, are in there, as well as contractor's licenses. A lot of that information is public record, but the stuff that isn't is the address (that's sometimes but very rarely public) and sometimes social security number. If you can establish that someone was at a certain address, and get a social from that address, hopefully correlating it with another address and matching (or near-matching) social security number, then you can look that ssn up in connection with all kinds of other items. This can connect them to any number of other people who you can bother for their phone number.

Eventually, you can find property, and depending on what state it's in you can sometimes take it away. California makes it pretty hard to do that kind of stuff to someone; you can't take away a home which is also a business, for example, and you can't take away someone's primary automobile -- unless you're the lien holder, that is. Or, well, the federal government.

Notice above I said something about a near-matching SSN? All of this stuff is near-matching. The problem is that someone might write their name (or other information) carefully in one place and illegibly in another. They might of course also forget or "forget" the number and misenter it. Finally, let us not forget the wonders of data entry and the errors therein. Some forms are OCR'd (anything typed) and some were probably hand entered. The record only goes back so far as well, but it's generally pretty far.

Anyway, anyone with a business that has a reason to need to do that kind of thing can get access to those databases. They can tell what you were doing with it, so if you do something naughty, they could tell.

"Criminals posing as legitimate businesses"

[toby (759)]

C'mon! Does every story on /. have to be about Micro$oft?

No Changes Forthcoming

[zentec (204030)]

The government is one of ChoicePoint's largest customers, so you can be certain that there will be zero rules and regulations imposed on ChoicePoint or similar companies. Nor will you see any changes to the Fair Credit Reporting Act, which affords no penalty to companies that report wrong information on individuals other than once proven incorrect, it is removed.

If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.

Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.

Maybe having to deal with thousands of peeved off consumers will clean up their act.

Remember the Florida election of 2000 ?

[furballphat (514726)]

Remember the Florida election of 2000 when a private database company scrubbed thousands of eligible voters from the rolls? Well now one of the co-founders of Database Technologies is back in the headlines -- he's working with law enforcement agents in Florida to create what may soon expand into a national surveillance system. We talk with privacy expert Wayne Madsen, investigative reporter Greg Palast and a top intelligence official from the state of Florida.

When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citzen in this country and this is who they hired to do it:

Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.
But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!

In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company.During the 2000 presidential election ChoicePoint, gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.

So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.

http://www.oldamericancentury.org/oh_republicans .h tm

A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.

http://www.democracynow.org/article.pl?sid=03/08 /0 7/1427223

The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter roles before the 2000 election.

Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.

Re:Remember the Florida election of 2000 ?

[brighton (561425)]

OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.

I sent my resume and never got response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiousity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiousity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (nopassword) . It worked.

Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different , so for all I know root on those boxes was the same as all the other passwords)

Not wanting to cross any further boundrys than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact in had! They wanted to talk to me and hear more about what I had to say regarding their network - For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight , I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist) .

Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor secuirty procedures, I'm shocked there aren't more thefts like this one happening on a regular basis.

Yeah, thank goodness only AUTHORIZED third parties

[loggia (309962)]

...can see your social security number, your credit report, your addresses...

...anytime they want...

...um...

...whew?

Where's the Upside?

[LighthouseJ (453757)]

I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existance? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.

This whole companies' existance and screwup just stamps out all notions of privacy I had, now not only theives profitted from me without even notifying/asking me, but now criminals can benefit from my existance too.

defense?

[Maskirovka (255712)]

Apparently the only defense against this kind of thing is to have really bad credit.

Lets all laugh at security

[Toloran (858954)]

I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSN a day. They don't track who enters what data so I could of easily wrote down a few SSNs along with the person name, phone number, address, etc without anyone knowing I had done it. Even if they make extra-super-duper-sure that they people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.

A better solution

[nasor (690345)]

Rather than taking extreme measures to ensure that social security numbers are kept private, people need to simply stop pretending that a social security number is some sort of magic password that can be used to prove that someone is who they claim to be. SSNs should be treated about the same as phone numbers; assume that everyone has one, but also assume that everyone knows it.

It needs to be treated as what it is:

[Sycraft-fu (314770)]

An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisons of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collison (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attmept to use my name to verify my identity, why would I use my SSN?

Companies need to get on the stick and use other verification measures. Using an SSN as na ID # is fine, not as a password, that needs to be something else not related to identity.

SSN is the real problem

[havarv (786263)]

The use of SSN as a PIN amazes me. The security relying way to much on the fact that no-one is suppose to have access to your SSN. If you get your SSN I can go say my wallet was stolen and you need to have new ID's made. Then get a stack of credit cards in your name. In a couple of days I'll be more you than you are. With so many people requesting to see you SSN in everyday life. This is a serious threat. My girlfriend was even asked to give up her SSN when she paid with a check at a grocery store because she was out of state.

Put the slashdot effect to good use

[Omega Hacker (6676)]

Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html [choicepoint.com] you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!

Just to remove some ambiguity from the posting...

[Angostura (703910)]

Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:

"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."

Time to start lobbying some other states' legislatures, perhaps.

Re:Thats only what they are required to report

[Koiu Lpoi (632570)]

I highly doubt they would refuse to report that data had been stolen from other states, just because they don't have do.

Re:Thats only what they are required to report

[Eric Smith (4379)]

Then let them publicly deny that any data has been stolen relating to residents of other states.

I very much doubt that they're willing to do this. They're only providing any notification becuase they're required by law to do so; left to their own devices they would ignore it entirely.

Re:Thats only what they are required to report

[FuzzyDaddy (584528)]

1. Lee [Choicepoint spokesperson] said law enforcement officials have so far advised the firm that only Californians need to be notified.

2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.

I would say it's pretty likely they wouldn't report data thefts about people in other states...