ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
Ineptness to the point of being evil (Score:5, Insightful)
The article further quotes ChoicePoint spokesman Chuck Jones:
Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!
The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
Re:Ineptness to the point of being evil (Score:3, Insightful)
if i *accidentally* ... (Score:5, Insightful)
Companies should be held responsible for the data they hold.
Welcome to the downside... (Score:5, Insightful)
Next big issue is going to be medical records online. While having such information in one location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if you're a public figure, the media getting their hands on otherwise private medical records.
Re:Ineptness to the point of being evil (Score:5, Insightful)
Probably won't happen, however. In fact, we are going in the other direction and the companies that hold your data legally "own" it in most cases.
By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.
Acceptable losses (Score:4, Insightful)
All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.
(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)
Re:Ineptness to the point of being evil (Score:5, Insightful)
Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...
The real problem here isn't the break-in... (Score:5, Insightful)
If the data was that critical and personal, why was it available to "legitimate businesses" in the first place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?
Re:So who ELSE is affected!? (Score:5, Insightful)
No Changes Forthcoming (Score:5, Insightful)
If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.
Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.
Maybe having to deal with thousands of peeved off consumers will clean up their act.
Re:if i *accidentally* ... (Score:2, Insightful)
Re:Thats only what they are required to report (Score:5, Insightful)
I very much doubt that they're willing to do this. They're only providing any notification because they're required by law to do so; left to their own devices they would ignore it entirely.
Re:Ineptness to the point of being evil (Score:5, Insightful)
The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.
Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.
I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.
A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.
This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.
Yeah, thank goodness only AUTHORIZED third parties (Score:4, Insightful)
Re:if i *accidentally* ... (Score:5, Insightful)
Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.
I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.
Re:Ineptness to the point of being evil (Score:3, Insightful)
Fraud is a cost of business to credit card companies, the only way that the credit card companies would actually pay the price here would be if people actually stopped using them. Short of that drastic and unlikely occurrence any level of theft and fraud will be absorbed and paid by the customer.
Re:Ineptness to the point of being evil (Score:5, Insightful)
Just out of curiosity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?
A better solution (Score:5, Insightful)
Re:Ineptness to the point of being evil (Score:3, Insightful)
We need a full investigation. ChoicePoint's liability could be enormous. It is clear a cover-up may be going on.
It's time to Arthur Andersen [findlaw.com] these bastards out of business.
Re:So who ELSE is affected!? (Score:4, Insightful)
Anyway, this is the prison we built for ourselves, and as a result the fact that you happen to live in another state means they do have less obligation to you, as that word has any actual meaning anyway. Otherwise we'd be within our rights to march down there with torches and pitchforks and perforate 'em.
Jail (Score:3, Insightful)
Who is going to jail over this?
If the answer is "no one", then it will happen again.
Limits on personal information... (Score:4, Insightful)
That solves your bank deposit problem. Public/private key separation would solve most of the problems.
As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.
So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.
Re:if i *accidentally* ... (Score:3, Insightful)
I do like your idea of providing some accountability. The problem is that the audit trail could be pretty damn long, but that's okay
Greg Palast (Score:2, Insightful)
But I don't see his references in those articles. No links (and I know there are plenty of people who link him). Very few names.
I can sort of understand the lack of names, although it leaves me with questions. People do get scared.
But then he complains about HAVA, and he doesn't say why, except to wave his hands and say it's bad. He could at least put a link in to an article explaining the problems, even if he doesn't want to spend words in that article on the issues.
I can rant, too. But at least I can put a link or two in when it will help explain things.
The lack of explanation, even though I know HAVA was an exercise in how not to help voters, leaves me unconvinced on the other charges.
Do we really want change, or do we just want a bad guy to vent at?
If there's no explanation, charges are forgotten as soon as the TV catches the attention.
One more thing. This one hurts, but getting scared does not protect your rights. You look at the examples we have in the Ukraine and many other countries. People are putting their future on the line for freedom. But in the US, people want the freedoms without the costs.
Real freedom is not free as in beer.
Re:Ineptness to the point of being evil (Score:3, Insightful)
Re:Jail (Score:3, Insightful)
Re:Data ownership (Score:3, Insightful)
For example, before all this computerization, if you wanted to borrow some money, you told the bank about who you borrowed from in the past, and they would check to see what those people said about the loans and your repayments. You might claim to own a particular piece of land as collateral, but they would check with the property ownership records to see what was really going on.
Nowadays, you might try to borrow some money only to find out that some outfit like ChoicePoint has leaked your personal information, and someone used that data to "borrow" your identity--and now the bank thinks you've already borrowed twice that much. ChoicePoint says "Our data, our mistake, your tough luck." Even worse in the case when they helped disqualify legitimate voters because they were paid to do so... Reminds me of the joke about the "creative" accountant: "You want to know how much is 2 plus 2? Well... How much do you *want* it to be?"
I really think we should have the right to store our own data on our own computers, and if I heard of a country with that kind of law, I'd be thinking very seriously about moving. I really can't imagine that all of the personal data about me is more than the 250 GB of HDD I currently own. Possession is nine points of the law, as they say. If you need to check on me, ask me for permission, and I'll decide whether or not I'm willing to let you look at the data, and you better have a good reason. For example, you might want to check some of my (computerized) records before deciding whether or not to loan me some money.
Right now the data is "out there", somewhere, and no one really knows what happens to any of it. Even worse, the amount of recorded personal data is increasing very rapidly...
Re:if i *accidentally* ... (Score:3, Insightful)
If that internal security policy didn't exist, on the other hand, the company deserves everything it gets.
It is possible to implement systems with "good enough" security, if you're willing to spend the cash on it. And it's also possible to implement internal systems with "good enough" systems of trust and physical security to prevent regular thefts of valuable materials. Banks have been doing it successfully for a long time, and where the systems fall down there are backup plans intended to deal with the fallout. I don't lose the contents of my bank account when a branch gets cleaned out. The fact that this level of thought and attention is not being paid to personal information suggests that - basically - the incentive to do it does not exist. Let's make it exist.
Re:Data ownership (Score:3, Insightful)
The problem with this is that *you* don't own the data kept about you...When they lose the data, as far as they are concerned they have lost some of their business information
Which is why most developed countries have privacy legislation. "Ownership", in the context of personal information, is about the extent to which individuals can exert control over what happens to that data. Ownership doesn't (or shouldn't) reside with the business alone.
That the data is about you, and could be damaging to you is inconsequential to them.
Which is why I support laws that make organisations take responsibility for the personal data in their custody. It's always puzzled me that the US, such a beacon of individual freedoms in most regards, is so weak in this area.
You forgot one thing... (Score:3, Insightful)
Otherwise, perfectly described Swiss bank anonymous account... "But think about the CHILDREN!"...
Yes, there are technical means, and then there are financial/political "considerations". I wish it would happen like you describe, but, really, a snowball chance in hell it will, agreed?
Paul
Will you even get a notice? (Score:5, Insightful)
The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company. A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.
Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)
Re:Beowolf Lawsuits (Score:3, Insightful)
If this happened to me, I'd monitor my credit report closely and lawyer up personally on ChoicePoint's ass the minute anything weird showed up. Everyone complains that people sue too much. But when a corporation leaves your ass flapping in the wind like this, what other redress is there? We should be so lucky that individuals still have the right to sue corporations when they screw us over- things won't stay like this for long.
Re:Ineptness to the point of being evil (Score:5, Insightful)
where to? no-one knows your address
Re:Choicepoint/DBT have had many PR problems befor (Score:2, Insightful)
Thousands of people are denied their democratic rights, thousands more have their personal details illicitly accessed, and you call it "PR Problems" ?
"Oh, but it WILL affect their PR!"
Yes, but that is not where the problem lies. The problem lies in the company not being capable of doing its job.
Ultimate consumer-friendly solution (Score:4, Insightful)
These companies are in a position of responsibility, but they don't seem to take it very seriously. The credit bureaus have already bribed their way into legislation that makes it your responsibility to correct errors in their data, not them. If we don't act now, they'll bribe (excuse me, I mean "make campaign donations") and get a free pass on handing out your data to the Russian mafia, too. I say make them liable for monetary damages, instead.
Institute it, and watch how fast their security improves. The attitude of: "Oh well, it's not our problem" would be a thing of the past. OR somebody would sue them bankrupt. Either way, the consumer wins.
Plus, the idea of suing these bastards into bankruptcy appeals to me because of Choicepoint's role in George W. Bush's 2000 coup.
Me too - UK rules are scary (Score:3, Insightful)
Not so long ago, I was surprisingly refused credit. In fairness, that part wasn't Experian's fault; it was down to an automated address database that didn't recognise the correct form of my address and decided I didn't exist. However, during the follow-up enquiries with the credit card company who'd turned me down, I obtained a copy of my credit record from Experian. There were so many minor inaccuracies it was scary. The best bit was when, at 17:05 after speaking to someone there for five minutes (after about a half-hour on hold), I was asked "whether it really matters, because I'm supposed to go home at 5". I was speechless, and for me that's saying something. ;-)
The really disturbing thing is that despite our actually pretty good data protection rules in the UK (the Data Protection Act does have some teeth, and thus far the Office of the Information Commissioner has proved to be very level-headed and apolitical in its actions) the entire credit and finance industry has basically managed to exempt itself. The credit agencies are allowed to keep files on me without my permission. Those files are obviously grossly inaccurate and poorly maintained, but if I lose out on something because of the bad information I have no recourse. (Well, I can add a "notice of correction" to the file after the fact, after getting a copy of my record at my own expense.) If a financial group turns you down for credit, they basically don't have to tell you anything, other than (a) whether an automated credit scoring system was used (in which case they do have to offer you a reassessment by a real human being) and (b) which credit reference agency/agencies they used.
Now, I'm not a big fan of credit in the first place. I always liked the advice to read "credit" as "debt": "3 years' interest free debt!", "I have a $50mil debt limit on my card!" etc. But in our society today, credit can be a useful tool when used judiciously, and if a market that is fundamental to the way our society currently works is to be allowed to regulate itself to the extent that it currently does, it has to be reasonable about fixing its mistakes. Otherwise, screw 'em, and let fly the lawsuits that everyone else would be subject to if they made the same sort of mistake with the same consequences.
Re:Will you even get a notice? (Score:4, Insightful)
Now, that data is going to be worth a lot of money to someone. There are going to be individuals on that list who could have more than $100k stolen each, ergo, the data is worth a multiple of that.
But what if someone leaked it? Disgruntled employees or clients, other blackhats, cleaners, anyone? How wide would a 100MB csv spread on Kazaa? Given the precedent set by spammers, nearly all of those victims could be exploited.
Anyone want to guess the political, economic and cultural impact of 1 in every 10 US citizens becoming bankrupt or even destitute in a matter of months? If it doesn't happen this time, it's a ticking time-bomb for the future.
A radical redesign of the modern approach to financial security is overdue.
Class Action Lawsuit Opportunity! (Score:1, Insightful)
Re:Data ownership (Score:3, Insightful)
Well, he's entitled not to tell anyone. People can change, you know. This can happen, but now the involved executive has the right to initiate legal actions.
What if a reporter learns that a politician has secret bank accounts where huge sums of money are regularly received?
In that case, he would most certainly be tried, but the money in question wouldn't really be his - or at least earned legally. A right comes with responsibilities; it's not an umbrella to break the law. A court would most probably decide the right doesn't legally apply. I'm not a lawyer in any sense, but that's pretty much how I recall it from school, where we discussed this.
See, the idea behind the right is to protect sensitive personal data. For example, a company can't investigate my medical background unless I let them to if they want to hire me. You can't go harvesting peoples' personal data like if you were collecting stamps because nowadays information is a valued thing, not tangible, but valued. Your personal information is as much yours as it is your car or house.