ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
Legal question (Score:5, Interesting)
So who ELSE is affected!? (Score:4, Interesting)
SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?
We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.
Do a little quick math (Score:5, Interesting)
So, the number of stolen identities is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the thieves didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to exclude California records because those individuals would be on alert).
So, potentially one in every one hundred people in the US now has their electronic profile available for identity theft. That's a scary (although I'll admit unlikely) idea.
Closing question...what exactly is the f'ing difference between a "legitimate" company accessing this ChoicePoint database and an "illegitimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, conceivably so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Sam's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.
- JoeShmoe
Re:Ineptness to the point of being evil (Score:1, Interesting)
Re:Thats only what they are required to report (Score:5, Interesting)
2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.
I would say it's pretty likely they wouldn't report data thefts about people in other states...
The powers that be.... (Score:3, Interesting)
Where's the Upside? (Score:5, Interesting)
This whole company's existence and screwup just stamps out all notions of privacy I had; now not only have thieves profited from me without even notifying/asking me, but now criminals can benefit from my existence too.
Before you OH NOE, there's a solution. (Score:1, Interesting)
It's heavy handed, sure. You're effectively DOS'ing yourself, and things may take longer to open windows, etc.. But better safe than sorry.
Lets all laugh at security (Score:4, Interesting)
"Law Enforcement Clearance?" (Score:3, Interesting)
Now why exactly would they need permission to tell me (if I were a CA resident) that I should be worried about my data being misused? They certainly didn't need any cop's permission to amass it, nor to hand it to a "legitimate" customer.
Re:Ineptness to the point of being evil (Score:5, Interesting)
Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify the potential employer that they had made a mistake.
a blast from the past (Score:3, Interesting)
Re:So who ELSE is affected!? (Score:2, Interesting)
This is a great time to hunker down and read Harry Frankfurt's essay "On Bullshit." [jelks.nu]
This fellow James Lee is the Jackson Pollock of bullshit artists. I can see how this statement could get the parent's goat: "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified."
Of course, because California is the only state that requires notification. Duh.
You read his statements and they stick out like a sore thumb, in opposition to the universe as you know it. You wonder if he is either incompetent or lying. But it's really neither; he's bullshitting you. This is what Frankfurt says:
Re:if i *accidentally* ... (Score:3, Interesting)
The question is, what is a reasonable effort to maintain the safety of your data? If a company is making a good faith effort to keep their systems up to date with the latest patches, you probably don't have a reasonable case to sue them. I haven't seen anything that suggests their protection of people's data is analogous to "a rickety old warehouse in the middle of a populated area."
Don't get me wrong; it bugs me that there are companies whose sole purpose is to gather up whatever data they can find on me and sell it to whoever gives them money for it. One thing I would really love to see is a requirement that any data in their database have an attributed path back to the source of the information, so I know who is selling it to them.
Similarly, I'd love to see a law that requires any company who sends out junk mail to include in that mail a list of where they got a person's information from. If a magazine or web site knew that selling your information to a mailing list was going to cause their name to show up on all junk mail received from that mailing list (and transitively from any other mailing lists that that list was incorporated into) I suspect far fewer companies would be so eager to sell people's data for a quick buck.
Re:Ineptness to the point of being evil (Score:3, Interesting)
It isn't nearly as simple as that.
Photographers require a release from models they shoot, similarly with tv shows (watch any of those reality shows and you'll occasionally see people who were filmed but would not sign a release, their faces and any other personally identifiable information is blurred out). So while copyright in the photo or film is owned by the shooter, I believe that it is considered a derivative of the subjects themselves. There could easily be a specific section of the copyright code that deals with this as a special case, I just don't recall any.
So, I think it is reasonable to consider personal records as a rough equivalent of a photograph of that person as they certainly are derived from the actual personal details that in part make up that person. (Then we get into the sticky territory of copyrighting facts.)
Re:if i *accidentally* ... (Score:3, Interesting)
Let's say I run an online job market site. IIS backed with SQL server. A blackhat hacker uses an unknown exploit to break in, unauthenticated, to IIS. He then leverages this account to steal SQL credentials (or he uses an unknown SQL vulnerability) and downloads every resume we have on the system.
You're telling me that I should be charged with a crime?
To further your car analogy, you're saying if, while driving, my factory-faulty bumper comes off and brains a passing pedestrian that I should be liable? OK, maybe not, because I didn't know about it. How about this: Ford tells me that my bumper might fly off, and that I have to take it to a mechanic ASAP. I decide to do it after work, but on the way to work, *thump*, I kill a pedestrian with my faulty bumper.
See the problem? It's not black and white.
Re:Ineptness to the point of being evil (Score:3, Interesting)
I don't think there's any coincidence that my local coffee shop raised all their prices about the same time they started accepting credit cards, and I appreciate that my favorite local CD store charges a buck fifty per CD extra if you pay with credit cards - that way, I don't have to subsidize other peoples' credit card use when I pay cash.
That said, with the way retailers have to bear the brunt of the damage when someone commits credit card fraud, I am absolutely amazed that almost no stores have a policy of requiring a picture ID with a credit card. If I ran a store, cashiers would get fired for not carding people who want to buy things with credit cards.
Re:Ineptness to the point of being evil (Score:5, Interesting)
There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)
Re:Remember the Florida election of 2000 ? (Score:4, Interesting)
OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.
I sent my resume and never got a response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiosity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiosity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (no password). It worked.
Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different , so for all I know root on those boxes was the same as all the other passwords)
Not wanting to cross any further boundaries than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact it had! They wanted to talk to me and hear more about what I had to say regarding their network. For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight, I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist).
Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor security procedures; I'm shocked there aren't more thefts like this one happening on a regular basis.
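The post above guesses that the client stored its saved passwords under "something really stupid like XOR". The block below is an added example, not code from the post and not a claim about how CuteFTP actually worked: it shows why a repeating-key XOR over stored credentials is no protection at all. One record whose plaintext you know (a password you set yourself) hands you the key, and every other record obfuscated with the same key decodes; identical ciphertext blobs also expose password reuse across hosts before any key is recovered. The key, host names and passwords are constructed for the demonstration.

```python
"""
Added example: known-plaintext recovery of a repeating XOR key from a
constructed "saved sites" file, plus detection of reused passwords from
identical ciphertexts. Not the original post's code and not CuteFTP's
real storage format, which the poster does not know either.
"""
from collections import defaultdict
from itertools import cycle

# Hypothetical fixed key, standing in for whatever a client might hard-code.
_DEMO_KEY = b"\x5a\x3c\x91\xe7\x08\x4f"


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(known_plain: bytes, cipher: bytes, key_len: int) -> bytes:
    """key[i] = plaintext[i] ^ ciphertext[i] for the first key_len bytes."""
    if len(known_plain) < key_len or len(cipher) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plain[:key_len], cipher[:key_len]))


def _printable(blob: bytes) -> bool:
    return all(32 <= c < 127 for c in blob)


def crack(stored: dict, known_host: str, known_plain: bytes, max_key_len: int = 16):
    """Try every key length up to max_key_len; accept the first key that
    (a) decodes the known record to exactly known_plain and (b) turns every
    other record into printable ASCII. Returns (key, decoded) or (None, {})."""
    cipher = stored[known_host]
    for n in range(1, min(max_key_len, len(known_plain)) + 1):
        key = recover_key(known_plain, cipher, n)
        decoded = {h: xor_obfuscate(b, key) for h, b in stored.items()}
        if decoded[known_host] == known_plain and all(_printable(d) for d in decoded.values()):
            return key, {h: d.decode() for h, d in decoded.items()}
    return None, {}


def reused(stored: dict) -> list:
    """Hosts sharing an identical ciphertext share a password: XOR with a
    fixed key is deterministic, so reuse leaks without any key recovery."""
    groups = defaultdict(list)
    for host, blob in stored.items():
        groups[blob].append(host)
    return [sorted(hosts) for hosts in groups.values() if len(hosts) > 1]


def demo():
    # Constructed site file: host -> obfuscated password (same password on the
    # two database hosts, mirroring the reuse the post describes).
    secrets = {
        "ftp.example.test": "Hunter2!",
        "oracle1.example.test": "s3cretDBpass",
        "oracle2.example.test": "s3cretDBpass",
    }
    stored = {h: xor_obfuscate(p.encode(), _DEMO_KEY) for h, p in secrets.items()}
    # The attacker knows only one of the passwords (their own FTP site).
    key, decoded = crack(stored, "ftp.example.test", b"Hunter2!")
    return key, decoded, reused(stored)


if __name__ == "__main__":
    key, decoded, dup = demo()
    print("recovered key:", key.hex() if key else None)
    for host, pw in decoded.items():
        print(f"  {host}: {pw}")
    print("password reuse groups:", dup)
```

The key-length search is what a throwaway "decryptor" effectively does; the only real defence against this class of storage is not to store reusable secrets at rest in a reversible form, or to put them behind an OS credential store the attacker cannot read as a file.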
It needs to be treated as what it is: (Score:5, Interesting)
Companies need to get on the stick and use other verification measures. Using an SSN as an ID # is fine, not as a password; that needs to be something else not related to identity.
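As an added example of the distinction drawn above (not code from the post): an account store where the SSN is only the lookup key and authentication rests on a separate, random, per-user secret stored as a salted scrypt hash. Anyone who has harvested the SSN from a data broker's database cannot pass verification with it. The class, the sample SSN and the scrypt cost parameters are all constructed for the demonstration.

```python
"""
Added example: SSN as identifier, never as the secret. Constructed for this
discussion; not the original post's code. The scrypt parameters are demo
values, to be tuned for a production deployment.
"""
import hashlib
import hmac
import os
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # demo cost (about 16 MiB)
_DUMMY_SALT = b"\x00" * 16


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class AccountStore:
    """SSN -> record. The record never holds the secret, only its hash."""

    def __init__(self):
        self._by_ssn = {}

    def enroll(self, ssn: str, name: str) -> str:
        """Register a holder by SSN and issue a random secret that is
        unrelated to any identity attribute; the holder must keep it."""
        secret = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._by_ssn[ssn] = {"name": name, "salt": salt,
                             "hash": _hash_secret(secret, salt)}
        return secret

    def lookup(self, ssn: str):
        """Identification: the SSN is fine as a lookup key."""
        rec = self._by_ssn.get(ssn)
        return rec["name"] if rec else None

    def verify(self, ssn: str, secret: str) -> bool:
        """Authentication: requires the separately issued secret."""
        rec = self._by_ssn.get(ssn)
        if rec is None:
            # Burn the same work for unknown SSNs so response time does not
            # reveal whether an SSN is enrolled.
            _hash_secret(secret, _DUMMY_SALT)
            return False
        return hmac.compare_digest(_hash_secret(secret, rec["salt"]), rec["hash"])


def demo() -> dict:
    store = AccountStore()
    ssn = "123-45-6789"          # constructed sample value
    secret = store.enroll(ssn, "Jane Doe")
    return {
        "lookup": store.lookup(ssn),
        "ssn_as_password": store.verify(ssn, ssn),      # what the post warns against
        "with_secret": store.verify(ssn, secret),
        "wrong_secret": store.verify(ssn, secret[:-1] + "x"),
        "unknown_ssn": store.verify("000-00-0000", secret),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the block makes concrete: the SSN lives in every broker's database and in this breach, so "knowing it" proves nothing; only the hash of a secret that exists nowhere but with the holder does.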
Put the slashdot effect to good use (Score:5, Interesting)
Re:Data ownership (Score:5, Interesting)
It's usually paired with another constitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.
Basic principle of the EU directive (Score:4, Interesting)
As a matter of fact, even supplying personal data to third parties is outright verboten without a solid reason to do so. (And no, money grubbing greed is not considered a solid reason, legally)
I *did* create it! (Score:3, Interesting)
I created my address by purchasing a house and moving into it. I created my credit history by obtaining credit, using it, and paying it off (or not). I created my salary history by getting a job and drawing a salary. I created my education history, GPA, major, minor, and concentration by getting an education. I created this message. I created my marital status. I created my child, though he is creating original art of his own in the form of barf stains and poopy diapers. I created my driving record in the car I purchased (thereby creating a transaction). I created a trip to Alaska last year. I created the purchase of several souvenirs while there. I created a speeding ticket near Healey, though I will concede that the public has the right to know what sorts of idiots they are sharing the road with and place that in the public domain.
I created every single item in that database through my own actions. Any score, categorization, or classification created from that data is a derivative work. Who the hell are they to act like they have more of a right to it than I do?
Just to remove some ambiguity from the posting... (Score:5, Interesting)
Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:
"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."
Time to start lobbying some other states' legislatures, perhaps.
The Shrub pushes for Tort Reform (Score:2, Interesting)
Of course GWB is pushing for "Tort Reform" to eliminate class action lawsuits in the United States.
It doesn't require a tin foil hat to see why this is such a priority for him when a major ally to his campaign is clearly in the sights for such a lawsuit.
Re:Limits on personal information... (Score:3, Interesting)
Browsers have a wallet-like feature which fills it in on demand.
Excellent points, all.
My pet peeve is that "form filling out" information disclosure should really be kept to the minimum required for the transaction.
If you go into a doctor's office for an ingrown toenail, there's no reason you should have to dump down 57 pieces of data on a form. If I put down that I'm a 27 year old male with no allergies and I can digitally sign that I'm able to pay up to $500 for any services, that should be enough.
Likewise for getting an account at the video rental store, getting an airline ticket [cf John Gilmore's battles], etc.
Problem is, businesses and governments are addicted to increasing TIA and decreasing the anonymity that was an artifact of older technology. People living in the "free world" tolerate encroachment of their privacy without much thought. It won't be until a totalitarian regime (eg, China) starts using technology in new ways to suppress dissent and control the populace that people will become aware of the implications of putting so much information in the hands of the authorities.
Which reminds me - if you're a U.S. citizen, contact your Congressional Representative to eliminate the more egregious parts of the so-called Patriot Act.