
ChoicePoint Data Stolen By Imposters

swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
  • Legal question (Score:5, Interesting)

    by mctk ( 840035 ) on Monday February 14, 2005 @10:12PM (#11674289) Homepage
    Supposing my identity were stolen and used for fraudulent activity. If we could trace the identity theft back to ChoicePoint, could they be held liable (in any sense of the word)?
  • by Buran ( 150348 ) on Monday February 14, 2005 @10:12PM (#11674291)
    The story says that these things "are seldom limited to a single geographic area" ...

    SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?

    We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.
  • by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Monday February 14, 2005 @10:19PM (#11674336)
    California, population approx 30 million, or 1/10 of the US population.

    So, the number of stolen identities is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the thieves didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to exclude California records because those individuals would be on alert).

    So, potentially one in every one hundred people in the US now has their electronic profile available for identity theft. That's a scary (although I'll admit unlikely) idea.

    Closing question... what exactly is the f'ing difference between a "legitimate" company accessing this ChoicePoint database and an "illegitimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, conceivably so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Sam's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket... the free sample basket by the front door of the mall.

    - JoeShmoe
  • by Anonymous Coward on Monday February 14, 2005 @10:21PM (#11674357)
    No, legislation is the solution, not the courts. And if personal info were copyrighted we would have all sorts of BS like England does where celebrities can sue for being called whiny in print. What we need is a happy medium, the details of which should be worked out by somebody less tired than me.
  • by FuzzyDaddy ( 584528 ) on Monday February 14, 2005 @10:29PM (#11674405) Journal
    1. Lee [Choicepoint spokesperson] said law enforcement officials have so far advised the firm that only Californians need to be notified.

    2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.

    I would say it's pretty likely they wouldn't report data thefts about people in other states...

  • by skids ( 119237 ) on Monday February 14, 2005 @10:37PM (#11674452) Homepage
    ....have similar problems [democratic...ground.com] of their very own.
  • Where's the Upside? (Score:5, Interesting)

    by LighthouseJ ( 453757 ) on Monday February 14, 2005 @10:53PM (#11674529)
    I RTFA and it says that ChoicePoint aggregates my information and sells it. I interpret "aggregates" as it crawls through and acquires my personal information without my knowledge. I never signed anything saying ChoicePoint can keep and handle my information how they see fit, nor did I receive anything that says some company has my information so I know. Am I alone in saying that no company should be able to profit off of my existence? If that's not bad enough that ChoicePoint has made a living selling my information of which I won't see a dime, now criminals have my personal information and now I have to stay on guard to see if the criminals do anything notably bad in my name.

    This whole company's existence and screwup just stamps out all notions of privacy I had; now not only have thieves profited from me without even notifying/asking me, but now criminals can benefit from my existence too.
  • by Anonymous Coward on Monday February 14, 2005 @10:55PM (#11674538)
    http://www.privacy.ca.gov/financial/cfreezeon.htm
    It's heavy-handed, sure. You're effectively DoS'ing yourself, and things may take longer to open windows, etc. But better safe than sorry.

  • by Toloran ( 858954 ) on Monday February 14, 2005 @10:57PM (#11674546)
    I used to work at a mortgage insurance agency as a temp doing data entry. I would see 100 or so SSNs a day. They don't track who enters what data, so I could have easily written down a few SSNs along with the person's name, phone number, address, etc. without anyone knowing I had done it. Even if they make extra-super-duper-sure that the people accessing the information are legit, there is absolutely no assurance that the person handling your information is honest.
  • by bmasel ( 129946 ) <bmasel@tds.REDHATnet minus distro> on Monday February 14, 2005 @11:01PM (#11674575) Journal
    "The firm was only given clearance by law enforcement officials to disclose the incident two weeks ago, Lee said"

    Now why exactly would they need permission to tell me (if I were a CA resident) that I should be worried about my data being misused? They certainly didn't need any cop's permission to amass it, nor to hand it to a "legitimate" customer.
  • by mingot ( 665080 ) on Monday February 14, 2005 @11:04PM (#11674591)
    By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.

    Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify the potential employer that they had made a mistake.
  • by edward.virtually@pob ( 6854 ) on Monday February 14, 2005 @11:17PM (#11674657)
    here are links to the last time they were mentioned on slashdot [slashdot.org] and my comment on them at that time [slashdot.org]. these guys just keep getting slimier.
  • by greenplato ( 23083 ) on Monday February 14, 2005 @11:21PM (#11674679)

    This is a great time to hunker down and read Harry Frankfurt's essay "On Bullshit." [jelks.nu]

    This fellow James Lee is the Jackson Pollock of bullshit artists. I can see how this statement could get the parent's goat: "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified."

    Of course, because California is the only state that requires notification. Duh.

    You read his statements and they stick out like a sore thumb, in opposition to the universe as you know it. You wonder if he is either incompetent or lying. But it's really neither; he's bullshitting you. This is what Frankfurt says:

    It is impossible for someone to lie unless he thinks he knows the truth. Producing bullshit requires no such conviction. A person who lies is thereby responding to the truth, and he is to that extent respectful of it. When an honest man speaks, he says only what he believes to be true; and for the liar, it is correspondingly indispensable that he considers his statements to be false. For the bullshitter, however, all these bets are off: he is neither on the side of the true nor on the side of the false. His eye is not on the facts at all, as the eyes of the honest man and of the liar are, except insofar as they may be pertinent to his interest in getting away with what he says. He does not care whether the things he says describe reality correctly. He just picks them out, or makes them up, to suit his purpose.
  • by wfeick ( 591200 ) on Monday February 14, 2005 @11:24PM (#11674688)

    The question is, what is a reasonable effort to maintain the safety of your data? If a company is making a good faith effort to keep their systems up to date with the latest patches, you probably don't have a reasonable case to sue them. I haven't seen anything that suggests their protection of people's data is analogous to "a rickety old warehouse in the middle of a populated area."

    Don't get me wrong; it bugs me that there are companies whose sole purpose is to gather up whatever data they can find on me and sell it to whoever gives them money for it. One thing I would really love to see is a requirement that any data in their database have an attributed path back to the source of the information, so I know who is selling it to them.

    Similarly, I'd love to see a law that requires any company who sends out junk mail to include in that mail a list of where they got a person's information from. If a magazine or web site knew that selling your information to a mailing list was going to cause their name to show up on all junk mail received from that mailing list (and transitively from any other mailing lists that that list was incorporated into) I suspect far fewer companies would be so eager to sell people's data for a quick buck.

  • by Jah-Wren Ryel ( 80510 ) on Monday February 14, 2005 @11:54PM (#11674811)
    Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...

    It isn't nearly as simple as that.

    Photographers require a release from models they shoot, similarly with tv shows (watch any of those reality shows and you'll occasionally see people who were filmed but would not sign a release, their faces and any other personally identifiable information is blurred out). So while copyright in the photo or film is owned by the shooter, I believe that it is considered a derivative of the subjects themselves. There could easily be a specific section of the copyright code that deals with this as a special case, I just don't recall any.

    So, I think it is reasonable to consider personal records as a rough equivalent of a photograph of that person as they certainly are derived from the actual personal details that in part make up that person. (Then we get into the sticky territory of copyrighting facts.)
  • by btellier ( 126120 ) <btellierNO@SPAMgmail.com> on Tuesday February 15, 2005 @12:09AM (#11674871)
    Uhm.

    Let's say I run an online job market site. IIS backed with SQL server. A blackhat hacker uses an unknown exploit to break in, unauthenticated, to IIS. He then leverages this account to steal SQL credentials (or he uses an unknown SQL vulnerability) and downloads every resume we have on the system.

    You're telling me that I should be charged with a crime?

    To further your car analogy, you're saying if, while driving, my factory-faulty bumper comes off and brains a passing pedestrian that I should be liable? OK, maybe not, because I didn't know about it. How bout this: Ford tells me that my bumper might fly off, and that I have to take it to a mechanic ASAP. I decide to do it after work, but on the way to work, *thump*, I kill a pedestrian with my faulty bumper.

    See the problem? It's not black and white.
  • by Bastian ( 66383 ) on Tuesday February 15, 2005 @12:34AM (#11674955)
    and you, the merchant, are forced to cover costs by passing it on to customers.

    I don't think there's any coincidence that my local coffee shop raised all their prices about the same time they started accepting credit cards, and I appreciate that my favorite local CD store charges a buck fifty per CD extra if you pay with credit cards - that way, I don't have to subsidize other peoples' credit card use when I pay cash.

    That said, with the way retailers have to bear the brunt of the damage when someone commits credit card fraud, I am absolutely amazed that almost no stores have a policy of requiring a picture ID with a credit card. If I ran a store, cashiers would get fired for not carding people who want to buy things with credit cards.
  • by shanen ( 462549 ) on Tuesday February 15, 2005 @12:55AM (#11675020) Homepage Journal
    Actually, in theory there is no reason for the bank to know anything about you, even including your name or address. I'll construct a simple concrete scenario around your example of an online purchase:
    1. Go to Web site and log in (or otherwise establish your identity--I actually think a secure system should really have at least two security elements of something you have and something you know, but this is getting off the topic here).
    2. Select the merchandise and order it.
    3. The store contacts your computer for payment information.
    4. Your computer asks for confirmation that you made the order.
    5. After confirmation, your computer returns a bank number, an account number, and an authorization to withdraw some money.
    6. The store contacts the bank and asks for money.
    7. For extra security, the bank might double-check with your computer again. (Just an example of what should be user-controllable security settings that could be included in the certificate. If you were really paranoid, you might insist that the bank double-checks directly with you, especially for larger purchases, but in that case the certificate would also need to include some personal information about you and how to contact you. Your decision whether or not to do that, however.)
    8. Money is transferred to the store.
    9. The store contacts your computer again, confirms payment and asks for the shipment information.
    10. Merchandise is shipped.

    There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)
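    The ten-step flow above, carried through as an added example (not code from the original comment). Two assumptions not in the post: the "certificate" the bank checks is modelled as a per-account secret shared between the customer's computer and the bank (an HMAC stand-in for a signature), and the store banks at the same bank so one ledger suffices. Account numbers, balances and the address are constructed for the demo. The point to look at is what each party receives: the bank gets account numbers, an amount and an authorization it can check, and nothing else; the address goes to the store only after payment clears; a captured authorization cannot be replayed or re-priced.

```python
"""Minimal-disclosure purchase flow. Added example; assumptions noted in comments."""
import hashlib
import hmac
import json
import secrets


def canon(msg: dict) -> bytes:
    """Canonical encoding so customer and bank MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    """Knows account numbers, balances and keys; never sees names or addresses."""

    def __init__(self, name: str):
        self.name = name
        self.accounts = {}        # account_no -> {"key": bytes, "balance": int}
        self.seen_nonces = set()  # every authorization is single-use

    def open_account(self, balance: int):
        account = secrets.token_hex(4)
        key = secrets.token_bytes(32)   # assumption: shared secret stands in for the certificate
        self.accounts[account] = {"key": key, "balance": balance}
        return account, key

    def transfer(self, auth: dict):
        """Steps 6 and 8: honour a customer-authorized withdrawal, or refuse it."""
        src = self.accounts.get(auth.get("from_account"))
        dst = self.accounts.get(auth.get("to_account"))
        if src is None or dst is None:
            return False, "unknown account"
        if auth.get("bank") != self.name:
            return False, "authorization is for another bank"
        body = {k: v for k, v in auth.items() if k != "mac"}
        expected = hmac.new(src["key"], canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth.get("mac", "")):
            return False, "bad authorization"      # tampered amount, payee, etc.
        if auth["nonce"] in self.seen_nonces:
            return False, "replayed authorization"
        if src["balance"] < auth["amount"]:
            return False, "insufficient funds"
        self.seen_nonces.add(auth["nonce"])
        src["balance"] -= auth["amount"]
        dst["balance"] += auth["amount"]
        return True, "ok"


class CustomerComputer:
    """Holds the bank credential and the address; releases each only to who needs it."""

    def __init__(self, bank_name, account, key, address, confirm):
        self.bank_name, self.account, self.key = bank_name, account, key
        self.address = address
        self.confirm = confirm  # step 4: callback standing in for the user's click

    def payment_info(self, order: dict):
        """Steps 3 to 5: confirm with the user, then hand out a one-time authorization."""
        if not self.confirm(order):
            return None
        auth = {"bank": self.bank_name, "from_account": self.account,
                "to_account": order["payee_account"], "amount": order["total"],
                "order_id": order["order_id"], "nonce": secrets.token_hex(8)}
        auth["mac"] = hmac.new(self.key, canon(auth), hashlib.sha256).hexdigest()
        return auth

    def shipping_info(self):
        """Step 9: the store, not the bank, learns where to ship."""
        return self.address


class Store:
    def __init__(self, account: str):
        self.account = account

    def checkout(self, customer, items: dict, bank: Bank):
        order = {"order_id": secrets.token_hex(4), "total": sum(items.values()),
                 "payee_account": self.account}
        auth = customer.payment_info(order)
        if auth is None:
            return {"status": "declined by customer"}
        ok, reason = bank.transfer(auth)
        if not ok:
            return {"status": "payment failed", "reason": reason}
        return {"status": "shipped", "to": customer.shipping_info(),
                "bank_saw": sorted(auth)}   # exactly the fields the bank received


def run_demo():
    bank = Bank("First Example Bank")                       # constructed data
    cust_acct, cust_key = bank.open_account(balance=100)
    store_acct, _ = bank.open_account(balance=0)
    store = Store(store_acct)
    alice = CustomerComputer(bank.name, cust_acct, cust_key, "Alice, 1 Example St",
                             confirm=lambda o: o["total"] <= 60)  # user refuses big orders
    first = store.checkout(alice, {"widget": 40}, bank)
    too_big = store.checkout(alice, {"gadget": 75}, bank)
    # a dishonest store captures one authorization and tries to reuse and re-price it
    captured = alice.payment_info({"order_id": "x", "total": 10, "payee_account": store_acct})
    bank.transfer(captured)
    replay = bank.transfer(captured)
    tamper = bank.transfer(dict(captured, amount=1))
    return first, too_big, replay, tamper, bank.accounts[cust_acct]["balance"]
```

    `run_demo()` walks the flow once, then shows the two failure cases the nonce and MAC exist for. The bank's `transfer` is the whole of what the bank learns; there is no field for a name or address to leak into.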

  • by brighton ( 561425 ) on Tuesday February 15, 2005 @01:23AM (#11675124)

    OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.

    I sent my resume and never got a response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiosity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiosity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (no password). It worked.

    Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different, so for all I know root on those boxes was the same as all the other passwords)

    Not wanting to cross any further boundaries than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact it had! They wanted to talk to me and hear more about what I had to say regarding their network - For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight, I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist).

    Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor security procedures; I'm shocked there aren't more thefts like this one happening on a regular basis.

  • by Sycraft-fu ( 314770 ) on Tuesday February 15, 2005 @01:26AM (#11675139)
    An identifier. An SSN is an ID, not a verification. It is useful because there can be, and are, collisions of names, which is the primary method of identifying someone. So you take a name + an SSN and there is nearly a zero chance of a collision (even more so if you add a birthdate). As you note, however, it needs to be assumed that this is known, is public. I wouldn't attempt to use my name to verify my identity, why would I use my SSN?

    Companies need to get on the stick and use other verification measures. Using an SSN as an ID # is fine, not as a password; that needs to be something else not related to identity.
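    The identifier/verifier split the comment above draws, as an added example (not code from the comment). Name, SSN and birthdate locate a record; a secret unrelated to identity proves the caller owns it. The record and the "stolen profile" are constructed for the demo, and the PBKDF2 parameters are a reasonable default chosen here, not something the page specifies.

```python
"""Identifier vs. verifier. Added example; sample data constructed inline."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # assumption: a reasonable default, not from the page


class AccountDirectory:
    """Name + SSN + birthdate *locate* a record; only a secret *proves* it is you."""

    def __init__(self):
        self._records = {}   # (name, ssn, dob) -> {"salt": bytes, "hash": bytes}

    @staticmethod
    def _key(name, ssn, dob):
        # Normalise the public identifiers; they are an index, not a secret.
        return (name.strip().lower(), ssn.replace("-", ""), dob)

    def enroll(self, name, ssn, dob, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[self._key(name, ssn, dob)] = {"salt": salt, "hash": digest}

    def identify(self, name, ssn, dob):
        """Identification: public facts are enough to find the record."""
        return self._key(name, ssn, dob) in self._records

    def verify(self, name, ssn, dob, password):
        """Verification: requires a secret that has nothing to do with identity."""
        rec = self._records.get(self._key(name, ssn, dob))
        if rec is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, rec["hash"])

    def verify_by_ssn_only(self, name, ssn, dob):
        """The anti-pattern the comment criticises: the identifier doubles as the password."""
        return self.identify(name, ssn, dob)


def run_demo():
    directory = AccountDirectory()
    directory.enroll("Jane Doe", "123-45-6789", "1970-01-01", "correct horse battery staple")
    # Constructed "stolen profile": everything a data broker holds, and no secret.
    stolen = ("jane doe", "123456789", "1970-01-01")
    return {
        "identify_with_stolen": directory.identify(*stolen),
        "weak_scheme_with_stolen": directory.verify_by_ssn_only(*stolen),
        "strong_scheme_with_stolen": directory.verify(*stolen, "password1"),
        "strong_scheme_with_secret": directory.verify(*stolen, "correct horse battery staple"),
    }
```

    With the stolen profile alone, `identify` succeeds (as it should: that is what the fields are for) and the SSN-as-password scheme lets the thief straight in, while the scheme with a separate secret does not.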
  • by Omega Hacker ( 6676 ) <omega@omega[ ]net ['cs.' in gap]> on Tuesday February 15, 2005 @01:29AM (#11675154)
    Everyone reading this story should take a few minutes out of their day and call ChoicePoint, and ask them a few, um, "point"ed questions. According to their page at http://www.choicepoint.com/privacy.html [choicepoint.com] you can call them at 1-877-301-7097. Call them up, take some of their precious time (they're taking yours, it's only fair) and phone bill, and ask them directly if your private, personal information was involved in this theft. I'll be doing so tomorrow, and making as much of a pain of myself as I can. Supervisor, here I come!
  • Re:Data ownership (Score:5, Interesting)

    by Lisandro ( 799651 ) on Tuesday February 15, 2005 @05:21AM (#11675772)
    I don't know about the rest of the world, but Argentina grants its citizens a constitutional right called "Habeas Data" [warwick.ac.uk], which, in a nutshell, specifies that every individual owns his personal information and it can't be disclosed or abused without his consent. This includes medical records, bank accounts, work histories and so on. Knowing that most modern constitutions are based on the US one, I thought something similar would be available to Americans.

    It's usually paired with another constitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.
  • by CaptainZapp ( 182233 ) * on Tuesday February 15, 2005 @05:50AM (#11675829) Homepage
    YOU own your data and not any halfwitted, slimebag company that happens to have it in one of their databases.

    As a matter of fact, even supplying personal data to third parties is outright verboten without a solid reason to do so. (And no, money grubbing greed is not considered a solid reason, legally)

  • I *did* create it! (Score:3, Interesting)

    by theonetruekeebler ( 60888 ) on Tuesday February 15, 2005 @07:45AM (#11676127) Homepage Journal
    The copyright on information belongs to the writer, not the subject of the piece

    I created my address by purchasing a house and moving into it. I created my credit history by obtaining credit, using it, and paying it off (or not). I created my salary history by getting a job and drawing a salary. I created my education history, GPA, major, minor, and concentration by getting an education. I created this message. I created my marital status. I created my child, though he is creating original art of his own in the form of barf stains and poopy diapers. I created my driving record in the car I purchased (thereby creating a transaction). I created a trip to Alaska last year. I created the purchase of several souvenirs while there. I created a speeding ticket near Healey, though I will concede that the public has the right to know what sorts of idiots they are sharing the road with and place that in the public domain.

    I created every single item in that database through my own actions. Any score, categorization, or classification created from that data is a derivative work. Who the hell are they to act like they have more of a right to it than I do?

  • by Angostura ( 703910 ) on Tuesday February 15, 2005 @08:17AM (#11676198)

    Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:

    "California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."

    Time to start lobbying some other states' legislatures, perhaps.
  • by hydertech ( 122031 ) on Tuesday February 15, 2005 @09:24AM (#11676427) Homepage
    As an attorney, I would suggest that there is already adequate support in the law for an action against Choice Point. As some posters have already noted, the cost of litigation would prevent individuals from suing separately--the solution in such cases is to file an action on behalf of all those affected. This is called a "class action".

    Of course GWB is pushing for "Tort Reform" to eliminate class action lawsuits in the United States.

    It doesn't require a tin foil hat to see why this is such a priority for him when a major ally to his campaign is clearly in the sights for such a lawsuit.
  • by 4of12 ( 97621 ) on Tuesday February 15, 2005 @10:54AM (#11677121) Homepage Journal

    Browsers have a wallet-like feature which fills it in on demand.

    Excellent points, all.

    My pet peeve is that "form filling out" information disclosure should really be kept to the minimum required for the transaction.

    If you go into a doctor's office for an ingrown toenail, there's no reason you should have to dump down 57 pieces of data on a form. If I put down that I'm a 27 year old male with no allergies and I can digitally sign that I'm able to pay up to $500 for any services, that should be enough.

    Likewise for getting an account at the video rental store, getting an airline ticket [cf John Gilmore's battles], etc.

    Problem is, businesses and governments are addicted to the increasing TIA and decreasing the anonymity that was an artifact of older technology. People living in the "free world" tolerate encroachment of their privacy without much thought. It won't be until a totalitarian regime (e.g., China) starts using technology in new ways to suppress dissent and control the populace that people will become aware of the implications of putting so much information in the hands of the authorities.

    Which reminds me - if you're a U.S. citizen, contact your Congressional Representative to eliminate the more egregious parts of the so-called Patriot Act.
