Forgot your password?
typodupeerror
United States Security Government Privacy The Courts News

Congress to Investigate ChoicePoint 259

Posted by CowboyNeal
from the inquiries-and-enquiries dept.
twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."
This discussion has been archived. No new comments can be posted.

Congress to Investigate ChoicePoint

Comments Filter:
  • damage size? (Score:5, Interesting)

    by c0dedude (587568) on Thursday February 24, 2005 @09:15PM (#11772806)
    What was the size of the data leaked? I've seen figures vary, I'm wondering if anyone knows, including ChoicePoint.
    • Re:damage size? (Score:4, Informative)

      by Anonymous Coward on Thursday February 24, 2005 @09:20PM (#11772848)
      It is unlikely anyone can know for sure how much leaked. I believe it happened that they traced some identify theft back to a fictitous company that paid for access to choice point. During this investigation they found other fictitous companies registered with choice point. Do they know all the queries made by the fictitous companies? possible... Have they found all the fictitous companies?
    • Re:damage size? (Score:3, Insightful)

      by EmagGeek (574360)
      They probably have no idea. Since they have no restrictions on who they'll sell your data to, there are probably still identity thieves on their customer rolls.
    • 145,000 (Score:5, Informative)

      by js7a (579872) <james@b o v ik.org> on Thursday February 24, 2005 @10:02PM (#11773092) Homepage Journal
      Five posts and nobody's answered the question? It's not as if you aren't directly connected to a zillion ways to find it.

      ChoicePoint data theft widens to 145,000 people [zdnet.com]

      • Re:145,000 (Score:5, Insightful)

        by sphealey (2855) on Thursday February 24, 2005 @11:13PM (#11773484)
        Well, that number has been "widening" every time ChoicePoint makes a "choice" to reveal more details. Currently the number is 145,000, which I believe is up from 120,000 and 20,000.

        The public certainly doesn't know the number. My guess is ChoicePoint (a) knows it is higher (b) doesn't know the total.

        sPh
        • Well, that number has been "widening" every time ChoicePoint makes a "choice" to reveal more details. Currently the number is 145,000, which I believe is up from 120,000 and 20,000.

          Remember the tsunami? The initial estimate was 10000 and every story that appeared on the wire jacked it up by 20000 or 30000. That's quite impressive, actually, for a corporate fuckup to reach the point where it reminds me of the tsunami.
    • Re:damage size? (Score:3, Insightful)

      by mwood (25379)
      Doesn't matter now. It would seem that at least one Congressperson is on the list -- why else would we be seeing action on this?
    • Apparently, some of the choice point executives knew there was going to be quite a bit of fallout over this. This morning's Atlanta Journal/Constitution [ajc.com] (reg. required - Google cache anyone?) is reporting that:

      Since the sales began in November, ChoicePoint CEO Derek Smith and President Douglas Curling have sold 472,000 ChoicePoint shares worth nearly $21 million, according to the executives' Securities and Exchange Commission filings.

      • ChoicePoint execs defend selling stock

        By ROBERT LUKE, MATT KEMPNER
        The Atlanta Journal-Constitution
        Published on: 02/25/05

        Thirteen days after the arrest of a suspect in the ChoicePoint identity theft case -- and more than three months before the problem surfaced publicly -- the company's top two executives began selling their stock.

        Since the sales began in November, ChoicePoint CEO Derek Smith and President Douglas Curling have sold 472,000 ChoicePoint shares worth nearly $21 million, according to the ex

  • by Anonymous Coward on Thursday February 24, 2005 @09:16PM (#11772816)
    It's just congress getting ready to solicity another round of bribes...err campaign contributions. How many Enron executives are in jail again? Yeah.

    Before we get too excited about the possibility of justice, let's remember that it's only a crime if it wasn't a rich person that did it.
    • by zors (665805) on Thursday February 24, 2005 @11:35PM (#11773586)
      Thirteen execs, three traders, and two accountants have been endicted. [64.233.161.104]

      You can't just round up a lynch mob for these kinds of crimes. First, you plea bargain with the little fish so you have plenty of evidence to use against the big fish. its common practice in any attempt to bring a down an organized criminal establishment, which is basically what the higher levels of Enron were.
      • The funny thing is, Martha Stewart - the horrific "criminal" that she is - will have been in jail, released, and had a new reality show [msn.com] probably hit the top of the ratings before ANY of these top Enron crooks see the inside of a criminal courtroom.

        I realize there's a lot of difference between the Stewart trial and the Enron investigation - comparing apples to watermelons, perhaps - but I still can't help but wonder, if Martha had had the same political connections, would she behind bars right now?
  • by schwit1 (797399) on Thursday February 24, 2005 @09:22PM (#11772864)
    The Washington Post has an article [washingtonpost.com](reg required) today about Beth Plowman, a Damascus international public health adviser, was shocked when she discovered that a $27,240 arbitration judgment had been levied against her for credit card charges incurred by an identity thief who bought sporting goods all across Europe.
  • by Creepy Crawler (680178) on Thursday February 24, 2005 @09:22PM (#11772865)
    I do a lot of computer security work in my area, and trust me when I say that many, many places have either no or woefully inadequate security present.

    One place I did a job for actually had a symbol AP in the ceiling of the factory, login: Symbol, pass: (blank) and unencrypted transfers. The domain admin acct (win2k) had no password, and guest was active. They also bungled up a RAS so that anybody that knew that number had "root".

    Those were just external security issues.. It took 50 hours to barely fix their problems.

    Still, problems are abound just like that: No or bad security. Many times, it has to do with plain laziness, not thinking anybody cares about us, just not knowing, or trying to do security and maintainence without understanding.

    Another amazing this is how well modem-scanners work these days... Back in the day, all the security nuts cared about dial-back and other things... Now, everybody thinks of always-on internet so you need a firewall. Not so. Many machines have dialup gateways or interfaces in which most are just not configured. Even (to my knowledge, I use freeBSD and linux) Windows RAS server has dialback capability.

    Now, why Congress wants to scrutnize them, well.. Wonder if they've secured THEIR wireless network since I was in DC...
    • by Anonymous Coward on Thursday February 24, 2005 @09:31PM (#11772924)

      This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it? The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.

      This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.

      The issue is wether anyone should be selling this stuff AT ALL.

      • by Creepy Crawler (680178) on Thursday February 24, 2005 @09:42PM (#11772989)
        ---This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it?

        I consider misleading to get information the same as hacking to get it. The only difference is that ChoicePoint was paid. Why should they care?

        ---The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.

        Sometimes hacking has to do with throwing up a huge wall of "mistrust" and make the other party believe in something they shouldnt. Still, couldnt you claim that many "legit" companies use this data in what could be considered very improper?

        Guess that brings up the question whether we should punish the company(s) or the people who do wrong...

        ---This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.

        Still, this shows one of my points: Laziness. A "identity" company not checking the corporate identity. And then the people in the "evil" company do evil things.

        Who's to be punished?

        ---The issue is wether anyone should be selling this stuff AT ALL.

        Would you accept checks from somebody for medium-large amounts without checking up on who they are, and whether they've bounced checks before?

        In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect. I really cant answer if they should be selling this data...
        • by ScrewMaster (602015) on Thursday February 24, 2005 @11:26PM (#11773541)
          In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect.

          Absolutely, and I would add that there should be a stiff penalty if a data aggregator denies a citizen that ability, and such denial results in a crime.

          I really cant answer if they should be selling this data...

          Sure you can! Think about how this came about, and where it's going.

          Originally, collecting and maintaining the so-called "credit history" on individual citizens was all about risk avoidance. That's still the case, of course. Businesses have always maintained records about past customers, so that they could then decide how, and if, to do business with said customers in the future. That's been true since we kept records carved on rocks or stamped in clay. The problem came in when business realized, with the advent of the mainframe, telecommunications and vast, cheap, readily-accessible storage that they could share this information with each other, thus dividing the risk. Thus was born the credit bureau. To my mind, the whole concept of the credit bureau is on ethically shaky ground anyway ... do business have the right to defend themselves against the normal costs of doing business, by placing their own customers at risk? Is this a justifiable tradeoff? Given the number of lives destroyed by the credit system over the years, I'd be inclined to say no ... it's usurious at best, and usury is illegal. Or used to be, at any rate.

          So where are we now? Well, what has changed is that the demand is no longer just for security (customer "x" wants to buy product "y", give me yes/no on the transaction) but for the actual information used to make such decisions ... the financial history itself. I understand that companies like ChoicePoint actually acquire more detailed information than the traditional credit bureaus. So now we have an entirely different can of worms. In fact, in their eagerness to sell our personal histories (and sell us out) to companies that want to use that information to sell us other products, they have brought us to the brink of rendering the entire system useless (or at least, too dangerous to be trusted by the average citizen.)

          ChoicePoint and similar organizations concentrate private information to a degree that makes it very, very dangerous to the individual by its mere existence. And then ... they sell it! Perhaps if the banking system were more robust, held more intrinsic safeguards, it might be different. Given how little information is required to perform an act of identity theft, however, I am personally unnerved by the idea of this data being used not simply to verify my creditworthiness, but sold on the open market to anyone meeting ChoicePoint's (apparently) minimal standards.

          In answer to your question, I would say, "no", ChoicePoint should not be allowed to do what they do. I mean, they are taking chances with the financial lives of millions of Americans, who in return get ... nothing. That to me is the mark of a morally bankrupt business model, which if it isn't illegal probably ought to be.
          • >>>In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect.

            >Absolutely, and I would add that there should be a stiff penalty if a data aggregator denies a citizen that ability, and such denial results in a crime.

            Really, after thinking about it, couldnt you sue them for libel if they refuse to correct your information? They send and receive the "written word" and it's wrong.. Damages in refusal of sales and other ne

          • I also wonder - the root cause of identity theft is the absolute unwillingness of anyone in Congress to step up to the plate and enact legislation that will penalize the misuse of personal information (warehousing it qualifies). As a result, identity theft is almost a no-brainer.

            What's their solution? Biometrics and national ID cards? Yeah, right. It's just one MORE avenue that thieves will have to rape innocent people. More information about more people, the security of which is only as strong as its weak
      • The tricky thing is how to fix this. As a data mining consultant I organize the purchase of hundreds of thousands of dollars worth of sensitive data for our clients. And in all of these purchases, I have never seen a vendor proactively validate that my team, or my client's were bona fide.

        One would hope that these vendors check that our companies are statutory entities and that our e-mail and mailing addresses are associated with these entities, but these can all be spoofed or are difficult to verify.
    • by Anonymous Coward
      Tell me about it.. I worked a short-term contract thru a contract svcs co, where the agency was required to do an additional bkgnd on me, per the client, over and above the normal one they run on all their consultants, since this client was a VERY well-known large financial services company and had a policy of these additional bkgnd checks. One of the first things I discovered upon arrival to begin work, was all of their WinXP machines had no administrator password, and most of the user accts were admin-eq
  • by Wheresmywig (862568) on Thursday February 24, 2005 @09:23PM (#11772868)
    What I find odd about the reportage of this story is that noone seems to be pointing out that Choicepoint was also responsible for providing Florida with some of the data it used to strip people from the voter rolls back in 2000. That wasn't exactly good either.
    • Choicepoint is the firm that Katherine Harris, who simultaneously served in the Bush campaign and as head vote-counter in Florida (no other democracy allows that, by the way), used to come up with a felon list. The list included thousands of blacks who weren't eligible to vote (at least 5,000). It was set up to disenfranchise everyone who had a similar name (even first initial and last name) as a felon. Considering that blacks voted 90-10 for Gore and that Bush only won the state (officially) by 537 vote
      • Yeah but from the Bush standpoint...

        1.) security starts with Iraq

        2.) security can only be established with a Patriot Acts

        3.) security begins with the FBI, CIA, NSA, Bush security advisors

        Apparently it's ok to favor shipping every other IT job abroad, since IT security folks in corporate america are not part of the security equation.

      • Choicepoint is the firm that Katherine Harris, who simultaneously served in the Bush campaign and as head vote-counter in Florida (no other democracy allows that, by the way), used to come up with a felon list.

        Wrong. Choicepoint was contracted to generate the list before [salon.com] Katherine Harris was in office. And they were hired by a woman named Ethel Baxter, who is a Democrat.

        The list included thousands of blacks who weren't eligible to vote (at least 5,000).

        Good. That was the goal- to identify the peopl
        • by roesti (531884) on Friday February 25, 2005 @01:03AM (#11774133)
          While the generation of the "purge list" did have a legal basis - namely, that ex-felons were ineligible to vote - the process of generating the list was an enormous debacle.

          ChoicePoint/DBT originally produced a list of about 8000 voters to remove from the electoral rolls. Katherine Harris got back to them and told them to widen the net - by omitting a few data integrity requirements, such as middle names, dates of birth, and dates and details of their convictions - and assured ChoicePoint that they needn't worry about the number of false positives in the list. This increased the size of the list to about 58,000 voters, more than half of whom were African-Americans.

          When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.

          The USCCR was unable to identify a single voter that was incorrectly prevented from voting because of the felon list.
          This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. [usccr.gov] Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.

          It's surprising how many people don't know this when it's actually very well documented; in fact, the story broke long before the election actually took place. My suggestion to the doubters is to watch Unprecedented: The 2000 Presidential Election [unprecedented.org], a very thorough documentary on the topic.

          • by cheezedawg (413482) on Friday February 25, 2005 @01:52AM (#11774396) Journal
            ChoicePoint/DBT originally produced a list of about 8000 voters to remove from the electoral rolls. Katherine Harris got back to them and told them to widen the net - by omitting a few data integrity requirements, such as middle names, dates of birth, and dates and details of their convictions - and assured ChoicePoint that they needn't worry about the number of false positives in the list. This increased the size of the list to about 58,000 voters, more than half of whom were African-Americans.

            When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.


            What you seem to be missing here is that a false positive on the felon list does not mean that person was disenfranchised. Instead it meant that the election supervisor of the county that the individual lived in was required to verify that they were eligible to vote (that is, if the county used the felon list at all- over half of the counties ignored the list completely). You see, the list was designed to have false positives. As Katherine Harris said, it was supposed to cast a wide net to find ineligible voters that were registered to vote. In other words, if somebody was disenfranchised, it is the County Election Supervisor's fault.

            So please stop calling it "fraud". There was no fraud here.

            This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.

            It is not a lie. None of the witnesses that the USCCR heard from were prevented from voting because of the felon list. Allow me to quote from the dissenting statment [usccr.gov]:
            Without question, some voters did encounter difficulties at the polls, but the evidence fails to support the claim of systematic disenfranchisement. Most of the complaints the Commission heard in direct testimony involved individuals who arrived at the polls on election day only to find that their names were not on the rolls of registered voters. The majority of these cases were due to bureaucratic errors, inefficiencies within the system, and/or error or confusion on the part of the voters themselves...
            The Commission did not hear from a single witness who was actually prevented from voting as a result of being erroneously identified as a felon.
          • by Anonymous Coward
            Hello,

            Did you read the post you linked to? http://www.usccr.gov/pubs/vote2000/report/ch2.htm [usccr.gov]

            It does list people who were unable to vote, but not because of the felon purge.

            Donnise DeSouza was told that her name was not on the rolls ... Furthermore, Ms. DeSouza learned that her name was actually on the rolls of registered voters

            So, she was not purged.

            Angenora Ramsey, an African American former poll worker with 18 years' experience, had changed her address prior to November 7. Based on her familiari

          • Doubters will tend to avoid such information, since the 2000 Florida debacle was a highly politicized situation. I've tried in several instances to reveal the suspect methods of Harris to avowed Republicans, but as soon as they heard that I got my information from the Internet and indie documentaries (i.e. not from Fox News), they disregarded the information entirely.

            The same thing is now happening with the Ohio frauds. Doubters needn't look any further than the statements of Ken Blackwell (Republican)
        • Have a look at the actual disenfranchizing list (annotated fragment) [gregpalast.com], and keep trying to let these scumbags off the hook.
          • And how many of these people on the list were actually prevented from voting? The answer is that we don't know, but the USCCR wasn't able to find a single person that was.

            Greg Palast is so twisted up in hate that he can't see straight. His conclusions are not supported by any of the data he presents. Yet, people are so eager to hate President Bush that they are willing to accept his fluff at face value. Its sad, really.
        • What about the machines in predominantly black communities that would quietly accept botched ballots, and the machines in predominantly white communities which would spit it back with an error? Hmm?
  • It's about Time (Score:5, Interesting)

    by tepp (131345) on Thursday February 24, 2005 @09:23PM (#11772872)
    Choicepoint - and their competitors such as TransUnion, have become unrelegated "authorities" on people's personal data for far too long. A leak like this was inevitable. Honestly, I think our data has leaked before, but because only California has a (recently made) law dictating that victims must be told of such losses, nobody was informed when it happened in the past.

    I'm not normally a "Big brother is watching you" kind of girl, but the amount of power these companies have over our lives - the ability to deny us life, home, and auto insurance, to get a home or auto loan, to even get a job! - is insane. Especially when you try to correct inaccurate information and they refuse to accept it! For example, I don't rent, I own my own house. But for years I've tried to correct that - and my status, which is married, not single - and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...
    • true. this story has run on npr.org as well. The initially only notified california users. But some pressure has them notifying all possible victims now.
    • Re:It's about Time (Score:2, Interesting)

      by supertopaz90 (710045)

      Another poster said Choicepoint doesn't care about you because you are just a number - you don't pay for its services, the companies do. Right, makes sense.

      But, reading your situation above, could someone bring a libel suit against Choicepoint? According to some random site I found [freeadvice.com], libel is a written defamation, and defamation is:

      Defamation, sometimes called "defamation of character", is spoken or written words that falsely and negatively reflect on a living person's reputation.
      If a person or the n

    • and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...

      You wouldn't be the first girl to be told that. :-P
  • Damn! (Score:2, Interesting)

    by Primal_theory (859040)
    This is the third time my identity has been stolen this week...I loose my damn dog and keys less then i loose my identity!!!

    On a more serious note: Big brother

    So if big brother, has like all this information on us (creditcard numbers places we freq eat and stupid random intel like that), then what if THEY get hacked? Wouldnt that mean hell for everybody thats ever been in america? I could only imagine standing in line at a public school to get my friggin id back, but how would they validate whose who?
    • Re:Damn! (Score:3, Interesting)

      ---So if big brother, has like all this information on us (creditcard numbers places we freq eat and stupid random intel like that), then what if THEY get hacked? Wouldnt that mean hell for everybody thats ever been in america? I could only imagine standing in line at a public school to get my friggin id back, but how would they validate whose who? if theres no pictures, oculd you just steal somebody's drivers liscence or wallet and say that your them?

      Im no lawyer, but if you just _cant_ prove your identit
  • by Anonymous Coward
    Choicepoint CEO personal info here. [slashdot.org]
  • It is too easy for companies to be careless with people's personal data and it will take a serious threat of penalty to make them put in extra expense and effort to guard it properly. The same kind that make airlines so carefull about safety i.e. closing down the shop type of penalty.
  • by Agent R (684654) on Thursday February 24, 2005 @09:30PM (#11772921)
    Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high? Didn't they have enough time to ramp up their security protocols to prevent this sort of thing from happening? Plus, who the !@#$% gave ChoicePoint permission to gather data on me?

    Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their .NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.
    • by justins (80659)
      Plus, who the !@#$% gave ChoicePoint permission to gather data on me?

      The federal government.

      Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their .NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.

      There are many "baskets" like Choicepoint.
    • Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high?

      What's really ironic about this statement is that Choicepoint does background checks for employeers.

      Last several times I was accepted for a job, I had to submit myself to a background check provided by Choicepoint.

      They could do a similar background check on their clients, but I bet that would be bad for Choicepoint's business.
    • "Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high?"

      Because it would cost money that's why. The only reason you know what happened is because the left wing hippies in california passed a law that holds businesses sort of kind of responsible.

      Businesses have no morals or conscience. They don't care about you. It's up to you (through your govt) to make sure the businesses don't run amok.
    • The ChoicePoint breech exposed a fundamental flaw in all credit/background information.

      The business model is predicated on accumulating vast quantities of personal data on people and then selling access to other companies.

      You see the problem is they will in fact sell the information to pretty much any company who wants it for a price.

      If you want to commit identity theft all you have to do is create a legitimate company, if necessary fronting it with people without a criminal record, if you have one. As
  • by tbuckner (861471) on Thursday February 24, 2005 @09:31PM (#11772923)
    This ID theft fiasco is but the tip of the iceberg. ChoicePoint helped throw Florida voters off the registration lists in the infamous 2000 election, and made a pretty penny off 9-11. God knows what else they're up to. See http://www.gregpalast.com/ [gregpalast.com] Quote: "For ChoicePoint, with its 15-billion-plus records on every living and dying being in the United States, Ground Zero would become a profit center lined with gold. Contracts would gush forth from War on Terror fever not hurt by the fact that ChoicePoint did something for George W. Bush that the voters would not: select him as our president." Full article at http://www.gregpalast.com/detail.cfm?artid=356&row =0 [gregpalast.com]
  • I didn't know anybody watched cbs anymore...
  • Bruce Schneier (Score:5, Informative)

    by Shamashmuddamiq (588220) on Thursday February 24, 2005 @09:33PM (#11772942)
    Schneier wrote about this in his blog [schneier.com].
  • Score [bsalert.com] another major issue that was instigated by the New Media [bsalert.com] (bloggers).
  • NoChoicePoint (Score:5, Interesting)

    by MillionthMonkey (240664) on Thursday February 24, 2005 @09:37PM (#11772959)
    From Bruce Schneier: [schneier.com]
    ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."

    The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security....Until ChoicePoint feels those costs -- whether through regulation or liability -- it has no economic incentive to reduce them.
    • by geekotourist (80163) on Thursday February 24, 2005 @11:12PM (#11773482) Journal
      The FTC IDTheft website has this 2003 report filled with statistics [ftc.gov]:
      • over 3 million Americans had fraudulent ID theft (the worse kind), and 10 million total had some type of ID theft
      • ID theft victims spent a total of 300 million hours "fixing" their problems.
      • Fraudulent ID theft averaged $10,000 stolen. The total cost of all ID theft is $50 billion.
      • the monetary cost to fix fraudulent ID theft averages $1,200 per ID victim.
      But in reading this report the bias that "businesses are the true victims" shows up. The $5 billion in costs to the identity victim (and 300 million hours of time) is described as "Individuals whose information is misused bear only a small percentage of the cost of ID Theft" (pg 6). That's a bad way of thinking about it for several reasons:
      • 300 million hours of victims' time = 300 million hours of research and investigative time = a 'donation' of at least a few billion dollars.
      • The ID theft victim gets hit with real and lasting costs. Companies get to write off their losses, or use insurance and pass their costs on to consumers. A year after ID theft is discovered, the theft is just a blip in a spreadsheet to the companies where the stolen identity was used. The victim will still be writing letters, finding new ramifications, and losing time and sleep over the matter.
      • Those 300 million hours also = stress, lost time from work, family, charities, plus also extra medical expenses.
      • "15 percent of ID Theft victims reported that their personal information was misused in nonfinancial ways. The most common such use reported was to present the victim's name and identifying information when someone was stopped by law enforcement authorities or was charged with a crime." What's the cost of your kid seeing you arrested because someone else used your name? Not to mention...
      • Now that the government gets data from Choicepoint and others, and because the government has no legal responsibility to find or fix bad data in its files, the rest of your life could be hobbled by bad data and you won't quite know why.
      So basically Choicepoint and the credit card reporting agencies are creating a "public bad." Like polluters, they force other people and companies to bear the cost of problems they've created. 300 million hours and $5 billion dollars would = fantastic security finished in months if the companies themselves had to pay these costs. Instead, 10 million people are forced to do their own cleanup work, and the fact that 9.999 million people have already done the job doesn't make it any easier for you when you're the victim.
  • Mitigating damages (Score:5, Interesting)

    by Skapare (16644) on Thursday February 24, 2005 @09:43PM (#11772998) Homepage

    Why is it such a concern that something as benign as a 10 digit number, plus information that can be found in the phone book, should be of such a concern? One reason is that armed with such a small amount of information, someone can do a tremendous amount of harm to people, and the companies those people do business with.

    Someone can get a driver's license in your name, and build a bad driving record, or worse, in your name. And the state will insist it is you. The affected state will file this with your state, and your own state may cancel your driver's license because it looks like you moved to the other state. In extreme situations you could be arrested.

    Someone can get a bank account in your name. Then with these checks that have your SSN and address on them, make a hundred fraudulent purchases totaling tens of thousands of dollars, on an account they probably stuck just $250 in to get it open. This will ruin your rating with banks, which is kept by a separate reporting agency not subject to the same reviews as the 3 big credit reporting agencies are.

    There are many other kinds of examples, including opening credit accounts. The common problem in all of these is the assumption that by having certain information, the person with it must actually be you. Those of us familiar with security protocols already know that having the very information you give to someone else to show who you are, enables who you just gave it to to masquerade as you. Most people are honest but a slight few are dishonest. Theft of identity information has been happening for decades but it is only now becoming so widespread that politicians and lawmakers are no longer going to be able to hide their head under the carpet and pretend it doesn't exist in order to avoid the hard choices they will have to make.

    And remember, this is identity theft; it is not authenticity theft. Identity only says who you are. We need to stop businesses and governments from assuming that identity is authenticity.

    • by Sancho (17056) on Thursday February 24, 2005 @10:18PM (#11773204) Homepage
      This is identity infringement. Or is it actually "theft" when people do it to content owners?

      Can't have it both ways, Slashdotters.
      • by Skapare (16644)

        That's an interesting way to look at it. You could say it was stolen from who holds it, and infringing on who it refers to. It's not who it was stolen from who suffers the most. I like this concept.

      • No, infringement is ChoicePoint copying and selling my data/information without permission in the first place. (However in their case it is perfectly legal).

        Theft is somebody using that information to draw money out of my bank account. Hardly anybody would justify signing Hillary Rosen's name on phony checks.

  • systems. It is very telling to see who is running what. Take a look at ChoicePoint, T-Mobil, etc.
  • by G4from128k (686170) on Thursday February 24, 2005 @09:53PM (#11773053)
    ChoicePoint sold data to customers that turned out to be criminals. These criminal customers did not "hack" into the system, they were granted paid access to it. At best/worst the criminals did a bit of social engineering to appear as a legitimate business. Otherwise the feat involved no technological illegitimate access. I think that is the scariest part of the story.
    • by sulli (195030) *
      But ChoicePoint maintained data sufficient to do identity theft on the affected consumers, without our permission. They sold these data to the crooks without our permission. That is the real scandal. (I was affected.)
    • I've been writing nastygrams to NPR all week, viz: ChoicePoint were not "hacked", and the data were not "stolen". ChoicePoint sold the data through their regular sales channels. And presumably the fraud ring made payments, 'coz they kept this up for a year.

      And yes, ChoicePoint are likely only the tip of the iceberg, though they're one of the larger, and newer firms. Larger means more data and more attractive target. Newer means they've had less time to get experienced (trans: to f*ck up before and g

  • As if (Score:3, Informative)

    by imnoteddy (568836) on Thursday February 24, 2005 @10:03PM (#11773095)
    large class action lawsuit against the private firm

    Class action lawsuits were essentially outlawed by the Rupublican Congress and President Bush this week. Nobody will ever get any damages from Choicepoint.

    • Re:As if (Score:4, Informative)

      by demaria (122790) on Thursday February 24, 2005 @11:03PM (#11773442) Homepage
      It just moves the cases from state to federal court under certain circumstances, and limits lawyer fees in coupon settlements. You know, those ones where, if you win, you get $5 off your next purchase, assuming you make a next purchase that is. I'm still waiting to redeem my CRT monitor settlement from the early 90s.

      It was passed in the Senate 72-26, with 8 Democrats sponsoring the bill. That's a veto proof majority. That's bipartisan dude.
  • by shanen (462549) on Thursday February 24, 2005 @10:04PM (#11773104) Homepage Journal
    If Congress wants to get involved, it would be to protect ChoicePoint from being hassled by the peasants. Haven't you been paying attention?

    Class dismissed. (As in the "no class" action suit.)

  • by Doc Ruby (173196) on Thursday February 24, 2005 @10:14PM (#11773179) Homepage Journal
    I wonder if they'll ask Hank Asher, who started the company (and DataBase Technologies), about his cocaine flights into Florida for Iran/Contra. Or how John Poindexter (of Iran/Contra) got them that fat contract for TIA, and saved it as the secret MATRIX program when TIA got too hot for Congress. Or about that Florida voter-purge list, with over 40K legitimate Florida voters prevented from voting in 2000, and again in 2004. Maybe Asher will have some answers that won't get the coincidence theorists freaking out about how this one company could be so lucky for so long with the same people.
  • by Anonymous Coward on Thursday February 24, 2005 @11:17PM (#11773505)
    Id Theft can be extremely painful to resolve.

    I had (regular) mail stolen from my mail box (before I realized how bad it is to actually use your mailbox for outgoing mail), at first I thought it was a post office screw up, but several months later, I got a call from a bank employee who just completed a transaction which he thought was fishy. He asked my if I had just cashed a four figure check there. When I told him that I hadn't he warned me that somebody was stealing my Identity. I called my credit card companies to get new cards and security added to my accounts, contacted all of the big three credit agencies and got a hold put on my credit, contacted the local police.

    The next thing I knew it was raining collection notices on me.

    This guy was printing checks with my name and driver's liscense number. For Id, he had a printer which could create fake driver's liscenses with all of my information, but his face and description.

    Fortunately, I was lucky, this guy got pulled over for a faulty brake light and the officer looked into the car and saw over a dozen driver's liscenses on the back seat of his car, all with his picture on them, but different names. The officers told me that I was the one in a hundred whose Identity Thief was caught.

    Now, 8 years later, I can share some lessons with you. Trust me, you don't want any of this to happen to you, arguing with collection agencies is no fun at all, they assume that everybody is a slimeball.

    1) Get a shredder. Get two in case the first one breaks. Shred everything that has anything that can identify you. Id Theives also dumpster and dump dive to look for your information, don't give them any help. shred shred shred...

    2) Get your annual credit report from the big three credit bureaus. Take the time to review it, carefully. They each have a formal procedure for clearing up problems. Follow it to correct your information. They can be reached here http://www.creditreporting.com/ [creditreporting.com]

    3) Check your credit and bank statements, you never know what they have on you or when they get it.

    4) If it does happen to you, file a police report immediately. This report number is your best defense against the onslaught of collection agencies that will soon be banging down your door.
  • In light of this whole Choicepoint situation, I have been thinking a lot about the difference between the value of isolated information versus the value of aggregated information.

    Clearly, the more aggregated information can be, the higher the value because those using it do not have to look so far to get other, related facts about a subject.

    Perhaps the form of regulation on the topic of information security for these large clearinghouses should be to keep as much information isolated as possible...so th

  • Why can't individuals copyright their own personal information (name, address, SS#, phone number) which all combined create a unique ID, and then sue any company holding that information with a violation of the DMCA?

    Remember that under the provisions of the DMCA, they can't REVERSE ENGINEER, which is exactly how these credit reporting agencies gather information about you.

    I think it's high time individuals treated themselves like corporations. Corp's are protected under the New America, people are not. Th
    • Why can't individuals copyright their own personal information (name, address, SS#, phone number)

      Maybe because they didn't create them? You also can't copyright 'tekrat' or similar names/titles because names/titles are not works in themselves.

      I think it's high time individuals treated themselves like corporations.

      Corporations are virtual persons. So you got this backwards. If you treat yourself as a corporation, well, can I buy your shares then? You can then be my slave!

      Don't lower yourself to a co

  • Blood Money (Score:3, Interesting)

    by Doc Ruby (173196) on Friday February 25, 2005 @01:18AM (#11774234) Homepage Journal
    In partnership with to Hank Asher [slashdot.org], Floridian Iran/Contra coke pilot, ChoicePoint was founded by Derek Smith, whose DNA analysis company scored a multimillion dollar contract [gregpalast.com] to identify victims from Ground Zero samples.
  • From the article text:

    He worries that thieves will eventually do to him what sheriffs detectives in Los Angeles say they've done to more than 700 other people -- reroute his mail, ring up credit card debts, buy a car or even commit a felony in his name.

    As if the thieves themselves weren't bad enough? Now I can't trust my sheriff's department! Why, just the other day, I gave some officer all my financial data over his website. Why would they do a thing like this? </sarcasm>

    Solomon Chang
  • Whew! (Score:2, Funny)

    by cove209 (681558)
    Now that Congress is looking into it, I can sleep better at night!
  • When this story broke a week or two ago, somebody here posed the question of how you know if you are one of the people whose information was stolen. I replied along the lines of, "You'll know because you'll get a letter from attorneys notifying you that you are part of a class action lawsuit against ChoicePoint." Looks like that might actually be the right answer! What do I win?

[Crash programs] fail because they are based on the theory that, with nine women pregnant, you can get a baby a month. -- Wernher von Braun

Working...