Congress to Investigate ChoicePoint

twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."

damage size?

[c0dedude]

What was the size of the data leaked? I've seen figures vary, I'm wondering if anyone knows, including ChoicePoint.

Not the first time with Choicepoint

[Wheresmywig]

What I find odd about the reportage of this story is that noone seems to be pointing out that Choicepoint was also responsible for providing Florida with some of the data it used to strip people from the voter rolls back in 2000. That wasn't exactly good either.

It's about Time

[tepp]

Choicepoint - and their competitors such as TransUnion, have become unrelegated "authorities" on people's personal data for far too long. A leak like this was inevitable. Honestly, I think our data has leaked before, but because only California has a (recently made) law dictating that victims must be told of such losses, nobody was informed when it happened in the past.

I'm not normally a "Big brother is watching you" kind of girl, but the amount of power these companies have over our lives - the ability to deny us life, home, and auto insurance, to get a home or auto loan, to even get a job! - is insane. Especially when you try to correct inaccurate information and they refuse to accept it! For example, I don't rent, I own my own house. But for years I've tried to correct that - and my status, which is married, not single - and have had them tell me flat out that THEIR data is correct and I must be dreaming about my husband & house...

Damn!

[Primal_theory]

This is the third time my identity has been stolen this week...I loose my damn dog and keys less then i loose my identity!!!

On a more serious note: Big brother

So if big brother, has like all this information on us (creditcard numbers places we freq eat and stupid random intel like that), then what if THEY get hacked? Wouldnt that mean hell for everybody thats ever been in america? I could only imagine standing in line at a public school to get my friggin id back, but how would they validate whose who? if theres no pictures, oculd you just steal somebody's drivers liscence or wallet and say that your them?

Re:Damn!

[Creepy Crawler]

---So if big brother, has like all this information on us (creditcard numbers places we freq eat and stupid random intel like that), then what if THEY get hacked? Wouldnt that mean hell for everybody thats ever been in america? I could only imagine standing in line at a public school to get my friggin id back, but how would they validate whose who? if theres no pictures, oculd you just steal somebody's drivers liscence or wallet and say that your them?

Im no lawyer, but if you just _cant_ prove your identity cause XYZ documents are stolen/lost, you bring acquainances who are legitly proven and they vouch for you. People like that could be friends, family, employees, teachers...

Essentially, its like that Orkut. If you cant prove who you are, people who are proved back you up. And if they lie, its perjury and a bunch of other charges.

Screwed by ChoicePoint

[Agent R]

Can anyone tell me why ChoicePoint never did any deeper background checks on their clients knowing full well that identity theft is at an all time high? Didn't they have enough time to ramp up their security protocols to prevent this sort of thing from happening? Plus, who the !@#$% gave ChoicePoint permission to gather data on me?

Funny, ChoicePoint kind of reminds me of what Microsoft wants to do with their .NET establishment. Gather all personal info on one database. Currrently, it's a mistake to put all the eggs in one basket.

ChoicePoint has many tentacles

[tbuckner]

This ID theft fiasco is but the tip of the iceberg. ChoicePoint helped throw Florida voters off the registration lists in the infamous 2000 election, and made a pretty penny off 9-11. God knows what else they're up to. See http://www.gregpalast.com/ [gregpalast.com] Quote: "For ChoicePoint, with its 15-billion-plus records on every living and dying being in the United States, Ground Zero would become a profit center lined with gold. Contracts would gush forth from War on Terror fever not hurt by the fact that ChoicePoint did something for George W. Bush that the voters would not: select him as our president." Full article at http://www.gregpalast.com/detail.cfm?artid=356&row =0 [gregpalast.com]

It's about Time-Security puncture.

[Anonymous Coward]

Two things here. One there's lot's of data that's not really needed.

Two ChoicePoint needs to backup it's customers when it comes to consequences of it's failure. In other words it accepts financial and legal liabiliy (to me) for the consequences of it's failure.

And last, inefficiencies be damned. Data doesn't really need to be centralized. Talk about single point of failure.

NoChoicePoint

[MillionthMonkey]

From Bruce Schneier: [schneier.com]

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."

The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security....Until ChoicePoint feels those costs -- whether through regulation or liability -- it has no economic incentive to reduce them.

Re:Trust me, its not just ChoicePoint.

[Anonymous Coward]

Tell me about it.. I worked a short-term contract thru a contract svcs co, where the agency was required to do an additional bkgnd on me, per the client, over and above the normal one they run on all their consultants, since this client was a VERY well-known large financial services company and had a policy of these additional bkgnd checks. One of the first things I discovered upon arrival to begin work, was all of their WinXP machines had no administrator password, and most of the user accts were admin-equiv, also with no passwords. Not to mention the fact that each machine ran an MSDE/MSSQL database that contained that user's client's info, which part of my job was to go around and back up these databases... According to the admin mgr, whom I reported to, these had not been backed up in quite a while. I contacted my agency manager, and told him about this, and he was unsurprised, since he'd dealt with this customer for quite a while. Needless to say, I'll never give this co. a penny of my investment funds...

Mitigating damages

[Skapare]

Why is it such a concern that something as benign as a 10 digit number, plus information that can be found in the phone book, should be of such a concern? One reason is that armed with such a small amount of information, someone can do a tremendous amount of harm to people, and the companies those people do business with.

Someone can get a driver's license in your name, and build a bad driving record, or worse, in your name. And the state will insist it is you. The affected state will file this with your state, and your own state may cancel your driver's license because it looks like you moved to the other state. In extreme situations you could be arrested.

Someone can get a bank account in your name. Then with these checks that have your SSN and address on them, make a hundred fraudulent purchases totaling tens of thousands of dollars, on an account they probably stuck just $250 in to get it open. This will ruin your rating with banks, which is kept by a separate reporting agency not subject to the same reviews as the 3 big credit reporting agencies are.

There are many other kinds of examples, including opening credit accounts. The common problem in all of these is the assumption that by having certain information, the person with it must actually be you. Those of us familiar with security protocols already know that having the very information you give to someone else to show who you are, enables who you just gave it to to masquerade as you. Most people are honest but a slight few are dishonest. Theft of identity information has been happening for decades but it is only now becoming so widespread that politicians and lawmakers are no longer going to be able to hide their head under the carpet and pretend it doesn't exist in order to avoid the hard choices they will have to make.

And remember, this is identity theft; it is not authenticity theft. Identity only says who you are. We need to stop businesses and governments from assuming that identity is authenticity.

that's why this investigation will go nowhere

[JoeBuck]

Choicepoint is the firm that Katherine Harris, who simultaneously served in the Bush campaign and as head vote-counter in Florida (no other democracy allows that, by the way), used to come up with a felon list. The list included thousands of blacks who weren't eligible to vote (at least 5,000). It was set up to disenfranchise everyone who had a similar name (even first initial and last name) as a felon. Considering that blacks voted 90-10 for Gore and that Bush only won the state (officially) by 537 votes, Bush owes his presidency to Choicepoint.

Because of this political debt, the Congress will block any serious investigation of Choicepoint.

Re:damage size?

[Shakrai]

I'm from a private company, and I'm here to help myself without your consent.

I work in the goddamn insurance industry (IT; not sales; I'm not completely evil) and even my co-workers think Choicepoint are a bunch of evil thieving bastards.

My own personal experience with them revolved around the three weeks it took to get them to remove accidents that my sister had on her own automobile policy (i.e: no relation to me!) off of my CLUE report. They claimed that they showed up on my CLUE report because her SSN is only two digits removed from mine.

In the process of trying to get this fixed so that I wouldn't be surcharged for my sisters accidents they stonewalled me and generally tried to walk all over me. Every time we would change something they would need to generate a new clue report. But they could only generate those reports overnight. Apparently the computer system that allows an insurance company to get a copy of your CLUE report in about 15 seconds only allows one copy of the consumer version of that report to be generated -- and it takes several hours for them to generate it.

Furthermore I take exception to the fact that they listed an accident that I had under my parents policy (borrowed car while mine was in the shop). Perhaps I sign away my own rights when I buy my own insurance policy but I don't recall signing anything with my parents insurance company when I borrowed the car that authorized them to release my personal information (SSN/lic #) to Choicepoint. Where the hell is the outrage? I'm sick and tired of companies stockpiling information on me without permission.

In a fair world they wouldn't be allowed to release that sort of information to some data clearinghouse. So what if the insurance industry can't verify your accident record? If you lie to them then it's insurance fraud (felony in most states) and your policy is null and void. Why can't they use that as an enforcement mechanism rather then enriching the likes of Choicepoint and the big-three credit reporters?

Bah! End rant...

Close Enough For Government Work

[Doc Ruby]

I wonder if they'll ask Hank Asher, who started the company (and DataBase Technologies), about his cocaine flights into Florida for Iran/Contra. Or how John Poindexter (of Iran/Contra) got them that fat contract for TIA, and saved it as the secret MATRIX program when TIA got too hot for Congress. Or about that Florida voter-purge list, with over 40K legitimate Florida voters prevented from voting in 2000, and again in 2004. Maybe Asher will have some answers that won't get the coincidence theorists freaking out about how this one company could be so lucky for so long with the same people.

Re:damage size?

[killjoe]

"In a fair world they wouldn't be allowed to release that sort of information to some data clearinghouse."

It's not a fair world. In this world choicepoint is one of most politically connected companies in the world and nothing will happen to them.

Isolation versus Aggregation

[dozek]

In light of this whole Choicepoint situation, I have been thinking a lot about the difference between the value of isolated information versus the value of aggregated information.

Clearly, the more aggregated information can be, the higher the value because those using it do not have to look so far to get other, related facts about a subject.

Perhaps the form of regulation on the topic of information security for these large clearinghouses should be to keep as much information isolated as possible...so that even if there is a fault, the effects are minimized.

This approach works in plenty of scenarios as far as contingency planning and fault tolerance goes. Faults and failures can occur, but in this case, the owners of the information should work towards containment for the sake of those they are representing (that is, those they have data about).

I am interested to see how the proposals for regulating this industry emerge, or if they will be squelched by various lobbies. We'll see.

Re:Trust me, its not just ChoicePoint.

[ScrewMaster]

In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect.

Absolutely, and I would add that there should be a stiff penalty if a data aggregator denies a citizen that ability, and such denial results in a crime.

I really cant answer if they should be selling this data...

Sure you can! Think about how this came about, and where it's going.

Originally, collecting and maintaining the so-called "credit history" on individual citizens was all about risk avoidance. That's still the case, of course. Businesses have always maintained records about past customers, so that they could then decide how, and if, to do business with said customers in the future. That's been true since we kept records carved on rocks or stamped in clay. The problem came in when business realized, with the advent of the mainframe, telecommunications and vast, cheap, readily-accessible storage that they could share this information with each other, thus dividing the risk. Thus was born the credit bureau. To my mind, the whole concept of the credit bureau is on ethically shaky ground anyway ... do business have the right to defend themselves against the normal costs of doing business, by placing their own customers at risk? Is this a justifiable tradeoff? Given the number of lives destroyed by the credit system over the years, I'd be inclined to say no ... it's usurious at best, and usury is illegal. Or used to be, at any rate.

So where are we now? Well, what has changed is that the demand is no longer just for security (customer "x" wants to buy product "y", give me yes/no on the transaction) but for the actual information used to make such decisions ... the financial history itself. I understand that companies like ChoicePoint actually acquire more detailed information than the traditional credit bureaus. So now we have an entirely different can of worms. In fact, in their eagerness to sell our personal histories (and sell us out) to companies that want to use that information to sell us other products, they have brought us to the brink of rendering the entire system useless (or at least, too dangerous to be trusted by the average citizen.)

ChoicePoint and similar organizations concentrate private information to a degree that makes it very, very dangerous to the individual by its mere existence. And then ... they sell it! Perhaps if the banking system were more robust, held more intrinsic safeguards, it might be different. Given how little information is required to perform an act of identity theft, however, I am personally unnerved by the idea of this data being used not simply to verify my creditworthiness, but sold on the open market to anyone meeting ChoicePoint's (apparently) minimal standards.

In answer to your question, I would say, "no", ChoicePoint should not be allowed to do what they do. I mean, they are taking chances with the financial lives of millions of Americans, who in return get ... nothing. That to me is the mark of a morally bankrupt business model, which if it isn't illegal probably ought to be.

Re:damage size?

[jcknox]

You're assuming there was an accident, and that he was at fault. CLUE (Comprehensive Loss Underwriting Exchange) reports are reports containing CLAIMS information provided by cooperating insurance companies. These allow insurance companies to evaluate you not just on your driving record (they're available on homeowners policies as well), but your proclivity to file claims. Some people will file a claim every time their door gets dinged in a parking lot or their windshield get cracked by a rock. These things don't show up as at-fault incidents. Other people will only file a claim in the event of a major accident. Insurance companies don't like claims, regardless of who is a fault, so they use CLUE reports to preferentially rate people that are claims-averse.

So information that is not a matter of public record is indeed disclosed by CLUE reports.

Re:It's about Time

[supertopaz90]

Another poster said Choicepoint doesn't care about you because you are just a number - you don't pay for its services, the companies do. Right, makes sense.

But, reading your situation above, could someone bring a libel suit against Choicepoint? According to some random site I found [freeadvice.com], libel is a written defamation, and defamation is:

Defamation, sometimes called "defamation of character", is spoken or written words that falsely and negatively reflect on a living person's reputation.
If a person or the news media says or writes something about you that is understood to lower your reputation, or that keeps people from associating with you, defamation has occurred.

In some ways its a stretch, as it isn't directly related to your "character," but its hard to deny that erroneous information doesn't lower your reputation. Companies charge higher interest rates or insurance premiums to "riskier" types of people; if your Choicepoint says you rent when you own and are single when you're married, then, hey, to an auto insurance company, you look riskier. Looks to me like your reputation was falsly lowered. Also, remember, average Joes don't need to show negligence like public figures do (that is, you don't need to prove that Choicepoint is knowingly publishing bad information, just that they are).

IANAL, nor a law student, so I have not studied libel case law to know if this would hold up, but it makes a lot of sense to me. Anyone have any thoughts?

Re:Dear Choicepoint...

[Doctor_Jest]

I just heard from them, after 3 emails and noting I was contacting my state's AG, I got a reply saying all my data was being deleted at my request. :)

Just be persistent, firm, refrain from profanity, and send a letter to your state's AG complaining of the company....

Worked for me. :)

The first time I got an email back saying I had to use a Do Not call list from the DMA website, but I replied back to that email with a firm request that I wanted my data OFF their servers. Of course, I have no way of knowing they did it, but it is nice that my firm letter notifying my state's AG of their practices was enough of an incentive to get them to do something.

Blood Money

[Doc Ruby]

In partnership with to Hank Asher [slashdot.org], Floridian Iran/Contra coke pilot, ChoicePoint was founded by Derek Smith, whose DNA analysis company scored a multimillion dollar contract [gregpalast.com] to identify victims from Ground Zero samples.

Re:damage size?

[bleckywelcky]

While I agree the system is comprised of a lot of bullshit - that everyone tracks every last piece of information about you that they can get their hands on, and trades that information with all their insurance buddies ... you might have a higher rate because you are male (unless you are a lesbian since you mentioned a GF). Males in their early 20s have some of the highest rates for many reasons, some which are more fair (numbers of accidents) than others.

The whole insurance business is a crock, these companies make shitloads of money off everyone for years and years, and then when something like 9/11 happens they cry and moan to congress (despite the fact that in the end they still end up making a ton of money). It's a huge profit business driven by more executives and board-types. What we need are community insurance bureaus. Kind of like credit bureaus where the bureau revolves around some sort of organization (a university, a large company for its employees, etc). We have this sort of thing with health insurance, but as far as I can tell, we don't have it for vehicle or property insurance.

My insurance bill per year is nearly 1/2 the cost of my vehicle (I drive cheaper used vehicles) and my record is spotless other than 1 ticket (not a speeding ticket or anything, it was a technicality akin to a parking violation).

A couple of things:

[mrchaotica]

Change "request" to DEMAND , send it certified snail mail, and send a copy to your lawyer (and inform Choicepoint in the letter that you're doing so.

ChoicePoint Execs Seem to Know

[The Angry Mick]

Apparently, some of the choice point executives knew there was going to be quite a bit of fallout over this. This morning's Atlanta Journal/Constitution [ajc.com] (reg. required - Google cache anyone?) is reporting that:

Since the sales began in November, ChoicePoint CEO Derek Smith and President Douglas Curling have sold 472,000 ChoicePoint shares worth nearly $21 million, according to the executives' Securities and Exchange Commission filings.