ChoicePoint Data Stolen By Imposters
swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."
Ineptness to the point of being evil (Score:5, Insightful)
The article further quotes ChoicePoint spokesman Chuck Jones:
Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!
The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.
Re:Ineptness to the point of being evil (Score:3, Insightful)
Re:Ineptness to the point of being evil (Score:5, Insightful)
Probably won't happen, however. In fact, we are going in the other direction and the companies that hold your data legally "own" it in most cases.
By the way, don't you recognize this particular company? Same one that helped BushCo purge all those voters in 2000. I think they got out of the voter purging business before 2004, but I haven't really been tracking it.
Re:Ineptness to the point of being evil (Score:3, Informative)
Re:Ineptness to the point of being evil (Score:5, Insightful)
Just out of curiosity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?
Limits on personal information... (Score:4, Insightful)
That solves your bank deposit problem. Public/private key separation would solve most of the problems.
As far as repeatedly entering addresses--come on, that's easy. Browsers have a wallet-like feature which fills it in on demand. There's no need for the provider (netflix) to store the information, and they should refrain from doing so.
So far as taxes are concerned--of course you have to give personal info for H&R Block to process them, but the grandparent means it should be treated as your property. You may leave valuables with a bank safety deposit box, but the bank does not own them. It is a steward. Its rights obviously don't extend to sharing information about what you've deposited with others.
Re:Limits on personal information... (Score:3, Interesting)
Browsers have a wallet-like feature which fills it in on demand.
Excellent points, all.
My pet peeve is that "form filling out" information disclosure should really be kept to the minimum required for the transaction.
If you go into a doctor's office for an ingrown toenail, there's no reason you should have to dump down 57 pieces of data on a form. If I put down that I'm a 27 year old male with no allergies and I can digitally sign that I'm able to pay up to $500 for any services, that should be enough.
L
Re:Ineptness to the point of being evil (Score:5, Interesting)
There is no intrinsic requirement here for the bank to know more than the source and destination account numbers and how to examine the certificate for authenticity. The bank has no reason to know how much money you have in other banks, or anything beyond the fact that this account number has enough money to cover the requested transfer. (Your other example is almost exactly the same, but with the transfer coming from your employer to an account you have specified.)
You forgot one thing... (Score:3, Insightful)
Otherwise, perfectly described Swiss bank anonymous account... "But think about the CHILDREN!"...
Yes, there are technical means, and then there are financial/political "considerations". I wish it would happen like you describe, but, really, a snowball chance in hell it will, agreed?
Paul
Re:Ineptness to the point of being evil (Score:5, Insightful)
where to? no-one knows your address
Re:Ineptness to the point of being evil (Score:5, Interesting)
Off topic, really, but I have to vent. They screwed my wife out of a job this year. We were recently married and they failed her background check on her name on file with the credit bureaus not matching the name on her application. They also dragged ass fixing the problem and had a policy in place to NOT notify the potential employer that they had made a mistake.
Experian (in UK) also screws you : my experience (Score:5, Informative)
A few years ago I applied for a mortgage, and got refused because the bank did a credit check with Experian, Experian told them I wasn't on the electoral register, so the bank turned me down. I knew I was on the electoral register, and had been for years. I went to the local council for my previous residence, and the helpful council officer checked my record, and even let me come round the desk and look at her screen to see my record. I phoned Experian "I know I am on the electoral register for this address" (Experian) "no, sorry sir, this isn't on your record" (me) "I'm looking at my name on the electoral register, I'm just handing you over to the council officer who will confirm" (nice govt. officer): "yes, he is" (Experian) "ahh... we'll look into that" (me): "cheers, I've been turned down already for a mortgage, are there any other parts of my credit records you should be checking?".
I really recommend that anybody in the UK who is about to buy a house/car/other significant credit transaction ask for their records first. Which of course costs you money that goes into the credit agencies' pockets. It's a corrupt system, and there's nothing we can do about it. Private companies running (ruining?) people's lives. "Sue the company" might be ok for you big shots but I was on low wages then and I'm a student now. One day I'll be working again and the first thing I got to do is use *my time* and *my money* to unpick *their mistakes*. Experian's mistake f*cked up my life, be wary people.
Me too - UK rules are scary (Score:3, Insightful)
Not so long ago, I was surprisingly refused credit. In fairness, that part wasn't Experian's fault; it was down to an automated address database that didn't recognise the correct form of my address and decided I didn't exist. However, during the follow-up enquiries with the credit card company who'd turned me down, I obtained a copy of my credit record from Experian. There were so many minor inaccuracies it was scary. The best bit was when, at 17:05 after speaking to someone there for five minutes (after ab
Data ownership (Score:5, Informative)
When they lose the data, as far as they are concerned they have lost some of their business information (ie. someone accessed their data without paying).
That the data is about you, and could be damaging to you is inconsequential to them. Anyone could have bought the data from them anyway.
Re:Data ownership (Score:3, Insightful)
For example, before all this computerization, if you wanted to borrow some money, you told the bank about who you borrowed from in the past, and they would check to see what those people said about the loan
Re:Data ownership (Score:3, Insightful)
The problem with this is that *you* don't own the data kept about you...When they lose the data, as far as they are concerned they have lost some of their business information
Which is why most developed countries have privacy legislation. "Ownership", in the context of personal information, is about the extent to which individuals can exert control over what happens to that data. Ownership doesn't (or shouldn't) reside with the business alone.
That the data is about you, and could be damaging to you i
Re:Data ownership (Score:5, Interesting)
It's usually paired with another constitutional right called "Habeas corpus", which ensures freedom of movement in the country and grants rights against detention without due process.
Re:Data ownership (Score:3, Insightful)
Well, he's entitled not to tell anyone. People can change, you know. This can happen, but now the involved executive has the right to initiate legal actions.
What if a reporter learns that a politician has secret bank accounts where huge sums of money are regularly received?
In that case, he wo
Basic principle of the EU directive (Score:4, Interesting)
As a matter of fact, even supplying personal data to third parties is outright verboten without a solid reason to do so. (And no, money grubbing greed is not considered a solid reason, legally)
Re:Ineptness to the point of being evil (Score:3, Insightful)
Re:Ineptness to the point of being evil (Score:5, Insightful)
Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...
Re:Ineptness to the point of being evil (Score:3, Interesting)
It isn't nearly as simple as that.
Photographers require a release from models they shoot, similarly with tv shows (watch any of those reality shows and you'll occasionally see people who were filmed but would not sign a release, their faces and any other personally identifiable information is blurred out).
I *did* create it! (Score:3, Interesting)
I created my address by purchasing a house and moving into it. I created my credit history by obtaining credit, using it, and paying it off (or not). I created my salary history by getting a job and drawing a salary. I created my education history, GPA, major, minor, and concentration by getting an education. I created this message. I created my marital status. I created my child, though they are creating original art of
Re:Ineptness to the point of being evil (Score:3, Informative)
No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society [democracynow.org]
Re:Ineptness to the point of being evil (Score:5, Insightful)
The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.
Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.
I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.
A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.
This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.
The powers that be.... (Score:3, Interesting)
Re:Ineptness to the point of being evil (Score:3, Insightful)
Fraud is a cost of business to credit card companies, the only way that the credit card companies would actually pay the price here would be if people actually stopped using them. Short of that drastic and unlikely occurrence any level of theft and fraud will be absorbed and paid by t
Re:Ineptness to the point of being evil (Score:5, Informative)
as a holder of a merchant account, I can say that you're full of shit. WE bear the brunt of fraud (a.k.a. "Chargebacks")... not only do we lose the money, but we get charged a nice little fee along with it. (usually around $30-40).
oh yeah, and get more than $x percent chargebacks in a year, your account goes *poof*
Re:Ineptness to the point of being evil (Score:3, Interesting)
I don't think there's any coincidence that my local coffee shop raised all their prices about the same time they started accepting credit cards, and I appreciate that my favorite local CD store charges a buck fifty per CD extra if you pay with credit cards - that way, I don't have to subsidize other people's credit card use when I pay cash.
That said, with the way retailers have to bear the brunt of the damage when someone comm
Re:Ineptness to the point of being evil (Score:2)
Banks require your social security number for tax reporting purposes. It's a Federal law (you get that 1099-INT each year with interest bearing accounts, for example), as the IRS has a vested interest in your finances. You cannot "opt out", any more than you could opt out of giving your employer your SS#.
Re:Ineptness to the point of being evil (Score:4, Informative)
Also, there are lots of foreign people in the U.S. and elsewhere who have U.S. bank accounts but no SS #. I suspect that banks assign these people arbitrary generated numbers. Perhaps you can go to a bank, tell them you're from Scotland or Uruguay or the South Pole and just open an account without the damn SS number. Of course they may demand a passport.
Now here's an interesting bit of trivia. You can change [ssa.gov] your social security number. It's free and you have to apply, with proof of identity, and also supply a reason why the change is needed. It can be a change of name, threat of domestic violence, identity theft, or even because the numbers are offensive to your religious beliefs. I suppose the latter reason is the best way to change your SS # arbitrarily. However, they say they keep your old number on file and cross referenced, so it may be that someone with your old number could still cause you grief.
Re:Ineptness to the point of being evil (Score:5, Informative)
The IRS is way ahead of you, that's what ITINs and ATINs [irs.gov] are for.
Re:Ineptness to the point of being evil (Score:5, Informative)
Re:Ineptness to the point of being evil (Score:2)
As of Saturday afternoon, I had not received any notification from ChoicePoint. I'll watch my mailbox.
Re:Either that...or... (Score:2)
One thing I'd have to wonder...what would a company like ChoicePoint be doing with someone's personal data (like Social Security Number), unless they had been explicitly authorized to have it? As far as I'm concerned, ChoicePoint might very well be the unauthorized third party.
Re:Ineptness to the point of being evil (Score:3, Insightful)
We need a full investigation. ChoicePoint's liability could be enormous. It is clear a cover-up may be going on.
Will you even get a notice? (Score:5, Insightful)
The article points out that "Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.", so I'm guessing that there are probably another 300,000, or so, nationwide who will not be notified by the company. A few other really high-profile types might get a notice, but I'm betting that no more than a couple dozen non-Californian SlashDot readers will get notices.
Does anybody else want to call and ask and see if they even get an answer? (I don't live in the US, so I probably don't count, statistically speaking.)
Re:Will you even get a notice? (Score:4, Insightful)
Now, that data is going to be worth a lot of money to someone. There are going to be individuals on that list who could have more than $100k stolen each, ergo, the data is worth a multiple of that.
But what if someone leaked it? Disgruntled employees or clients, other blackhats, cleaners, anyone? How wide would a 100MB csv spread on Kazaa? Given the precedent set by spammers, nearly all of those victims could be exploited.
Anyone want to guess the political, economic and cultural impact of 1 in every 10 US citizens becoming bankrupt or even destitute in a matter of months? If it doesn't happen this time, it's a ticking time-bomb for the future.
A radical redesign of the modern approach to financial security is overdue.
Re:Ineptness to the point of being evil (Score:2)
I don't think so. "Whiny" is a subjective description, not factual information about a person, and even if there was an objective standard for it, as soon as the person said one whiny thing in a public place, it would no longer be private data.
Re:OT (Score:2)
For instance, a random entity shouldn't be able to find out what insurance carrier and plan I use. But if I post to Usenet that I subscribe to the Blue Cross HMO plan, then I would no longer be able to assert that as being private data that I exclusively own.
I enjoy... (Score:5, Funny)
It's pretty silly.
Re:I enjoy... (Score:2, Funny)
if i *accidentally* ... (Score:5, Insightful)
Companies should be held responsible for the data they hold.
Re:if i *accidentally* ... (Score:2, Insightful)
Re:if i *accidentally* ... (Score:2)
Companies definitely should be held responsible for the data they hold, and the costs incurred by their mistakes.
But a driver that broke no law other than being at the wrong place at the wrong time shouldn't, and isn't necessarily held responsible. In the US, it really depends on the state.
Re:if i *accidentally* ... (Score:5, Insightful)
Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.
I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.
Re:if i *accidentally* ... (Score:3, Interesting)
The question is, what is a reasonable effort to maintain the safety of your data? If a company is making a good faith effort to keep their systems up to date with the latest patches, you probably don't have a reasonable case to sue them. I haven't seen anything that suggests their protection of people's data is analogous to "a rickety old warehouse in the middle of a populated area."
Don't get me wrong; it bugs me that there are companies whose sole purpose is to gather up whatever data they can find on me
Re:if i *accidentally* ... (Score:3, Insightful)
Re:if i *accidentally* ... (Score:4, Funny)
So long as they don't have a "Going Out of Business" sale...
Re:if i *accidentally* ... (Score:3, Interesting)
Let's say I run an online job market site. IIS backed with SQL server. A blackhat hacker uses an unknown exploit to break in, unauthenticated, to IIS. He then leverages this account to steal SQL credentials (or he uses an unknown SQL vulnerability) and downloads every resume we have on the system.
You're telling me that I should be charged with a crime?
To further your car analogy, you're saying if, while driving, my factory-faulty bumper comes off and brains a passing pedestrian that I should be li
Re:if i *accidentally* ... (Score:3, Insightful)
Legal question (Score:5, Interesting)
Re:Legal question (Score:5, Informative)
Ordinarily in a case like this a class action would be brought against the company. The "Class Action Fairness Act" will shift class actions from state to federal court. Ostensibly this was done to prevent venue shopping- where you look for the state with the most favorable laws for your class action suit- but it also has the nice property that federal courts rarely agree to hear class action lawsuits, citing differences in state law. The Act effectively puts an end to all class action suits without explicitly banning them.
If you're a victim of identity theft because your Social Security number was compromised by ChoicePoint, you'll have to hire a lawyer yourself, prove that the identity theft was a result of ChoicePoint's negligence, and your case will be heard separately from those filed by any other plaintiffs.
Re:Beowolf Lawsuits (Score:3, Insightful)
If
So who ELSE is affected!? (Score:4, Interesting)
SO WHO THE FUCK ELSE HAD THEIR INFO STOLEN!? WHAT STATES!?
We want to know! NOW! Why are they refusing to disclose vital information? I'd be VERY angry to find out that someone committed identity theft, these people knew of the stolen info, and they didn't tell me.
Re:So who ELSE is affected!? (Score:5, Insightful)
Re:So who ELSE is affected!? (Score:3, Informative)
Re:So who ELSE is affected!? (Score:2)
So I say again, where is the disclosure?
Re:So who ELSE is affected!? (Score:3, Informative)
Well, from a legal standpoint, it certainly does. If there is no law in your state requiring them to do so, then legally they don't have that obligation to you. Morally, I believe they are obligated to, but morality isn't the same as legality now is it?
Re:So who ELSE is affected!? (Score:4, Insightful)
Anyway, this is the prison we built for ourselves, and as a result the fact that you happen to live in another state means they do have less obligation to you, as that word has any actual meaning anyway. Otherwise we'd be within our rights to march down there with torches and pitchforks and perforate 'em.
Welcome to the downside... (Score:5, Insightful)
Next big issue is going to be medical records online. While having such information in one location could be of great benefit to doctors and hospitals around the world, there are also dangers as well, like your HMO, employers, or if you're a public figure, the media getting their hands on otherwise private medical records.
Re:Welcome to the downside... (Score:2)
The idea that your life can be destroyed if someone just acquires your name and social security number is insane. Social Security numbers are security through obscurity and they completely stopped working when the Internet came into being.
And no I don't want the government to institute an all
Let me be the first to say, (Score:2, Funny)
poor credit score keeps me safe. (Score:5, Funny)
Re:poor credit score keeps me safe. (Score:3, Funny)
I am at a negative risk of contracting STDs. As in, not only is my likelihood non-existent, but the more time you spend around me, the more your likelihood of contracting anything goes down.
Yes, I realize I am posting this on Valentine's Day. I believe anyone who can't laugh at themselves needs to lighten up
Acceptable losses (Score:4, Insightful)
All those foolish people who protested the collection and sale of personal data of private citizens should be ashamed since the prosperity of this country depends greatly on the efficiency of business. And if you don't like it in this country any more go some place better! There isn't any place better you say? Then shoot yourself now because there's nothing you individuals can do to change things to your liking anyway.
(The preceding was stated as an opposite to my actual feelings on the matter to illustrate how ridiculous I feel the opposing view might be. There are no acceptable losses when it comes to privacy and the right of everyone to keep what they have earned. Loss of privacy opens the door for unscrupulous people to do bad things and reduces an individual's ability to protect one's self.)
The real problem here isn't the break-in... (Score:5, Insightful)
If the data was that critical and personal, why was it available to "legitimate businesses" in the first place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?
Re:The real problem here isn't the break-in... (Score:5, Funny)
Excellent! (Score:4, Informative)
No Place To Hide [publicradio.org]
It was truly disturbing. Now that we're permanently at war with the Forces Of Evil (terrorists, for now) people should get used to not having any privacy. Sigh.
Do a little quick math (Score:5, Interesting)
So, the number of stolen identities is probably closer to 300,000 to 350,000. Only California has a law that forces companies to disclose these kinds of risks to personal data, but I think it's a fairly safe assumption that the thieves didn't target just California records (in fact, if they wanted to use them for identity theft, it would make more sense to exclude California records because those individuals would be on alert).
So, potentially one in every one hundred people in the US now has their electronic profile available for identity theft. That's a scary (although I'll admit unlikely) idea.
Closing question...what exactly is the f'ing difference between a "legitimate" company accessing this ChoicePoint database and an "illegitimate" company? Wouldn't theft of database access be just as much a risk? If Sam's Wholesale Cookies can browse through the database, conceivably so can any employee of Sam's Wholesale Cookies or anyone who breaks into a Sam's Wholesale Cookies computer. Is there not a single person in all of government who sees the folly of having all the eggs in one basket? Not even a secure basket...the free sample basket by the front door of the mall.
- JoeShmoe
Re:Do a little quick math (Score:5, Informative)
The databases basically involve public records from every county in a state describing ownership, professional licenses, et cetera. They often include every piece of information involved in submitting a request for some type of certification. Land deeds, for example, are in there, as well as contractor's licenses. A lot of that information is public record, but the stuff that isn't is the address (that's sometimes but very rarely public) and sometimes social security number. If you can establish that someone was at a certain address, and get a social from that address, hopefully correlating it with another address and matching (or near-matching) social security number, then you can look that ssn up in connection with all kinds of other items. This can connect them to any number of other people who you can bother for their phone number.
Eventually, you can find property, and depending on what state it's in you can sometimes take it away. California makes it pretty hard to do that kind of stuff to someone; you can't take away a home which is also a business, for example, and you can't take away someone's primary automobile -- unless you're the lien holder, that is. Or, well, the federal government.
Notice above I said something about a near-matching SSN? All of this stuff is near-matching. The problem is that someone might write their name (or other information) carefully in one place and illegibly in another. They might of course also forget or "forget" the number and misenter it. Finally, let us not forget the wonders of data entry and the errors therein. Some forms are OCR'd (anything typed) and some were probably hand entered. The record only goes back so far as well, but it's generally pretty far.
Anyway, anyone with a business that has a reason to need to do that kind of thing can get access to those databases. They can tell what you were doing with it, so if you do something naughty, they could tell.
"Criminals posing as legitimate businesses" (Score:5, Funny)
No Changes Forthcoming (Score:5, Insightful)
If this incident doesn't create intense public outrage and a rash of calls to legislators demanding change, then I doubt there will ever be changes that protect individual identity and information.
Furthermore, I would propose that every individual that finds ChoicePoint's egregious lack of security reprehensible, to draft a letter demanding a full explanation and any details relating to whether or not their information has been stolen. I don't expect this company to come clean, but just imagine the hassle of having to reply to hundreds of thousands of letters.
Maybe having to deal with thousands of peeved off consumers will clean up their act.
Re:No Changes Forthcoming (Score:2, Informative)
However, there is some data they possess which isn't public records (DMV records mostly) which require special privileges to access. I would hope that they actually review who has access to that information, and not give it out to persons without legitimate needs.
I think the main concern is that fact that this data is aggregated for use, wi
More of ChoicePoint's greatest misses (Score:3, Informative)
*This is not an endorsement of the linked site or the opinions expressed there. I just recall these claims from a Slashdot submission I made a couple years ago related to this.
Remember the Florida election of 2000 ? (Score:4, Informative)
When is Joe Six pack going to wake up to the fact that in secret the government has conspired to create a dossier on every citizen in this country and this is who they hired to do it:
Hank Asher then creates the MATRIX as a state level network version of the TIA office. Essentially continuing the TIA office, but freeing it from congressional oversight and federal whistleblower protections. He admits smuggling millions of dollars worth of cocaine in 1981 and 1982. Coincidentally at the time when the Iran-Contra dealings were in full swing.
But this is only speculation. Could there be more of a link between illegal dealings between Hank Asher and the republican party? OF COURSE THERE IS!
In 1992, Asher founded Database Technologies, which later merged with ChoicePoint. In 1999, he founded Seisint Inc. by merging two companies. He is still on Seisint's board of directors, and continues to play an active role in the company. During the 2000 presidential election ChoicePoint gave Florida officials a list with the names of 8,000 ex-felons to "scrub" from their list of voters. But it turns out none on the list were guilty of felonies, only misdemeanors.
So there we have it. We went from having a domestic spying agency run by a five time felon to having the same domestic spying program sans congressional oversight and whistle blower protections run by a convicted drug smuggler who has proven that he'll break the law to further the republican agenda.
http://www.oldamericancentury.org/oh_republican
A Florida law enforcement data-sharing network is about to go national. In the name of counterterrorism, the Departments of Justice and Homeland Security are pouring millions of dollars into the system to expand it to local law enforcement agencies across the nation. It's called Matrix, which stands for Multistate Anti-Terrorism Information Exchange. According to the Washington Post, the computer network accesses information that has always been available to investigators but brings it together and enables police to access it with extraordinary speed. Civil liberties and privacy groups say the Matrix system dramatically increases the ability of local police to snoop on individuals.
http://www.democracynow.org/article.pl?sid=03/0
The Florida company that built the database was founded by the man behind ChoicePoint and Database Technologies. The companies administered the contract that stripped thousands of African Americans from the Florida voter rolls before the 2000 election.
Although narrower in scope than John Poindexter's controversial Terrorist Global Information Awareness program, Matrix may serve a similar purpose because it provides unprecedented access to US residents regardless of their criminal background. And states are eager to participate in the new program. On Tuesday, the Department of Homeland Security announced plans to launch a pilot program in state law enforcement data-sharing among Virginia, Maryland, Pennsylvania and New York.
Re:Remember the Florida election of 2000 ? (Score:4, Interesting)
OK - long story made short, I live here in South Florida and was looking for a job sometime in the fall of 2001. Seisint placed a wanted ad on monster for a Unix Systems Administrator.
I sent my resume and never got a response back from them. Being unemployed, and having a little time in my schedule, I started doing some nmap probes (just regular tcp scans) on their network. It was mostly curiosity at first, but I was shocked at how many open ports and machines were sitting there on the internet. Sure enough I found a Windows box with file-sharing on. Curiosity got the best of me, and I tried accessing the 'C$' share on this box with "Administrator" (no password). It worked.
Okay, so as it turned out this machine had cuteftp installed on it, and the user had the passwords to his ftp sites in a (quasi-encrypted) file. I don't remember the file name, nor do I remember the version of CuteFTP they were using, but there was a cheap script-kiddie type program I found that 'decrypted' the passwords in this cuteftp file. (It took no time at all, cuteftp probably used something really stupid like XOR..) I found this user's passwords to something like 8 production oracle servers in that file. (The password was the same on all boxes - and I remember the user names being a little different, so for all I know root on those boxes was the same as all the other passwords.)
Not wanting to cross any further boundaries than I already had, I figured I'd send my findings to Seisint, and see if that got them more interested in my application. In fact it had! They wanted to talk to me and hear more about what I had to say regarding their network. For a number of reasons (I decided to go back to school mostly) I declined and told some dude from the IT department over the phone the whole story from above. In hindsight, I was lucky they didn't get federal investigators involved (back then there was no homeland security! Nowadays I could be labeled a terrorist).
Yeah I know this is slashdot, and you all don't know me from shit, but I have the old emails somewhere I think. If anyone ever needed them for anything, I would go back and look for them. In all of this, I believe most of these large data repositories have shockingly poor security procedures. I'm shocked there aren't more thefts like this one happening on a regular basis.
Copycriminals (Score:2)
All this info must be protected by copyright. I transfer a copy of my personal info to a receiver in a specific transaction, with the right to copy it only as required to complete that transaction, unless expressly allowed otherwise. When they "shar
Yeah, thank goodness only AUTHORIZED third parties (Score:4, Insightful)
Where's the Upside? (Score:5, Interesting)
This whole company's existence and screwup just stamps out all notions of privacy I had, now not only thieves profited from me without even notifying/asking me, but now criminals can benefit from my existence too.
defense? (Score:5, Funny)
Let's all laugh at security (Score:4, Interesting)
A better solution (Score:5, Insightful)
It needs to be treated as what it is: (Score:5, Interesting)
Companies need to get on the stick and use other verification measures. Using an SSN as an ID # is fine, not as a password; that needs to be something else not related to identity.
"Law Enforcement Clearance?" (Score:3, Interesting)
Now why exactly would they need permission to tell me (if I were a CA resident) that I should be worried about my data being misused? They certainly didn't need any cop's permission to amass it, nor to hand it to a "legitimate" customer.
a blast from the past (Score:3, Interesting)
Jail (Score:3, Insightful)
Who is going to jail over this?
If the answer is "no one", then it will happen again.
Re:Jail (Score:3, Insightful)
SSN is the real problem (Score:4, Funny)
Put the slashdot effect to good use (Score:5, Interesting)
Cocksuckers (Score:3)
What could be more telling. NO, ASSHOLES, that's NOT THE LATEST NEWS.
If one ever needed evidence of the lying, cheating, dishonorable aspect of American Capitalism, this is it.
Dickheads. Suspender wearing, Blackberry toting, power lunching, lay-offing, ass-kissing, pro-actively cocksucking DICKHEADS.
I can't stand it any more. Where's my Prozac (TM)? These fuckwads are hurting my buzz.
Choicepoint/DBT have had many PR problems before.. (Score:4, Informative)
The Joys of the DPA (Score:3, Informative)
This is why... (Score:3, Informative)
Just to remove some ambiguity from the posting... (Score:5, Interesting)
Although the posting notes that the company has notified several thousand Californians, don't take this as suggesting that the damage is limited to Californians. From the article:
"California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area."
Time to start lobbying some other states' legislatures, perhaps.
Ultimate consumer-friendly solution (Score:4, Insightful)
These companies are in a position of responsibility, but they don't seem to take it very seriously. The credit bureaus have already bribed their way into legislation that makes it your responsibility to correct errors in their data, not them. If we don't act now, they'll bribe (excuse me, I mean "make campaign donations") and get a free pass on handing out your data to the Russian mafia, too. I say make them liable for monetary damages, instead.
Institute it, and watch how fast their security improves. The attitude of: "Oh well, it's not our problem" would be a thing of the past. OR somebody would sue them bankrupt. Either way, the consumer wins.
Plus, the idea of suing these bastards into bankruptcy appeals to me because of Choicepoint's role in George W. Bush's 2000 coup.
Re:Thats only what they are required to report (Score:5, Funny)
Re:Thats only what they are required to report (Score:5, Insightful)
I very much doubt that they're willing to do this. They're only providing any notification because they're required by law to do so; left to their own devices they would ignore it entirely.
Re:Thats only what they are required to report (Score:5, Interesting)
2. The incident happened months ago, and ChoicePoint just got permission from law enforcement to disclose the incident.
I would say it's pretty likely they wouldn't report data thefts about people in other states...
Re:Contact them... (Score:2)
Category - Affected Consumers.
I would like to know if my personal data was compromised during your recently discovered - or any other known - security breach.
Thank you.