March 10, 2005 3:04 PM PST

ChoicePoint data loss may be higher than reported

ChoicePoint could have leaked information on far more than 145,000 U.S. citizens, the data collector's latest filing to the Securities and Exchange Commission suggests.

The Atlanta-based company said in the filing that it has alerted only consumers whose personal details were improperly sold on or after July 1, 2003--the date that a California notification law went into effect.

In its regulatory 8-K document, filed on March 4, ChoicePoint said that it had restricted its search to a 15-month period, during which records on 145,000 consumers were purchased by 50 fraudulent companies.

Guide to Scam Traps

"These numbers were determined by conducting searches of our databases that matched searches conducted by customers who we believe may have had unauthorized access to our information products on or after July 1, 2003, the effective date of California's notification law," ChoicePoint said in the filing.

The exclusion of possible sales to suspect companies before that date raises questions about the true number of Americans affected by the data leak. Sales could have taken place before the period covered by the California Security Breach Information Act, which requires businesses to tell people if their sensitive details have been exposed.

A ChoicePoint representative declined to comment or speculate on the number of records that may have been exposed before July 1, 2003. ChoicePoint provides consumer data services to insurance companies, other businesses and government agencies.

In its SEC filing, the company did not specify whether it intends to do additional searches. ChoicePoint did say that any increase in its estimate of the number of potentially affected consumers will not be "significant." It's not clear whether that estimate is only for records sold on or after July 1, 2003.

Background data
ChoicePoint discovered on Sept. 27, 2004, that a few of its small-business customers in the Los Angeles area were engaged in "suspicious activity." The company notified law enforcement agencies, but did not notify the consumers whose information was leaked until early February.

At first, the company only notified some 35,000 California residents as required by law in that state. After a public outcry for more information, the company notified 110,000 U.S. citizens whose records were improperly accessed.

The ChoicePoint incident was the first of many data leaks to be disclosed recently. This week, publisher Reed Elsevier Group acknowledged that hackers gained access to personal information on about 32,000 U.S. citizens in its LexisNexis databases. In late February, financial services giant Bank of America alerted government workers that backup tapes containing their sensitive data had gone missing.

Legislators and government agencies have already started investigating ChoicePoint, with the SEC and Congress looking into the company's business practices. The incidents are widely expected to spur legislation aimed at protecting consumer data.

Any decision by ChoicePoint not to search further into the past would be reasonable from a corporate standpoint, said Bruce Schneier, a security expert and chief technology officer for network protection provider Counterpane Internet Security. However, the strategy would make the company and its actions an even larger target for lawmakers, he said.

"They are putting a big sign on themselves saying, 'Please regulate me,'" Schneier said. "They are showing that they are not going to be a good actor unless we force them to be."

Schneier took ChoicePoint to task in an entry on his blog. He argued that as long as U.S. citizens are not customers of data collection companies, they should not expect good security.

"The real problem here is that your data is not controlled by you," he said. "We are not ChoicePoint customers, so they have no reason to listen to us. If we didn't hire them, we can't fire them."

2 comments

Join the conversation!
Add your comment
NoChoicePoint
So now NoChoicePoint is saying that as many as 50 companies conned them into disclosing sensitive information. That is up from the "few" that they said last week, and the "1" in 2002. I guess they improved their systems with time. Maybe next year it will be hundreds. We can only hope. Practice makes perfect.

www.nochoicepoint.com
Posted by Stating (869 comments )
Reply Link Flag
The Quality Of Their Data Is About As Good As The Quality Of Their Controls
Apparently the quality of their data is about as good at the quality of their internal controls and management. A recent article in MSNBC highlighted several people who somehow obtained the information that ChoicePoint was selling about them. It was rife with errors, inaccuracies and just plain garbage.

How many people have been denied jobs, loans, insurance policies, credit, or even an apartment by the garbage that has been aggregated by this company?

It seems that just merge data from a myriad of suppliers on any data field that matches. It sounds like they buy data with little checking or verification and do even less cleaning or verification when they merge this information. Remember the old adage "Garbage In Garbage Out"? I would like to see the dossier they have on John Smith.

The idea that our law enforcement or Federal agencies would rely on such data is mind boggling. How can they do their job if the data is not good? Maybe its time for these agencies to cancel their subscription with ChoicePoint and others like it and find new suppliers. Stop wasting our money on poor products and stop providing data to companies such as these.

It seems that every regulator and government agency has ChoicePoint in their crosshairs now tht a Senator's data was mishandled. A check of the business news for ChoicePoint listed several Class Action lawsuits being prepared on the behalf of shareholders. I would say that the gig is just about up for ChoicePoint and Mr. Smith.
Posted by (17 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.