February 18, 2005 9:18 AM PST

ChoicePoint data theft widens to 145,000 people

ChoicePoint has confirmed that scammers culled the personal information of tens of thousands of Americans in a recent attack on its consumer database, resulting in 750 individual cases of identity theft.

The Atlanta-based company said that it plans to inform approximately 110,000 consumers outside the state of California whose information may have been accessed in the criminal scheme, originally reported on Tuesday. The company has already told some 35,000 Californians that their personal data, including their names, addresses, Social Security numbers and credit reports, was stolen by scammers. California is the only U.S. state with legislation in place that requires companies to notify its residents when their personal data has been compromised.

ChoicePoint also said that law enforcement officials informed the company of 750 cases of identity theft tied directly to the incident. One California man has already pleaded no contest to felony charges related to the ChoicePoint attack, while federal and state law enforcement agencies continue to look for others involved in the operation.

The perpetrators were able to dupe the company, which provides consumer data services to insurance companies, other businesses and government agencies, by passing themselves off as legitimate customers. Chuck Jones, a company spokesman, said the criminals set up 50 fraudulent accounts with ChoicePoint by posing as businesses including collection agencies that were looking to run background checks on potential customers.

Jones said that ChoicePoint was misled via a detailed effort, as the criminals used previously stolen identities to set up what appeared to be legitimate business licenses, phone numbers and addresses for the organizations they claimed to be when applying for accounts with the company. He said the firm has changed its policies for qualifying new accounts, and will now go as far as having people who are looking to access the company's databases visit the physical location of firms in order to verify those persons' legitimacy.

"We're working hard to deploy new technologies and tighten up the policies and procedures that ChoicePoint already had in place," Jones said. "It's always been critical for us to verify that people are who they say they are, but we think that our verification process has already been improved significantly (since the attack)."

The spokesman said that ChoicePoint has been targeted by criminals seeking to steal consumer data in the past, but never on such a wide scale. He said the company does not expect to report any additional consumers affected by the scheme.

The company said that it first learned of the security problem last fall, but ChoicePoint claims that law enforcement officials would not allow it to disclose the incident until now, so as not to compromise their investigations. Jones said the company is working on the case with the Los Angeles County Sheriff's office, U.S. Postal inspectors and the FBI.

Some privacy experts have predicted that the debacle will shine new light on the risks posed to consumers by information brokers such as ChoicePoint, and said the incident may convince other states to adopt legislation similar to the guidelines required by California. Last month, Sen. Dianne Feinstein, a Democrat from California, proposed legislation for a federal law that would require companies to inform consumers in any U.S. state of personal data losses.

Jones said ChoicePoint might support such legislation and will continue to work to help improve consumer protection across the data services industry.

"ChoicePoint has always been a proponent of responsible use of consumer data," he said, "and we remain hopeful that there will be a national discussion for improving policies that involves legislators, privacy experts and industry, to help establish better ground rules for this issue moving forward."

However, at least one privacy expert called ChoicePoint's claim of dedicated protection "comical." Ray Everett-Church, an attorney who runs his own consulting company, PrivacyClue, said data brokers such as ChoicePoint are far more concerned with making a profit than actively guarding against fraud.

"They're taking (consumer data) in the front door with the promise of protection and shoving it out the back door as fast as they can to the highest bidders--it's just a matter of time before we see more of these scenarios," Everett-Church said. "I've always marveled at these companies' ability to say they care about consumer privacy with a straight face."

He said ChoicePoint and other data aggregation companies have been doing very little in the way of completing background checks on customers, and said the firm probably could have identified the criminal enterprise as fraudulent by researching information in its own databases more closely.

"Don't tell me that your first priority is protecting consumers, when clearly the first priority is maximizing value for your shareholders," said Everett-Church. "I'm not buying it."

2 comments

Join the conversation!
Add your comment
These Fools Can't Verify For Themselves - Time For Class Action Or The FTC
Doesn't it make you feel wonderful that your personal information is being held by this company ? It's so bad that they can't even verify who they are giving the information to.

I guess anybody with a buck can gain access to our personal information with little more than a business card and someone else's stolen id.

You read all the stories about criminals using spyware and phishing to steal a person's id. Why go to all the trouble when you can order it directly from ChoicePoint ?

It also makes you wonder who else is carefully "guarding" your information.

This company is ripe for a class action suit by those whose information has been compromised. I will bet that a settlement of $100,00 per incident might get their attention.

I also think that the Federal Trade Commission might want to weigh in on the issue.

What is ChoicePoint going to do to help the people whose "stolen identity nightmare" was made possible by it's lack of care and negligence?
Posted by (17 comments )
Reply Link Flag
choicepoint invasion tip of the iceberg
Suntrust Bank and their association with MBNA is involved in very similar tactics; and utilize deceptive means to divert customers. Choicepoint must be taken to task; and our observations of government reponse - must not be considered adequate if information mining continues without new and unique privacy guidelines.
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.