Scammers access data on 35,000 Californians

ChoicePoint confirmed Tuesday that criminals recently accessed its database of consumer records, potentially viewing the personal data of about 35,000 Californians and resulting in at least one case of identity fraud.

The Atlanta company, which provides consumer data services to insurance companies, other businesses and government agencies, said the unidentified individuals posed as legitimate businesspeople in order to breach its defenses. Chuck Jones, a company spokesman, said that roughly 50 fraudulent accounts were set up by the schemers, through which they could view the data of California residents.

News of the crime first surfaced when ChoicePoint sent an e-mail to individuals potentially affected by the attack last week. Among the data available through the company's services, and possibly accessed by the criminals, are consumers' names, addresses, Social Security numbers and credit reports, Jones confirmed. However, he said it is nearly impossible to tell what information was viewed by the criminals.

"It's not easy to determine if anyone's info has been accessed; what has been determined is that some information could have been accessed," Jones said. "That is why ChoicePoint decided to notify people who may be impacted by this."

Jones said the company is working with federal, state and local law enforcement officials on the case, specifically the Los Angeles County Sheriff's office, U.S. Postal inspectors and the FBI. The officials have identified one case where data stolen in the scheme was used to commit identity fraud but have yet to offer more details on that incident.

The spokesman said ChoicePoint has already changed its procedures to prevent similar attempts to steal personal information but declined to comment on those policies. When individuals attempt to access their own information via the company's services, they are tested with a battery of detailed questions on their data to prevent fraud, Jones said.

The consumer data heist underscores the ease with which criminals can pose as lawful businesses to collect information on people without their knowledge. Jones said that ChoicePoint currently maintains 19 billion public records on U.S. residents.

Companies typically pay to access the data to create background profiles on customers applying for loans, insurance or even government jobs. Some experts have called for reform of privacy laws, many created as many as 30 years ago, that still govern the disclosure policies of companies such as ChoicePoint.

Jones said that ChoicePoint, which was spun off massive credit reporting house Equifax in 1997, hasn't experienced similar attacks in the past. However, the company has gone to great lengths to engender trust in the accuracy and security of its data, even hiring former New York Police Commissioner Howard Safir in 2000 to enhance the database it makes available to government and law enforcement agencies.

How about....

Why don't they log what users view in addition to controlling access to the system? Seems like a SOX issue to me.

[Marcus Westrup]

To true

I expect most companies dealing with public data are due for a security audit. Good intentions aside, managers, programmers and data specialists are not paranoid enough to see the security holes that criminals can take advantage of.
Its not just hackers or employees, you have to pay attention to who walks through the door.