ChoicePoint says potential fraud victims in all U.S. states, D.C. and three territories, AP, Feb 21 "ATLANTA - ChoicePoint Inc. said Monday that residents in all 50 states, the District of Columbia and three U.S. territories may have been affected by a breach of the company's credentialing process in which criminals gained access to its massive database of consumer information. The Alpharetta-based company said the smallest number of possible victims - two - was in the U.S. Virgin Islands, while the largest number - 34,114 - was in California. It planned to release a state-by-state breakdown later Monday. People in Puerto Rico and Guam also may have been affected. ChoicePoint said it is almost done notifying by mail the 144,778 people that may have been affected. California authorities say as many as 500,000 people may have been affected, but ChoicePoint disputes that number. "All I can tell you is our number is roughly 145,000, and we know that we're over-notifying," marketing director James Lee said. "There will be duplications in there." The company also announced that it is making roughly 17,000 customers go through a recredentialing process to verify that they are legitimate businesses, and it has hired a retired Secret Service agent to assist in revamping its verification process. . . . The company acknowledged last week that thieves apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts. The bandits then opened up 50 accounts and received volumes of data on consumers, including names, addresses, Social Security numbers and credit reports. The ring, which operated for more than a year before it was detected, used the information to defraud at least 750 people, according to investigators in California." http://www.mercurynews.com/mld/merc...alifornia/northern_california/10954914.htm?1c
Is ChoicePoint covered by FCRA and FACTA? Should we be requesting reports from them like we do from the 3 main CRAs, both to ensure that the information they have on file is accurate, and to determine what risk of possible identity theft their information poses? What legitimate reason does ChoicePoint, or any CRA, have to deliver to a customer identification information, including SSNs and DOBS, on large blocks of US citizens? It is one thing for a CRA customer, whether OC or CA, to verify a SSN it already has with a CRA. It is entirely a different level of risk for a CRA to provide identifying information, in wholesale blocks, to any party that does not already have that information.
Note the similarity to the Tave/Charter Pacific Bank case, where an institution supposedly with responsibility for maintaining security of customer information, in this case credit card numbers of customers of other merchant accounts it handled, none-the-less sold this information en-mass to criminals, with little regard to the risks or liability of its actions: http://www.faughnan.com/ccfraud.html#CPBank The problem is not only the failure to adequately check the legitimacy of a customer before selling information, but the very practice of selling such information en-mass. The fact that identity information is sold without regard to the original legitimate purpose for which an individual provided it shows that our identity verification infrastructure is inherently insecure, subject to compromise by the least secure holder. The barn door is open, the horses are gone, and criminals see the opportunity. Identity information is used as authentication, which is an inherent miss-use since it has already been provided to unknown numbers of companies, and is not revocable.
http://www.siliconvalley.com/mld/siliconvalley/10961626.htm It appears that ChoicePoint will now require customers that are not government agencies or publicly traded companies to be recredentialed, and that after that recredentialing, SSN, DOB, and drivers license information will only be provided to government agencies, publicly traded companies, or companies "sponsored" by them. That should fix everything... I guess employees of publicly traded companies or governmental agencies would never steal identity information. http://www.italks.net/forum/printthread.php?t=201 http://www.upi.com/view.cfm?StoryID=20020802-070910-3356r http://www.oag.state.ny.us/press/2001/jul/jul17a_01.html http://www.msnbc.msn.com/id/5015565
http://www.choicepoint.com/news/statement_0205_1.html "What we know about the crime: In October 2004, we detected possible signs of fraudulent activities in several small business accounts based in the Los Angeles area. We alerted the Los Angeles County Sheriff�s Department and they subsequently confirmed our suspicions and began an investigation. In November, we received a letter from the lead criminal investigator asking us to delay consumer notification until January 2005 as he was concerned that earlier disclosure could compromise the investigation."
