When word first emerged this week that still unknown scammers had
illegally obtained detailed dossiers on 35,000 people by posing as
legitimate customers of ChoicePoint, the company portrayed it as a
relatively minor criminal case, limited to California.
But by week's end, it was shaping up to be a full-blown scandal with
as many as a half million people nationwide potentially vulnerable to
Outraged, attorneys general from 38 states demanded that ChoicePoint
warn any victims in their states as well, and politicians, consumer
advocates and security experts called for more federal oversight of a
lightly regulated industry that gathers and sells personal data about
nearly every adult American.
The task force leader, sheriff's lieutenant Robert Costa, said the
number of people vulnerable to identity theft in the case could reach
That's a much higher number than the latest estimate acknowledged by
ChoicePoint, which belatedly sent warning letters to a total of
145,000 people in various states after a chorus of complaints.
The volume of data compromised was so huge that deputies are almost
certain that a 41-year-old Nigerian man sentenced Thursday to 16
months in jail in the scam did not act alone.
The man, Olatunji Oluwatosin, was arrested on Oct. 27 when ChoicePoint
faxed him some paperwork at a Kinko's store in a sting operation. He
pleaded no contest and did not agree to help authorities in the probe.
"We were victimized by some extremely well organized criminals,"
ChoicePoint spokesman Chuck Jones said.
An Alpharetta, Ga.-based spinoff from the credit-reporting giant
Equifax, ChoicePoint maintains databases that hold 19 billion Social
Security numbers, credit and medical histories, motor vehicle
registrations, job applications, lawsuits, criminal files,
professional licenses and other pieces of sensitive information.
ChoicePoint also owns a DNA analysis lab and facilitates drug testing
But ChoicePoint and other privately owned aggregators of personal
information operate with virtually no federal oversight, and critics
say the companies haven't done enough to safeguard their
Word of the identity theft case got out after ChoicePoint sent warning
letters last week to people in California; the only state with a
law requiring disclosure of such security breaches to people whose
identities are threatened. But ChoicePoint said it discovered the
breach in October, when the Los Angeles County Sheriff's Department
began investigating one case of identity theft.
Jones initially told The Associated Press on Tuesday that ChoicePoint
had not alerted the FBI or other federal law enforcement agencies, and
that "we don't have any evidence to indicate at this point that the
situation has spread beyond California."
But security experts scoffed at that idea, and other states'
politicians quickly demanded the same consideration for their
residents that Californians were getting.
On Wednesday, Sen. Dianne Feinstein D-Calif., called for hearings on
her proposed national version of the California law, while Sen. Bill
Nelson D-Fla., asked federal regulators Friday to oversee
data-brokering companies the same way they do other companies that
handle financial and medical records.
New York state legislator James Brennan asked his state to suspend an
$800,000 ChoicePoint contract until the company agreed to warn any
New York residents whose data might have been exposed.
ChoicePoint eventually decided to send letters to 110,000 more people
around the country; an unprecedented move for the company, but
"the right thing to do" in this case, Jones said.
Victims should receive letters within a few weeks, Jones said, and
immediately check credit histories for suspicious activity. The
company also plans to release a list of states affected in the next
Costa, who runs Southern California's High Tech Task Force Identity
Theft Detail, said the estimate that as many as 500,000 people may be
threatened is based on records his department subpoenaed from
Costa also said that the FBI, the Secret Service and U.S. Immigration
and Customs Enforcement; the largest investigative arm of the
Department of Homeland Security; have now contacted his department to
join the probe.
Citing the ongoing investigation, ChoicePoint won't speak publicly
about details about the scam or discuss any security measures added
since the breach.
Costa says he can't reveal many details either. But some details have
Using stolen identities and faxing applications to ChoicePoint from
Kinko's stores, the thieves opened up 50 accounts and for months
received volumes of data on consumers, including names, addresses,
credit reports and Social Security numbers; all the data needed to get
credit in someone else's name.
The ring also set up commercial mail-receiving locations in places
such as Mail Boxes Etc., where deputies found redirected mail for more
than 700 people; everything from personal letters to junk mail to the
credit card applications that are like gold for con artists, Costa
ChoicePoint had required the con artists to fax copies of business
licenses, and verified through a background check that licenses were
valid for nonbank financial institutions. But they didn't perform
physical checks or visit the addresses, as they sometimes do, to make
sure they were legitimate.
Computer experts worry that ChoicePoint and other companies that
specialize in gathering and selling private information still aren't
sufficiently protecting it from unauthorized uses.
"Most financial organizations have very sophisticated fraud detection
algorithms to minimize the impact to the end user; why couldn't
this company have the same type of controls?" asked Joseph Ansanelli,
a member of the Financial Services Information Security Analysis
Center who has testified before Congress on identity theft and
consumer data privacy. "Even if the criminals misrepresented
themselves to do fraud, there are fraud detection programs that could
kick in at that point."
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . New articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Associated Press.
For more information go to:
[TELECOM Digest Editor's Note: My very strong recommendation is do NOT
assume Choice Point/Equifax will do anything more than absolutely
required under the law on this matter. I suggest **everyone** send a
letter to Choice Point/Equifax demanding a current copy of their
credit report, and so so frequently over the next year or two to
see how this thing plays out. Look over the reports you recieve very
closely, and dispute any degrogatory item on your report. The law does
require credit bureaus to investigate every consumer dispute and
remove every degrogatory item which the creditor is unable to prove
(or neglects to respond to) in a timely way. As people find out they
have been victimized, I also suggest a class action lawsuit against
Choice Point/Equifax, if those are still allowed, however President
Bush is working hard to eliminate your right to file suit against
corporations which have wronged you. But I do recommend you look into
this ASAP, not relying on the credit bureau to tell you about it. PAT]