By Bob Sullivan
Technology correspondent MSNBC
A Miami-Dade police officer allegedly peeked at thousands of private
consumer records in what database giant ChoicePoint described as
illegal use of its information. The company also announced three other
incidents of improper access, two involving private investigators.
The incidents were discovered in February, said ChoicePoint marketing
director James Lee, when the company was investigating a systematic
electronic break-in by a crime ring that managed to steal some 145,000
records from the firm's massive database. The Alpharetta, Ga.-based
firm maintains records on nearly every adult in the United States.
ChoicePoint is sending out notice of the privacy breach to all those
affected and offering a year of free credit monitoring. The letters
state that Social Security numbers, addresses, dates of birth, and
other personal information might have been accessed by rogue employees
at legitimate agencies, the firm said. The company waited until now to
notify consumers at the request of the various law enforcement
agencies conducting their own investigations, Lee said.
In the biggest single incident, 4,689 people's records may have been
improperly accessed by an officer of the Miami-Dade Police Department
in Florida. Department spokeswoman Detective Mary Walters said the
officer had been suspended and an investigation was ongoing. She
declined to identify the officer and said no charges had been filed.
The three other incidents announced Friday were:
.. Two California-based private investigators, Kenneth Beck and Robert
Starr, allegedly used ChoicePoint's data to hunt for possible identity
theft victims, Lee said.
.. A Texas-based firm named RPM was found to have improperly accessed
data.
.. An employee of an "accredited insurance" company that ChoicePoint
would not name, citing contracts with the firm, was also alleged to have
improperly accessed records.
In total, the three incidents resulted in 547 warning notices being sent
to victims, Lee said.
ChoicePoint also announced Friday it will send out an additional 4,667
notices to newly-discovered victims of the high-profile data theft
revealed in February. Those consumers will also get a year of free
credit monitoring.
In the wake of that incident, ChoicePoint began taking a closer look
at how its databases were being accessed.
"We identified some unusual search patterns," Lee said. "We have the
ability for certain law enforcement customers to track the usage and
report when there are anomalies."
The firm passed the information on the U.S. Secret Service and other
law enforcement agencies, which are conducting their own investigations.
'Access without accountability'
Privacy rights advocate Chris Hoofnagle of the Electronic Privacy
Information Center said the revelations highlight a serious problem
with the use of electronic investigation tools such as ChoicePoint's
database: Law enforcement officials might abuse such systems to
conduct personal searches.
"One concern is the problem of law enforcement having access without
accountability," he said. Hoofnagle said he warned of this problem
four years ago in a law journal article titled "Big Brother's Little
Helper."
"This clearly raises the question of whether or not anyone is
overseeing law enforcement users of ChoicePoint," he said. "Can
police officers just root through the files and take whatever they
wish with no accountability; no need for warrants, etc?"
But Hoofnagle did praise the ability of Choicepoint auditors to
uncover these incidents.
"That's a good thing, that ChoicePoint found these errant users of the
system and that the public has received notice of them," he said.
Lee said ChoicePoint does all it can to make sure its service is used
legitimately, but he said the firm's clients also need to guard
internally against misuse.
"We are using our technology to the degree that we can ensure searches
are proper, but with any customer there has to be internal controls,"
he said.
Congress is currently debating legislation that would make customer
notifications when private data is leaked mandatory nationwide,
imitating a state law that protects California residents.
However, currently it's not clear which firm would have the
responsibility to send the notifications: ChoicePoint, which owns the
data, or the companies with the rogue employees that allegedly stole
the data. While ChoicePoint was not necessarily legally obliged to
send the notifications, the company chose to do so "to avoid
arm-wrestling" with the other firms, Lee said.
So far this year, nearly 50 million consumers' data has been reported
lost, stolen, or exposed to hackers. ChoicePoint's data theft, first
reported Feb. 14 on MSNBC.com, began a string of reported incidents
that has highlighted the fragility of systems used to protect consumer
data.
Copyright 2005 MSNBC Interactive
Copyright 2005 MSNBC.com
URL: http://msnbc.msn.com/id/9370909/page/2/
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, MSNBC Interactive.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Bob Sullivan (sullivan@msnbc.com)