more on Database giant gives access to fake firms

[David Farber <dave () farber net>]

------ Forwarded Message
From: Marc <marcaniballi () hotmail com>
Date: Tue, 15 Feb 2005 08:54:28 -0500
To: <dave () farber net>
Subject: RE: [IP] Database giant gives access to fake firms

Hello Dave;
 
For IP if you like.
 
As we are all aware these days, we live in a world that gives individuals
unprecedented powers. The advance of technology now provides consumer
available products that allow anyone so motivated (and it can be
accomplished in many cases by ONE person) to commit physical acts of
destruction well beyond the capacity of the average person only 50 years
ago. The govenment, as it should, legislates and controls access to these
technologies and other products. But I would like to know which is more
dangerous to the average person; the risk of a Timothy McVeigh style attack,
or the risk of identity/credit fraud/extortion? While the government
controls access to firearms (to a degree anyway) and dangerous chemicals and
technologies - holding the manufacturers/distributors to strict regulation,
control and accountability, they do not seem to do the same with companies
like ChoicePoint. The fact that "fake" companies were able to access the
database shows that the company is not formally regulated (at least not
against this form of breach) and moreover is not legally bound and
accountable for the risks to which it is exposing the public through its
incompetence. If they were accountable for (consumer) damages resulting from
their error, I am positive that they wouldn't have been so easily duped.
 
The right to gather data of this nature is a matter of debate (in this list
among other places), but regardless of whether it is
legal/moral/constitutional for someone to gather this data, the fact that
they have the data should impose upon them a legally binding accountability
that ensures that the data is never accessed except by fully qualified and
government sanctioned clients. A database of the type ChoicePoint manages
with a significant portion of the US population recorded within it would, in
my opinion, rank right up there with strong crypto, advanced processors and
computers and enriched plutonium as a tool/technology for creating weapons
of mass destruction. Mass destruction from credit fraud, you ask? Why not?
With a few talented programmers and a bit of social hacking, the contents of
ChoicePoint's database could be used to coordinate an automated credit fraud
system that ran completely automatically and attacked millions of victims in
a few hours. The scenarios are legion, but controllable, if only companies
like ChoicePoint were to be held liable for their mistakes.
 
The article below is rather clear in its portrayal of ChoicePoint as victim
of a crime and criminal investigation - ChoicePoint is not a victim, it is a
collaborator - although a legal team would probably try to add "unwitting."
In my opinion, anyone in possession of a database of this nature ought to be
treated the same as someone in possession of a top secret defense contract -
if there is a leak of any kind, there are SERIOUS repurcussions.
 
Marc


From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com] On Behalf Of
David Farber
Sent: February 15, 2005 6:17 AM
To: Ip
Subject: [IP] Database giant gives access to fake firms


------ Forwarded Message
From: <EEkid () aol com>
Date: Tue, 15 Feb 2005 04:40:03 -0500 (EST)
To: <dave () farber net>
Subject: Database giant gives access to fake firms

Dave, 

Use as you see fit.

I predicted this would happen.  Now, I'm waiting for the first espionage
case connected with privatized collection of personal data.  It's only a
matter of time before privatized dossiers are used to blackmail someone with
a security clearance.  Perhaps it's already happening.

Simply stating 'we apologize for any inconvenience' when your identity is
stolen is not good enough!  This cavalier collection of personal data on all
Americans is a foreign intelligence agent's wet dream, come true.

Jerry

****************************************************************************
***********

 
Database giant gives access to fake firms
ChoicePoint warns more than 30,000 they may be at risk
EXCLUSIVE
By Bob Sullivan
Technology correspondent
MSNBC
 
Updated: 6:38 p.m. ET Feb. 14, 2005
Criminals posing as legitimate businesses have accessed critical personal
data stored by ChoicePoint Inc., a firm that maintains databases of
background information on virtually every U.S. citizen, MSNBC.com has
learned. 

The incident involves a wide swath of consumer data, including names,
addresses, Social Security numbers, credit reports and other information.
ChoicePoint aggregates and sells such personal information to government
agencies and private companies.

Last week, the company notified between 30,000 and 35,000 consumers in
California that their personal data may have been accessed by "unauthorized
third parties," according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state's
consumers when they are discovered. It is the only state with such a
requirement but such data thefts are rarely limited to a single geographic
area.

Lee said law enforcement officials have so far advised the firm that only
Californians need to be notified.

"The only incident that has been confirmed is in California," he said.

ChoicePoint maintains a dossier on virtually every American consumer,
according to Daniel J. Solove, George Washington University professor and
author of "The Digital Person."

The Atlanta-based company says it has 10 billion records on individuals and
businesses, and sells data to 40 percent of the nation's top 1,000
companies. It also has contracts with 35 government agencies, including
several law enforcement agencies.

Victims told months after the fact
The incident was discovered in October, when ChoicePoint was contacted by a
law enforcement agency investigating an identity theft crime. In that
incident, suspects had posed as a ChoicePoint client to gain access to the
firm's rich consumer databases.

Subsequent research by ChoicePoint revealed that about 50 fake companies had
been set up and then registered with ChoicePoint to access consumer data.

California consumers who received warning letters from the firm last week
were "in some way connected to searches" conducted by those fake accounts,
Lee said.

The firm was only given clearance by law enforcement officials to disclose
the incident two weeks ago, Lee said

While the criminals had access to ChoicePoint data, it's not clear what, if
any, information was stolen, said Chuck Jones, another ChoicePoint
spokesman. The letters were sent as a precaution, he said.

The FBI, Los Angeles County Sheriff's Office, and the U.S. Postal
Inspector's Office are investigating, he said.

Consumer frustrated by notification
The letter urges consumers to check their credit reports for suspicious
activity.

"We believe that several individuals, posing as legitimate business
customers, recently committed fraud by claiming to have a lawful purpose for
accessing information about individuals," it reads. "You should continue to
check your credit reports frequently for the next year."

The two-page letter offers details on how to spot fraud, but no additional
information about the incident, or what information may have actually been
stolen.

  
  
"ChoicePoint has apologized for any inconvenience this incident may cause,"
said ChoicePoint spokesman Chuck Jones.  "But ChoicePoint has no way of
knowing whether anyone's personal information actually has been accessed,"
or used to commit identity theft, he added.

California consumer Elizabeth Rosen, who received the ChoicePoint letter
Friday, was upset that the company only provided sketchy details about the
incident to her.

"They gave a toll free number to call, but when I called, the person just
read from a script ... they said disclosing too many details may hurt an
ongoing investigation," Rosen said. "I'm not happy about this. I didn't even
know who ChoicePoint was."

That reaction is common, according to Solove.

"Even though you might not have heard of ChoicePoint, they've heard of you.
They are playing a role in your people's lives whether they know it or not,"
he said.

Privacy consultant Larry Ponemon, who operates the Ponemon Institute, said
he was surprised criminals were able to pose as ChoicePoint clients.

"What really concerns me is when low-tech methods are used to gain access,
than you really have problems," said. "Obviously this is very surprising,
given that they are in the data business."

Jones said ChoicePoint had adjusted its procedures to "help protect against
a repeat" of the incident.

 


------ End of Forwarded Message

You are subscribed as marcaniballi () hotmail com To manage your subscription,
go to http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/


------ End of Forwarded Message

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/