ID Theft and ChoicePoint Imbroglio

[David Farber <dave () farber net>]

washingtonpost.com 
ID Data Conned From Firm
ChoicePoint Case Points to Huge Fraud

By Robert O'Harrow Jr.
Washington Post Staff Writer
Thursday, February 17, 2005; Page E01

One of the nation's biggest information services has
begun warning more than 100,000 people across the
country they may be targets of fraud, following
disclosures the company inadvertently sold personal
and financial records to fraud artists apparently
involved in a massive identity theft scheme.

ChoicePoint Inc. electronically delivered thousands of
reports containing names, addresses, Social Security
numbers, financial information and other details to
people in the Los Angeles area posing as officials in
legitimate debt collection, insurance and
check-cashing businesses.

At least 700 victims have had their mailing addresses
changed, apparently by people connected to the scheme,
authorities said. Identity thieves often change the
addresses of victims in order to gain control of
credit card offers and other mail. No one knows the
extent of the fraud or the financial impact,
authorities said. Only one suspect has been arrested.

Earlier this week, ChoicePoint officials said the
records of about 35,000 people in California may have
been disclosed. But yesterday, the company said the
scope of the scheme is probably much wider than it
originally reported. Company officials said they were
sending out more letters to 110,000 addresses
throughout the country that may be connected to the
reports delivered to the fraudsters.

"We have reason to believe your personal information
may have been obtained by unauthorized third parties,
and we deeply regret any inconvenience this event may
cause you," the letters say.

Authorities said the number of records involved may go
higher as the investigation continues. "This is way
far more reaching," said Los Angeles Sheriff's
Department Lt. Robert Costa, commander of an identity
theft unit. "I believe that when we're done it will be
more than a half million nationally. It's huge."

Alpharetta, Ga.-based ChoicePoint maintains databases
with billions of records about nearly every adult in
America, including credit reports and criminal
records. Over the past seven years, it has acquired
more than 50 other information companies. Like others
in the industry, the company routinely sells dossiers
to police, lawyers, reporters and intelligence and
homeland security officials across the Internet.

The current case, reported earlier this week by MSNBC,
comes at a time when identity fraud and theft are on
the rise, with as many as 10 million Americans a year
falling victim to criminals who charge goods in their
names or empty their bank accounts. It follows scores
of other information breaches in recent years that
have exposed financial, health care and other
identifying information of millions of people, many of
whom never discover they were put at risk.

In recent days, for instance, a group of former
military and intelligence officials were told they
were at risk of identity theft after thieves broke
into offices of a government contractor and took
computers containing the Social Security numbers and
other personal information about tens of thousands of
past and present company employees. Millions of
financial records have been stolen by hackers from
banks and credit industry companies in recent years.

Critics said retailers, credit issuers, information
services and other companies have not done enough to
protect the extraordinary caches of personal data
collected over the past decade.

"This is an issue that goes beyond ChoicePoint.
They're just one company," said James X. Dempsey,
executive director of the Center for Democracy and
Technology, which advocates for privacy and computer
security. "Both the industry and Congress need to pay
attention to the security of personal information."

Marc Rotenberg, executive director of the Electronic
Privacy Information Center, said the case raises
important questions about who is responsible when
companies are tricked into releasing data. "Companies
such as ChoicePoint are operating with too little
oversight," he said.

The ChoicePoint case began unfolding last fall.
Initially, company employees assumed the requests for
information were legitimate, because the applicants
appeared to work at registered companies in the
Hollywood area. But company investigators noticed that
applications for access to the company's massive
databases were coming from Kinko's stores, sometimes
via fax machines. 

A ChoicePoint official said dossiers, possibly
including thousands of credit reports, were delivered
to personal computers over the World Wide Web or
mailed to suspects who had opened close to 50 accounts
with the company. The reports, including credit
reports, typically cost between $5 and $17, company
officials said. 

Last fall, the company sought help from authorities in
Los Angeles, and together they tricked a suspect into
returning to one of the Kinko's stores in late
October. There, they arrested Olatunji Oluwatosin, 41,
of North Hollywood, who is set to appear in a state
court today on six counts of violating the state
identity theft statute, authorities said. Three of
those counts relate to activity in other states.

Investigators still do not know the extent to which
the information was used or resold. They have been
receiving assistance from postal inspectors. But the
case has not gone as smoothly as investigators would
have liked. Police said that's in part because
ChoicePoint did not appear willing to quickly share
information about the case, an allegation the company
denies. 

"We've been following up on leads while waiting for
ChoicePoint," said Costa, the sheriff's department
investigator who leads the Southern California High
Tech Task Force's identity theft detail.

ChoicePoint spokesman James Lee said the company
learned for the first time yesterday the case involved
people in states outside California. He said the
company has done everything it can to bolster security
immediately and help with the investigation. The
company also is considering "fundamental changes" in
security procedures and customer authentication.

"We're not to blame, but we're taking responsibility,"
Lee said. "The people committing the fraud were
smarter and quicker than we were.

"It's a wake-up call," he said. "Everybody needs to be
ever vigilant and diligent." 

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/