Calls for federal regulation grow as Choicepoint scandal widens

<p>When word first emerged this week that scammers had illegally obtained detailed dossiers on 35,000 people by posing as legitimate customers of Georgia-based ChoicePoint Inc., the data-brokering company portrayed it as a relatively minor criminal case, limited to California.</p><p>But by week's end, it was shaping up to be a full-blown scandal with as many as a half million people nationwide potentially vulnerable to identity theft.</p><p>Outraged, attorneys general from 19 states, consumer advocates and security experts were all demanding federal oversight of a lightly regulated industry that gathers and sells personal data about nearly every adult American.</p><p>On Friday, the Los Angeles task force in charge of the criminal investigation confirmed that at least 700 people had their identities stolen during the year-long scam by still unknown con-artists who had signed up as clients of ChoicePoint, which is based in Alpharetta, Ga.</p><p>The task force leader, sheriff's lieutenant Robert Costa, said the number of people vulnerable to identity theft in the case could reach 500,000.</p><p>That's a much higher number than the latest estimate acknowledged by ChoicePoint, which belatedly sent warning letters to a total of 145,000 people in various states after politicians across the country joined a growing demand for tighter federal regulations.</p><p>The volume of data compromised was so huge that deputies are almost certain that a 41-year-old Nigerian man sentenced Thursday to 16 months in jail in the scam did not act alone.</p><p>The man, Olatunji Oluwatosin, was arrested when ChoicePoint faxed him some paperwork at a Kinko's store in a sting operation. He pleaded no contest and did not agree to help authorities in the probe.</p><p>"We were victimized by some extremely well organized criminals," ChoicePoint spokesman Chuck Jones said.</p><p>A spinoff from the credit-reporting giant Equifax, ChoicePoint maintains databases that hold 19 billion Social Security numbers, credit and medical histories, motor vehicle registrations, job applications, lawsuits, criminal files, professional licenses and other pieces of sensitive information. ChoicePoint also owns a DNA analysis lab, facilitates drug testing for employers and sells background-checking software at Sam's Club.</p><p>But ChoicePoint and other privately owned aggregators of personal information operate with virtually no federal oversight, and critics say the companies haven't done enough to safeguard its information-rich databases.</p><p>"There's a serious problem that we as a nation don't seem to grasp _ that the public is at risk whenever organizations collect massive amounts of information about us and they don't take extraordinary precautions to ensure that that information is protected," said Dr. Larry Ponemon, who runs a research firm in Tucson, Ariz., dedicated to privacy management in business and government. "People ought to be standing in lines protesting this."</p><p>Word of the identity theft case got out after ChoicePoint sent warning letters to people in California _ the only state with a law requiring disclosure of such security breaches to people whose identities are threatened. But ChoicePoint said it discovered the breach in October, when the Los Angeles County Sheriff's Department began investigating one case of identity theft.</p><p>Jones initially told The Associated Press on Tuesday that ChoicePoint had not alerted the FBI or other federal law enforcement agencies, and that "we don't have any evidence to indicate at this point that the situation has spread beyond California."</p><p>But security experts scoffed at that idea, and other states' politicians quickly demanded the same consideration for their residents that Californians were getting.</p><p>On Wednesday, Sen. Dianne Feinstein, D-Calif., called for hearings on her proposed national version of the California law, and New York state legislator James Brennan asked the state to suspend an $800,000 ChoicePoint contract until the company agreed to warn any New York residents whose data might have been exposed. By Thursday, 19 state attorneys general sent an open letter to ChoicePoint, demanding more details about the crime.</p><p>ChoicePoint eventually said it was sending letters to 110,000 more people around the country _ an unprecedented move for the company, but "the right thing to do" in this case, Jones said.</p><p>Victims should receive letters within a few weeks, Jones said, and immediately check credit histories for suspicious activity. The company also plans to release a list of states affected in the next several days.</p><p>Costa, who runs Southern California's High Tech Task Force Identity Theft Detail, said the estimate that as many as 500,000 people may be threatened is based on records his department subpoenaed from ChoicePoint.</p><p>Costa also said that the FBI, the Secret Service and U.S. Immigration and Customs Enforcement _ the largest investigative arm of the Department of Homeland Security _ have now contacted his department to join the probe.</p><p>Citing the ongoing investigation, ChoicePoint won't speak publicly about details about the scam, or discuss any security measures added since the breach.</p><p>Costa says he can't reveal many details either. But some details of the scam have been released.</p><p>Using stolen identities and faxing applications to ChoicePoint from Kinko's stores, the thieves opened up 50 accounts received volumes of data on consumers, including names, addresses, credit reports and Social Security numbers _ all the data needed to get credit in someone else's name.</p><p>The ring also set up commercial mail-receiving locations in places such as Mail Boxes Etc., where deputies found redirected mail for more than 700 people _ everything from personal letters to junk mail to the credit card applications that are like gold for con artists, Costa said.</p><p>ChoicePoint had required the con artists to fax copies of business licenses, and verified through a background check that licenses were valid for nonbank financial institutions. But they didn't perform physical checks or visit the addresses, as they sometimes do, to make sure they were legitimate.</p><p>Computer experts worry that ChoicePoint and other companies that specialize in gathering and selling private information still aren't sufficiently protecting it from unauthorized uses.</p><p>"Most financial organizations have very sophisticated fraud detection algorithms to minimize the impact to the end user _ why couldn't this company have the same type of controls?" asked Joseph Ansanelli, a member of the Financial Services Information Security Analysis Center who has testified before Congress on identity theft and consumer data privacy. "Even if the criminals misrepresented themselves to do fraud, there are fraud detection programs that could kick in at that point."</p>

http://accesswdun.com/article/2005/2/151361