by: Trevor Bauknight
Last week, Atlanta-based Choicepoint (http://www.choicepoint.com), a giant consumer information clearinghouse, revealed that some of the massive amounts of personal data the company stores on virtually every American citizen was compromised. We found out about this because some 30,000 Californians received mail warning them that the personal information in question may have belonged to them. That was the tip of the iceberg.
Since the initial story broke, we have found out that the compromised information was not restricted to Californians. Only the notification was. Why? California is the only state where the law requires such notification. The company says it sent out an additional 110,000 letters when investigators told them that people outside California may have been affected; but the Los Angeles County Sheriff's office investigating the incident suspects that the number of people affected may reach half a million nationwide.
What is ChoicePoint?
ChoicePoint is a data broker holding some 19 billion records obtained from government, insurance and business sources. The Electronic Privacy Information Center (EPIC - http://www.epic.org) describes the company this way: "According to a recent quarterly statement filed at the Security and Exchange Commission, ChoicePoint sells: 'claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services...'".
Since its spinoff from Equifax in 1997, the company has built its massive databases through the strategic acquisition of some 60 companies, among them: Pinkerton, Inc., a pre-employment screening company; Bridger Systems, a USA Patriot Act compliance company and Bode Technology Group, a DNA identification company. According to EPIC: "At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the 'Greatest Corporate Invader' award 'for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials.'" Powerful stuff.
What happened?
The ChoicePoint website points out (in boldface): "This incident was not a breach of ChoicePointճ network or a 'hacking' incident, and did not involve any of ChoicePointճ customer information." They're right. The data wasn't stolen. It was sold. And we can safely say that with a 22% growth on net sales of $918 million and 4% year-over-year growth in net profit, the company came out pretty well on the transactions.
Sometime last year, about 50 companies were set up for the specific purpose of accessing ChoicePoint data and defrauding private individuals, and these businesses became ChoicePoint customers in their own right with working logins and passwords. They proceded to guzzle and exploit ChoicePoint data; and in only a few months, at least 750 cases of actual identity theft originated in the abuse of this data. Organized crime has taken on new dimensions in the age of the Internet, and to say that this was "not a breach of ChoicePoint's network", while technically true, leaves the most important things unsaid.
As the infamous computer hacker Kevin Mitnick (http://www.defensivethinking.com) points out in his book on "social engineering" The Art of Deception: Controlling the Human Element of Security, a determined criminal need not be technologically-inclined to help herself to the data she wants. ChoicePoint's failure was in doing the very thing it claims to enable its customers to do verify that their customers are who they say they are.
What should you do?
Everyone is potentially impacted by this incident. As private individuals, you must be ever more vigilant of your personal identity. Some of the best ways to do that are outlined at the EPIC site above. Your credit report is usually the first indicator that something has gone wrong, and checking it rigorously and regularly for unusual queries, account activity, etc. should be your first order of business. Credit reporting agencies like Equifax offer comprehensive monitoring services, and mechanisms are finally being put in place to allow you to check this information free of charge, and details are available at
http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm
When using the Internet, always be wary of phishing schemes designed to lure you into supplying your personal information to illegitimate businesses masquerading as banks, eBay or even the IRS and FBI. Protecting your computer against spyware and viruses is getting easier now that Microsoft is supplying free software for doing so. But the key to computer security is keeping yourself educated and paying attention to security warnings, certificate verifications and unrequested changes to your system configuration and preferences. At Cafe ID (http://www.cafeid.com), a portion of our website and our time is dedicated to keeping our customers up-to-date on the latest information regarding these threats.
As business owners, you must be able to verify that the account you're opening is really for Mrs. Elder and not for a 41-year old Nigerian man. This is apparently so difficult that not even ChoicePoint can manage it, and it has billions of records and powerful databases at its disposal. Business owners must demand more accountability from these private, profit-driven data brokers, and that, too, is a tall order given that ChoicePoint claims as customers at least 35 Federal government agencies and numerous state and local agencies. The SBA (http://www.sba.gov) and the FTC (http://www.ftc.gov) are excellent resources to help you find out what you need to know and who you need to contact with your concerns.
Establish policies governing interactions with potential customers, and don't waver from them. Be suspicious of requests to do things differently for people, even if they sound like they know the jargon or things that maybe only the right people should know. Such manipulation is at the heart of social engineering. Do everything you can to establish your business identity and secure it with digital certificates and strong passwords. Your company website may be the most visible and the most vulnerable aspect of your Online Identity, so make sure you're dealing with reputable hosting companies. And don't attempt to conduct official transactions via e-mail. Addresses are easy to spoof, as the myriad phishing schemes illustrate.
If you think you already may be a victim of identity theft, there are several steps you should take immediately. Write to your creditors and inform them of what's going on, and use registered mail. Keep paper records of everything. Law enforcement is keenly aware of and interested in this problem, and they should be among the first people to know if you feel your identity has been stolen.
Those are great starting points, but the road is long and winding. Failure to walk it, however, can be disastrous to you, your family and your business.