ChoicePoint Information Theft: An Omen

I read at MSNBC that 30,000 - 35,000 California residents were warned that "unauthorized third parties" may have accessed their personal information, such as their names, addresses, Social Security numbers, credit reports and other information. The data was stolen from ChoicePoint, an Atlanta-based firm that describes itself as "a trusted source and leading provider of decision-making information that helps reduce fraud and mitigate risk. ChoicePoint has grown from the nation's premier source of data to the insurance industry into the premier provider of decision-making intelligence to businesses and government."

ChoicePoint claims the data was stolen through 50 fake companies that were set up to access the data. MSNBC says "The incident was discovered in October, when ChoicePoint was contacted by a law enforcement agency investigating an identity theft crime. In that incident, suspects had posed as a ChoicePoint client to gain access to the firm's rich consumer databases."

MSNBC also reports that ChoicePoint "says it has 10 billion records on individuals and businesses, and sells data to 40 percent of the nation's top 1,000 companies. It also has contracts with 35 government agencies, including several law enforcement agencies."

This is the same ChoicePoint that MSNBC profiled last month. In that story company vice president James A. Zimbardi said "We do act as an intelligence agency, gathering data, applying analytics."

If this private intelligence agency is going to collect and publish my personal information, it better be held to a high standard. I bet that California residents aren't the only Americans affected by this incident. I have no insider information but I expect to hear more details in the future.

This story comes on the heels of a Washington Post report that government contractor SAIC suffered a physical break-in at a San Diego facility on 25 January 2005. Thieves stole computers "containing the Social Security numbers and other personal information about tens of thousands of past and present company employees." Aside from this buried announcement, the reason we know of this intrusion is the California law requiring disclosure to those affected. In SAIC's case, that is 45,000 current and former employees.

Both of these incidents indicate that California's disclosure law needs to be expanded to the Federal level. How many other organizations are leaking personal data without our knowledge?

These two cases also demonstrate my security mantra that prevention eventually fails. Therefore, we need to have robust detection and response mechanisms in place. The best detection mechanism for an individual may be a service that provides access to your credit report (for a fee). This allows you to monitor access to your credit report and spot potentially fraudulent activity. Consumers in certain western US states are already entitled to an annual free credit report from each of the three credit bureaus. Check this Federal Trade Commission site for more details. It looks like those of us in the northeast will have to wait until 1 September 2005.

Once available, however, it looks like one could order one credit report from each bureau per year. It might be a good strategy to order one from Experian in, say, January, another from Equifax in May, and the third from TransUnion in September. The following year, repeat the cycle, in the same order. This strategy provides a look at your credit report every four months, as opposed to once per year.

The only response strategy is to follow the Federal Trade Commission's identity theft advice.

