Monday, February 28, 2005

When identity thieves strike data warehouses

By Robert Vamosi
“ChoicePoint was not hacked
Several media accounts described the data breach at ChoicePoint as a computer hack. It wasn't. At this time, details are still emerging on what really happened at ChoicePoint, but the customer data was obtained through fraudulent accounts, and the practice appears to have spanned more than one year. There was no database compromise involved. Instead, it appears that an individual or group of individuals fraudulently created accounts with ChoicePoint, then obtained personal data from those accounts and used it to defraud people whose profiles are stored in ChoicePoint's data warehouse by changing billing addresses, then opening up credit accounts under a victim's name. So far, only one person has been charged in the fraud, a 41-year-old Nigerian man living in Los Angeles named Olatunji Oluwatosin, who now faces six felony counts including identity theft.

Ironically, ChoicePoint is a business that provides identification and credential verification for others, yet initial reports suggest a breakdown in ChoicePoint's own client-authentication process that allowed this fraud to occur.

Thank goodness for California laws
Fortunately, California has an identity theft law on the books, SB 1386. Because ChoicePoint retains information about residents in California, ChoicePoint is required by law to disclose any breach of information, which the company did. In fact, we might not have known about the ChoicePoint breach without SB 1386. Soon after the media learned of the initial breach, ChoicePoint felt compelled to notify as many affected individuals as it could, opening a tidal wave of disclosures that now includes more than 140,000 people in nearly all 50 states and the District of Columbia, and at least one class-action lawsuit.

So why don't more states have these laws? Some state houses across the country are considering identity-theft disclosure laws similar to California's. Then why isn't there a federal law? Good question.

After the success of the California law, Senator Dianne Feinstein (D-California) introduced national legislation, SB 115, modeled after the California law, requiring all companies doing business in the United States to notify their customers whenever there's a breach of customer data including first and last names, date of birth, social security number, and address. Unfortunately, the Feinstein bill has no cosponsors in Congress.

As I write, Senate Judiciary Committee chairman Arlan Spector (R-Pennsylvania) has announced plans to hold Senate hearings to examine the privacy, security, and civil liberty implications involved with the sale of personal information. And Senator Bill Nelson (D-Florida) has started studying additional legislation. Nelson should be familiar with ChoicePoint: In 2000, a subsidiary of ChoicePoint, DBT, was hired by the state of Florida to remove felons from the voter registration lists, but the company ended up deleting legitimate voters as well.

Which gets us to next problem: accuracy
If you live in the western United States, you can now request once-a-year free access to your credit history via the big three credit agencies (the Midwest and East Coast will follow suit shortly). The idea is to spot identity theft and also to give you the ability to clarify any errors (yes, the credit agencies sometimes make costly errors). But how do you spot and correct inaccurate information contained by ChoicePoint and others? At the moment, you can't.
con·cept: When identity thieves strike data warehouses