ChoicePoint Feeling the Heat

AP says:

An executive of embattled data broker ChoicePoint Inc. says the company is developing a system that would allow people to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses. ChoicePoint's announcement comes a month after it disclosed that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal records.

Posted on April 2, 2005 at 9:09 AM • 18 Comments

Comments

Anonymous • April 2, 2005 11:43 AM

Yes, but if they allow us to view it, then they will have to let us correct it. As the credit reporting companies know, this is an extremely expensive proposition, especially considering how much of their data is actually incorrect. Their current business model relies on quantity rather than quality, and so spending the money to allow people to correct their data is probably not a profitable investment.

jet • April 2, 2005 1:16 PM

I bought a copy of my ChoicePoint file thru my employer a few years ago when we were evaluating companies that do background checks. I discovered that I'd been married twice, once to one of my housemates and once to someone I'd never heard of. My current (and first) wife was not amused by this nearly as much as I was.

Chia • April 2, 2005 1:45 PM

If they allow us to "correct" our information, would they then spend the effort to validate those corrections? I would then have the right to correct those corrections, right? Sounds like a vicious cycle, ending only when ChoicePoint decides to rescind my right to correct it...

John David Galt • April 2, 2005 2:18 PM

Letting us view our information (which I believe the law already requires, and why isn't ChoicePoint already included in annualcreditreport.com?) is necessary but not sufficient. Such agencies should also be required to disclose the source of the information, so that anyone who puts lies in your record can be sued for slander.

Jim Horning • April 2, 2005 7:59 PM

What worries me most about this is how they will validate those making the queries or corrections. This has the potential of being a goldmine for identity theft.

Bruce Schneier • April 3, 2005 6:44 PM

"I wouldn't give ChoicePoint my telephone number. Enough said?"

Unfortunately, no. None of us give ChoicePoint any of our information. They get it from third parties.

Aaron • April 4, 2005 12:47 AM

As sad as this event is for those whose information was stolen, hopefully this event will shed (much needed) light on social engineering and database security.
The California law requiring companies to disclose they have had a security breach when it involves personal information is the key idea here... This should be implemented nationally, no excuses. As long as our information (and identity) is out of our hands...(little protection) we can at least have some methods of detection and reaction.
Sadly legislation drags its heavy feet, even in an obvious and sad "proof-of-concept" event such as this...
see:
http://library.findlaw.com/2003/Sep/24/133059.html
http://www.privacyrights.org/ar/ITLawsCA.htm

SoulCrusher • April 4, 2005 5:21 AM

Everyone (now) knows that a significant proportion of the ChoicePoint data are incorrect (in some cases, spectacularly so). Given this, it seems pointless for concerned individuals to bother correcting the data about themselves, since hardly anyone takes the ChoicePoint data seriously.

Any business basing its customer assessments on CP's data is going to find itself in financial trouble pretty quickly, if the stories of gross inaccuracies are true.

Greg • April 4, 2005 7:09 AM

Might it not be useful to deliberately corrupt the personal information held by Choicepoint? You might be able to prevent your data matching when someone tried to cross-reference your information. You also get to de-value their database...

Israel Torres • April 4, 2005 8:25 AM

:ChoicePoint and ilk sing this song (laughing all the way to the bank):
I'm rubber and you're glue
whatever is rumor
Bounces off of me
And sticks to you!

Chorus: so what if it isn't true...

I'm rubber and you're glue
whatever is rumor
Bounces off of me
And sticks to you!

Israel Torres


Fred • April 4, 2005 9:57 AM

I personally always corrupt the information when they ask for it and have no right. I have been born and live in a lot of different places if they buy the information from the people that ask for that to 'make sure they spoke to me'. I am taller, shorter, have had a lot of different mothers, and my eye color, hair color, etc. is very different. I think of it as self defense.

Brian • April 4, 2005 10:40 AM

What is in it for the consumer to go through the trouble of correcting this information? I don't want them selling my info in the first place, so why would I make their data more valuable?

@Brian • April 4, 2005 11:30 AM

"What is in it for the consumer to go through the trouble of correcting this information? I don't want them selling my info in the first place, so why would I make their data more valuable?"

The thing is that the owners of said information have no control over it. Over our lifetimes we have given this information out freely. It is free game. Nothing is there to stop someone from building an independent file on you (whether you like it or not). The validity comes when other companies that do not have the time and research depth to find out who you are rely on these companies with large databases of profiled information on individuals. In one way or another these profiles may cause you pain such as being denied something because of something that was revealed in your profile (regardless if it is valid information). A one-man-boycott really won't make a dent on anyone except yourself. It is like saying "I don't want to play anymore so I am going to close my eyes and pretend this beast isn't here"... it doesn't work by ignoring.

Israel Torres

Brian • April 4, 2005 12:51 PM

Yeah, I kind of knew that. Is the consensus that since they claim to act in good faith that I can't recover any compensation if I am harmed (e.g. denied a job) by their incorrect data (supposing I knew they were the source)?

Israel Torres • April 4, 2005 1:17 PM

@Brian,
As the crow flies it pretty much is about he-said/she-said... you basically have to have the parties that contributed the information to this large monolith to urge these guys to fix it... but all these guys are selling information without much audit control. (so good luck) Thus, tracing exactly whom you have to arm wrestle to fix the information is a nightmare in itself.

Imagine fixing a credit report, except the credit report knows kung-fu.

Israel Torres

Davi Ottenheimer • April 6, 2005 12:36 AM

I think the most disturbing aspect of ChoicePoint is that the leaders involved consistently said they were preserving national security and upholding a new standard in personal privacy.

I mean you have to note that their CISO, and ex-Officer of the NSA, was Georgia’s Information Security Executive Officer of the Year in 2004.

Such a position should imply at least due diligence with regard to data integrity and confidentiality. Instead, we get indignant and self-righteous comments from the CEO, CFO and this man as he tries to completely deflect the issue. For example:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1062076,00.html

"I was at RSA among other CISOs when the media frenzy around this kicked in. I would never have thought the media would spin it as atrociously as they have. None other than Howard Schmidt came up to me and told me he felt badly."

Poor poor CISO. Clearly you are a victim of a terrible situation that you have absolutely no control over. No responsibility on your part and no public apology or statement on changes necessary. Nope, none. Who would dare say that preventing fraudulent access to data would be your concern?

Somehow, I have a hard time believing that Baich is still a presenter at conferences, claiming to be an authority on "corporate security":

http://www.tmconferences.com/agenda.html?conf=CTST05ST&iter=1

"10AM. Security as an Integral Component of Corporate Strategy. Security planning begins at the beginning--as an integral part of corporate strategy. This presentation shows how one company incorporated security into its strategic planning. Speaker: Rich Baich"

I can hear him now..."thank you both for attending. If either of you are with the media, please raise your hand so security can escort you from the building. I just want to remind you that I firmly believe corporate security is not about stopping someone from selling personal identity information to criminals. In other words, I am here to say that if money is exchanged, then information flow can not be classified as a breach or "hack". In fact, my CEO calls that good business sense -- the more money exchanged for access to your most sensitive information the more successful you will be as a CISO! And what a great career it can be. Just ask my good friend Howard who is presenting down the hall on why regulation (to protect public interests such as privacy and freedom) is bad for business..."


Think I'm being too harsh? Consider his prophecy for ChoicePoint data in early 2004:

http://www.nwfusion.com/supp/2004/ndc/0216manage.html

"'The last thing you want to do when securing your data center is shut out revenue-generating partners or customers,' says Rich Baich, CIO at Choicepoint"

Somehow I doubt the media was misquoting him. Perhaps this was the article the criminals read and said to themselves, "now here is a CIO/CISO we can work with." Yes, the LAST thing you would want to do, if you are in charge of corporate security at ChoicePoint, is interfere with revenue.

Disgusting.

Derek Smith, Baich and others who boasted of their security acumen should be held directly responsible, or there will just be many more executives just like them out to make huge profits with willful disregard for public welfare and/or safety. It's a common sense situation that other industries have had to face and deal with properly.

I've said it before, and I'll say it again. Enron was full of "entrepreneurial brilliance" until we realized they were cooking the books. ChoicePoint's "entrepreneurial brilliance" was also based upon a web of lies. How ironic that not only was Smith making money hand over fist with his ruse and "beat the system" style of leadership, but he also published books about protecting against identity theft as if to thumb his nose at the public.

http://atlanta.bizjournals.com/atlanta/stories/2005/03/07/story3.html

Teresa • April 18, 2005 8:41 PM

I was just screwed out of a job by ChoicePoint. A potential employer ran an "SSN Trace" on me. ChoicePoint told them that my file was classified "high-risk fraud alert," and inferred that I was possibly using multiple aliases for criminal purposes. The employer withdrew the job offer.

What, you may ask, was my crime? I recently got married and took my husband's surname. Having two names attached to my SSN is what triggered the "high-risk fraud alert." Best of all, ChoicePoint very snidely informed me that this was my problem, because I was the one who got married and changed my name. They said that they "have to red-flag any SSN that has more than one name attached to it." I asked them if they'd ever heard of women getting married and changing their last names, and the "customer service" rep repeated her line about how ChoicePoint "has" to red-flag any SSN with more than one name attached.

Now, if any other employer wants to run a background check on me, I have to worry that I will again fail the "SSN Trace" just because I took my husband's name.

If this happened to me, it can happen to anyone. ChoicePoint needs to be reined in NOW.
