Who owns you? Definitely ChoicePoint! Perhaps Con-Men. Suddenly 1984 looks good.

Submitted by Norm Roulet on Mon, 02/21/2005 - 00:00.

In October 2004 the personal identity aggregator and broker ChoicePoint was defrauded and gave con-men access to 100,000s of Americans' records - 1,000,000s of records - perhaps your social security number, and financial history, and medical files. You wouldn't know, unless you've experienced irregularities - ChoicePoint chose not to notify their victims, except in California, where state legislators have had the wisdom to require their citizens are notified of such fraud... but even there it took four months for ChoicePoint to mail notice to those 35,000 victims. If this sounds pathetic, it is. More pathetic is that we allow companies like ChoicePoint to aggregate and broker our personal identities. Is this what you want? Read on and realize this is not what you want. Keep visiting REALNEO to learn the alternatives... coming soon.

35,000 in state to receive warning: Personal information stolen in October, Georgia firm says

Verne Kopytoff, San Francisco Chronicle Staff Writer - Saturday, February 19, 2005

Tens of thousands of Californians will find out any day now if their personal information may have been compromised in a breach of security at a Georgia information services firm.

ChoicePoint, the Alpharetta, Ga., company, says that it sent out the last of its warning letters to 35,000 California residents Friday. All told, the company estimates that up to 145,000 people's information may have been stolen.

The case, disclosed earlier this week, has become a lightning rod for privacy advocates at a time when identity theft is emerging as an endemic problem.

"I really think that the profit motive has gotten in the way of the security motive," said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer group in San Diego. She and other experts say firms such as ChoicePoint are more committed to profit than keeping personal data secure.

ChoicePoint has 19 billion records covering virtually all U.S. residents. It is one of a handful of largely anonymous firms that collect information including Social Security numbers, driving records and insurance claims that is then used by employers, landlords and the government for background checks.

Criminals gained access to the database by posing as legitimate businesses and paying a fee. They then created up to 50 different accounts to search the firm's files.

Authorities said the criminals had tried to redirect the mail of at least 750 people, usually a first step in identity theft. In such cases, thieves drain the bank accounts or run up big credit card bills under other people's names.

The infiltration took place in October. But ChoicePoint said it had delayed going public at the request of law enforcement.

Olatunji Oluwatosin, a Nigerian national, was charged with six felony counts related to the incident, including identity theft. On Thursday, he pleaded no contest to one count in Los Angeles County Superior Court and was sentenced to 16 months in prison.

Law enforcement is still investigating to determine whether anyone else is responsible and who may have suffered financial losses.

Lt. Robert Costa, with the Southern California High-Tech Task Force identity theft detail, said he thought the number of people potentially affected might rise above half a million. However, ChoicePoint insists that number will be no higher than the current figure of 145,000.

The company said that letters to all 35,000 California residents affected would be mailed as of Friday. The state is the only one to require notification after personal data is compromised.

ChoicePoint plans to send similar letters to potential victims elsewhere.

Sen. Diane Feinstein, D-Calif., proposed legislation last month that would make notification a national requirement. Privacy groups applaud the idea, but they say the current version of the bill has too many loopholes, including the exclusion of some industries.

Consumer groups also want to expand the Fair Credit Reporting Act, which requires financial companies to vouch for the accuracy of their data. Some organizations say that current law applies to only parts of the information broker industry.

A big priority for consumer groups is for the public to be able to freeze their credit reports. This process allows people to block access to their credit reports by any credit card companies. Those firms therefore won't issue new cards to anyone, including identity thieves. People would be able to lift the freeze whenever they want. Such a law is already in effect in California and a few other states, but it hasn't been passed on the federal level.

"The ChoicePoint case is a perfect example of why we need to stop identity theft before it starts," said Jennette Gayer, consumer advocate for California Public Interest Research Group.

Acxiom, another information broker, had some of its personal data stolen twice in computer hackers in 2002 and 2003.

James Lee, chief marketing officer for ChoicePoint, which was spun off in 1997 from Equifax, the credit bureau, said that his company supported regulation.

"There needs to be some discussion of what is good information, what is the proper kind of information to use, when should it be used, and what are the penalties for misuse," he said.

At Least 700 Have Identities Stolen
By THE ASSOCIATED PRESS - NYTimes: February 19, 2005

SAN FRANCISCO (AP) -- At least 700 people had their identities stolen during a yearlong scam by con artists who had signed up as clients of data-broker ChoicePoint Inc., the Los Angeles task force in charge of the criminal investigation confirmed on Friday.

When word first emerged this week that still unknown scammers had illegally obtained detailed dossiers on 35,000 people by posing as legitimate customers of ChoicePoint, the company portrayed it as a relatively minor criminal case, limited to California.

But by week's end, it was shaping up to be a full-blown scandal with as many as a half million people nationwide potentially vulnerable to identity theft.

Outraged, attorneys general from 38 states demanded that ChoicePoint warn any victims in their states as well, and politicians, consumer advocates and security experts called for more federal oversight of a lightly regulated industry that gathers and sells personal data about nearly every adult American.

The task force leader, sheriff's lieutenant Robert Costa, said the number of people vulnerable to identity theft in the case could reach 500,000.

That's a much higher number than the latest estimate acknowledged by ChoicePoint, which belatedly sent warning letters to a total of 145,000 people in various states after a chorus of complaints.

The volume of data compromised was so huge that deputies are almost certain that a 41-year-old Nigerian man sentenced Thursday to 16 months in jail in the scam did not act alone.

The man, Olatunji Oluwatosin, was arrested on Oct. 27 when ChoicePoint faxed him some paperwork at a Kinko's store in a sting operation. He pleaded no contest and did not agree to help authorities in the probe.

``We were victimized by some extremely well organized criminals,'' ChoicePoint spokesman Chuck Jones said.

An Alpharetta, Ga.-based spinoff from the credit-reporting giant Equifax, ChoicePoint maintains databases that hold 19 billion Social Security numbers, credit and medical histories, motor vehicle registrations, job applications, lawsuits, criminal files, professional licenses and other pieces of sensitive information. ChoicePoint also owns a DNA analysis lab and facilitates drug testing for employers.

But ChoicePoint and other privately owned aggregators of personal information operate with virtually no federal oversight, and critics say the companies haven't done enough to safeguard their information-rich databases.

``There's a serious problem that we as a nation don't seem to grasp -- that the public is at risk whenever organizations collect massive amounts of information about us and they don't take extraordinary precautions to ensure that that information is protected,'' said Dr. Larry Ponemon, who runs a research firm in Tucson, Ariz., dedicated to privacy management in business and government. ``People ought to be standing in lines protesting this.''

Word of the identity theft case got out after ChoicePoint sent warning letters last week to people in California -- the only state with a law requiring disclosure of such security breaches to people whose identities are threatened. But ChoicePoint said it discovered the breach in October, when the Los Angeles County Sheriff's Department began investigating one case of identity theft.

Jones initially told The Associated Press on Tuesday that ChoicePoint had not alerted the FBI or other federal law enforcement agencies, and that ``we don't have any evidence to indicate at this point that the situation has spread beyond California.''

But security experts scoffed at that idea, and other states' politicians quickly demanded the same consideration for their residents that Californians were getting.

On Wednesday, Sen. Dianne Feinstein, D-Calif., called for hearings on her proposed national version of the California law, while Sen. Bill Nelson, D-Fla., asked federal regulators Friday to oversee data-brokering companies the same way they do other companies that handle financial and medical records.

New York state legislator James Brennan asked his state to suspend an $800,000 ChoicePoint contract until the company agreed to warn any New York residents whose data might have been exposed.

ChoicePoint eventually decided to send letters to 110,000 more people around the country -- an unprecedented move for the company, but ``the right thing to do'' in this case, Jones said.

Victims should receive letters within a few weeks, Jones said, and immediately check credit histories for suspicious activity. The company also plans to release a list of states affected in the next several days.

Costa, who runs Southern California's High Tech Task Force Identity Theft Detail, said the estimate that as many as 500,000 people may be threatened is based on records his department subpoenaed from ChoicePoint.

Costa also said that the FBI, the Secret Service and U.S. Immigration and Customs Enforcement -- the largest investigative arm of the Department of Homeland Security -- have now contacted his department to join the probe.

Citing the ongoing investigation, ChoicePoint won't speak publicly about details about the scam or discuss any security measures added since the breach.

Costa says he can't reveal many details either. But some details have been released.

Using stolen identities and faxing applications to ChoicePoint from Kinko's stores, the thieves opened up 50 accounts and for months received volumes of data on consumers, including names, addresses, credit reports and Social Security numbers -- all the data needed to get credit in someone else's name.

The ring also set up commercial mail-receiving locations in places such as Mail Boxes Etc., where deputies found redirected mail for more than 700 people -- everything from personal letters to junk mail to the credit card applications that are like gold for con artists, Costa said.

ChoicePoint had required the con artists to fax copies of business licenses, and verified through a background check that licenses were valid for nonbank financial institutions. But they didn't perform physical checks or visit the addresses, as they sometimes do, to make sure they were legitimate.

Computer experts worry that ChoicePoint and other companies that specialize in gathering and selling private information still aren't sufficiently protecting it from unauthorized uses.

``Most financial organizations have very sophisticated fraud detection algorithms to minimize the impact to the end user -- why couldn't this company have the same type of controls?'' asked Joseph Ansanelli, a member of the Financial Services Information Security Analysis Center who has testified before Congress on identity theft and consumer data privacy. ``Even if the criminals misrepresented themselves to do fraud, there are fraud detection programs that could kick in at that point.''

BOOKS OF THE TIMES; Nonstop Scrutiny, As Orwell Foresaw
By MICHIKO KAKUTANI - NYTimes: January 25, 2005, Tuesday

Picture ''Minority Report'' combined with Orwell's ''1984'' and Francis Ford Coppola's ''Conversation'': in an effort to prevent future crimes and predict what certain individuals are likely to do, the government has begun working with high-tech titans to keep tabs on the populace.

One company has come up with a digital identity system that has tagged every adult American with a unique code. Another company is intent on gaining control of all records -- including state and local files, financial information, employee dossiers, DNA data and criminal background checks -- that define our identity. In addition to iris scanners, voice analyzers and fingerprint readers, there now exist face recognition machines and cameras that can identify an individual by how he or she walks. One government group is working on infrared detectors that could register heat signals around people's eyes, indicating an autonomic ''fight or flight'' response; another federal agency has floated a proposal to assess risk by examining airline passengers' brain waves with ''noninvasive neuro-electric sensors.''

This surveillance state is not a futuristic place conjured in a Philip K. Dick novel or ''Matrix''-esque sci-fi thriller. It is post-9/11 America, as described in Robert O'Harrow Jr.'s unnerving new book, ''No Place to Hide'' -- an America where citizens' ''right to be let alone,'' as Justice Louis Brandeis of the Supreme Court once put it, is increasingly imperiled, where more and more components of our daily lives are routinely monitored, recorded and analyzed.

These concerns, of course, are hardly new. Way back in 1964, in ''The Naked Society,'' Vance Packard warned about encroachments on civil liberties and the growing threat to privacy posed by new electronic devices, and in 1971, in ''The Assault on Privacy,'' Arthur R. Miller warned that advances in information technologies had given birth to ''a new social virus -- 'data-mania.''' The digital revolution of the 1990's, however, exponentially amplified these trends by enabling retailers, marketers and financial institutions to gather and store vast amounts of information about current and potential customers. And as Mr. O'Harrow notes, the terrorist attacks of Sept. 11, 2001, ''reignited and reshaped a smoldering debate over the proper use of government power to peer into the lives of ordinary people.''

Some of the material in ''No Place to Hide'' is familiar from news coverage (most notably, the author's own articles about privacy and technology for The Washington Post), from a recent ABC News special (made in conjunction with Mr. O'Harrow's reporting) and from recent books like Jeffrey Rosen's ''Naked Crowd: Reclaiming Security and Freedom in an Anxious Age'' and Christian Parenti's ''Soft Cage: Surveillance in America From Slavery to the War on Terror.''

Still, Mr. O'Harrow provides in these pages an authoritative and vivid account of the emergence of a ''security-industrial complex'' and the far-reaching consequences for ordinary Americans, who must cope not only with the uneasy sense of being watched (leading, defenders of civil liberties have argued, to a stifling of debate and dissent) but also with the very palpable dangers of having personal information (and in some cases, inaccurate information) passed from one outfit to another.

Mr. O'Harrow also charts many consumers' willingness to trade a measure of privacy for convenience (think of the personal information happily dispensed to TiVo machines and Amazon.com in exchange for efficient service and helpful suggestions), freedom for security. He reviews the gargantuan data-gathering and data-mining operations already carried out by companies like Acxiom, ChoicePoint and LexisNexis. And he shows how their methods are being co-opted by the government.

The Privacy Act of 1974, enacted in the wake of revelations about covert domestic spying by the F.B.I., the Army and other agencies, gave individuals new rights to know and to correct information that the government was collecting about them, but the government's current predilection for outsourcing data-gathering to private companies has changed the rules of the game.

As Mr. O'Harrow notes: ''Among other things, the law restricted the government from building databases of dossiers unless the information about individuals was directly relevant to an agency's mission. Of course, that's precisely what ChoicePoint, LexisNexis and other services do for the government. By outsourcing the collection of records, the government doesn't have to ensure the data is accurate, or have any provisions to correct it in the same way it would under the Privacy Act. There are no limits on how the information can be interpreted, all this at a time when law enforcement, domestic intelligence and foreign intelligence are becoming more interlinked.''

Privacy and civil liberties advocates have put the brakes on some government projects, like the Total Information Awareness initiative promoted by John Poindexter, the former vice admiral (of Iran-contra notoriety), and a surveillance engine known (half jokingly) as the Matrix (for the Multistate Anti-Terrorism Information Exchange) that would combine criminal and commercial records in one blindingly fast system. Yet Mr. O'Harrow points out: ''The drive for more monitoring, data collection, and analysis is relentless and entrepreneurial. Where one effort ends, another begins, often with the same technology and aims. Total Information Awareness may be gone, but it's not forgotten. Other kinds of Matrix systems are already in the works.''

Even now, one mini-me version of Big Brother or another is monitoring Americans' daily lives, from the computer ''cookies'' that map our peregrinations around the Net, to the MetroCards, E-ZPasses and car-installed Global Positioning System devices that track our travels, to the security cameras that eyeball us at banks and stores. Mr. O'Harrow writes that RFID (radio frequency identification) tags will be attached soon to credit cards, bank passbooks and ''anything else that will enable businesses to automatically 'know you' when you arrive,'' and that several organizations ''are working on a standard that would enable every manufactured item in the world to be given a unique ID, at least theoretically.''

''Before long,'' he adds, ''our phones, laptop computers, Palm Pilots, watches, pagers and much more will play parts in the most efficient surveillance network ever made. Forget dropping a coin into a parking meter or using a pay phone discreetly on the street. Those days are slipping by. The most simple, anonymous transactions are now becoming datapoints on the vast and growing matrix of each of our lives.''

It is an alarming vision of the future uncannily reminiscent of the world imagined by Orwell in ''1984'': a world where ''you had to live -- did live, from habit that became instinct -- in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.''

It just arrived some two decades later than Orwell predicted.

Published: 01 - 25 - 2005 , Late Edition - Final , Section E , Column 1 , Page 1

CEO, author on security, notably absent after fraud
Some see PR blunder in staying out of limelight

By BILL HUSTED - Atlanta Journal-constitution - Feb. 19, 2005, 10:15PM

ATLANTA - The man who wrote the book on information security has been conspicuous in his absence last week.

ChoicePoint, based in Alpharetta, Ga., faces a public relations nightmare after it sold personal data about consumers to identity thieves posing as legitimate business customers.

The chief executive, Derek Smith, is the author of a book whose title now seems ironic: A Survival Guide in the Information Age: 145 Important Tips to Protect You and Your Family.

Smith has cultivated an image as an info guru through speeches to trade groups and newspaper and TV interviews, including one last month on ABC's Nightline.

No public statements
But since news of the crisis broke, Smith has made no public statements and declined interview requests.

That strategy dumbfounds crisis management and marketing experts contacted Friday.

"If it's a national issue, the CEO must be involved, otherwise he's saying he doesn't care," said Jonathan Bernstein, of Bernstein Crisis Management. PR Week, a public relations trade journal, called Bernstein "one of the 22 people in the world you should have on your speed dial in case of crisis."

Instead of putting Smith out front, ChoicePoint has relied on the low-profile duo of James Lee, the company's marketing director, and Chuck Jones, its public relations officer.

"Derek being the chairman and CEO, I can see why people would want to talk with him," Jones said Friday. "But he's really our strategy person, not the spokesman for this."

Whereabouts unknown
That's about as clear a response as ChoicePoint has when pressed on why Smith has not come forward. It was even unclear whether Smith was at the headquarters.

"I haven't seen him in the halls today," Jones said when asked about Smith's whereabouts on Wednesday.

Al Ries of the Ries & Ries marketing consulting firm in Atlanta said that, in a public relations crisis, "the CEO should come forward immediately, get on radio and TV and apologize. ... You have to take responsibility publicly."

"If your goal is to lead and to maintain credibility and long-term shareholder value, you lead," said Hulus Alpay, senior vice president at Makovsky & Co., a New York public relations and crisis management firm.

"If the goal is to cover your tail, that's a different agenda."

Also an opportunity
A public relations crisis can be an opportunity, said Alpay.

"The classic case was Tylenol, when the company adopted the mantra of 'we are going to protect the public at all costs,' " he said. The pain reliever was temporarily removed from the market because of fears of product tampering.

"And they put the CEO out there as a visible face of the company. You can flip that around for ChoicePoint."

Bernstein said the best course when a wrong has occurred is "to do a mea culpa, completely and with an expression of sympathy and compassion. If they had done this as quickly as possible, you could make it into a one- or two-day news event."

Jones said ChoicePoint's plan has been to say "first and foremost that ChoicePoint was sorry that it happened and going from there into what the potential impact would be on any individual person."

The company has emphasized that the identity thieves used stolen identities to pose as legitimate customers. ChoicePoint says it has since stiffened its screening process.