Who's Online

We have 788 guests online


2497 readings
Privacy a Myth - ChoicePoint PDF Print E-mail
PEJ Events
Sunday, 20 February 2005 14:43
Privacy a Myth - ChoicePoint

ATLANTA (AP) - Consumer data collector ChoicePoint Inc.'s mission is to arm customers with the information necessary to verify that the people they are doing business with are who they say they are. That selling point has been turned on its head by bandits who were given access to the company's massive database by duping it into thinking they were someone they were not.

"The irony appears to be that ChoicePoint has not done its own due diligence in verifying the identities of those 'businesses' that apply to be customers," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego. "They're not doing the very thing they claim their service enables their customers to achieve."

Formed in 1997 as a spinoff of credit reporting agency Equifax, Alpharetta, Ga.-based ChoicePoint has rapidly grown beyond its roots of analyzing insurance claims information to become a clearinghouse for personal data on hundreds of millions of people.

The 19 billion public records in its database at its suburban Atlanta headquarters include everything from motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.

To a debt-collection firm, a mom-and-pop store checking the background of a prospective employee or a law enforcement agency, the one-stop shop that ChoicePoint offers for obtaining personal information can be a lofty enterprise. To a criminal, access can cause a nightmare for privacy advocates and create unwitting victims, which even ChoicePoint now considers itself.

The company acknowledged this week that thieves apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts. The bandits then opened up 50 accounts and received volumes of data on consumers, including names, addresses, Social Security numbers and credit reports.

The ring, which operated for more than a year before it was detected, used the information to defraud at least 750 people. ChoicePoint estimates that as many as 145,000 people in California and other unnamed states may have been affected.

Like any business that opens an account with ChoicePoint, the suspect companies were given an access code and password that allowed them to use ChoicePoint's database. ChoicePoint says it put the applicants in question through rigorous protocols to make sure they were who they say they were.

In this case, says ChoicePoint marketing director James Lee, the bandits, posing as check-cashing companies or debt-collection firms, provided business licenses that appeared to be legitimate and used the names of real people with clean criminal records. The identities they used had not been reported stolen, so red flags were not initially raised, Lee said. The company caught on later to what was going on by tracking the pattern of the searches the suspects were doing, he said.

"Quite obviously, someone who is intent on fraud will go to extraordinary lengths to create the trappings of legitimacy," Lee said.

Lee said the company learned of the problem in October, but did not start notifying those customers who were possibly affected until this month because authorities asked them to keep quiet for fear of jeopardizing their investigation.

Lee conceded that ChoicePoint's own procedures to verify customers' identities were circumvented.

"This has nothing to do with a failure of technology or a failure of security procedures," he said. "This is good old fashion fraud."

He said the company plans to increase its safeguards and come up with new procedures if necessary.

"It's a wake-up call, not just to us but to businesses, period," Lee said. "There are people intent on committing fraud and they are going to be extraordinarily persistent. They're bright. They're creative. We have to be brighter, smarter and more creative to ensure they are not successful."

This incident is not the first time ChoicePoint has raised eyebrows.

A public outcry in April 2003 was created by an Associated Press report in which it was revealed that ChoicePoint bought official registry files listing sensitive data on tens of millions of people from sources in Costa Rica, Mexico, Colombia, Venezuela, Nicaragua, Guatemala, Honduras and El Salvador.

The government data, obtained through middlemen, was sold by ChoicePoint to U.S. law enforcement, immigration and other agencies. In the wake of the AP story, ChoicePoint officials said they had stopped gathering data in some countries, including Costa Rica and Mexico. The company also said it purged the Mexican data from its system.

The sheer breadth of the information the company collects makes it any easy target for criminals, critics say.

Over the last eight years, ChoicePoint has acquired roughly 60 companies, ranging from ones that provided insurance support to pre-employment background information to government support organizations. In so doing, it has grown from 20,000 clients to hundreds of thousands and now operates in 100 countries. The 5,000-employee publicly traded company has tripled its revenue from $300 million in 1997 to $900 million last year.

Privacy advocates say ChoicePoint has gotten too big, too fast, and argue that the data aggregator industry should be more regulated by the government.

"It's not that these activities are inherently evil," said Daniel Solove, a privacy expert and law professor at Georgia Washington University, said. "The problem is the individuals whose information is being used is out of the loop, often helpless and powerless to participate."

Solove said the solution is better controls and greater accountability by the industry to make sure consumers' personal information is not getting into the wrong hands.

Lee, the ChoicePoint official, said the public discourse generated by what happened is not a bad thing. He believes there is a legitimate need for data aggregators like ChoicePoint.

"The reality is, American commerce is based on identifiers," Lee said. "There is only one universal identifier, and that is your Social Security number. We can debate all day, do we need that?"
Last Updated on Sunday, 20 February 2005 14:43

Latest News