Stealing Identities the Old-Fashioned Way

Using an old-fashioned con, thieves posing as legitimate businesses were able to extract the personal information of thousands of consumers from ChoicePoint, which stores Social Security numbers, credit reports, addresses and other data for the vast majority of Americans.

The company sells the information to local, state and federal government agencies and insurance and financial institutions, among others. It said the thieves used stolen identities to create fake businesses as fronts and then bought the information from ChoicePoint.

Consumer Groups

Information brokers such as ChoicePoint have been criticized by consumer privacy advocates, who say the information is handled too cavalierly. The Electronic Privacy Information Center (EPIC), a public interest research center, only two weeks ago warned the Federal Trade Commission about what it called unjustified access to commercial databases. EPIC also questioned whether ChoicePoint's auditing procedures were adequate.

ChoicePoint said it has begun sending letters to 35,000 Californians, but a spokesman said there may be as many as 100,000 victims nationwide. California is the only state that requires companies to inform consumers if they may be the victims of identity theft.

Gross Negligence

Jonathan Penn, principal analyst for identity and security at Forrester Research, issued a harsh assessment of ChoicePoint. "Being a custodian of such aggregated data, ChoicePoint is an extremely obvious target," he said. "They should have network perimeter security measures, insider security measures, encryption measures, strong authentication, customer ID verification and many other procedures to avoid this security incident, breach of trust and business loss."

"And what ChoicePoint is doing now, how they're handling it, is horrible," Penn added. "The good example of how to respond has been set by Wells Fargo (NYSE: WFC) and its recent data theft problem. But ChoicePoint is doing the minimum required and making statements that are patently absurd, i.e. [claiming that] only the data of California residents -- coincidentally, the only people whom they're required to notify -- has been stolen."

Consumer advocates voiced similar concerns. "We strongly encourage ChoicePoint to notify every individual whose data was compromised in this scam," Adam Levin, chairman of Identity Theft 911 and former director of the New Jersey Division of Consumer Affairs, told TechNewsWorld.

"Identity theft knows no borders, and there's no telling where this information has gone or how it will be exploited. What we do know is that the people affected must be told they're at risk so they can take measures to protect themselves."

The Los Angeles Sheriff's Department, FBI and the U.S. Postal Inspectors Office are cooperating on the case.

Arrests May Be Coming

Linda Foley, executive director of the Californian non-profit Identity Theft Resource Center, told TechNewsWorld that sheriff's deputies have several suspects who, she said, are "more than likely repeat offenders." She said she expected "the next news in this case would be of some arrests."

The Atlanta Journal-Constitution reported that Olatunji Oluwatosin, 41, a Nigerian national, was arrested Oct. 27 by deputies when he allegedly tried to retrieve a fax he believed to be from ChoicePoint. He is scheduled to appear Thursday in Los Angeles County Court.

Big Picture Issue

There was no hacking involved, nor was the company lax in following its policies, Foley said.

"ChoicePoint did follow their policy," she said. "ChoicePoint did due diligence here. Unfortunately we have a criminal population that is very smart." She added that once you have stolen the identity of a person with a clean record it is very easy to get a business identification number.

Because businesses and governments want to be able to access vast stores of personal information, the issue is not likely to be resolved easily.

"The problem is more systemic than it is specifically a ChoicePoint problem," Foley said. "Sometimes individuals want as much information as they can get on another person. As an employer, I want to know as much as I can about someone I'm hiring, especially if it's in a sensitive area. It's a governmental decision about whether this is going to be allowed or not."

Victims can put alerts on their credit reports that would require credit agencies to contact them when anyone tries to use their report. A more restrictive option is a credit freeze, in which the consumer would have to "thaw" report by calling a special number and using a PIN code to allow access to the report.