Shostack + Friends Blog Archive

 

More on Choicepoint

The Atlanta Journal Constitution (use Bugmenot) reports:

“We know that there is a national number that is much larger than that,” said Lt. Paul Denny of the [Los Angeles County] sheriff’s department. “We’ve used the number 400,000, but we’re speculating at this point.”

Executives at ChoicePoint, which maintains one of the largest databases of personal information in the country, acknowledged Wednesday that the number of potential victims is much larger than first thought. But they also suggested the actual number is lower than the law enforcement estimate.

The company said in a statement that “additional disclosures will be forthcoming to approximately 110,000 consumers outside of California whose information also may have been accessed.”

Lee said finding the criminals is complicated because ChoicePoint could not in all cases track the data requests to the accounts making the request.

I hope Richard, at TaoSecurity, takes Choicepoint to IDS kindergarden.

5 comments on "More on Choicepoint"

  • sama says:

    I wonder if someone couldn’t subpoena information from them about whose information was compromised… sort of like the RIAA subpoenaing the names associated with IP addresses. The logic would run something like, a) you have deal in soc sec #’s, b) you participated in a network where such information was illegally shared, ergo, cough up the list of names of numbers that were illegally shared. Well, it’s not exacvtly the same, but you see my point.

  • Massive data heist at Choicepoint exposes soft underbelly

    Ever since California passed its law on notification of data loss to citizens, we’ve wondered what happens when the data covers other states as well? Now we know. Choicepoint, one of the larger players in the data conglomerates market, has…

  • Feature: Privacy in the 21st Century

    This is the story that gives me an excuse to name Paris Hilton here at MaisonBisson.
    Here’s a fact of 21st century life: pieces of our life that, taken one by

  • Steve says:

    here is a brief I have sent to national news media urging them to do a real story on ChoicePoint.
    Steve,
    ———————–
    Dear Editors,
    Have you considered how and why ChoicePoint (in the news last week for 145,000 ID thefts) has obtained the capacity to profile your private life and that of almost all other Americans, even better that your employer or your family members will ever know you? Do you know to which large companies and government agencies it sells the history of an ever growing “virtual data copy of your private life????
    Well, first take a look at the business-to-business management services that ChoicePoint is into and the value of the private data derived from such “middleman B2B activity”! For example ChoicePoint manages drug testing services for airport personnel (e.g. SFO?) and acts as a third party administrator for many employer healthcare plans, each of which is a goldmine of data for building out its profile on your virtual self that it has in its massive national databases. ChoicePoint’s customer is usually another big business. The customer is rarely the individual whose data ChoicePoint uses in the process of providing such business management services, so ChoicePoint probably cares little as to what your, the profiled individual, concerns are regarding ChoicePoint’ use of your private life data. Of course it has to comply with certain new California privacy laws and the federal HIPAA Privacy Rule (since it might be a “business associate??? under HIPAA to the employer health plans). But it might be able to get around those by simply removing the key 18 personally-identifying HIPAA data elements on you (first name, last name, telephone, etc.) and then picking up the other 150 or so “deidentified??? data elements it has on you (amount in your bank, health condition, etc) from the particular B2B middleman management service and give the file of 150 data elements the same file identifier number as the file it has already got on you from other sources, including the “big three credit reporting agencies.??? I suggest, however, it would be severely bending the law, if not breaking it, were it to take such an aggressive view of current California privacy laws and federal laws, such as HIPAA and GLBA, and, of course, it would be hugely controversial were it shown to be itself violating anti-identity theft laws!
    So I respectfully suggest let’s do some proactive journalism here and not merely respond to ChoicePoint’s version of the story and its press release that is now known to have been quite misleading — not limitied to Californian victims!
    Let’s investigate the real story on ChoicePoint’s business model – how did this data mine on Americans get to be so personal and so big and who is using it, not just its theft! Surely we will not have to leave this to the British media again, like we did the initial story on the non-existent WMDs in Iraq?
    May the best free democracy be supported by the best free and unencumbered press … 😉
    Meanwhile, here are some relevant links.
    http://www.internetnews.com/security/article.php/3484501
    http://news.com.com/The+flip+side+of+database+snooping/2010-7348_3-5563897.html?tag=st.ref.goo

  • Choicepoint exposes soft underbelly

    Choicepoint is now saying that up to 145,000 records may have been compromised. It took several months for Choicepoint to publicly report that they were tricked by nefarious characters who set up 50 companies get access to Choicepoint out of…

Comments are closed.