ChoicePoint data loss may be higher than reported

SEC filing raises questions about whether the security breach went beyond the 145,000 Americans notified.

Robert Lemos Staff Writer, CNET News.com
ChoicePoint could have leaked information on far more than 145,000 U.S. citizens, the data collector's latest filing to the Securities and Exchange Commission suggests.

The Atlanta-based company said in the filing that it has alerted only consumers whose personal details were improperly sold on or after July 1, 2003--the date that a California notification law went into effect.

In its regulatory 8-K document, filed on March 4, ChoicePoint said that it had restricted its search to a 15-month period, during which records on 145,000 consumers were purchased by 50 fraudulent companies.

"These numbers were determined by conducting searches of our databases that matched searches conducted by customers who we believe may have had unauthorized access to our information products on or after July 1, 2003, the effective date of California's notification law," ChoicePoint said in the filing.

The exclusion of possible sales to suspect companies before that date raises questions about the true number of Americans affected by the data leak. Sales could have taken place before the period covered by the California Security Breach Information Act, which requires businesses to tell people if their sensitive details have been exposed.

A ChoicePoint representative declined to comment or speculate on the number of records that may have been exposed before July 1, 2003. ChoicePoint provides consumer data services to insurance companies, other businesses and government agencies.

In its SEC filing, the company did not specify whether it intends to do additional searches. ChoicePoint did say that any increase in its estimate of the number of potentially affected consumers will not be "significant." It's not clear whether that estimate is only for records sold on or after July 1, 2003.

Background data
ChoicePoint discovered on Sept. 27, 2004, that a few of its small-business customers in the Los Angeles area were engaged in "suspicious activity." The company notified law enforcement agencies, but did not notify the consumers whose information was leaked until early February.

At first, the company only notified some 35,000 California residents as required by law in that state. After a public outcry for more information, the company notified 110,000 U.S. citizens whose records were improperly accessed.

The ChoicePoint incident was the first of many data leaks to be disclosed recently. This week, publisher Reed Elsevier Group acknowledged that hackers gained access to personal information on about 32,000 U.S. citizens in its LexisNexis databases. In late February, financial services giant Bank of America alerted government workers that backup tapes containing their sensitive data had gone missing.

Legislators and government agencies have already started investigating ChoicePoint, with the SEC and Congress looking into the company's business practices. The incidents are widely expected to spur legislation aimed at protecting consumer data.

Any decision by ChoicePoint not to search further into the past would be reasonable from a corporate standpoint, said Bruce Schneier, a security expert and chief technology officer for network protection provider Counterpane Internet Security. However, the strategy would make the company and its actions an even larger target for lawmakers, he said.

"They are putting a big sign on themselves saying, 'Please regulate me,'" Schneier said. "They are showing that they are not going to be a good actor unless we force them to be."

Schneier took ChoicePoint to task in an entry on his blog. He argued that as long as U.S. citizens are not customers of data collection companies, they should not expect good security.

"The real problem here is that your data is not controlled by you," he said. "We are not ChoicePoint customers, so they have no reason to listen to us. If we didn't hire them, we can't fire them."