The Atlanta-based company said that it plans to inform approximately 110,000 consumers outside the state of California whose information may have been accessed in the criminal scheme,on Tuesday. The company has already told some 35,000 Californians that their personal data, including their names, addresses, Social Security numbers and credit reports, was stolen by scammers. California is the only U.S. state with legislation in place that requires companies to notify its residents when their personal data has been compromised.
ChoicePoint also said that law enforcement officials informed the company of 750 cases oftied directly to the incident. One California man has already pleaded no contest to related to the ChoicePoint attack, while federal and state law enforcement agencies continue to look for others involved in the operation.
The perpetrators were able to dupe the company, which providesto insurance companies, other businesses and government agencies, by passing themselves off as legitimate customers. Chuck Jones, a company spokesman, said the criminals set up 50 fraudulent accounts with ChoicePoint by posing as businesses including collection agencies that were looking to run background checks on potential customers.
Jones said that ChoicePoint was misled via a detailed effort, as the criminals used previously stolen identities to set up what appeared to be legitimate business licenses, phone numbers and addresses for the organizations they claimed to be when applying for accounts with the company. He said the firm has changed its policies for qualifying new accounts, and will now go as far as having people who are looking to access the company's databases visit the physical location of firms in order to verify those persons' legitimacy.
"We're working hard to deploy new technologies and tighten up the policies and procedures that ChoicePoint already had in place," Jones said. "It's always been critical for us to verify that people are who they say they are, but we think that our verification process has already been improved significantly (since the attack)."
The spokesman said that ChoicePoint has been targeted by criminals seeking to steal consumer data in the past, but never on such a wide scale. He said the company does not expect to report any additional consumers affected by the scheme.
The company said that it first learned of the security problem last fall, but ChoicePoint claims that law enforcement officials would not allow it to disclose the incident until now, so as not to compromise their investigations. Jones said the company is working on the case with the Los Angeles County Sheriff's office, U.S. Postal inspectors and the FBI.
Some privacy experts have predicted that the debacle will shine new light on the risks posed to consumers by information brokers such as ChoicePoint, and said the incident may convince other states to adopt legislation similar to the guidelines required by California. Last month, Sen. Dianne Feinstein, a Democrat from California, proposed legislation for a federal law that would require companies to inform consumers in any U.S. state of personal data losses.
Jones said ChoicePoint might support such legislation and will continue to work to help improve consumer protection across the data services industry.
"ChoicePoint has always been a proponent of responsible use of consumer data," he said, "and we remain hopeful that there will be a national discussion for improving policies that involves legislators, privacy experts and industry, to help establish better ground rules for this issue moving forward."
However, at least one privacy expert called ChoicePoint's claim of dedicated protection "comical." Ray Everett-Church, an attorney who runs his own consulting company, PrivacyClue, said data brokers such as ChoicePoint are far more concerned with making a profit than actively guarding against fraud.
"They're taking (consumer data) in the front door with the promise of protection and shoving it out the back door as fast as they can to the highest bidders--it's just a matter of time before we see more of these scenarios," Everett-Church said. "I've always marveled at these companies' ability to say they care about consumer privacy with a straight face."
He said ChoicePoint and other data aggregation companies have been doing very little in the way of completing background checks on customers, and said the firm probably could have identified the criminal enterprise as fraudulent by researching information in its own databases more closely.
"Don't tell me that your first priority is protecting consumers, when clearly the first priority is maximizing value for your shareholders," said Everett-Church. "I'm not buying it."