ID Data Conned From Firm
ChoicePoint Case Points to Huge Fraud
By Robert O'Harrow Jr.
Washington Post Staff Writer
Thursday, February 17, 2005; Page E01
One of the nation's biggest information services has begun warning more than 100,000 people across the country they may be targets of fraud, following disclosures the company inadvertently sold personal and financial records to fraud artists apparently involved in a massive identity theft scheme.
ChoicePoint Inc. electronically delivered thousands of reports containing names, addresses, Social Security numbers, financial information and other details to people in the Los Angeles area posing as officials in legitimate debt collection, insurance and check-cashing businesses.
At least 700 victims have had their mailing addresses changed, apparently by people connected to the scheme, authorities said. Identity thieves often change the addresses of victims in order to gain control of credit card offers and other mail. No one knows the extent of the fraud or the financial impact, authorities said. Only one suspect has been arrested.
Earlier this week, ChoicePoint officials said the records of about 35,000 people in California may have been disclosed. But yesterday, the company said the scope of the scheme is probably much wider than it originally reported. Company officials said they were sending out more letters to 110,000 addresses throughout the country that may be connected to the reports delivered to the fraudsters.
"We have reason to believe your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you," the letters say.
Authorities said the number of records involved may go higher as the investigation continues. "This is way far more reaching," said Los Angeles Sheriff's Department Lt. Robert Costa, commander of an identity theft unit. "I believe that when we're done it will be more than a half million nationally. It's huge."
Alpharetta, Ga.-based ChoicePoint maintains databases with billions of records about nearly every adult in America, including credit reports and criminal records. Over the past seven years, it has acquired more than 50 other information companies. Like others in the industry, the company routinely sells dossiers to police, lawyers, reporters and intelligence and homeland security officials across the Internet.
The current case, reported earlier this week by MSNBC, comes at a time when identity fraud and theft are on the rise, with as many as 10 million Americans a year falling victim to criminals who charge goods in their names or empty their bank accounts. It follows scores of other information breaches in recent years that have exposed financial, health care and other identifying information of millions of people, many of whom never discover they were put at risk.
In recent days, for instance, a group of former military and intelligence officials were told they were at risk of identity theft after thieves broke into offices of a government contractor and took computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees. Millions of financial records have been stolen by hackers from banks and credit industry companies in recent years.
Critics said retailers, credit issuers, information services and other companies have not done enough to protect the extraordinary caches of personal data collected over the past decade.
"This is an issue that goes beyond ChoicePoint. They're just one company," said James X. Dempsey, executive director of the Center for Democracy and Technology, which advocates for privacy and computer security. "Both the industry and Congress need to pay attention to the security of personal information."
Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the case raises important questions about who is responsible when companies are tricked into releasing data. "Companies such as ChoicePoint are operating with too little oversight," he said.
The ChoicePoint case began unfolding last fall. Initially, company employees assumed the requests for information were legitimate, because the applicants appeared to work at registered companies in the Hollywood area. But company investigators noticed that applications for access to the company's massive databases were coming from Kinko's stores, sometimes via fax machines.
A ChoicePoint official said dossiers, possibly including thousands of credit reports, were delivered to personal computers over the World Wide Web or mailed to suspects who had opened close to 50 accounts with the company. The reports, including credit reports, typically cost between $5 and $17, company officials said.
Last fall, the company sought help from authorities in Los Angeles, and together they tricked a suspect into returning to one of the Kinko's stores in late October. There, they arrested Olatunji Oluwatosin, 41, of North Hollywood, who is set to appear in a state court today on six counts of violating the state identity theft statute, authorities said. Three of those counts relate to activity in other states.
Investigators still do not know the extent to which the information was used or resold. They have been receiving assistance from postal inspectors. But the case has not gone as smoothly as investigators would have liked. Police said that's in part because ChoicePoint did not appear willing to quickly share information about the case, an allegation the company denies.
"We've been following up on leads while waiting for ChoicePoint," said Costa, the sheriff's department investigator who leads the Southern California High Tech Task Force's identity theft detail.
ChoicePoint spokesman James Lee said the company learned for the first time yesterday the case involved people in states outside California. He said the company has done everything it can to bolster security immediately and help with the investigation. The company also is considering "fundamental changes" in security procedures and customer authentication.
"We're not to blame, but we're taking responsibility," Lee said. "The people committing the fraud were smarter and quicker than we were.
"It's a wake-up call," he said. "Everybody needs to be ever vigilant and diligent."