TELECOM Digest OnLine - Sorted: ChoicePoint Data Cache Became a Powder Keg


ChoicePoint Data Cache Became a Powder Keg


Marcus Didius Falco (falco_marcus_didius@yahoo.co.uk)
Sat, 05 Mar 2005 22:55:37 -0500

http://www.washingtonpost.com/wp-dyn/articles/A8587-2005Mar4.html

Identity Thief's Ability To Get Information Puts Heat on Firm
By Robert O'Harrow Jr.
Washington Post Staff Writer
Saturday, March 5, 2005; Page A01

The man on the phone called himself James Garrett.

Speaking with a lilting accent, the man said he was an executive with
a Los Angeles company called M.B.S Financial. He told an employee at
ChoicePoint Inc. that he wanted to open an online account with the
company to receive electronic reports on people.

It was the kind of request that ChoicePoint, one of the nation's
largest information services, gets all the time. Thousands of
corporate and government clients rely on the company to provide them
with publicly available information on people for help in hiring,
fraud detection, journalist research, national security and debt
collection.

But the man's call last fall was different, according to a detective's
description of the encounter and testimony presented in a later court
hearing. Unknown to ChoicePoint, the caller was not Garrett, an actor
in the Los Angeles area. Police said he was a con artist involved in a
vast identity-theft scam that succeeded in making off with records of
at least 145,000 people. The real Garrett was just another victim.

The imposter's attempt to gain access to even more files would not
only expose the scam, but spark a national outrage and congressional
hearings over whether the nation's growing commercial data industry is
doing enough to guard personal information.

Yesterday, the burgeoning scandal led ChoicePoint to cut off access to
some sensitive data to thousands of small businesses. The company also
announced in filings with the government that two senior executives
were under investigation by the Securities and Exchange Commission for
stock trades that took place after they learned about the scheme last
fall but before they made it public.

On the day the man called ChoicePoint in late September, he was close
to getting what he wanted. He had already filed an application for the
right to download reports to his computer, for about $15 each,
claiming he needed sensitive personal information like Social Security
numbers to track down targets of his collection agency.

But to the ChoicePoint employee on the other end of the line,
something wasn't quite right. For starters, the caller used a Los
Angeles copy store to fax his paperwork to open an account. That
seemed strange for a businessman, and even more so when an in-house
investigator realized that similar requests had recently been made by
others in the Los Angeles area. Something also seemed out of kilter
about the local government documents the man forwarded to prove his
business existed.

Authorities in Los Angeles were called for help. The officer assigned
to the case, a sheriff's detective named Duane Decker, asked the
company whether it could lure the man posing as Garrett back to the
copy store as part of a modest sting operation. ChoicePoint would
convince Garrett he needed to go back to the copy store to sign a
faxed copy of his application and send it back to the company.

The ruse worked. On Oct. 27, a man claiming to be Garrett showed up as
promised at the Copymat store on Sunset Boulevard. He approached the
counter, asked for a document filed for James Garrett and paid the
bill.

Decker, lingering nearby, asked the man if he was Garrett. When the
man said yes, Decker asked him to step outside. As they left the
store, the detective said he thought he had an easy case in hand. He
couldn't have been more wrong.

The man Decker stopped was Olatunji A. Oluwatosin, a 41-year-old
Nigerian national. Oluwatosin claimed he was picking up the paperwork
for another man named Bobby, according to testimony at Oluwatosin's
court hearing.

On the way out of the store with Decker, Oluwatosin dropped the
paperwork he had just received from ChoicePoint and other forms for a
company dubbed Gala Financial. At the time, he was carrying five cell
phones, only one of them in his own name. Three credit cards bore the
names of other people, including at least one woman.

At Decker's request, Oluwatosin shared his address in North
Hollywood. Once there, Decker said he found a printout of a
ChoicePoint search involving another name, that of a man he later
learned had lost $12,000 to identity thieves. Decker also found a
receipt for a public storage business not far away. Before long,
searching in unit B-245, Decker found what he later told a state court
judge were the tell-tale signs of an identity theft operation: new
televisions, electric generators and other products in shipping boxes
stripped bare of details about where the goods came from.

The paperwork offered other leads. Decker found addresses that turned
out to be commercial mail services. Investigators asked to see the
unopened mail at some of those locations. One clerk brought out two
large bags containing credit card applications, financial statements
and other mail that had been redirected from homes around the nation.

Driving to more than a dozen commercial mail services in one day,
Decker and a postal inspector identified redirected mail from more
than 700 people. Further investigation revealed links to 22 other
ChoicePoint accounts that had been opened under false pretenses.

"I realized that this was just absolutely huge and out of control,"
Decker said.

Identity theft and fraud has become a national problem in a few short
years. In 2003, federal authorities estimated that about 750,000 people
fell victim to some identity scam. Now the prevailing estimate is close to
10 million.

Driving the rise is a growing number of clever criminals who use
people's Social Security numbers and other facts of their lives to
take on their personas to run up credit cards bills, empty bank
accounts and commit other crimes. But consumer advocates say it's also
the failure of so many information brokers, retailers and credit
issuers to adequately protect records or do enough to stop swindlers
by verifying the identities of customers.

Credit card companies, marketers and others have lost millions of
files to hackers and identity thieves in recent years. Two years ago,
ChoicePoint itself was hit by another identity theft scheme involving
personal records of thousands of people.

ChoicePoint, based in Alpharetta, Ga., has assembled a huge trove of
personal data in recent years. Much of that information, such as court
rulings, driver records and real estate details, comes from government
agencies. The company also purchases information from the three major
credit bureaus and other information services.

Its ability to create and electronically transmit exhaustive dossiers
on people makes it a favorite of many Fortune 500 companies,
government agencies and law enforcement and Homeland Security
authorities. Today, it has more than 100,000 customers and revenue
approaching $1 billion, a large proportion based on the resale of
details about individuals.

Before granting service, ChoicePoint typically requires a photocopy of
a driver's license and business records on file with a state or local
government agency. A ChoicePoint employee would then verify that such
a person and company exists. Identity thieves skirted this system by
using fake IDs and by setting up front companies on paper, registered
with government agencies in phony names, according to court and
company records.

Olatunji Oluwatosin pleaded no contest to identity theft in a
California court last month. He was sentenced to 16 months in state
prison. Authorities are still investigating who else may be involved
in the scandal. They believe others, possibly many others, worked with
him.

ChoicePoint officials, meanwhile, said they have since identified more
than 50 accounts that appear to be phony. The company has warned
people to watch for unauthorized activity on their credit reports and
has offered to give them free access to that information, at an
estimated cost of $2 million.

The real James Garrett said he first noticed that something was amiss
when he received a call from a credit card company. The company told
him that a card in his name had been redirected to another
address. When Garrett went to police to report the fraud, police told
him he was apparently part of an identity theft ring, possibly related
to terrorist financing, Garrett said yesterday.

An investigator in the ChoicePoint case later told him that identity
thieves had obtained not only his name and address, but his Social
Security number, credit card password and mother's maiden name.

"They knew everything about me," Garrett said.

Behind the scenes, the case continues to expand. Decker and other
authorities in Los Angeles have discussed the case with the FBI and
Secret Service, which has indicated it may have another identity theft
suspect with ties to the ChoicePoint case. The Federal Trade
Commission has begun an inquiry.

At the same time, public ire is intensifying. Congress is planning to
hold hearings about the breach and the information industry in
general. Some of those hearings may involve questions about national
security. Democrats, including Sen. Bill Nelson (D-Fla.) have asked
for a study about how terrorists might use information brokers like
ChoicePoint.

In response to the thefts, ChoicePoint said in an SEC filing that it
is "discontinuing the sale of information products that contain
sensitive consumer data ... except where there is either a specific
consumer-driven transaction or benefit or where the products support
federal, state or local government and law enforcement purposes."

"We fully support a continued national discussion of how to ensure
that information is used responsibly, that the positive benefits of
information use are preserved and that the illegal uses of data are
severely punished," the company's filing said.

The company has defended the sale of hundreds of thousands of shares
since November, before the scandal became public, by ChoicePoint chief
executive Derek V. Smith and president and chief operating officer
Douglas C. Curling, saying the transactions were part of scheduled
sales arranged last fall. Smith said he personally did not know about
the security breach until January.

Decker, meanwhile, said that after four months it feels like his
investigation is just beginning.

"Sometimes you're looking at Social Security numbers, and all of the
sudden a name pops out and you realize, 'These are real people, all of
them,' " he information is out there," he said. "They could all be
victims, if not now, in the future.

Special correspondent Kimberly Edds contributed to this story from Los
Angeles.

Copyright 2005 The Washington Post Company

NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . Hundreds of new articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, The Washington Post Company.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Marcus Didius Falco: "All Wired Up"
Go to Previous message: Monty Solomon: "Harvard Applicants Breached Security"
TELECOM Digest: Home Page