Tuesday, March 08, 2005
ChoicePoint Inc. security breach, the apocalypse of identity theft, threatens the economy and national security
Identity theft has become a pandemic. Its perpetrators are more organized than ever and could be affiliating with terrorist groups. Thieves could be terrorists themselves and have gained access to huge databases. Names, addresses, phone numbers, social security numbers, and dates of birth are up for grabs, and the information is useful to those with mal intent. Government and the business world are struggling to respond, and controversy defines the efforts to develop regulations that would properly protect consumers.
The system of identification is fundamentally flawed. The confluence of everyday cyber crime and terrorism demonstrates a need for across-the-board countermeasures and changes in the way in which we identify people. Organized international crime rings could easily collude with terrorist networks. A clever and properly equipped computer hacker could bring nations and monetary systems to their knees. A dirty bomb could detonate in a crowded city street and kill thousands—all courtesy of terrorists-turned-identity-thieves. Through identity theft, a terrorist operation could easily forge identities, enter the country illegally and, in others’ names, fund the entire operation.
Large databases are vulnerable
In October 2004, hackers infiltrated a University of California, Berkley database to render the identities of 1.4 million low-income healthcare recipients and the people who provide the care vulnerable. A recently passed California law, SB1386, requires companies and state agencies to inform Californians of any security breach potentially jeopardizing the identities of 500,000 or more people. The university complied.
Laws that require officials who suspect wide-scale identity theft to alert those who may be victims are good. They’re bad when insufficient, enforced improperly, or willfully ignored. Their provisions must scale to the speed of identity theft, whose perpetrators can ruin people’s lives and, possibly, the safety of millions, in short order.
Data warehousers are slow to respond
In what officials are pegging as an orchestrated effort, over the course of this past year multiple charlatans conducted a massive ruse against ChoicePoint, a large Georgia-based data mining company. Criminals posing as legitimate small businesses (e.g., debt collectors, credit checkers, etc.) easily gained access through the front door of ChoicePoint’s database to lift countless U.S. citizens’ identities.
This happened more than four months ago. It wasn’t until February that ChoicePoint began to inform the public. California’s law may have prompted ChoicePoint to alert Californians to their possibly compromised identity information, but the communiqué was still tardy. Worse, only after facing pressure from 38 state attorneys general, did ChoicePoint admit that the crime’s scope was far greater, The Globe and Mail and others report. According to AZCentral.com, ChoicePoint claims California law enforcement officials encouraged the company not to disclose the breach sooner.
Thefts trace to organized crime
Reuters and others report that a Nigerian man has been sentenced to 16 months in jail for his involvement in the crime against ChoicePoint. Authorities say he was part of a larger criminal network.
Organized crime’s link to identity theft has precedent. This past October, law enforcement officials suspected Russian mobsters to be behind a major identity theft racket in Brighton, Massachusetts. This past year high-profile phishing attacks and e-mail scams have originated from Nigeria.
The Seattle Post-Intelligencer and Cox News Service provide an informative report on organized crime’s link to the Internet. Well-known organized rings such as the Gambino crime family have tried their hands at consumer fraud. Newer players from Russia, Africa, Argentina and elsewhere have thrown their hats into the ring as well.
The trend threatens our economy. Would-be entrepreneurs, established companies, and online consumers, all cowed by the specter of crime, may shy away from the Internet, delivering a blow to U.S. economic growth.
According to ABC News and others, ChoicePoint said the company would inform approximately 145,000 people spread across all 50 U.S. states, the District of Columbia, and three territories that thieves who fraudulently signed up with ChoicePoint may have stolen personal information.
ChoicePoint’s slow response and the massive scale of the crime have encouraged a California woman, as reported in the Los Angeles Business Journal and elsewhere, to sue ChoicePoint over the theft of her identity. Her suit could reach class-action status to cover the losses of the thousands others whose sensitive personal information may have been compromised.
Nobody should be surprised. While a low profile can help a criminal investigation, it is disconcerting for victims to learn how long ChoicePoint took to admit the crime’s full scale.
Questionable stock sales by executives at the company further fuel suspicions that ChoicePoint could have done more, and sooner, to protect the integrity of identities at risk. Again reported in AZCentral.com, ChoicePoint’s chief executive officer and the company’s president “made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people’s personal information may have been compromised and before the breach was made public.”
Tougher regulation is necessary
Clearly, the public cannot count on these companies, which have access to so much of our personal information, or law enforcement officials to alert consumers in a timely manner when security is breached. Business proprietors with so much at stake may put their own well being before others’.
As reported by CNET, Reuters, The Associated Press, and others, members of U.S. Congress have noticed. Reacting to the ChoicePoint debacle, Senator Charles Schumer (D-NY) has promised to introduce legislation to “curb” identity theft. FOX News reports that Democrats and Republicans alike have united to plan hearings into the latest industry shortcomings and what can be done to improve the system.
Centralization begets breaches
Centralization carries with it a false sense of security. Common sense says the fewer people who control a given repository, the less susceptible it will be to danger. The laws of averages say breaches will still happen, and when they do, watch out. Once the criminal compromises a highly secure centralized database’s security protocol, the information at his disposal is just as available to him as cash is to the Saturday evening thief who robs a convenience store at midnight—maybe even more so.
Centralized industries can also be at the mercy of their leaders’ whims, bureaucracies’ weaknesses, and systems’ shortcomings. Look at the food industry. As it has consolidated and centralized, people have warned of its susceptibility to terrorist attack—or plain old susceptibility, as evidenced by confirmed cases of mad cow disease.
Databases consolidate into fewer hands
This is not simply a question of consumers’ rights. It’s a matter of national security. Although these databases can help crime fighting, when they are compromised, national security is at risk.
The data mining industry is consolidating and centralizing like the food industry. ChoicePoint is one example of how large organizations are expanding control over people’s identities. Credit records, legal records, information on consumer habits and even the minutest details about people’s lives are all filing into a dwindling number of databases of increasing sizes that are becoming more susceptible to theft.
Identity theft threatens Homeland Security
As reported in The Washington Post and other publications, ChoicePoint and companies like it are beginning to operate as private intelligence services for national security and law enforcement tasks. In this capacity, these companies can circumvent privacy and information laws that constrain government bodies. By getting around these, they support Homeland Security activities.
FOX News reports that ChoicePoint is, in fact, a major government contractor providing important background check support to Homeland Security activities. In light of the company’s inability to secure its own database, observers have to wonder how safe any of us are. Security failures such as ChoicePoint’s will happen again. In fact, they already have; breaches such as the latest at Westlaw and BankAmerica will receive my attention in later columns. It is up to business leaders and government officials to clamp down on identity thieves and develop a strategy to let consumers know when their identities have been stolen.
Robert Siciliano Personal Security, Identity Theft Expert featured on CNN, FOX, MSNBC and CNBC. IDTheftSecurity.com