Data collection firm warns Californians about stolen information

By: RACHEL KONRAD - AP Technology Writer | Wednesday, February 16, 2005 2:45 PM PST ∞

SAN FRANCISCO (AP) -- A company that collects consumer data warned thousands of Californians that thieves penetrated the company's computer network and may have stolen credit reports, Social Security numbers and other sensitive information.

ChoicePoint Inc., which sells such data to government agencies and a variety of companies, acknowledged Tuesday that several people broke into its computer database and purloined data from as many as 35,000 Californians.

Last fall, con artists apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts, said Chuck Jones, a spokesman for the Alpharetta, Ga.-based company. They opened about 50 accounts and received volumes of data on consumers, including names and addresses, important identification numbers and job histories.

The attack appears to have resulted in at least six cases of identity theft in Los Angeles County. It's unclear whether the data of people outside California was exposed. But law enforcement agents, who have arrested one person on six counts of theft, say hundreds of thousands of Americans elsewhere may be at risk.

ChoicePoint has not notified consumers in other states, nor is it working with law enforcement agents elsewhere, Jones said.

"California is the focus of the investigation, and we don't have any evidence to indicate at this point that the situation has spread beyond California," Jones said. "If at some point in time we get information that it's in other areas, we'll revisit the disclosure."

Jones said ChoicePoint officials do not define the data theft as a hacking -- a term typically used to describe breaches of a company's operating system or some other part of its network. In this case, professional con artists used stolen identities to open legitimate accounts and receive information from ChoicePoint's extensive consumer databases.

Security experts said the attack still exploited a vulnerability -- the company's apparent inability to distinguish real businesses from dummies. They also dismissed the notion that the data thieves would limit their attack geographically.

"I've never heard of a hacker doing something just to make a company comply with a state statute -- that's ridiculous," said Nick Akerman, partner and co-chairman of the computer fraud division of law firm Dorsey & Whitney. "It'd be like robbing a bank that wasn't FDIC insured so the robber wouldn't have to be prosecuted by the FBI."

When ChoicePoint discovered the crime in October, it closed the suspect accounts, restricted access, strengthened site verification, informed law enforcement agencies and cooperated in their investigation.

On Oct. 27, Los Angeles County sheriff's deputies arrested Olatunji Oluwatosin, 41, when the Nigerian national went to his office to receive a fax ostensibly from ChoicePoint. Police were waiting for the Hollywood resident at his office in Los Angeles. He's been in jail since then and is scheduled to appear Thursday in Los Angeles County Superior Court.

Agents believe several other people were involved, said Los Angeles County sheriff's Lt. Robert Costa, who heads the Southern California's High Tech Task Force Identity Theft Detail.

"It definitely could not have been limited to Southern California," Costa said.

ChoicePoint mailed notifications to Californians last week and continued to send the letters this week.

State residents were the only Americans notified because the state has a law requiring companies that do business with residents to warn them when they've had security breaches in corporate computer networks. Since the law took effect in July 2003, organizations have alerted customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

The bill defines "personal information" as an individual's first name or initial and last name, with one of the following: Social Security number; driver's license number; state identification number; or credit or debit card account number and security code. Except when disclosure would impede a criminal investigation, companies must notify consumers "in the most expedient time possible."

The law doesn't impose specific fines but makes companies with questionable computer networks more vulnerable to lawsuits and public scorn. If thieves gain access to data for 500,000 or more customers, the company must alert those people through e-mail, a "conspicuous" posting on a Web site and disclosure to a major media outlet.

Identity theft is the country's fastest-growing crime, and more than 9.9 million Americans were victims last year. The crimes cost a total of $5 billion, not including lost productivity, according to the U.S. Postal Inspection Service.

One of the biggest breaches happened in October, when a University of California network exposed personal data of 1.4 million Californians. The computer database in Berkeley contained names, addresses, phone numbers, Social Security numbers and birthdays of everyone who participated in a state in-home care program since 2001.

The ChoicePoint attack could galvanize support for a federal law protecting consumers from corporate security breaches. New Hampshire, New York and Texas are considering similar bills, and Sen. Dianne Feinstein, D-Calif., reintroduced legislation last month for a national version of the California law.

"This is a nightmare scenario for the company and for consumers," said Matt Stevens, chief technology officer at Network Intelligence Inc., a database security company in Westwood, Mass. "More of these incidences and people will wake up. Right now you've got people in Massachusetts saying, 'Hey, why am I less important than people in California?"'