When word first emerged this week that still-unknown scammers had illegally obtained detailed dossiers on 35,000 people by posing as legitimate customers of ChoicePoint, the company portrayed it as a relatively minor criminal case, limited to California.
But by week's end, it was shaping up to be a full-blown scandal with as many as a half million people nationwide potentially vulnerable to identity theft.
Outraged, attorneys general from 38 states demanded that ChoicePoint warn any victims in their states as well, and politicians, consumer advocates and security experts called for more federal oversight of a lightly regulated industry that gathers and sells personal data about nearly every adult American.
The task force leader, sheriff's lieutenant Robert Costa, said the number of people vulnerable to identity theft in the case could reach 500,000.
That's a much higher number than the latest estimate acknowledged by ChoicePoint, which belatedly sent warning letters to a total of 145,000 people in various states after a chorus of complaints.
The volume of data compromised was so huge that deputies are almost certain that a 41-year-old Nigerian man sentenced Thursday to 16 months in jail in the scam did not act alone.
The man, Olatunji Oluwatosin, was arrested on Oct. 27 when ChoicePoint faxed him some paperwork at a Kinko's store in a sting operation. He pleaded no contest and did not agree to help authorities in the probe.
"We were victimized by some extremely well organized criminals," ChoicePoint spokesman Chuck Jones said.
An Alpharetta, Ga.-based spinoff from the credit-reporting giant Equifax, ChoicePoint maintains databases that hold 19 billion Social Security numbers, credit and medical histories, motor vehicle registrations, job applications, lawsuits, criminal files, professional licenses and other pieces of sensitive information. ChoicePoint also owns a DNA analysis lab and facilitates drug testing for employers.
But ChoicePoint and other privately owned aggregators of personal information operate with virtually no federal oversight, and critics say the companies haven't done enough to safeguard their information-rich databases.
Word of the identity theft case got out after ChoicePoint sent warning letters last week to people in California, the only state with a law requiring disclosure of such security breaches to people whose identities are threatened. But ChoicePoint said it discovered the breach in October, when the Los Angeles County Sheriff's Department began investigating one case of identity theft.
Jones initially told The Associated Press on Tuesday that ChoicePoint had not alerted the FBI or other federal law enforcement agencies, and that "we don't have any evidence to indicate at this point that the situation has spread beyond California."
But security experts scoffed at that idea, and other states' politicians quickly demanded the same consideration for their residents that Californians were getting.
On Wednesday, Sen. Dianne Feinstein, D-Calif., called for hearings on her proposed national version of the California law, while Sen. Bill Nelson, D-Fla., asked federal regulators Friday to oversee data-brokering companies the same way they do other companies that handle financial and medical records.
New York state legislator James Brennan asked his state to suspend an $800,000 ChoicePoint contract until the company agreed to warn any New York residents whose data might have been exposed.
ChoicePoint eventually decided to send letters to 110,000 more people around the country, an unprecedented move for the company, but "the right thing to do" in this case, Jones said.
Victims should receive letters within a few weeks, Jones said, and immediately check credit histories for suspicious activity. The company also plans to release a list of states affected in the next several days.
Costa, who runs Southern California's High Tech Task Force Identity Theft Detail, said the estimate that as many as 500,000 people may be threatened is based on records his department subpoenaed from ChoicePoint.
Costa also said that the FBI, the Secret Service and U.S. Immigration and Customs Enforcement, the largest investigative arm of the Department of Homeland Security, have now contacted his department to join the probe.
Citing the ongoing investigation, ChoicePoint won't speak publicly about details of the scam or discuss any security measures added since the breach.
Costa says he can't reveal many details either. But some details have been released.
Using stolen identities and faxing applications to ChoicePoint from Kinko's stores, the thieves opened up 50 accounts and for months received volumes of data on consumers, including names, addresses, credit reports and Social Security numbers (all the data needed to get credit in someone else's name).
The ring also set up commercial mail-receiving locations in places such as Mail Boxes Etc., where deputies found redirected mail for more than 700 people, everything from personal letters to junk mail to the credit card applications that are like gold for con artists, Costa said.
ChoicePoint had required the con artists to fax copies of business licenses, and verified through a background check that licenses were valid for nonbank financial institutions. But they didn't perform physical checks or visit the addresses, as they sometimes do, to make sure they were legitimate.
Computer experts worry that ChoicePoint and other companies that specialize in gathering and selling private information still aren't sufficiently protecting it from unauthorized uses.
"Most financial organizations have very sophisticated fraud detection algorithms to minimize the impact to the end user; why couldn't this company have the same type of controls?" asked Joseph Ansanelli, a member of the Financial Services Information Security Analysis Center who has testified before Congress on identity theft and consumer data privacy. "Even if the criminals misrepresented themselves to do fraud, there are fraud detection programs that could kick in at that point."
*** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, Associated Press.
[TELECOM Digest Editor's Note: My very strong recommendation is do NOT assume Choice Point/Equifax will do anything more than absolutely required under the law on this matter. I suggest **everyone** send a letter to Choice Point/Equifax demanding a current copy of their credit report, and do so frequently over the next year or two to see how this thing plays out. Look over the reports you receive very closely, and dispute any derogatory item on your report. The law does require credit bureaus to investigate every consumer dispute and remove every derogatory item which the creditor is unable to prove (or neglects to respond to) in a timely way. As people find out they have been victimized, I also suggest a class action lawsuit against Choice Point/Equifax, if those are still allowed, however President Bush is working hard to eliminate your right to file suit against corporations which have wronged you. But I do recommend you look into this ASAP, not relying on the credit bureau to tell you about it. PAT]