Michael Zimmer.org

I used to work in the electronic payment processing industry, and was amazed at the amount of purchasing data that passed through our systems on a daily basis. My company was in a top 10 processor, with First Data Corp dominating the field. I recall seeing statistics that something like 1 in 3 credit card transactions somehow pass through First Data’s systems: they either processed the authorization, settled the transaction to the merchant, or provided services to the card issuing bank. With millions of transactions flowing through their servers each …

The AP is reporting that ChoicePoint will allow consumers to access and review their personal information on file with the data aggregation company.
“You will receive the reports that we have on you,” Don McGuffey, the firm’s vice president for data acquisition, told the state’s Senate’s Banking, Finance and Insurance Committee on Wednesday.
This is a promising step in addressing the many problems related to the ChoicePoint fiasco, but many questions remain:

Will I need to pay for reviewing my record?
How often can I view my record?
Will all information possessed by ChoicePoint about …

Finally, an encouraging development from the ChoicePoint fiasco. InfoWorld reports that ChoicePoint will stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement. Perhaps an end is near for the market of selling personal consumer information (including social security & drivers license numbers) to virtually anyone who wants it. From the article:
The company decided to stop selling sensitive data, such as Social Security numbers and driver’s license numbers after being tricked into divulging personal information …

ChoicePoint’s CISO, Richard Baich, is interviewed by SecuritySearch.com, where he makes his case that the ChoicePoint fiasco is not a security or hacking issue:
This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day. …This is a business process that failed. Before the media calls this a hack, it should get the facts straight. You could say they’re the same, they’re not.
I’ve made …

Bruce Schneier provides his thoughts on the ChoicePoint fiasco, noting that until companies like ChoicePoint are forced to absorb (financially) the full costs of ID theft, they’ll continue to treat our personal information merely as a commodity:
Identity theft is the fastest-growing crime in the U.S., and an enormous problem elsewhere in the world. It’s expensive — both in money and time — to the victims. And there’s not much people can do to stop it, as much of their personal identifying information is not under their control: it’s in …

Wired News reports that citizens who fall victim to ID theft becuase of the ChoicePoint debacle will find it difficult to recover damages for their losses if they decide to seek recourse against ChoicePoint:
Legal experts say that people who suffered losses as a result of the breach will find it difficult to get compensation from ChoicePoint for selling their personal data to con artists, even if the victims can prove that ChoicePoint was negligent in screening customers who purchased their data. That’s because courts have been unwilling to penalize companies …

In the aftermath of the ChoicePoint security breach(here and here), the Privacy Rights Clearinghouse has produced a lengthy page on what the incident means to you and what data aggregators like ChoicePoint may have on you:
Many consumers who contact the Privacy Rights Clearinghouse (PRC) wonder how data aggregators like ChoicePoint get their personal information and what they have on file about them. ChoicePoint compiles data from many sources including public records (court records, property tax assessor files, professional licenses, vehicle registration, bankruptcy records, and so on), along with credit reports, …

More news outlets are finally covering this story (CNN, Reuters, ZDNet). Interesting, however, is that the AP story (picked up by the Washington Post, LA Times, and others) label the perpetrators as “hackers” who “penetrated the company’s computer network.” Nowhere in the original MSNBC article is there mention of the criminals hacking into a system. Rather, that reports indicates that “suspects had posed as a ChoicePoint client to gain access to the firm’s rich consumer databases.” Changing the story into some malicious hacker who infiltrated their computer seems to take …

MSNBC reports that criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint. ChoicePoint collects information from public records (they have contracts with at least 35 federal agencies to share data with them) and then combines it with information from private detectives, the media, and credit reporting agencies. They’ve reportedly amassed a database of 10 billion records, indexed by peole’s SSNs.
The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information …