MSNBC reports that criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint. ChoicePoint collects information from public records (they have contracts with at least 35 federal agencies to share data with them) and then combines it with information from private detectives, the media, and credit reporting agencies. They’ve reportedly amassed a database of 10 billion records, indexed by peole’s SSNs.
The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies.
Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.
California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.
The article notes that this happened in October, 2004 – and we’re just finding out about it today. There is no way of telling if citizens outside of California are in danger – and as of right now, no notice or warning appears on ChoicePoint’s website.
An important step towards better privacy protections would be to require any firm who aggregates personal information (such as ChoicePoint) to notify consumer of any use of that information, least of which being when such information is stolen
UPDATE: Paul from Privacy Digest adds (via e-mail): “If California didn’t have that notification law we probably still wouldn’t know about the exploit.”