More news outlets are finally covering this story (CNN, Reuters, ZDNet). Interesting, however, is that the AP story (picked up by the Washington Post, LA Times, and others) label the perpetrators as “hackers” who “penetrated the company’s computer network.” Nowhere in the original MSNBC article is there mention of the criminals hacking into a system. Rather, that reports indicates that “suspects had posed as a ChoicePoint client to gain access to the firm’s rich consumer databases.” Changing the story into some malicious hacker who infiltrated their computer seems to take ChoicePoint off the hook (except for thin database security), when they need to be held to task for not properly vetting the companies they contract with and allow access to their data.
Criminals tricked the company by posing as legitimate businesses to gain access to the various ChoicePoint databases, which contain a treasure trove of consumer data, including names, addresses, Social Security numbers, credit reports and other information. At least 50 suspicious accounts had been opened in the name of nonexistent debt collectors, insurance agencies and other companies, according to the company.
They also report that ChoicePoint has now disclosed that over 145,000 consumers might be affected, and that they will send notifications to the additional 110,000 (outside of California).
UPDATE: ChoicePoint’s website now mentions the situation, and they also acknolwedge that hackers were not involved:
This incident was not a breach of ChoicePoint’s network or a “hacking” incident…
UPDATE: Paul at Privacy Digest adds:
Using the word hacker to label the bad guys makes it sound like someone broke into the ChoicePoint system, not applied for and received an account which is what did actually happen. And its especially scary that it happened at ChoicePoint a company that provides authentication services for other organisations. Don’t they know who their own customers are?