Identity Theft for Fun and Profit


bIPlog’ Tara Wheatland explains how much of the news reporting has completely missed the point of the ChoicePoint scandal– it is not hacking, but the company’s practices and policy. Un-Spinning the ChoicePoint Scandal:

The persons, admittedly criminals, who gained access to “critical personal data” on hundreds of thousands of U.S. citizens did not steal the data–ChoicePoint sold it to them.… So what went wrong here, putting aside the use the criminals made of the information gained from ChoicePoint? The criminals did not hack into ChoicePoint databases, nor did they, by common definition, “steal” any information. The main problem was arguably on ChoicePoint’s end–the criminals successfully circumvented ChoicePoint’s “tests” for legitimacy of purpose.

EPIC has more info concerning ChoicePoint
Bruce Schneier looks at ChoicePoint’s 8K filing and finds: ChoicePoint Says “Please Regulate Me”: “ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it’s not doing any work to determine if more than 145,000 customers were affected — or if any customers before July 1, 2003 were affected — because there’s no law compelling it to do so.”
MSNBC reports that ChoicePoint data is often riddled with errors.
Today, the NY Times reports on a theft of personal data from LexisNexis, and it’s not merely some students’ rewards points balances: Consumer Data Is Stolen From LexisNexis Unit

The British-Dutch publisher Reed Elsevier said today that hackers had stolen identification and passwords from the government records unit of its LexisNexis division and may have fraudulently used that data to obtain further information about as many as 32,000 people in the United States. The LexisNexis unit, Seisint, which Reed Elsevier purchased in July 2004 for $775 million, consolidates records from government offices in the United States.

LexisNexis responds: LexisNexis investigates compromised customer IDs and passwords to Seisint U.S. consumer data: “Reed Elsevier today announced that LexisNexis, its global legal and business information business, has identified a number of incidents of potentially fraudulent access to information about U.S. individuals at its recently acquired Seisint unit. The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers.”

Andrew Raff @andrewraff