ChoicePoint to pay $15 million over data breach

Majoras said ChoicePoint failed to properly verify the identity of customers when requesting consumer information, even after the firm received subpoenas from law enforcement about unauthorized activity. The company also ignored other warning signs, the FTC complaint says, including:

• Poor business verification documents, such as delinquent utility bills and residential telephone bills
• Documentation with multiple addresses that contradicted each other
• Illogical application information, such a tax registration information that showed the business or articles of incorporation that had been suspended
• Applications with critical information missing, such as business license number or the applicant's last name

The alleged crime ring also engaged in obvious suspicious behavior, the complaint alleges, such as:

• Furnishing a number of credit reports to an alleged apartment leasing agency that far exceeded the number of rental units the fake firm had indicated on its application
• Continuing to furnish reports even after the applicant's telephone had been disconnected
• Continuing to furnish reports even after the applicant's ChoicePoint account had been suspended for non-payment
• Working with applications even after employees identified application documentation as suspicious

ChoicePoint spokesman James Lee said the company denies several of those assertions as described by the FTC in the complaint — including the allegation that employees had raised red flags — but agreed to the settlement to "put the matter behind us."

Lee also said that the firm disputes the FTC assertion that there have been 800 ID theft victims as a result of the incident; he said only 16 victims have been positively identified.

'Drop in the bucket'
Elizabeth Rosen, the first consumer to step forward after receiving a letter from ChoicePoint indicating her information had been sold to criminals, was angry about the settlement. She said government officials should have contacted her, or other victims, before agreeing to its terms. While a $5 million fund for identity theft victims has been created, Rosen and most others won't qualify because she has yet to find evidence that anyone has opened financial accounts in her name — she only knows her identity was sold by ChoicePoint.

"Do I have to hire a private investigator to find out if I am a victim of identity theft? I get nothing out of this. There's no satisfaction here. I don't like that nobody got any of us involved," she said. "It's still in the back of my mind that someone could have taken out a mortgage in my name and I wouldn't know. ... I've reconciled myself to the fact that I'm nobody and nobody wants to protect me."

ChoicePoint did provide free credit monitoring service to data theft victims, but such services are not not foolproof.

BOB SULLIVAN ON CHOICEPOINT THEFT Database giant gives access to fake firms Read the Feb. 14 story that started it all Data theft affects 145,000 nationwide Suspect agrees to plea deal ChoicePoint files found riddled with errors No easy way to fix mistakes, either ChoicePoint CEO grilled by Congress Data broker backs some new regulations

The $10 million penalty is "a drop in the bucket," Rosen said, adding that ChoicePoint still has not told her exactly what information about her was sold to the criminals. The firm has merely sent her a generic background report.

Soon after ChoicePoint revealed the extent of the breach last year, authorities arrested Nigerian-born Olatunji Oluwatosin in connection with the incident. Last month, he plead guilty to charges of conspiracy and grand theft.  He is scheduled to be sentenced in February.

ChoicePoint also announced its quarterly results on Thursday. The firm said profits sunk by 29 percent. For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million, or 30 cents a share, compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago.

Since the ChoicePoint incident, dozens of companies have revealed similar security lapses to consumers. Researcher Larry Ponemon of the Ponemon Institute says about 1 in 9 adult U.S. citizens has received a letter indicating their data has been put at risk by a company.

The data leaks continue, however. In the latest incident, Ameriprise Financial Inc. said  Wednesday that a company laptop containing information about 158,000 of its clients had been stolen from an employee’s car.

The disclosures have led to a flurry of congressional hearings and several legislative initiatives.  None have yet reached a floor vote.

While admitting ChoicePoint's procedures needed fixing, Lee said the string of disclosures last year show the company was no different from many other firms that warehouse consumer data.

"At that time no one really knew the magnitude of the issues surrounding consumer information security," he said.  "We now know for sure this is not a ChoicePoint problem. This is an economy-wide problem, and we've addressed it."

MORE FROM SECURITY

Security Section Front

Red Tape: Your chance to spy on Google   Hacking ring caught in $9 million fraud Tagged.com settles with states in invite fight Framed for child porn — by a PC virus In China, battles over a new wall Spain: Internet-related child porn on the rise Google providing better view of personal data EU agrees on new Internet user rights Red Tape: ‘Fakeosphere’ ads target consumers Internet censorship limits could be set by WTO Security Section Front   Add Security headlines to your news reader: