State officials push ChoicePoint on ID theft notifications

Computerworld - Credit and personal information vendor ChoicePoint Inc. has reached an agreement with 19 state attorneys general to notify 145,000 consumers whose personal information may have been stolen by identity thieves.
In an announcement Wednesday, Illinois Attorney General Lisa Madigan and 18 other state attorneys general sent a letter to Atlanta-based ChoicePoint, asking the company to immediately provide as much detail as possible to anyone whose personal information might have been compromised, including when and where it occurred.
The company should also urge affected consumers to check their credit reports immediately to ensure that fraudulent activity has not occurred, the letter said.
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to grant loans, leases and other contracts.
In a statement that same day, ChoicePoint said it is continuing to work with local and federal law enforcement agencies to investigate the alleged data-theft incident, which occurred last fall. The incident wasn't disclosed publicly until this week to allow law enforcement officials to continue their investigation, according to the company.
ChoicePoint said the data theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
So far, ChoicePoint has notified approximately 35,000 California residents that personal information -- including names, Social Security numbers, credit reports and other data -- may have been accessed by the thieves.
The company said it will also notify another 110,000 consumers outside of California about the incident. About 750 people so far have been victims of identity theft in connection with the case, according to the company.
"This incident was not a breach of ChoicePoint's network or a 'hacking' incident and did not involve any of ChoicePoint's customer information," the company said. "Nevertheless, this is a serious issue which ChoicePoint is addressing aggressively."
A spokesman for the company couldn't be reached today.
The data thieves apparently posed as legitimate business customers to gain access to information about consumers, according to ChoicePoint. "Financial fraud conducted by seemingly legitimate businesses is a pervasive problem in the economy," the company said. "While ChoicePoint offers a wide range of tools to help detect fraud, no one -- including us -- is immune from it."
Gail O'Connor, a spokeswoman for Illinois AG Madigan, said today that the company is also being asked to meet with the attorneys general to discuss how the incident happened and how to prevent it from being repeated. That meeting has not yet been set up, she said.
Other attorneys generalsigning the letter were from Alaska, Arizona, Connecticut, Florida, Idaho, Indiana, Iowa, Maryland, Massachusetts, Michigan, Ohio, Oregon, New York, North Carolina, North Dakota, South Dakota, Vermont and Washington.
California is the only state so far with laws requiring companies to notify residents in the event of a security breach involving personal financial data.
"Identity theft threatens a consumer's financial health, credit rating and peace of mind," Madigan said in the letter. "I will work to help make sure that ChoicePoint does the right thing by informing Illinoisans of any financial or identity theft risks they may face."

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.