The ChoicePoint Data Security Breach: What It Means for You

 Update: April 20, 2005

 

Note: As a result of the February 2005 breach, ChoicePoint implemented a number of privacy policies and procedures. Visit: www.privacyatchoicepoint.com.

 

Data aggregators compile in-depth dossiers of personal information on almost everyone, even though many have never heard of them, have never had an account with them, nor have given them permission to obtain personal information. Until recently, many Americans had never heard of ChoicePoint, one of the largest data aggregators. But with recent information coming to light that identity thieves opened 50 accounts to access ChoicePoint’s databases of personal information, many people are just realizing that companies like ChoicePoint exist. (See www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html)

 

Choicepoint is one of the largest data aggregators and resellers in the country. It compiles, stores, and sells information about virtually every U.S. adult. Its customers include employers, debt collectors, loan officers, media organizations, law offices, law enforcement, among others. The identity thieves who obtained ChoicePoint accounts through the establishment of fake businesses had the information equivalent of the key to Fort Knox. With their online access to ChoicePoint’s data files, they were able to obtain all the personal information they needed – including Social Security numbers and date of birth – to successfully commit identity theft.

 

Many consumers who contact the Privacy Rights Clearinghouse (PRC) wonder how data aggregators like ChoicePoint get their personal information and what they have on file about them. ChoicePoint compiles data from many sources including public records (property tax assessor files, professional licenses, vehicle registration, bankruptcy records, and so on), along with credit reports, and consumer demographic and lifestyle data. Many consumers are aware of their credit report, but most probably do not know that ChoicePoint offers other types of consumer reports – employment background checks, tenant rental history, and insurance claims.

 

In fact, consumers nationwide can get a free copy of these reports maintained by ChoicePoint if a prospective employer, landlord or insurer used ChoicePoint’s services for screening purposes. So, if you are wondering what kind of information ChoicePoint has about you, now’s a good opportunity to find out.

 

If ChoicePoint has compiled one of these reports about you, you can get a free copy:

According to ChoicePoint, their tenant rental history includes landlord debt, criminal, eviction, registered sex offender and FBI searches. Their employment background check report includes information on arrest and conviction history including fugitive files, state and county criminal record repositories, prison, parole and release files from state Department of Corrections, Administrative Office of Courts and other state agencies, in addition to credit history, employment verification, education verification, license credentials and certification verification, and business or personal reference verification.

 

If an individual’s background check, tenant history or insurance claims were accessed through a company other than ChoicePoint, consumers are entitled to a free copy of their report from that company. The following PRC fact sheets contain additional information about these other types of consumer reports such as CLUE insurance reports and background checks.

  • PRC Fact Sheet 6(b), The “Other” Consumer Reports: What You Should Know about “Specialty” Reports
  • PRC’s Fact Sheet 26, CLUE and You: How Insurers Size You Up
  • PRC’s Fact Sheet 16, Employment Background Checks: A Jobseeker's Guide

ChoicePoint also provides a report of public records information. It enables individuals to get a free copy of their own record, if one exists in their data files.

 

In addition to ChoicePoint, many data brokers sell public records information on the Internet. Consumers often contact the PRC to ask how their public records information ends up in the hands of these companies and if there’s a way to opt out of it. The PRC has two publications that address this topic. The first is our fact sheet 11, From Cradle to Grave: Government Records and Your Privacy. We have also compiled a list of online information brokers, along with the limited opt-out opportunities that they offer.

If you received a letter from ChoicePoint, informing you that your information was obtained illegitimately by members of the crime ring, you will want to establish a fraud alert with the three credit bureaus right away -- Experian, Equifax, and TransUnion. You can call one of them, and that bureau will share your fraud alert request with the other two. Here are the phone numbers for the fraud departments:

  • Equifax: Report fraud: Call (888) 766-0008
  • Experian (formerly TRW): Report fraud: Call (888) EXPERIAN (888-397-3742)
  • TransUnion: Report fraud: Call (800) 680-7289

You will receive a letter from each of the bureaus that informs you that you can order a free copy of your credit report. Be sure to take advantage of that offer. Once you've received your credit report from each of the bureaus, check it very carefully for signs of fraud. If you notice credit accounts that are not yours, or if you see inquiries that you did not initiate, it's a good indication that you are a victim of identity theft. You will then need to follow the instructions for identity theft victims offered by the Federal Trade Commission.

 

Though ChoicePoint is providing credit monitoring services for victims, this service is only offered for one year. Those who received a security breach notice from ChoicePoint can establish a similar form of credit monitoring once ChoicePoint's credit monitoring service expires by staggering access to their free annual credit reports. Available to consumers nationwide as of September 1, 2005, individuals are able to order one of their credit reports every four months and can do so to better monitor their credit report for possible identity theft after the credit monitoring service has ended. Visit: www.annualcreditreport.com.

Another California law that comes into play with the ChoicePoint situation is the "security freeze" law. It enables individuals in California to essentially "shut off" their credit reports. If an identity thief were to attempt to open credit fraudulently, they would be unable to do so because the credit issuer would be unable to access the victim's credit report. To learn more about the California security freeze law, visit the California Office of Privacy Protection web site and read this guide: www.privacy.ca.gov/sheets/cis10securityfreeze.pdf

 

For information on the security freeze laws in other states, visit: www.consumersunion.org/campaigns//learn_more/003484indiv.html

 

A book by Washington Post reporter Robert O’Harrow, No Place to Hide, provides extensive information about the data compiler industry, with company profiles on ChoicePoint, Acxiom, and Lexis-Nexis.

 

UPDATE: March 9, 2005
LexisNexis announced today that 32,000 consumers personal information including names, addresses and Social Security numbers were illegally accessed by using the user name and passwords of a company that has a contract with the data aggregator. The company is sending notices to all who were affected and is providing credit monitoring services. The instructions posted above for those who received a notice from ChoicePoint, also applies to those who received notification from LexisNexis.

 

UPDATE: March 17, 2005

EPIC, the PRC and other consumer organizations criticized FTC Chairman Deborah Platt Majoras's testimony on commercial data broker Choicepoint to the House Energy and Commerce Committee. To read their letter to the Chairman, go to www.epic.org/privacy/choicepoint/majorasltr3.17.05.pdf.

 

UPDATE: April 20, 2005

The PRC maintains a running list of the numerous data breaches that have been reported since 2005 and the number of records compromised.