06:27 PM
Connect Directly


Data aggregator made for a tempting target for identity thieves.

Criminals posing as legitimate companies were able to gain access to the names, addresses, Social Security numbers and credit reports of hundreds of thousands of consumers in the databases of ChoicePoint (Alpharetta, Ga.), an aggregator of consumer data. According to the company, at least 145,000 consumers could be affected.

The damage to the financial services industry could be profound, warns Mark Rasch, senior vice president and chief security counsel for Solutionary, Inc. (Omaha, Neb.), a managed security services company. "This undermines every single assumption that we make about identity and authentication," he says. "If you can get to a data aggregator, you can get to any bit of information [banks] can use to authenticate."

To the extent that identity thieves can compile a complete dossier on any given individual, that information can be used to impersonate someone for a wide range of criminal purposes. "If I get to an aggregator, I get personal information which I can use to apply for accounts — a passport, a birth certificate, and a driver's license," observes Rasch. "If I'm a terrorist, I'd much rather travel under someone else's name."

The Incident

In a release posted on ChoicePoint's Web site, the company stated: "This incident was not a breach of ChoicePoint's network or a 'hacking' incident and did not involve any of ChoicePoint's customer information."

The implication is that the thieves did not steal information about the specific banks, retailers, insurance companies, telecom companies and government agencies that do business with ChoicePoint.

Instead, the breach involved ChoicePoint's "inventory," which consists of consumer information compiled from various public-record sources, including credit reports, Social Security numbers, court records, criminal histories, license records and revocations, professional associations, purchase and sale information, liens, divorce proceedings and the like.

As required by state law under the California Security Breach Information Act (SB 1386), ChoicePoint has notified 35,000 California residents of the security breach. ChoicePoint has also said in its statement that it will notify approximately 110,000 customers outside of California, where disclosures of security breaches are not currently required.

The criminals obtained the information by creating fictitious companies and opening commercial relationships with ChoicePoint. "Where [ChoicePoint] apparently broke down is in the creation of accounts, in allowing people to create these accounts without any real background investigation-or [the criminals] were able to fool whatever background investigation they were able to do," notes Solutionary's Rasch.

Also, Rasch points out that ChoicePoint might have instituted better controls for detecting suspicious behavior by its commercial customers. "If I have a company with 200 employees, maybe I'll be doing six or seven background checks a month," says Rasch. "[The criminals] were literally going through tens of thousands of background checks. That should have been a trigger that they weren't just doing a background check - they were generating a database of personal information."

The gravity of this incident should lead to a national debate on the limits and allowable uses of personal information, observes Rasch. "We need better rules on what data aggregators can do," he says. "If they're going to have a business model to sell my data, they need to have the legal responsibility to protect it, and they need to have the responsibility, if there has been a breach, to fix the problem."

"There are benefits to the consumer for access to accurate public information," Rasch adds. "But it depends on accurate information, control over where it goes, and on only legitimate people having access."

The fallout from this incident may lead to calls for the United States to follow the lead of the European Union in terms of consumer privacy protections. "In the EU, there's this concept of ownership of data by the data subject, and the right to control the use of information by the data subject," notes Rasch. "In the U.S., what we've done is taken discrete types of information - health and financial - and wrapped protection around those."

ChoicePoint's financial services customers use the company's aggregated information for several legally-permissible reasons:

  • to conduct statistical analyses of consumer behavior for targeted marketing;
  • to conduct background searches on current and prospective employees;
  • to determine whether to extend credit;
  • to reevaluate a person's creditworthiness (and thus his or her credit terms) based on discrete events, such as a missed payment with a utility.
ChoicePoint representatives were not immediately available for comment.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.