Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, Those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.

The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There’s some analysis of how hard it would be to read the tapes. I’m skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In “University of Miami reports stolen tapes affecting patients,” he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a “complex and proprietary format,” which seems to be “Tivoli Storage Management” from IBM. Now, Tivoli storage manager has encryption capabilities (page 3 of this PDF.) I’m curious why that wasn’t in use.

Also, looking around, I found this quote at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I’m skeptical of the University’s claims. I don’t believe, and I have not believed for a long time, that breach notices are about identity theft. They’re about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

ChoicePoint’s data quality

In a comment, Tom Lyons asked:

I have two clients who are asking me to investigate matters with Choice
Point as it relates to inaccurate employment records provide to
prospective employers. I am seeking persons who have similar
experiences to determine a “pattern and practice” on the part of Choice

I don’t know Mr. Lyons, but I can’t imagine anyone would object to “more informed, more timely decisions that positively impact society.” Feel free to get in touch with him.

Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.”

Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:”

At his insurance company’s request, ChoicePoint gathered the sum total of Ray’s credit, what he owes for his car, his house, credit cards and other purchases. “It says my grand total of indebtedness is $426,000. That’s about five times what I currently owe,” Ray says.

Some debts Ray paid off showed as though they hadn’t been paid at all. “This was a boat loan” for $50,000, Ray says. “I paid it off over a year ago.”

He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. “My data had not been updated. It was incorrect. My employer was incorrect,” Ray says.

ChoicePoint disputes that any errors were made.

See also my May 2005 posting, “Choicepoint Analyses:”

Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the “garbage in, garbage out” problem, has been defined away.

and finally, don’t forget Deborah Pierce’s work in “Data Aggregators:
A Study of Data Quality and Responsiveness

100% of the reports given out by ChoicePoint had at least one error in them.

The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.

[Update: Just after posting this, I came across “Where’s Waldo? Spotting the Terrorist using Data Broker Information:”

In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

Good thing Ray’s inaccurate data was “only” used to deny him credit.]

[Update 2: Choicepoint’s Chuck Jones disagrees; please see comments.]

“Free the Grapes” Externalizes Risk

grape-press.jpgOr so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.”

The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.

So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:

Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.

So there’s no reason to add this step. The very next step ensures that wine won’t get into the hands of our corruptable youth.

This is two steps backwards: We’re creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that’s already covered.

Free the grapes? How about free the people from this nonsense?

Photo: “A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)” by mharrsch.

Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:”

ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.

Choicepoints losses are a severe outlier. As I said in March, 2005, “Why Choicepoint Resonates:

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers.

I still think my analysis is decent, and that any serious statistical analysis of breach costs must show “without Choicepoint” numbers.

[Update: Clarified title, which attributed all expenses to the breach.]

Fines, Settlements in Privacy Invasions

peeping-dog.jpgTopping the list, Vodaphone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodaphone fined” at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. (“Driver Data Lawsuits Settlement Proposed.”)

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.

Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money:

Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP on Wednesday that “law enforcement is still identifying victims and we want to make sure we have the right people.”

(From the AP, “FTC Yet To Pay Choicepoint Victims.”)

Choicepoint, while we’re correcting errors

A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details:

“Well, first they said, ‘Something was wrong with your background check,'” she said. “I said, ‘What is wrong with it? What is wrong with my background check?'”

ChoicePoint found out that Smith was convicted of identity theft 10 years ago and sentenced to three years’ probation.

The problem? It wasn’t the correct Smith.

Oh, the irony.

Choicepoint Correction

In response to “Choicepoint Spins off Three Businesses,” Choicepoint spokesperson Matt Furman sent the following:

It is factually incorrect to describe ChoicePoint or its subsidiary,
Bode Technology Group, as attempting to “amass a DNA database.” Bode’s
clients are almost entirely government laboratories that are trying to
solve crimes and identify victims as well as felony offenders. The
samples provided to Bode for analysis are identified by a case number
and Bode’s work does not reveal information about race, hair or eye
color, national origin or medical conditions. DNA analysis is done
simply to develop a profile that can be used to determine if two people
are related or the sample matches a suspect. In no circumstance,
however, does Bode “own” any data, samples or any other material and
never maintains permanent custody of any sample.

The only centralized databases of DNA profiles are managed by the FBI
and its counterparts in the states, not by Bode. Bode is not now nor
has it ever been in the business of amassing DNA data and selling it
wholesale or otherwise to any government agency. Instead, the men and
women of Bode are responsible for making DNA-based identifications where
no one else has been able and bringing criminals to account for their

Matt actually sent that over two weeks ago, and I have a number of operational questions about it, such as: Is the data identified only by a case number? Could it be correlated with other data? Is the question of relation given as “sample A, sample B?” or is one sample named? What data does Bode retain after the sample is destroyed or returned? Presumably, there’s some data kept to enable Bode or its representatives to testify in court. However, I’m swamped with other things, and despite my interest in the questions, I don’t have a lot of time to pursue them.

However, I remain glad that “amassing a DNA database and selling the contents to the government is something even Choicepoint doesn’t expect will become profitable,” even if that was a mis-understanding of their plans.

Choicepoint Spins off 3 Businesses

From their press release:

ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint’s ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint’s direct marketing, forensic DNA and shareholder services businesses.

I’m glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn’t expect will become profitable. I’m also glad that they’re owning up to mistakes. Now lets see if we can see some fair information practices around the rest of their services.

See other analysis in Direct Marketing News or the Boston Globe.

What Choicepoint Learned

Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company’s CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly “to ensure we’re hitting every aspect of security and privacy,” says DiBattiste.

“One of the lessons we learned is that security is a moving target,” she says. “The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond.”

So ends an article “Choicepoint’s Lessons Learned” in Baseline.

They learned that in 2006?

Maybe they should be attending Blackhat, or Defcon. I hear tell Defcon has some ATMs that they could use.

The FBI’s Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on

A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no “systemic” use of data brokers by the FBI.

That’s from the CSO Blog, “Data Brokers May Act Illegally.” In other news, “ChoicePoint-FBI Deal Raises New Privacy Questions.”

So what are we paying for?

How Damaging is a Breach?

overflowing-dam.jpgPete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.

For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don’t know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse “Chronology of Data Breaches,” and’s Dataloss list. There are also regular reports through ISN, and Dave Farber’s Interesting People List.

While we’re happy that there are amateur efforts, it’s hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who’s gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.

Dam Water” photo by Ed Hidden.