Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, Those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.

The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There’s some analysis of how hard it would be to read the tapes. I’m skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In “University of Miami reports stolen tapes affecting patients,” he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a “complex and proprietary format,” which seems to be “Tivoli Storage Management” from IBM. Now, Tivoli storage manager has encryption capabilities (page 3 of this PDF.) I’m curious why that wasn’t in use.

Also, looking around, I found this quote at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I’m skeptical of the University’s claims. I don’t believe, and I have not believed for a long time, that breach notices are about identity theft. They’re about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

ChoicePoint’s data quality

In a comment, Tom Lyons asked:

I have two clients who are asking me to investigate matters with Choice
Point as it relates to inaccurate employment records provide to
prospective employers. I am seeking persons who have similar
experiences to determine a “pattern and practice” on the part of Choice
Point.

I don’t know Mr. Lyons, but I can’t imagine anyone would object to “more informed, more timely decisions that positively impact society.” Feel free to get in touch with him.

Choicepoint’s Error Rate

Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, “Choicepoint gets a Makeover,” Choicepoint President Doug “Curling claims his company has a less than 1/10th of 1 percent error rate.”

Now WATE in Knoxville, TN, reports that “Anderson Co. man finds credit report error:”

At his insurance company’s request, ChoicePoint gathered the sum total of Ray’s credit, what he owes for his car, his house, credit cards and other purchases. “It says my grand total of indebtedness is $426,000. That’s about five times what I currently owe,” Ray says.

Some debts Ray paid off showed as though they hadn’t been paid at all. “This was a boat loan” for $50,000, Ray says. “I paid it off over a year ago.”

He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. “My data had not been updated. It was incorrect. My employer was incorrect,” Ray says.

ChoicePoint disputes that any errors were made.

See also my May 2005 posting, “Choicepoint Analyses:”

Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the “garbage in, garbage out” problem, has been defined away.

and finally, don’t forget Deborah Pierce’s work in “Data Aggregators:
A Study of Data Quality and Responsiveness
:”

100% of the reports given out by ChoicePoint had at least one error in them.

The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.

[Update: Just after posting this, I came across “Where’s Waldo? Spotting the Terrorist using Data Broker Information:”

In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

Good thing Ray’s inaccurate data was “only” used to deny him credit.]

[Update 2: Choicepoint’s Chuck Jones disagrees; please see comments.]

“Free the Grapes” Externalizes Risk

grape-press.jpgOr so “Shipcompliant” would have us believe, with a blog post entitled “Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices.”

The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.

So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:

Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.

So there’s no reason to add this step. The very next step ensures that wine won’t get into the hands of our corruptable youth.

This is two steps backwards: We’re creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that’s already covered.

Free the grapes? How about free the people from this nonsense?

Photo: “A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)” by mharrsch.

Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:”

ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.

Choicepoints losses are a severe outlier. As I said in March, 2005, “Why Choicepoint Resonates:

It’s now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers.

I still think my analysis is decent, and that any serious statistical analysis of breach costs must show “without Choicepoint” numbers.

[Update: Clarified title, which attributed all expenses to the breach.]

Fines, Settlements in Privacy Invasions

peeping-dog.jpgTopping the list, Vodaphone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodaphone fined” at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. (“Driver Data Lawsuits Settlement Proposed.”)

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.

Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money:

Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP on Wednesday that “law enforcement is still identifying victims and we want to make sure we have the right people.”

(From the AP, “FTC Yet To Pay Choicepoint Victims.”)

Choicepoint, while we’re correcting errors

A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see “Job seeker loses opportunity after inaccurate background check” for details:

“Well, first they said, ‘Something was wrong with your background check,'” she said. “I said, ‘What is wrong with it? What is wrong with my background check?'”

ChoicePoint found out that Smith was convicted of identity theft 10 years ago and sentenced to three years’ probation.

The problem? It wasn’t the correct Smith.

Oh, the irony.