Privacy in Peril

I know your name. I know where you live, and everywhere you've ever lived. I know when and where you were born. I know how many credit cards you have--and how good you are about paying them off. And I know all about your insurance claims, your work history, and whether you have a criminal record.

At least, I could uncover all of that, and a broad range of other sensitive personal information about you. All I'd have to do is pay between $10 and $50 to any of a vast number of online information brokers--companies such as Intelius and ZabaSearch, and larger firms like Acxiom and ChoicePoint--and in 15 minutes I'd have as much information about you as I could possibly want.

With a name, an address, and a Social Security number, a person can take out loans, open credit card accounts, lease an apartment, and commit crimes, all in your name. When their actions get confused with yours, you may get stuck with the bills or, in extreme cases, be arrested. That your data is readily available via the Internet only increases your vulnerability.

Information brokers gather incredible amounts of personal data--not just credit details--from many different sources, including private companies and government agencies; then they sell it to businesses, to law enforcement, or to anyone who can demonstrate a need that the brokers consider legitimate. The laws limiting what information can be sold and who can receive it are weak and narrowly focused, so for the most part each broker is free to formulate its own standards.

And not all of them safeguard your data as well as they could, as shown by a number of highly publicized fraudulent purchases from, and hacks into, some of the largest sellers of personal info--firms like Acxiom, ChoicePoint, and LexisNexis. In early 2005, ChoicePoint revealed that it had sold information on 145,000 consumers nationwide. Reportedly, the buyers posed as legitimate business customers but were members of a Nigerian organized-crime group. ChoicePoint says that criminal attempts were made to use the identities of approximately 750 consumers. LexisNexis reported that it had uncovered 59 incidents over a two-year period in which unauthorized persons had gained access to personal data on 310,000 people in the United States.

Mickey Martinez, a Yale University law student who is a plaintiff in a ChoicePoint class-action suit, says that he received a letter the broker sent out to warn people who were exposed to identity theft as a result of its breach. "I was just outraged. No matter how zealously careful you are, carelessness [by] one of these outfits potentially can put you at risk."

He adds that he's been careful to shred personal documents, tell credit agencies not to send him preapproved credit offers, and refrain from conducting financial transactions over his wireless network, and yet he was still exposed. ChoicePoint offered to pay for a year's worth of credit monitoring, which he thinks is insufficient. "At the very least, they should offer a lengthier period of monitoring, and [issue] some sort of statement of responsibility: If something goes wrong, they will take upon themselves the financial burden and the hassle of fixing it," he says.

Information brokers aren't alone. At this writing the Privacy Rights Clearinghouse lists some 80 breaches of data for over 50 million people since February. Among the most serious incidents: CardSystems, a credit card processor, unwittingly coughed up information on 40 million people to a hacker; and a CitiGroup subsidiary lost data on 3.9 million people when unencrypted backup tapes it had shipped via United Parcel Service went missing.

Nevertheless, information brokers have been catching the most flak recently. "The thing about a breach like ChoicePoint's is, it's so much more serious--because if organized crime buys the data, you can be pretty sure they're going to use it," says Garnet Steen, president of RelyData, a company that offers identity theft recovery services. "That's a little different from saying that a state university's database got hacked, when it could have been just some computer-science students flexing their muscles."

The real issue is not whether information brokers should have access to personal data--if you want to live, work, and purchase things in this country, such access is probably unavoidable--but whether they, and not you, should have ultimate control over who can see your information.
