The chief executive of information broker ChoicePoint Inc. told interviewers last week that a recent security breach was the only such incident in the company's history, despite the fact that criminals had gained access to its database with similar methods at least once before.
"This is the first time that that kind of process has really happened for us," Derek Smith said in a Feb. 21 interview with Atlanta television station WXIA, referring to a 2004 case in which criminals pretended to have a legitimate need for financial data and tapped 145,000 personal records. A North Hollywood man has pleaded no contest to felony identity theft in the scam.
Smith and other executives of the Alpharetta, Ga.-based company declined Wednesday to answer questions about the earlier incident, reported Wednesday by The Times. A pair of fraud artists pleaded guilty in a 2002 case in which at least 7,000 ChoicePoint records were accessed, leading to what prosecutors said was at least $1 million in fraudulent purchases.
Members of the House Committee on Homeland Security said they planned to request today an investigation of ChoicePoint and other companies that sell personal information, including Social Security numbers and credit records.
Lawmakers also said they planned to introduce legislation in the House and Senate calling for increased Federal Trade Commission oversight of businesses that collect personal data and package it for sale to financial institutions, employers and other customers.
"The 2002 incident shows that ChoicePoint should have learned its lesson about security breaches," said Rep. Edward Markey (D-Mass). Markey said he would push for a bill that would make it a crime to sell Social Security numbers. "I've introduced this bill several times in the past without it passing, but the time has now arrived."
Rep. Loretta Sanchez (D-Garden Grove) said she worried that criminals might not be the only ones who could exploit security gaps at ChoicePoint.
"We are very concerned from a terrorist standpoint, as well as a privacy standpoint," said Sanchez, a member of the House Homeland Security committee. Despite the criticism, ChoicePoint executives Wednesday declined to say how the company had handled the incidents in 2002 and 2004 or whether there had been other leaks of private data.
Identity thieves typically use Social Security numbers and other confidential details to open credit accounts in the names of unsuspecting consumers, who often discover too late that fraudulent purchases were made in their names.
In a statement Wednesday, ChoicePoint reiterated a promise made last week that it would review many of its accounts to make sure its customers had legitimate need for the personal data they bought from the company. The company also said it was taking steps to protect its records by truncating sensitive details such as Social Security numbers and birthdates.
In the statement, ChoicePoint didn't acknowledge the 2002 incident or explain why its chief executive told WXIA and Associated Press last week that the recent case was the first.
The statement did express sympathy for people whose credit records were damaged through fraudulent use of ChoicePoint data in the most recent case. "We regret any consequences consumers may experience," it said. "We are doing everything we can to inform and assist those consumers."
Because of California law that went into effect in 2003, the company was required to inform 35,000 people in the state that their personal records might have been compromised. After demands from attorneys general across the nation, the company said it would notify an additional 110,000 people that their records could have been used by the scammers.
The law wasn't in effect when the earlier breach -- which received no public attention at the time -- resulted in two arrests in 2002.
Research analyst Avivah Litan of Gartner Inc. said that the services performed by companies such as ChoicePoint were so valued that it might get by with little need for damage control.
"The need for data systems like ChoicePoint is growing and it's not going away," Litan said. "When someone opens a bank account, gets an auto loan, applies for a mortgage -- there is a good chance their personal data is gotten from ChoicePoint or a company like them.
"The irony is that the information is also used for fraud protection. A bank will compare the information you give them with what's on record at ChoicePoint."
ChoicePoint shares fell 28 cents to $40.67 in trading Wednesday on the New York Stock Exchange, a drop of less than 1%. The stock has fallen nearly 11% since Feb. 14, just before the latest security breach became known.