Thursday, February 17, 2005

Is your data safe? How a high tech giant fell victim to low tech scamsters

I remember how frustrated our clients were when we first began asking them to provide documentation that they were indeed legitimate businesses. This was in response to then-new credit bureau rules requiring us to do so. Some bureau agreements even went so far as to require resellers to personally visit, or otherwise send someone to photograph, their client’s physical office facility. All of this was in the interest of protecting your personal consumer information. Ironically, your personal data would be safer today if ChoicePoint, one of the nation’s largest employment screening firms and resellers of consumer data, had followed its own rules. ChoicePoint was a subsidiary of credit behemoth Equifax until it was spun off in 1997.

“It was a simple scam”, says Russ Rosenberg, President of Asset Control. “You set up a bogus firm and mine for data under the guise of screening your own employees. I can’t see the scam having real legs unless the fraud artists set up multiple firms over a long period of time in order to enlarge the scope of the operation. If this is the case the scam could potentially affect tens of thousands of consumers or even more”, said Rosenberg. According to Bob Sullivan, MSNBC’s technology correspondent, about 50 fraudulent companies may have been identified so far. Additional media sources have recently reported that consumers in all 50 states may have been affected.

According to the industry’s own rule, each company would have had to provide specific documentation in order to show that the company was a legitimate business entity. “I can understand one or two companies slipping through the system,” said Rosenberg, “and then only long enough for the documentation to be reviewed. If fifty companies slipped by ChoicePoint’s scrutiny then I would have to believe it to be something else other than a fluke. The sad part is that ChoicePoint is a security services company when it comes right down to it”.

If the infiltration was electronic you could almost understand it. In fact, fraud artists, hackers and various virus purveyors find ways around the protections put in place by the most reputable of companies, such as Microsoft and others. But in this case, con artists wheeled an entire herd of Trojan horses right into ChoicePoint’s client list. A rather unsophisticated maneuver, but one the industry anticipated.

This is only the latest blunder, however. ChoicePoint has been on the hot seat before for security breaches that allowed millions of records containing personal identifying information to be sold via the internet, thus falling into unauthorized hands. In January 2000, the company was fired by the Pennsylvania Department of Transportation because it violated privacy / security stipulations in its contract. Because of the violation, the personal information of millions of Pennsylvania residents was offered for sale on the internet.

Hopefully, the FTC will apply the pressure where it is warranted and not on the vast majority of smaller agencies that are just trying to do a good job for their clients. The likely result of all of this, says Rosenberg, is that the multitude of smaller employment screening agencies will be placed under stricter guidelines, making it even more difficult for firms to provide their clients with the products and services they need.

Regardless of which background screening agency you use, we recommend that you closely examine their privacy policy. If they cannot produce one, this should be the first flag that something is wrong. Next, specifically ask if they have any agreements with other companies to sell or otherwise transfer your or your employees’ personal data for any purpose. Last, make certain that any web-based program the company uses to send or retrieve your searches is SSL-protected and that the company can demonstrate this.

To view Asset Control’s privacy policy go to http://www.assetcontrol.net/ and click on “Privacy Policy”.