They've Got Your Number (and More)

A potential disaster has taken place. It has received virtually no attention. Only MSNBC has reported it. There is almost no discussion of it on the web. Had a specialist in communications issues not contacted me, I would not have heard about it.

You have probably not heard of ChoicePoint. Over the last twenty years, ChoicePoint has compiled a private data base on Americans that dwarfs anything the I.R.S. has. Unlike the I.R.S., ChoicePoint has a comprehensive computer system that is state of the art. The information covers name, address, Social Security, transactions, and much, much more.

Last week, the company notified over 30,000 people in California that it has experienced a breach in security. Hardly any of these people had ever heard of ChoicePoint.

But they are in bed with ChoicePoint, like it or not.

So are you. Here’s why:

ChoicePoint maintains a dossier on virtually every American consumer, according to Daniel J. Solove, George Washington University professor and author of The Digital Person.

The Atlanta-based company says it has 10 billion records on individuals and businesses, and sells data to 40 percent of the nation’s top 1,000 companies. It also has contracts with 35 government agencies, including several law enforcement agencies.

So, what exactly has happened? The company is not quite sure. Neither is the government.

Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, has learned.

The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies.

This information caught my attention. It apparently has not caught the attention of the major news media. For them, it’s a non-story, in part because the company so far has successfully downplayed it.

While the criminals had access to ChoicePoint data, it’s not clear what, if any, information was stolen, said Chuck Jones, another ChoicePoint spokesman. . . .

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee . . .

The words “may have been accessed” are not reassuring to me. I’m in the database. Now I wonder who has access to it.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

Why California? Because only California requires by law that data-gathering companies notify its citizens when a breach of security takes place. So, unless you live in California, you will not be notified.

What does it all mean? We aren’t sure yet. This much we know: the concerns that you have had about providing your Social Security number to strangers are now on the front burner. You have worried that someone might pass on this information to criminals, who would use this information to penetrate your accounts and start spending your money. It looks as though thieves got this information wholesale: a volume discount operation of historic proportions.

Subsequent research by ChoicePoint revealed that about 50 fake companies had been set up and then registered with ChoicePoint to access consumer data.

California consumers who received warning letters from the firm last week were “in some way connected to searches” conducted by those fake accounts, Lee said.


When did this happen? Last October. According to ChoicePoint, there was no announcement because law authorities prohibited it.

The incident was discovered in October, when ChoicePoint was contacted by a law enforcement agency investigating an identity theft crime. In that incident, suspects had posed as a ChoicePoint client to gain access to the firm’s rich consumer databases . . .

The firm was only given clearance by law enforcement officials to disclose the incident two weeks ago, Lee said.

The letters were sent as a precaution, he said.

A precaution? For what? For whom? If it’s a precaution for up to 35,000 Californians, then what about you? What about me? I don’t live in a “precautionary” state.

The letter urges consumers to check their credit reports for suspicious activity.

“We believe that several individuals, posing as legitimate business customers, recently committed fraud by claiming to have a lawful purpose for accessing information about individuals,” it reads. “You should continue to check your credit reports frequently for the next year.”

Next year? Next decade!

I think of Wilford Brimley’s line in Absence of Malice. His character was investigating a breach of security in a Federal prosecutor’s office. The local newspaper had picked up story after story. The bureaucrat in charge of the office admitted to a leak. Brimley, playing the ultimate good old boy Southern lawyer, responded:

A leak? You call what’s going on here a leak? Boy, the last time we had a leak like this, Noah built himself a boat.

The article went on to say that nothing much is being said by ChoicePoint.

The two-page letter offers details on how to spot fraud, but no additional information about the incident, or what information may have actually been stolen.

“ChoicePoint has apologized for any inconvenience this incident may cause,” said ChoicePoint spokesman Chuck Jones. “But ChoicePoint has no way of knowing whether anyone’s personal information actually has been accessed,” or used to commit identity theft, he added.

Here is what is arguably the largest data base company on earth. It can’t say what has or has not been breached. It is now four months after the breach took place.

Privacy consultant Larry Ponemon, who operates the Ponemon Institute, said he was surprised criminals were able to pose as ChoicePoint clients.

“What really concerns me is when low-tech methods are used to gain access, than you really have problems,” said. “Obviously this is very surprising, given that they are in the data business.”

Jones said ChoicePoint had adjusted its procedures to “help protect against a repeat” of the incident.

Somehow, this is not reassuring. “Locking the barn door after the horse has escaped” comes to mind.


Last week, I was asked several times to provide my Social Security number. I have moved, so I had to open new accounts. My bank required it — to keep the I.R.S. informed, if necessary. The phone company required it. The cable company required it to hook up my high speed Internet access.

Do they need my number? No. Why do they want it? To run a credit check on me. Our Social Security numbers are the key to credit checks. This lowers the cost of running a credit check. The problem is, it lowers the cost for running other surveys, and criminals now seem to be in possession of this information.

I am old enough to have a Social Security card that says, right on the front of the card, “For Social Security Purposes — Not for Identification.” Talk about the good old days!

When I told the girl at the cable company that I did not want to provide this number because of identity theft, she said she could not have agreed more. She had been ripped to the tune of $800 last year. She had given out her number, and someone at a company had passed it along.

To get your credit records sorted out after a major violation can take months. The paperwork is horrendous. Here is how the Federal Trade Commission describes the ordeal:

Identity theft is a serious crime. People whose identities have been stolen can spend months or years and thousands of dollars cleaning up the mess the thieves have made of a good name and credit record. In the meantime, victims of identity theft may lose job opportunities, be refused loans for education, housing, or cars, and even get arrested for crimes they didn’t commit. Humiliation, anger, and frustration are among the feelings victims experience as they navigate the process of rescuing their identity.

If it happens to you, here is where to start cleaning up the mess. First, go to the FTC’s page. Print it out. This will take a while. The steps you must take are numerous.

The Department of Justice has also put up a web page that outlines a parallel series of steps you should take. Just skim reading this page is enough to spoil your day.

A private organization, Privacy Rights, has also set up a web page with recommendations.

The loss of credit and the loss of time can be as devastating as the actual theft. In some cases, honest citizens get their identities mixed up with criminals. They have no peace until the system is fixed.

How much fixing does the system need now? ChoicePoint isn’t saying.

Yes, it would be a good idea to monitor your credit rating for a year. This will cost you up to $9 per report. A few states have mandated lower rates. You should check this page for the names and addresses of the three credit reporting firms, plus the prices in various states.

Under a new law, you are entitled to one free credit report per year. Depending on which region you live in, you may be eligible now. Regions are being phased in all year. For a map of which regions will become eligible when, click here.

You should know what your credit rating is anyway. I know mine because I recently purchased a home.

Problem: if too many inquiries are made, the companies’ computerized algorithms lower your credit rating, on the assumption that you’re trying to get too many loans, or maybe that businessmen don’t trust you. Who knows why?

Because of the breach of security at ChoicePoint, we should check our credit. That’s what the company told over 30,000 Californians. I take the warning seriously.

Pay close attention to your monthly bank statements. Anything suspicious should be traced down and, if identity theft has occurred, reported to the credit agencies and the Federal Trade Commission.

The full magnitude of the breach is not known yet. It seems to have been a low-cost heist. But the data may be used for purposes other then penny-ante dipping into particular bank accounts. Information can be used in other ways. Maybe it could be used for a gigantic direct-mail data base, to check who has how much money and should therefore receive which kinds of offers. I know I could use a list like that!


We’re losing our privacy. I don’t think there is much we can do about it. We can fight it when we can, but when the cost of something falls, more of it is demanded. The cost of invading our privacy is falling as never before. The ChoicePoint story is indicative. Here is a firm that has been legally gathering data and selling it for over two decades.

There is a website for computer professionals, Slashdot. They opened a forum on the ChoicePoint incident. They offered various complaints and technical suggestions, such as encryption. But one of them identified the big problem: the data are valuable, so they will be sold.

The problem with this is that you don’t own the data kept about you. You might have the right to view the data, but you don’t own it. Since just about forever, various companies have been tracking various info about people (buying habits, credit history etc.). They track these for their benefit (and their customers) — not yours.

When they lose the data, as far as they are concerned they have lost some of their business information (i.e. someone accessed their data without paying).

That the data is about you, and could be damaging to you is inconsequential to them. Anyone could have bought the data from them anyway.

We do not have ownership of our data. We share it when we buy, and those on the other side of the transaction are not prohibited from selling it in one form or other. Unless a society’s legal system defends property rights systematically, including our names, Social Security numbers, and records, these will be treated as public domain assets, available to the highest bidder. In some cases, the highest bidder is a government agency.

Our governments have been running a war on privacy for decades. Government agencies pay ChoicePoint to access its data. The company claims that it was a government agency that forced the firm to delay notifying residents in California.

The government is not only not protecting our privacy, it is paying millions of dollars to private firms that have reduced our privacy. It’s more efficient this way . . . unfortunately.

When the Federal government created the Social Security System in 1935, it created not only a fiscal nightmare, it created a privacy nightmare. The soothing warning on my Social Security card — “For Social Security Purposes — Not for Identification” — was comforting in my youth, but it has become meaningless. That all-pervasive number is just too tempting in an age of credit.


Not all of your money should be accessible digitally.

Not all of your digital money should be in accounts that you use often to make purchases. Transfer money from more secure accounts into less secure accounts.

You should use firewalls and other defensive measures, especially if you do on-line banking.

You should not keep financial information on a laptop.

But all of these precautions are undermined with respect to security breaches in distant firms that monitor what you do with digital money, day by day.

If any event, such as bank payments gridlock, ever paralyses the use of digital money for longer than a couple of weeks, the division of labor will collapse. Buying and selling will be with cash only. (Got any cash?) But those who survive the collapse will at least have greater privacy. Look on the bright side!

February 19, 2005

Gary North [send him mail] is the author of Mises on Money. Visit

Copyright © 2005