Saturday, February 26, 2005

US bank 'loses' customer details

Hot on the heels of the ChoicePoint case (see below), another large-scale problem with customer data being compromised: as the BBC reports, the Bank of America has revealed it has lost computer tapes containing account details of more than one million customers who are US federal employees. Apparently the tapes went missing while being shipped to a back-up data centre.

The interesting things is that several members of the US Senate are among those affected, who could now be vulnerable to identity theft. Details of Vermont Senator Pat Leahy's credit card account are among those missing, the Senator's spokeswoman Tracy Schmaler said.

This will certainly increase the Senate's propensity to hold hearings on this problem…

Friday, February 25, 2005

U.S. Congress to hold hearings in ChoicePoint case

As CBS reports, a Senate committee said it will hold hearings on identity theft and information brokers. This follows the revelation that a databank of ChoicePoint (see previous blog entry) with information on millions of people was accessed by criminals.

The report also states that California authorities estimate the number of people affected by the breach is 500,000 rather than the 144,778 ChoicePoint has stated so far.

The fate of one person affected, a retired banker, and described in the report makes instructive reading to find out just what horrible (and long term!) consequences such an event can have. Democrat Senators Dianne Feinstein of California and Charles Schumer of New York are planning to introduce legislation to alter the situation.

Saturday, February 19, 2005

ChoicePoint, ID theft and Californian Law

The dangers of large scale collections of private citizens' data became evident again today. As CNN and others have reported, U.S. firm ChoicePoint was tricked into disclosing information (names, addresses, Social Security Numbers etc.) about 140,000 people in the United States. ChoicePoint had initially denied that anything untoward had happened to its data, but a Californian law mandates it to disclose the problems it had by being tricked into by criminals who posed as customers. Apparently ChoicePoint was less than careful in ascertaining the identities of their customers. (See also the story on Slashdot here and here which claims that no less than 750 cases of identity theft have resulted from this).

This is ironic since ChoicePoint claims to have in its possession no less than 19 billion public records, including driving records, sex-offender lists and FBI lists of wanted criminals and suspected terrorists. It also maintains personal profiles of nearly every U.S. consumer, which it sells to employers, landlords, marketing companies and about 35 U.S. government agencies.

The Alpharetta, Ga.-based firm notoriously during the 2000 presidential election had given Florida officials a list with the names of 8,000 ex-felons to “scrub” from their list of voters. But it turned out none on the list were guilty of felonies, only misdemeanors.

Update: ChoicePoint's own information on the event is here. It confirms the number given above of so far 750 cases of identity theft. In addition, the webpage also gives a breakdown of cases on a state-by-state basis and the total as 144,778.

Further update: WiredNews reports that a Californian woman has filed the first lawsuit against ChoicePoint for fraud and negligence in this case. Maybe this will help establish some sort of data protection regulation in the private sector that (in an encompassing way) is so far lacking in the U.S. -- especially if this lawsuit is granted class-action status.

Yet another update: The Electronic Privacy Information Center has created a special webpage with information on the ChoicePoint case.

Tuesday, February 01, 2005

UK ID card bill about to be passed in House of Commons

Concerning the aforementioned UK Identity Card Bill, Spy Blog reports that it has finished its House of Commons Committee stage, with virtually no amendments, and it looks as if the Report and Third Reading are provisionally set to be on Thursday 10th February 2005 -- i.e. next week.

Thanks to new “Freedom of Information” legislation that was introduced in the UK, it is now possible to learn more about the goings-on of the bureaucratic-legislative machinery. A request has made clear that there is heavy involvement of consulting firms (who charge an enormous amount of money for their services) in the ID card process, and more than 60 meetings with the business side of ID cards have taken place so far. Interestingly, there is up to now no indication that any meetings have taken place with people or groups who are worried about the privacy and security of the proposed scheme, or who are opposed in principle to some or all aspects of it.