February 17, 2005

Massive data heist at Choicepoint exposes soft underbelly

Ever since California passed its law on notification of data loss to citizens, we've wondered what happens when the data covers other states as well? Now we know. Choicepoint, one of the larger players in the data conglomerates market, has sent out notifications to "as many as 35,000 Californians," but admits that "the number of victims nationwide could total 100,000". Those victims haven't been notified. (Worse, Adam points at reports of the LA police speculating on 400,000.)

It appears that 50 accounts were set up by the crooks, as valid purchasers of information. That's not hacking, that's commerce! As Alan Wheeler says, "this isn't a traditional break-in and steal. Crooks set up valid companies and used the standard commercial interface to buy the information. If you aren't in the business of selling the information; you aren't vulnerable to selling information to less savoury characters." My emphasis. Anybody who doubts the industrial nature of today's threat model, please contact me as I have a splendid opportunity on a bridge.

The real issues here are a) inside attacks are as serious or more serious than hacker attacks, b) like Sutton, the crooks will rob Choicepoint because "that's where the data is" so c) worrying about certificate issues is like trying not to spill ones drink in a torrential downpour, and d) it's going to get worse. The guy from Sun was right, Americans have no privacy, and they may as well get used to it.

The good news is that this means that phishing is defeatable. We only need to put in some basic defences (like TrustBar) and we'll shift across the major points of attack to the insiders and the financial info warehouses. Hmm... that would be good news in a strictly relative sense, in that at least we, the net, can cover our patch.

Posted by iang at February 17, 2005 02:43 PM | TrackBack

LA cops are guesstimating the number of victims at 400K, according to the AJC article cited at Emergent Chaos. Thanks for pointing out that this has nothing to do with "hackers" and everything to do with "where the money is".

I wonder what the folks at Seisint (now owned by LexisNexis?) are thinking...

Posted by: Chris Walsh at February 17, 2005 05:44 PM

Goes to show that all the stress on identity is misplaced. Imagine all the people whose identity has been stolen - boy what a haul for the scammers or would be "terrorists". All ID based security is a bunch of BS. When will people learn that anonymous-cash like systems are far superior - it is possible to ascertain that a valid person has valid credit for the use of a system without revealing identity. If no identity is revealed, none can be stolen.

It will take *worse* heists than this one before people wake up and abandon idiotic schemes based on identity - such as the fascist National ID card. Just imagine if Hitler has such systems in place... we seem to have many politicians lining up to start the fourth reich.

Posted by: Venkat Manakkal at February 17, 2005 08:35 PM

I've been thinking about this from a purely political perspective. The usual about the sovereignty of the individual etc ... but cast that aside and lets look at what has really happened. According to one of your links - - that says,

"Last fall, hackers apparently used stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts,"

so now they have access to 10,000 err no, 50,000; err no, 400,000; err no - we're-afraid-to-say many new identities. They can use these new identities to open more ChoicePoint accounts, or other accounts in companies doing the same thing in the US or the UK or the EU or ... They can repeat the process over and over again. The above identities were harvested from only 50 accounts: how many more bogus accounts are in the system? Will they ever find out? What about other data vendors ... are they riddled with bogus accounts?

Well done hackers - the system is finished. Enjoy the proceeds ...

Posted by: Darren at February 18, 2005 09:44 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.