ID theft scandal not the first
ATLANTA — A newly revealed case shows that the vast commercial database of personal information at ChoicePoint Inc. was tapped by identity thieves in 2002 — contradicting a statement by its CEO that a much more recent breach was the first of its kind.
A Nigerian-born brother and sister were charged in 2002 with a scam in which they posed as legitimate businesses to set up ChoicePoint accounts and gain access to its massive database. They then made 7,000 to 10,000 inquiries on names and Social Security numbers in the database and used some of those identities to commit at least $1 million worth of fraud, Assistant U.S. Attorney Mark Krause in Los Angeles said Wednesday.
Last week, after a similar case became public, ChoicePoint chief executive Derek Smith told the Associated Press in an interview that the company had never been victimized by that kind of criminal operation before. He did not mention the 2002 case.
“We saw for the first time organized crime come in and attack through a small business segment,” Smith said about the recent incident. “We had not experienced this kind of environment or understanding before.”
The company announced Feb. 15 that a breach first detected in October may have compromised the personal information of as many as 145,000 people.
Asked during last week’s interview if any breach similar in scale had occurred at the company before, Smith responded, “No. I’m not aware of anything.”
Smith had asserted that there had been small instances where the company had found people fraudulently trying to get access to its database.
Repeated requests to three ChoicePoint representatives for a comment on the apparent contradiction were not successful Wednesday. The 2002 case was reported Wednesday by the Los Angeles Times.
In the 2002 case, the two suspects were accused of using other people’s identities and fake business and real estate licenses to set up what appeared to be legitimate businesses seeking ChoicePoint accounts.
In the recent breach, ChoicePoint notified 145,000 people by mail in all 50 states, including 35,000 in California, that their personal information may have been compromised. California is the only state that requires companies to notify its residents if such a breach occurs. Its law went into effect in July 2003.