The number of people being notified that they may have been caught in a massive identity-theft scam quadrupled Wednesday -- to 145,000 -- amid calls for better protection of personal information.
ChoicePoint Inc., one of the nation’s largest collectors of consumer data, said it would warn 110,000 people outside California that con artists posing as merchants had looked at information including addresses, phone listings, Social Security numbers and credit reports.
The company took the step after criticism that it was sending warning letters only to 35,000 possible victims in California, where state law requires such disclosure.
U.S. Sen. Dianne Feinstein (D-Calif.) cited the ChoicePoint case in requesting hearings on a bill to require companies to better safeguard personal data and disclose some security lapses.
“Data breaches are becoming all too common, and current federal law does not require notification to consumers,” she said.
A version of Feinstein’s bill died in committee last year, but some security executives and activists said momentum was building for new laws.
“This is the tipping point,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse.
Although breaches of credit bureaus and other such collectors occur from time to time, the scale of the yearlong ChoicePoint operation was among the largest ever uncovered. ChoicePoint is used mostly by landlords and merchants for background on potential tenants and customers, but it counts law enforcement and other government agencies among its clients. Its databases contain a host of information, including links to the three credit bureaus.
“A data breach affecting ChoicePoint is akin to the pot of gold at the end of the rainbow,” Givens said.
The scammers used 50 fake ChoicePoint merchant accounts to look at the personal information of thousands of people nationwide. That information can be used to open credit card accounts or buy goods under assumed names.
Los Angeles County Sheriff’s Det. Duane Decker said he had identified 750 people who had been defrauded by the ring, which operated for more than a year before it was detected in October. One person was arrested, and investigators are searching for other suspects.
ChoicePoint spokesman James Lee said the company decided to advise the out-of-state residents to check their credit reports after Decker said Wednesday that the fraud ring appeared to be a national operation.
“We have no problem with notification,” Lee said. “We do very strongly believe there needs to be a broader public discussion.”
Security experts said much could be done without new laws, including better encryption of data. In addition, “we may need to look at the way we interact with other people who have access to our data,” said former U.S. cyber-security czar Howard Schmidt.
Under some proposed laws, companies might be exempt from telling everyone about data leaks if they have strong enough policies in place. As things stand, companies are subject to different rules depending on what industry they belong to.
Credit agencies are tightly regulated. They must provide free copies of their reports to consumers once a year.
Under federal law, financial institutions other than credit bureaus can share personal information with their affiliates and others with whom they have marketing agreements. Consumers can opt out of sharing only with unaffiliated third parties, said Gail Hillebrand, senior attorney for Consumers Union.
Other merchants can pretty much do what they want. “They can buy it; they can sell it; they can trade it,” she said. “There are not many restrictions.”
Hillebrand said Congress should impose new rules on how personal data can be shared and impose a disclosure requirement after improper access. She said companies should be held liable for the harm from such access.
Also Wednesday, new details emerged about the case against the man arrested, 41-year-old Olatunji Oluwatosin, a Nigerian living in North Hollywood.
When Oluwatosin was arrested in October, he had five cellphones and three credit cards -- all in other people’s names, Decker testified at a January hearing.
In all, Oluwatosin is charged with six felony counts: two of identity theft, two of making false financial statements while assuming a false identity and two of possessing forged driver’s licenses. He was jailed in lieu of $2-million bail.