"Firms Hit by ID Theft Find Way to Cash In on Victims" from the Los Angeles Times, Monday August 22, 2005. ©2005 Los Angeles Times. Reprinted with permission.
Firms Hit by ID Theft Find Way to Cash In on Victims
August 22, 2005
Home Edition, Main News, Page A-1
By Joseph Menn, Times Staff Writer
Elizabeth Rosen was plenty angry when ChoicePoint Inc. sent her a form letter acknowledging that crooks might have perused some of her most sensitive personal and financial data.
But the Hollywood nurse was flabbergasted when the company, one of the nation's largest collectors of consumer records, also offered to sell her some of the same information so she could see what might have been compromised.
Rosen was among the 150,000 people whose records were released to identity thieves who scammed their way into ChoicePoint's databases, which the company says constitute the largest private collection of court records, Social Security numbers and other public and personal data in the country.
Insurance companies, banks, law enforcement agencies and many arms of federal and local governments buy information from ChoicePoint to perform background checks on potential clients, tenants or employees. Now the Alpharetta, Ga., firm is finding a lucrative new business charging consumers worried about identity theft for access to their own criminal, education and employment histories.
"They sold information on me to criminals," Rosen said, "but they're not sharing it with me."
Rosen's experience highlights a paradox in the recent string of thefts of personal information: Many of the same companies responsible for safeguarding reams of sensitive data that have fallen into the hands of scammers are now trying to cash in by pledging to protect consumers' privacy.
Information brokers infiltrated by con artists, banks that have lost unencrypted financial data and peddlers of online background checks are pitching fraud-detection plans that cost from $25 a year to more than $150.
The companies offering these services say they provide real value. But victims of identity theft and consumer advocates complain that ChoicePoint, the major credit bureaus and others are reaping the benefits of their own lapses and, in some cases, recklessness. They say there's little incentive for sellers of personal data to tighten security when they profit from people worried that they'll be among the 10 million annual victims of identity theft.
Critics such as Gail Hillebrand, an attorney for Consumers Union, which publishes Consumer Reports magazine, contend that the data brokers and banks fuel identity theft by marketing all manner of information and by offering easy credit without screening applicants to ensure that they are who they say.
"It's certainly wrong to be only selling protection for a problem you helped create without also working actively to solve that problem," Hillebrand said.
Because of the data breaches, some banks are working harder to authenticate the people behind transactions, while ChoicePoint and other information brokers are cutting back on the types of data they offer. And during the spate of high-profile breaches that followed ChoicePoint's disclosures, lawmakers began debating legislation aimed at forcing the companies to clamp down further.
In the meantime, however, the credit bureaus and others are hyping their anti-fraud offerings, in some cases deceiving consumers as they take in millions of dollars for credit monitoring, identity-theft insurance and other services.
Those products can help "level the playing field," said Silicon Valley information technology analyst Rob Enderle. "Historically, other people have been able to get huge amounts of information on you, and you haven't had easy access."
Nonetheless, some question the value of such services.
Few people who have false charges rung up in their names are held financially responsible. Federal law entitles consumers to a free credit report every year from each of the three major bureaus. In California and some other states, consumers can put a freeze on their credit records to deter fraud. Consequently, experts say most people don't need special insurance or credit monitoring, which checks whether new loans have been sought in their name.
"They're peddling fear," said Pam Dixon, executive director of the nonprofit World Privacy Forum.
Billions of records about virtually every adult in the country are maintained by an array of companies. Among the most familiar are the credit bureaus that have long tracked debts and payment histories. Less familiar, though, are data brokers such as ChoicePoint, which aggregate other personal information and operate with fewer restrictions. And, increasingly, banks and credit card companies maintain considerable data caches on their customers.
All trade information back and forth. The credit bureaus and data brokers also sell their information. The growth in so-called data mining is made possible by the digitization of records, which makes it cheaper and easier to collect, store, retrieve -- and even steal -- sensitive information.
Among those benefiting from heightened worry is ChoicePoint, which acknowledged in February that scam artists had used its system to gain access to credit reports and other records on people.
ChoicePoint said it would stop offering Social Security and driver's license numbers to small businesses except when consumers approved it. Yet since last year, ChoicePoint has also charged consumers -- even those among the 150,000 victims -- $24.95 for "identity authentication" and a check of their own criminal records.
The company website suggests the services for those "concerned about identity theft" on top of a free search of more limited records. But it won't sell to consumers, even those with improperly exposed data, other material it inadvertently sent to the members of an identity theft ring who faked documentation to obtain ChoicePoint business accounts.
ChoicePoint Chief Marketing Officer James Lee said that the company had to charge for searches that required fresh labor to compile and that it wouldn't sell the complete dossiers to anyone but qualified businesses because they included data on neighbors and associates of the person whose data was being requested.
Other firms targeting those concerned about being victimized include Wells Fargo & Co., the San Francisco-based bank that has lost Social Security numbers and other data on hundreds of thousands of customers in the last two years, in one case through a computer stolen from an unlocked car.
Since June 2004, Wells Fargo has offered what it calls Select Identity Theft Protection for $12.99 a month. That fee gets the customer daily credit monitoring, quarterly reports and $10,000 in insurance for any financial losses stemming from identity theft.
Washington Mutual Inc. -- which was a favorite of identity thieves who targeted its ATM cards before they were better encrypted -- since March 2004 has charged $10 a month for a package including credit monitoring and $15,000 in insurance. Similar insurance is available from major insurers for $25 a year.
The banks' role in paid protection services rankles Hillebrand, she said, because their industry's eagerness to extend credit has been a major cause of identity theft.
"A lot of it could be eliminated if creditors were more careful about establishing the identity of the applicant," she said.
Other major players in the fraud-alert business are the three credit bureaus, which are private companies that assess a person's creditworthiness and share information with the likes of ChoicePoint. Reports from Experian, Equifax and TransUnion are prized by thieves because they indicate where targets have bank accounts and what their key identifying numbers are, such as birth dates and Social Security numbers.
Consumers have the right to get a free credit report on themselves from each of the big three credit bureaus once a year by visiting www.annualcreditreport.co on the Internet or calling (877) 322-8228. Individuals have a better chance of catching abuse quickly if they ask for a report from a different bureau every four months.
Despite the law, the bureaus try to entice people into paying for credit reports and related services. All three offer some form of credit monitoring. Equifax adds insurance and charges $12.95 a month. It also sells credit reports for $9.95 and a combination of the three reports in its own format for $29.95.
Unlike its two competitors, though, Equifax doesn't attach the word "free" to any of the products it sells. Experian promises a "free Experian credit report" and credit score to those who agree to pay $9.95 a month for monitoring. And TransUnion, in a $29.95 offer, provides a triple report and one "free" score, along with insurance.
"That use of language is disturbing," said Dixon of the World Privacy Forum, because consumers might think they have to buy something to get the reports they've heard about.
The Federal Trade Commission recently found that a unit of Experian, Irvine-based ConsumerInfo.com Inc., went too far. The firm settled with the government for $950,000 last week over a complaint that it failed to warn consumers in ads that one package of free credit reports came with monitoring costs of $79.95 a year for those who didn't cancel a trial service.
The three bureaus won't say how profitable the paid offerings are, but they promote them heavily, touting them on the front pages of their websites.
Laguna Niguel attorney Mari Frank, whose identity was assumed by a woman who posed as a private detective to get Frank's credit report, said the bureaus had no reason to staunch the flow of sensitive information if they could charge people who worry about that flow.
"They're cashing in on this, so there's no incentive to make it go away," Frank said.
The Federal Trade Commission also faulted Experian and other companies for using more than 100 websites with names close to the official www.annualcreditreport.com.For example, www.annualcreditmonitoringreport.com whisks visitors to a site selling a service called FreeCreditProfile, which is offered by TrueCredit, a TransUnion subsidiary.
"We don't make use of domain names that are close to, or are misspellings of, 'annualcreditreport' to try to create business," said TrueCredit President John Danaher. Asked about TransUnion's use of "annualcreditmonitoringreport," Danaher said: "That doesn't have the words 'free, annual' in it."
However it's advertised, critics say buying such services seems like paying protection money to the thugs who pose the biggest threat.
"I'd hate to think people are relying on data brokers, the people who have compromised their identity in the first place, to somehow be the guardians of their identity," Dixon said. "It's a very troubling trend."