Are Your Secrets Safe?

By Bill Saporito

Your name, your address, your Social Security number, your phone number, your driver's license, your car registration, your credit history, your birth certificate, your real estate deeds, your legal history, your fishing license, your military record, your insurance claims, your thumbprint, your DNA. That is just some of the information that data aggregator ChoicePoint might have collected on you and millions of other Americans.

The problem isn't necessarily that ChoicePoint has those data--although some privacy advocates are wary--but that some bad guys also got hold of them. That's why the nation's largest data miner, whose computers maintain and manipulate 19 billion data files for clients ranging from the Cub Scouts to the CIA, found itself trying to explain last week how a Nigerian con artist posing as several small-business owners could extract data on 145,000 people. "They were careful not to trip the triggers, and they did pay their bills," James Lee, ChoicePoint's chief marketing officer, says of the fake businesses. But the Nigerian job did trigger a national debate on privacy, identity theft and the role of the megaminers that dominate the information landscape.

The scam didn't hack ChoicePoint's network, Lee hastens to point out, a little disingenuously. Nothing so elaborate was necessary. The perp armed himself with phony letterheads and ordered electronic files by fax at $150 a batch. After a number of successful attempts, a ChoicePoint employee finally got wise and alerted police. When cops nabbed Olatunji Oluwatosin, 41, at a Copymat shop in Hollywood, he had five cell phones and three credit cards on him, each under different names. He has pleaded no contest to identity theft, but authorities say others must be involved, since the stolen data have been used in 750 fraud attempts.

Oluwatosin is keeping his mouth shut, but the breach at ChoicePoint has had politicians in full gumflap. "Our system of protecting people's identity is virtually nonexistent in this country," said Senator Charles Schumer, Democrat of New York. Schumer's staff was able to download personal information on the likes of Dick Cheney and Brad Pitt from a ChoicePoint rival, Westlaw. Nearly 10 million people were victimized last year by identity theft, at a cost of $5 billion. Senator Arlen Specter, Republican of Pennsylvania, pledged to schedule hearings on the topic. And that was before Bank of America learned, as first reported by TIME.com that it had lost several data-backup tapes that held information on at least 1.2 million federal employee credit-card accounts--possibly including some of Senators.

What the hearings will likely discover is how much the government itself has fueled the explosive growth of ChoicePoint, Westlaw and other top data aggregators--Acxiom, credit-reporting agency Equifax, HNC Software and Lexis Nexis. For decades such firms, especially credit-reporting agencies, collected financial and personal data on most Americans. Governments had their own databases of licenses, crime stats, voter records and the like. Today, thanks to the exponential growth in computing power, the rise of the Internet and industry consolidation, data companies can bring all that together in one place. Properly harnessed, such networked information can lubricate commerce or thwart terrorism, and after 9/11, government agencies flocked to the new powerful resource. But in the wrong hands, it can harm innocent citizens' lives.

ChoicePoint, led by CEO Derek Smith, 50, was among the first to realize that those conflating data streams were a huge business opportunity. Smith took over an underperforming division of Equifax that sold financial data to the insurance industry, and after the unit was spun off, he went on a buying spree. Since 1997, ChoicePoint has made 58 acquisitions, from Bode Technology Group, which does DNA analysis and handled the task of identifying remains of World Trade Center victims, to i2, an outfit that provides actionable intelligence by devouring police reports. ChoicePoint, with sales of $918 million in 2004 and profits of $141 million, is now a leader in biometric identification, postcrime forensic DNA analysis and sophisticated criminal-profiling tools. It also does background checks and manages government databases. That's a long way from credit reports but reflects Smith's view that information, once used strictly to manage financial risks, can be profitably adapted to manage security risks too.

ChoicePoint's analytic capability gives privacy advocates the creeps and has made ChoicePoint, in the eyes of some, an outsourced intelligence agency. The company works for thousands of government units, performing such mundane tasks as screening job applicants and looking for deadbeat dads, as well as doing antiterrorism analysis for the Department of Homeland Security. Its powerful search algorithms can worm through vast databases to see outliers that separate systems could not. Had such a system been operating in 2001, Smith has said, it could have highlighted the 9/11 hijackers before they got on the planes.

Smith is an entrepreneur, but he's not insensitive to the philosophical issues of data mining. "ChoicePoint doesn't tell society what the rules should be. We create fundamental risk profiles that help society manage itself," he told Georgia Trend in 2002. "Ultimately, that process will create huge consequences both positive and negative." For years, he has been asking for a dialogue on the whole issue of privacy, security and identity fraud. In the aftermath of the California scam, he's about to get one. --Reported by Greg Fulton/ Atlanta and Mark Thompson/ Washington

With reporting by Greg Fulton/ Atlanta; Mark Thompson/ Washington