39 posts categorized "Data Brokers" Feed

FTC Sues Data Broker For Selling Consumers' Sensitive Information To Fraudsters

Federal Trade Commission logo Do you know how much your bank account information is worth to fraudsters? Read on.

Just before the Christmas holiday, the U.S. Federal Trade Commission (FTC) announced that it had charged a data broker with selling consumers' sensitive personal information to fraudsters to commit theft and fraud:

"... LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization."

Defendants named in the lawsuit include Sitesearch Corporation (doing business as LeapLab), LeapLab, LLC (based in Arizona), Leads Company (based in Nevada), and John Ayers. LeapLab's Twitter account seems dormant, and its website is not operating. BusinessWeek lists John Ayers as Chairman of the Board of LeapLab.

In its complaint, the FTC alleged that LeapLab:

"... collected hundreds of thousands of payday loan applications from payday loan websites known as publishers. Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers’ sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved... The defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead... the defendants sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information."

So, your bank account information is worth 50 cents to fraudsters. The sensitive consumer information LeapLab allegedly sold to non-lender third parties included consumer’s names, addresses, phone numbers, employers, Social Security numbers, bank account numbers, and bank routing numbers. Who were these non-lender third parties? They included:

"... marketers that made unsolicited sales offers to consumers via email, text message, or telephone call; data brokers that aggregated and then resold consumer information; and phony internet merchants like Ideal Financial Solutions. According to the FTC’s complaint, the defendants had reason to believe these marketers had no legitimate need for the sensitive information they were selling..."

In a separate complaint, the FTC sued Ideal Financial Solutions (based in Las Vegas, Nevada), for allegedly buying information about 2.4 million consumers between 2009 and 2013 from data brokers and using that information:

"... to make millions of dollars in unauthorized debits and charges for purported financial products that the consumers never purchased. LeapLab provided account information for at least 16 percent these victims."

The New York Times reported:

"The complaints are part of a multiyear government crackdown on fraudulent debt collection and other scams that target people in financial distress. But the case against LeapLab indicates that federal regulators are now widening their investigation to include the middlemen who traffic in the kind of closely held consumer details that can make consumers vulnerable to financial scams... Frederick G. Gamble, a lawyer in Tempe, Ariz., who was listed as a statutory agent of LeapLab, did not respond a voice mail message seeking comment..."

Thanks to the FTC staff for enforcing credit laws. I look forward to the FTC pursuing more data brokers and non-lender third parties who engage in similar behaviors.

Thee has to be strong consequences for this type of wrongdoing. I hope that the defendants pay fines, pay the credit monitoring and resolution costs for affected consumers, and serve time in prison. That sounds about right for the amount of damages inflicted upon consumers.

What are your opinions?


Massachusetts And Several States Attorney Generals Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorney generals, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of births, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumer could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information.”

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (e.g., Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers that don't have a credit monitoring service can visit AnnualCreditReport.com to order their free credit report once each year from the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion). Consumers that experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency, can submit complaints to the Consumer Financial Protection Bureau, (CFPB). At the CFPB site, click on "the Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.


Senators Propose A New Bill To Help Consumers And Hold Data Brokers Accountable

Senators John D. "Jay" Rockefeller IV (D.-W.Va.) and Ed Markey (D-Mass.) recently proposed the Data Broker Accountability and Transparency Act of 2014 (DATA Act, S2025) to provide accountability for companies that make money by collecting and selling information about consumers that are not their customers. The Electronic Privacy Information Center (EPIC) explained the proposed legislation:

"Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways."

A variety of companies collect, and sell, information about consumers. During the past 6+ years, this blog has reported about some data brokers, including ChoicePoint, Acxiom, Intelius, US Search, Spokeo, and Lexis-Nexis. Several data brokers have experienced data breaches, and some have sold consumers' sensitive personal data to organized crime. Data brokers collect a wide variety of information about consumers including but not limited to: current and past residential addresses, landline and mobile phone numbers, financial records, products and services purchased, autos purchased, retailers you shop at, and a lot more. With the growth of smart phones, mobile devices, and wearable devices, this data collection is growing quickly to also incude consumers' geo-location information and movement in the real world, health information, and exercise/workout information.

With the rise of data mining (a/k/a "big data"), companies seek to collect as much information as possible about their customers as possible. By analyzing this data, companies can deduce your favorite colors, tastes, and related preferences; including whether you are right- or left-handed. Your personal information is bought, sold, and traded between banks, data brokers, retail stores where you shop, telemarketing firms, collections agencies, and your local government.

Senator Markey said:

"“Consumers have the right to access to their personal data, the ability to correct it, and opt-out from marketing purposes, and Chairman Rockefeller’s legislation ensures these critical consumer controls... The data broker industry has for too longer operated in the shadows, compiling dossiers on millions of Americans. It is time to shine a light on this industry, and Chairman Rockefeller’s legislation helps put in place a system of rules that puts consumers in control of their information. I am proud to co-sponsor this bill...”

And:

"The Data Broker Accountability and Transparency Act of 2014 (DATA Act) comes on the heels of an investigation and majority staff report by the Commerce Committee into the multibillion-dollar industry. Released in December 2013, the report revealed the breadth and scope of the sensitive data – including financial, health, and other personal information – that is routinely amassed by data brokers on consumers without their knowledge or consent. The Committee also held a hearing on Dec. 18, 2013, to examine the privacy and accountability concerns with the industry."

Kudos to Senators Markey and Rockefeller for looking after the needs of consumers. The Direct Marketing Association (DMA) opposed the proposed legislation:

"Though similar bills have died on the Senate floor previously, the Direct Marketing Association says it intends to fight the DATA Act's progress “tooth and nail” due to the high profile it receives from Rockefeller... The section of the DATA Act that most offends marketing stakeholders would compel data brokers to grant consumers access to their data with the ability to correct it at least once a year at no cost. The cost would fall on the so-called data brokers."

You would think that an industry that wants to sell accurate information would welcome corrections by consumers, who know their personal information best. It seems that accuracy takes a back seat to profitability. And, the companies making profits with the information they sell are in the best position to absorb the costs of corrections. If they can't do so profitably, then get out of the business.

Read the full text of the proposed DATA Act (Adobe PDF). Contact your elected officials and tell them to support the DATA Act.

In the interest of full disclosure, I worked for Lexis-Nexis in its Dayton, Ohio headquarters from 1984 to 1986.


LexisNexis And Other Major Data Brokers Hacked By Identity Theft Service

Lexis Nexis logo Late last week, the Krebs On Security blog reported that several major data brokers were hacked by ID Theft Service, with malware planted on their Internet-connected computers to steal consumers' sensitive personal information. These major data brokers sell information such as consumers' address, Social Security Numbers, dates of birth, credit information, and background reports -- information often used by potential employers for verification tasks.

The whole sordid affair revolves around this identity theft service's website:

"... ssndob[dot]ms... has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks..."

Ssndob[dor]ms (a/k/a SSNDOB) never revealed the sources of the information in its database, but after a series of hacks during 2013:

"... the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for exposed.su, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities... But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet... This botnet appears to have been in direct communications with internal systems at several large data brokers..."

A botnet is a group of hacked computers controlled remotely by identity thieves. Each hacked computer in the botnet has malware installed on it, which allows the thieves to direct the computer to perform certain tasks. Often, the victims are unaware of the malware and activity performed by their hacked computers.

In this instance, the tasks appear to have been to copy and transmit consumers' sensitive personal and financial information. In this instance, the hacked computers, or servers, are owned by three major data brokers: Lexis-Nexis, Dun & Bradstreet (D&B), and Kroll Background America.

Krebs On Security described the sophisticated botnet malware on the hacked servers:

"... it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using Virustotal.com... gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal)."

Consumers should know that all three companies collect consumers' sensitive personal and financial information. Reportedly, the data brokers are working with both law enforcement and technology vendors to investigate the extent of the data breaches. So, this story is far from finished.

These data breaches and data brokers -- where plenty of consumers' sensitive personal and financial information are stolen -- are huge problems because of a lot of today's business, including online activity, rests upon the assumption that only the real you knows your Social Security Number and related identifying information. The background verification systems sold by data brokers have been built upon this assumption. The Washington Post's Andrea Peterson summarized the problem:

"... anyone who has access to a comprehensive database that contains this kind of information can impersonate you."

This make data security by data brokers even more important. So, the data security failures in these breaches are huge and not to be under-estimated. Unfortunately, this is not the first data breach at LexisNexis. A 2005 data breach at LexisNexis included the theft of 310,000 records about consumers. A 2009 breach at LexisNexis affected 40,000 persons. Another, separate data breach in 2009 allegedly had ties to organized crime.

Readers of this blog may remember that during 2007, after my sensitive personal information was exposed/stolen during a 2007 data breach at IBM. IBM hired Kroll for its post-breach response. During the mid-1980's i worked for three years at Lexis-Nexis headquarters in Dayton, Ohio as a marketing manager. Attorneys, in both law firms and corporation legal departments, use Lexis-Nexis frequently for both legal and business research.

In 2007, this blog reviewed ChoicePoint. LexisNexis acquired ChoicePoint in 2008.In 2006, ChoicePoint settled with the FTC and paid about $15 million, the largest civil fine at that time for a data breach. At least 800 cases of identity theft and fraud resulted from the breach. The fine resulted from an investigation where the company sold the credit histories of 163,00 consumers to business clients that didn't have a legitimate purpose to use that information; and the company failed to provide adequate data security -- both as required by federal law.

I was surprised that Kroll's servers were hacked. Kroll's reputation is based upon it being a knowledgeable and technically savvy vendor skilled at data security.

{October 2, 2013 update: the Russian hackers also accessed stole data from the National White Collar Crime Center.]


The State Of Texas Made $2.1 Million In 2012 Selling Drivers Personal Information

The CBS television network affiliate in the Dallas/Ft. Worth area reported that the State of Texas made $2.1 million in 2012 by selling the personal information of Texas drivers. Who buys this information collected by the Texas Department of Motor Vehicles:

"CBS 11’s I-Team Investigator Mireya Villarreal discovered nearly 2,500 agencies or businesses purchased the DMV’s data in some form last year. On this list there are towing companies, collection agencies, insurance companies, hospitals, banks, schools, city governments, and even private investigators."

The Driver Privacy Protection Act (DPPA) limits who can buy this information and what they can do with it. The report also highlighted the situation that Texas drivers cannot opt out of these sales.

CBS 11 provided a spreadsheet file which listed the companies that purchased information about Texas drivers. I spent some time reviewing the spreadsheet file and found:

  • What happens in Texas doesn't stay in Texas. Companies from 30 different states purchased the information about Texas drivers
  • Information about Texas drivers is popular. About 2,450 companies purchased information from at least 12 different business types
  • Expected the unexpected. Businesses that purchased driver data included some you'd expect (e.g., auto dealers, banks, finance companies, title services), but also some you might not expect. The list of business types included auto actions, auto dealers, banks/credit unions, city agencies, collection agencies, finance companies, private investigators, salvage yards, title services, universities and colleges, and wrecker services
  • Other who? The "Other" business type seemed to include some interesting organization names from the legal, oil, healthcare, software, and telecommunications industries; plus federal government agencies and some high schools.

The report did not mention the number records each company purchased, the total number of records purchased, or who the largest purchasers were. Knowing this would have enabled a deeper analysis. Then, you could compute an implied value to an average Texas driver's record.

The best comparison I can make is that the State of Florida made about $63 million in 2010 by selling drivers information, with an average value per record of about $ .01. This makes one wonder if Texas government officials did a poor job of selling driver information, or Florida government officials did an exceptional job.

While I didn't see in the Texas list of purchasers the high-profile names of data brokers from the Florida sales, I assume that intermediaries were used.

After reading the Texas DMV webpage about the DPPA, I felt that this page could do a far better job of informing consumers what is really happening. Other states say little in their websites about the money they make from DPPA sales.

What do you think of your state making money by selling your personal information?


Unclear About Data Brokers But Wanting Control And More Disclosure

While the U.S. Senate probes data brokers and consumer privacy issues, a recent study by Trusted ID provides some insights into how consumers view data brokers:

  • 80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information
  • About 80% of respondents state that it is important to control their data collected and archived by data brokers
  • 76% of consumers feel that it is important to be notified about information that data brokers collect
  • 80% of respondents want a centralized website to manage their information that is collected and archived by data Brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by maketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603( d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Download the Trusted ID survey results in the, "Consumer Perspectives - Data Brokers In Review" report (Adobe PDF).


How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

  • Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
  • Banks regularly collect and resell both debit-card and credit-card purchases,
  • Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
  • Consumers share product preferences and travel vacation habits through loyalty program memberships,
  • State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
  • Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
  • Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
  • Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

  • Name, address, age from the store loyalty program registration
  • Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
  • Favorite colors from the colors of clothes purchased
  • Left-handed preference from types of products purchased
  • Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
  • Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
  • Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
  • Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
  • Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
  • Auto and electronics owned from purchases, either the item or related accessories purchased
  • Approximate ages of children by types of toys purchased or from photographs at social networking websites
  • Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
  • Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
  • Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.


The Frenzied World Of Companies Collecting Consumers' Financial Histories

Many consumers believe that if you pay your bills on time, keep your (Experian, Equifax, and TransUnion) credit reports accurate, and keep your credit scores high, then all is well. Not necessarily. There are many more companies that track and collect data about consumers financial history.

Chances are, you haven't heard of their names. The Washington Post reported:

"But little attention has been paid to the firms that target consumers outside the mainstream financial system. Often they are students, immigrants or low-income consumers who do not qualify for traditional loans or choose not to use them... they carry particular weight for the estimated 30 million people who live on the margins of the banking system."

Who are some of the smaller firms? Some of them this blog has covered: ChoicePoint, Innovis, RapLeaf, Quantcast, First Data, Acxiom, Intelius, US Search, and Spokeo. Some are data brokers. Some collect website visitation statistics. Others focus on finance or insurance. Some are technology vendors working with ISPs. A prior blog post discussed the variety of brands of credit scores. Some other firms' names you may not have heard about:

"LexisNexis, whose parent company bought ChoicePoint three years ago, handles background checks, tax assessments and criminal histories. Bounced checks can be tracked through Chex Systems, TeleCheck or SCAN. Payday lenders report to a company called Teletrack. Alliant Data compiles information on so-called “installment payments,” industry jargon for recurring monthly fees such as gym memberships. The National Communications, Telecom and Utilities Exchange collects account information for 63 of that industry’s largest firms..."

The accuracy of the information collected by these firms is suspect:

"Arkansas resident Catherine Taylor didn’t learn about the fourth bureau until she was denied a job at her local Red Cross several years ago. Her rejection letter came with a copy of her file at a firm called ChoicePoint that detailed criminal charges for the intent to sell and manufacture methamphetamines. The information was incorrect... Taylor said she has identified at least 10 companies selling reports with the inaccurate personal and financial information, wrecking her credit history so badly that she says she cannot qualify to purchase a dishwasher at Lowe’s. Taylor must apply for loans under her husband’s name and has retained an attorney to force the firms to correct the record..."

And all of these firms do not include social networking websites, advertising networks, and mobile device marketers -- all collect information and profiles about consumers.

Given the long list of companies across several industries collecting consumers' personal information, you could call this a feeding frenzy.


The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $ .01 price per drivers record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do and guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc..

The Driver Privacy Protection Act (DPPA) is Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected, and can (cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to the a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure in your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

Like other states, only "Permitted Users" can buy this drivers personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' usage post-sale complies with the law. So, drivers personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively, makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers personal information? Is the price Florida charged too low?


How Telemarketers Get Your Mobile Phone Number

In May, I wrote about how easy it is to find online consumers' mobile phone numbers at websites like Intelius. A natural question from that blog post: how do these data-mining websites and telemarketers obtain consumers mobile phone numbers? That's a relevant question, since consumers have reportedly registered about 200 million phone numbers with the Do Not Call registry since 2004.

There is a good article at TMC.net that answers this question. First some surprising statistics:

"... despite the registry, an estimated 150 million telemarketing calls are made each day in the United States, an estimated 20 percent, or 30 million, of which are potential violations..."

So, a lot of the calls you receive at home are potential violations if you have registered at the Do Not call registry. Many are not violations since there are a multitude of ways your mobile phone number can leak out to telemarketers and data brokerage companies:

  1. Debt Collection Agencies: will contact you whether or not your phone is listed in the Do Not Call registry. Debt collectors will contact you directly or will contact a family member to find your address and phone number.
  2. The United States Post Office: will sell for a small fee a box holder's residential address, if available.
  3. Social media sites: will display your phone number and e-mail, especially where many consumers haven't made their profile page private and accessible only by friends.
  4. Product warranty cards: when you register online or via snail mail that new product you've purchased, you have helped the manufacturer assemble a database of names, addresses, e-mails, and phone numbers that can be sold to marketers and data brokers
  5. Data brokers: regularly sell consumer information, including residential addresses, e-mail addresses, and phone numbers to telemarketers

What consumers can do to minimize this leakage of your mobile phone number:

  • Don't be so quick to disclose your mobile phone number. Ask yourself if you really want this company to know your mobile phone number. Maybe your-email address or landline phone number is enough
  • Register your mobile phone number at the Do Not Call registry, if you haven't already
  • Be careful about the sweepstakes and contests you enter. Read the fine print or contest terms closely, as that document will indicate whether the contest operators will sell your information to other companies
  • Read the privacy policy at websites you visit and have registered at. This document will indicate whether the website operator will sell your personal information to other companies
  • Read the privacy policy for mobile phone apps before you install the app. If the app developer does not have a privacy policy, then that should be a strong clue
  • If you owe money, know your rights regarding debt collection
  • You can file a complaint at the Do Not Call website

To read the full list of ways your mobile phone number can leak out to telemarketers and data brokers, see the TMC.net article.

The author of the TMC.net article suggested that consumers with the Droid and Blackberry brand smart phones use the PrivacyStar app to block and report unwanted telemarketing calls. I have not used this app and cannot verify its accuracy. If you use PrivacyStar app, let us know what you think of it.


Mobile Phone Number And Data Are More Widely Available Than You Might Think

Phone calls in the middle of the night are never good.

My smart phone rang at 3:10 am the other morning. Yes, it woke me up. I glanced at the number and it wasn't from anyone I know. I went back to sleep concluding that if the call was really important, they would call again.

The next morning, my curiosity got the better of me. I paused work to look up the mystery phone number at the AT&T Anywho website. If the phone number is listed and isn't a cellular line, I have found that Anywho usually has it.

The Anywho Reverse Number feature didn't find the mystery phone number, but it suggested that the Intelius website might:

Anywho.com reverse number look-up search results

I followed the link to the Intelius website which identified the mystery caller from a number registered in North Dakota, plus some juicy details:

Intelius.com reverse number look-up search results

Who knew that Intelius captured and displayed the caller's GPS coordinates? I have not test how dynamic the GPS coordinates are; if they are static are updated real-time.

If I wanted to know more, I could have paid for an Intelius report; or searched Pipl or Spokeo. I didn't since my curiosity was satisfied. I don't know anyone from North Dakota. Plus, the call could have been an accidental butt-dial or drunk dial.

Where did Intelius get this mobile phone data? Who knows. The phone's owner could have included their mobile number on property ownership or other public documents. My guess: this person's mobile number was listed on a publicly-available social networking website page, or obtained via retailer or website that resold the data to an information broker.

The point: there is more data available online about you than you realize. Safeguard your personal details, and share them only with people/companies you trust.


Video: Invasion Of The Data Snatchers

If you want an explanation of the role and scope of data mining companies and information brokers, the video below provides a pretty good overview, with engaging graphics. It highlights all of the various ways companies collect personal information about consumers. And, "invasion" is an accurate description.

This blog does not endorse the online service mentioned. Consumers should shop around and read the contractual fine print and terms of any online service before purchase, to determine if the product or service meets your needs.


Facebook Members Warn Their Friends About Spokeo

During the past few weeks, I have seen several friends on Facebook post this message about Spokeo:

"There's a site called www.spokeo.com that's a new online USA phone book with personal information: everything from pics you've posted on Facebook or the web: your credit score, home value, income, age. Remove yourself by searching your name, copy the URL of your page, then go to the bottom right corner of the page and click on the Privacy button to remove yourself. Copy & re-post so your friends are aware."

Regular readers of this blog already know about Spokeo since this blog covered it in April 2010. When I reviewed my personal Spokeo listing recently, it had plenty of errors: incomplete name, wrong address, and other details. The data looked as if Spokeo tried to match and merge (unsuccessfully) data from an old White Pages phone book directory with data they may have purchased from marketers and/or state motor vehicle registries.

This data inaccuracy reminded me of an experience I had with credit reporting agencies in 2004. That year, I applied for an American Express card anticipating an extended business trip in London. American Express denied my application because I was "deceased." Obviously, I am not dead. When I checked my credit reports, they had erroneously co-mingled data from my deceased father and from me. If you don't know it, credit reporting agencies rely on consumers to check the accuracy of their credit reports, and to submit correcting information. This approach rests on the assumption that most consumers want their credit reports to accurately reflect their creditworthiness.

My points:

  1. It is good to view your Spokeo listing and opt-out of their program. The problem: the burden is on consumers to continually opt out as every new Internet-based marketing company springs up. That is not the Internet I envisioned nor long for, and I'll bet you agree.
  2. I feel no obligation whatsoever to notify Spokeo about the inaccuracies in my listing, and hope that you don't feel obligated either. Better to let Spokeo wallow in ignorance.
  3. Like Facebook and other data mining or marketing companies, Spokeo makes money from our personal data, correct or incorrect. If I were sharing in that revenue stream, then I might feel motivated to inform Spokeo of the errors in my personal listing.
  4. Data mining companies like Spokeo will continue to publish plenty of mistakes in their databases. Why? Many consumers have multiple online identities. While data mining companies can analyze purchases from credit cards, patterns from location-based status meesages, or your "likes" on social networking sites, only YOU know how accurate the demographic and descriptive data is about YOU. Spokeo "swims" in the same consumer identity cesspool as other data mining companies and markets. At least credit reporting agencies have the benefit of updating their records with structured data from lenders and banks.
  5. Executives at data mining and marketing companies like Spokeo want to believe their data is accurate. In my view, it often isn't. People move, change street addresses, use multiple email addresses, use multiple phone numbers, regularly delete their web browser cookies, use add-ons like BetterPrivacy to delete Flash cookies, use software like MAXA Cookie Manager to delete a variety of LSO's stored on their computers, and opt-out of location-based messages. So, the value of that data is less than they think and has less utility for applications.

So, go ahead and check your Spokeo listing. How accurate was it? Did you opt-out? I've Been Mugged blog readers want to know.


US Search Settles with FTC Over Deceptive Marketing

Many consumers want to manage their online identity and reputation, especially when the online information is false or misleading. Unfortunately, some companies have rushed to take advantage of consumers' fears.

Late last month, US Search settled charges with the U.S. Federal Trade Commission (FTC) about deceptive marketing. The settlement requires the data broker to refund fees to about 5,000 consumers and not to engage in future deceptive marketing:

"US Search, Inc., is an online data broker that compiles public records and sells data about consumers to the public. The records may contain not only names, addresses and phone numbers, but also information such as aliases, marriages and divorces, bankruptcies, neighbors, associates, criminal records, and home values... Since June 2009, US Search sold consumers its “PrivacyLock” Service, which it claimed would allow them to “lock their records” and prevent their names and other information from appearing on the company’s website, its search results, or advertisements for a year."

 

In its complaint, the FTC alleged the data broker's promises to consumers were false and that the PrivacyLock Service failed to:

  • Block consumers’ names from showing up as an associate of someone else in a search for the other person’s name;
  • Block consumers’ information from appearing in a “reverse search” of their phone number or address, or in a search of their address in real estate records;
  • Work when the consumer changed addresses, thereby generating new records that would not be subject to the PrivacyLock

A "reverse search" is when a user enters a phone number or street address and the service displays the person's name. This website capability has been around for years at popular white-page telephone book websites such as AT&T AnyWho and WhitePages.com. This is one reason why I pay the extra monthly fee to not disclose my landline phone number in the telephone company's white pages. Once your landline phone number gets out, it will likely end up in lots of data brokers' databases.

Many data brokers compile and resell information about consumers. To learn more, read these blog posts about Spokeo and Acxiom. Plus, many states' registry of motor vehicles departments sell data to data brokers. In July of this year, a major DPPA class-action lawsuit was dismissed.


Dump The Porn! Spokeo Has Blown Your Cover

[Editor's Note: Today's blog post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on Spokeo.]

By R. Michelle Green

A friend was incensed and frightened to discover that Spokeo.com knew where he lived. Maybe it was the picture of his front door that really freaked him out. Welcome to the 21st century. Ain’t data mining a bitch?

Spokeo says it’s not your grandma’s phone book. With Spokeo, you can find contact information searching by name, email address, or phone number. It calls itself a search engine specializing in organizing people-related information.

Register with Spokeo and it can aggregate the data from your favorite social networks in one place. No more checking Facebook, then Linked In, then Live Journal, then Amazon, etc.. Just let Spokeo access your e-mail account and it will harvest your contacts, go get public information about them, and aggregate all that data. You can keep up with everyone’s latest photos and status updates in one place.

While it was new to me and my friend, Spokeo has been around for a while. It first appeared in 2006. Spokeo 4.0 launched in March of this year, and traffic surged within weeks of the announcement. They are already apologizing for no longer being able to respond to callers within 3 to 4 hours.

What does Spokeo really do? Why is it so scary? It makes data mining visible.

I first understood data mining in 1996 after reading William Gibson’s book Idoru. The main character was so adept at reading the digital footprint left by human interactions on the net that he was hired to determine if the title character was real or virtual.

Knowing this can be done and seeing the result are two different things, however. Wait until Spokeo can access purchase records from Netflix or Amazon! (Oh, stop choking. They only look at publicly available data. Oh, you have public wish lists and profiles on both? Never mind. As you were.) Though it’s far from scientific, I searched about 30 names and about 45 emails so far. I searched myself extensively, of course.

So far, the creepy stuff isn’t always that accurate. A lot of the information is clearly from statistical guesses (if you’re living in a zip code that’s 92 percent white, it’s not a stretch to guess you’re Caucasian). I got different results looking by name or by e-mail; and the more established the e-mail, the more extensive the results. No surprise there.

Even the errors are informative, however – some physical locations associated with searches were wrong today, but reflected locations that were, at one time, true. That’s why these sites aren’t putting private investigators out of business. On the other hand, it’s giving them a hell of a helping hand.

So how does Spokeo work? It searches everything. No, you didn’t hear me. Everything. Every publicly available source of information they can get to. That includes phone listings, political contributions, home ownership, posted photos, etc. If you own your home, and use online photo sites, Spokeo could use Google Maps to display your front door, or perhaps Picasa to display a picture of your three kids and the dog.

Anyone can get this on search. Register as a user and you can see more. This blog has a screenshot of what a Spokeo page can look like for registered users. On the other hand, if your name is really common, or you use multiple names (like Richard Dean Anderson from Stargate, for example), Spokeo struggles. And right now, I think the surge in demand is significantly slowing their servers’ response times. Those issues are surely transient.

The scariest thing for me – searching my email addresses. Even for free, it showed some of the blogs that I frequented, a few mixes I’d shared on Pandora. A friend thinks he has a secret email address he’s used for years for naughty searches. I’d told him it was suspect, that by now Google could aggregate his real and his secret identity, but he’d paid me little attention. Entering the secret email on Spokeo immediately revealed his real name. I showed him the link face-to-face, I wanted to watch the top of his head blow off. Good thing for him his wife doesn’t like technology like I do.

What can you do to protect yourself? You can opt out so that your results do not appear if you are searched. Fine print: you can only opt out of name and phone number search, and you have to give them your e-mail to engage this feature. Since they only use public information, you can go to all your sites and make sure you’ve read all their Privacy rules and engaged all the appropriate settings. When Spokeo next updates, your newly private data will disappear. Snopes alleges that Spokeo does not always take expeditious action on these requests.

Facebook’s founder Mark Zuckerberg might call me an old fuddy duddy for even raising these issues. He says that privacy is no longer a social norm. Google’s CEO Eric Schmidt takes the offensive. He says if I have to hide something I shouldn’t be doing it, and name checks the Patriot Act for good measure. You may agree with them. So, Spokeo may not bother you – yet.

By the way – Spokeo will show you even more if you pay them money. And here’s the kicker: the cost for three months is about what you’d pay for popcorn and soda at the movies.

Happy stalking.


© 2010. R. Michelle Green. Reprinted with permission.


When Vinny Met Sally (Lexis-Nexis' Data Breach And Organized Crime)

Lexis Nexis logo This Information Security Resources article titled, "He’s Not After Your Heart, Just Your Data" documented a new threat which is the intersection of dating, insider identity theft, and organized crime:

"Lexis-Nexis made public notification of a data breach that federal authorities say is tied to a New York mafia crime family. The New York-based company has sent more than 13,000 letters to former customers whose personal data may be at risk. The 13,000 customers may have been targeted for extortion and identity theft. Earlier in May, the U.S. Attorney General’s office in Southern District of Florida handed down an indictment charging 11 men with racketeering conspiracy. The 11 had ties to the Bonnano organized crime family."

How the operation worked:

"The alleged suspect, Lee Klein, one of the 11 charged in the indictment, “was an employee of a former Seisint customer who misused his employer’s Accurint access... Accurint is used by law enforcement and other entities to verify identity and locate people... Klein worked for the criminal “crew” of Thomas Fiore, an associate of the Bonanno organized crime family. The indictment alleges that Klein illegally used “information obtained from computer databases in order to acquire identification information regarding potential victims of extortion” and people suspected by Fiore’s criminal organization of being involved with law enforcement."

How the dating connection figures into all of this:

"One of the “old school” tactics that the organized crime figures use, says [Avivah Litan, an analyst at the Gartner Group], is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, 'He’s not after your heart; he’s after your data.' ”


Breach At Lexis Nexis Affects About 40,000 Consumers

On May 1, CBS News reported:

"Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access. The United States Postal Inspection Service is investigating a data breach at both companies..."

Investigative Professonals performs background checks for individuals and companies.

This breach is important for a couple reasons. First, since the breach occurred between June 14, 2004 and October 10, 2007, this is the longest post-breach delay of consumer notification I have heard: two years. CBS News also reported:

"... the data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards. Peter Rendina, a spokesman for the Postal Inspectors Service said that of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards."

Second, the breach is not only credit card theft and fraudulent credit card charges, but also credit fraud since the thieves obtained new credit in the breach victims' names. The CBS News story included the text of the consumer breach notification. Social Security numbers were stolen -- a key element of sensitive personal data for thieves to obtain new credit:

"... sensitive personally identifiable information about you may have been viewed by a few individuals who should not have had access to such information. These individuals were operating businesses that at one time were both ChoicePoint and LexisNexis (hereafter “LexisNexis”) customers, but are no longer. Please be aware that the United States Postal Inspection Service, a federal law enforcement agency investigating this matter, has already notified you directly if it has reason to believe you have been an actual victim of a crime... By utilizing fraudulently-opened mail boxes at commercial mail receiving businesses and personal information of United States residents obtained via LexisNexis, these individuals were able to apply for and obtain fraudulent credit cards...the information accessed may have included your name, date of birth, and/or social security number... the USPIS instructed LexisNexis to delay notifying you until the completion of the USPIS investigation."

Third, this is not the first breach at Choicepoint, acquired by Lexis-Nexs in 2008. After selling its reports to identity thieves in 2005 for about 160,000 consumers, Choicepoint settled with the FTC and paid fines of $10 million in civil penalties and $5 million in consumer redress. Choicepoint seems to have a history of, a) aggressively selling its reports to other companies, some of whom have been identity thieves; b) poor at customer service, and c) lax when it comes to data security. Choicepoint doesn't seem consumer friendly, and it it went out of business tomorrow, I wouldn't shed a tear.

Fourth, Lexis-Nexis offered its breach victims credit monitoring services from Experian. This is a good start, but it's not enough. (Read my review of Experian's service.) Lexis-Nexis should pay the fees for its breach victims' Security Freezes on their credit reports at all three major credit reporting agencies. Why? A Security Freeze is stronger than a Fraud Alert. A Security Freeze will stop thieves from obtaining new credit. Credit monitoring only helps consumers discover fraudulent entries in their credit reports after the fact. Security Freezes help prevent some types of fraud before it can happen.

I checked the United States Postal Inspection Service site (USPIS) for additional information about the breach and its investigation. The Press Releases section of the site featured the latest press releases from 2007. What?! There's nothing more recent?

I also checked the Investigations section of the USPIS site. That was disappointing, since the site section discusses the types of investigations the USPIS performs and not the results of on-going investigations. The USPIS site needs to do a lot more to inform consumers about the status of its investigation, especially victims of the Lexis-Nexis breach. What identity thieves were arrested? What criminals were prosecuted? Is restitution being demanded from the criminals? Neither the USPIS nor Lexis-Nexis are saying.

Two years is a long time to delay a breach notification to consumers. The results of the investigation should justify the delay and be made public. I encourage consumers to contact the USPS Inspector General and your elected officials in Congress.


Data Broker Sued For Selling Social Security Numbers

SC Magazine reported:

"The Missouri Attorney General's Office has filed a lawsuit against a Texas-based data broker that contends the company sold the Social Security numbers of some Missouri residents."

The Missouri AG offices seeks to shut down the site, PublicData.com, and fine its operators. The article quotes Attorney General Jay Nixon as saying:

"This website is a gold mine for identity thieves and needs to be shut down as soon as possible to protect the privacy of Missourians, My office has already seen proof of how this site can be used to destroy the credit of innocent consumers in at least one prominent identity theft case."

According to the company's press release at the PublicData.com web site:

"Irving, TX, February 20, 2008 - PublicData.com was unaware that some Missouri driver’s license numbers were the same as social security numbers. Since Thursday February 7, 2008, PublicData.com has been working with the Missouri Attorney General’s Office to resolve the issue surrounding the use of social security numbers on some Missouri driver’s licenses."

Data brokers buy and sell lists of consumer information, typically name and address information used by companies to mail catalogs or similar mailings. A good data broker is aware of the types of data it buys and sells, and the types of data is shouldn't trade.

The above statement by PublicData sounds like the company is trying to hide behind a claim where they regularly sold driver's license data and didn't know that some driver's licenses contained SSNs. To me, that sounds like a rather shaky or flimsy excuse. Plus, my Massachusetts drivers license number looks far different from a Social Security Number. Again, a good data broker should know what data they trade.

Now, I can't imagine why a person or a company would want to buy somebody else's driver's license data. I can imagine where a private investigator might buy this data while trying to find a person regarding a legal matter or outstanding debt.

If PublicData has sold SSNs, then in my opinion the site should be shut down and the firm's operators fined and jailed.


Lexis-Nexis Parent To Acquire ChoicePoint

BusinessWeek magazine and the Washington Post newspaper both reported the planned acquisition of ChoicePoint by Reed Elsevier, the parent holding company of Lexis-Nexis information services. According to BusinessWeek:

"Talk about a quick fix. Shares of ChoicePoint, which had been languishing near a 52-week low of $31.87, surged on Feb. 21 after the provider of insurance information and ID verification services said it had agreed to be acquired by Anglo-Dutch British information provider Reed Elsevier, owner of Lexis Nexis, for $3.5 billion in cash, or $50 a share..."

BusinessWeek also reported:

"The deal also marks an abrupt end to turnaround plans at the Georgia-based information provider. After experiencing years of rapid growth following its 1997 spin-off from Equifax, ChoicePoint’s stock price settled into a trading range, bouncing back and forth between the low 30s and mid-40s. The problem wasn’t ChoicePoint’s core product, a database of insurance claims which accounts for at over 50% of the company’s $982 million in revenues and 80% of its operating profits. Rather, starting in 2001, management tried to expand beyond ChoicePoint’s core business, funneling the cash from its insurance products into acquisitions, including i2, a software provider to law enforcement agencies. Most, however, have been failures."

Assuming the sales goes through, I hope Reed Elsevier's management can help ChoicePoint improve their customer service. Last year, I purchased my C.L.U.E. insurance reports from ChoicePoint's ChoiceTrust site, to check their accuracy. ChoicePoint never responded to any of my follow-up e-mail inquiries. Nadda. Zilch. That's no way to treat a customer.

If you don't know what a C.L.U.E. report is, and how its content can affect your property insurance rates, see either of these two posts:

[Editor's note: regarding full disclosure, I worked in marketing management at Lexis-Nexis from 1984 - 1986, and I currently co-manage an e-mail group of former Lexis-Nexis employees.]