Data brokers, data breaches, and identity theft

Hello! I’ve been invited to guest-blog here for a little while and I’m excited about the prospect. As an initial matter, anything expressed in this blog post is my own view and not necessarily that of ReputationDefender or any of its employees.

On to the good stuff:

We’ve all heard a lot about the big data brokers like Experian, ChoicePoint, Lexis-Nexis, and others. They collect massive amounts of data about individuals, and then sell it to the highest bidder. Some of it is pretty harmless: I don’t terribly mind a day care center being able to ask job applicants for permission to check that don’t have any outstanding warrants, especially for child abuse or the like.

But, today, I want to discuss data breaches at the big data brokers. Of course, they take a lot of steps to make it hard for data to accidentally leak out. But, they are also such big targets that they are incredibly tempting targets for hackers and identity thieves. Take, for example, what happened at ChoicePoint a few years ago. A crafty hacker was able to get access to detailed reports, ranging from income to FBI background checks, by circumventing ChoicePoint’s privacy controls. Since then, ChoicePoint has dramatically increased the security on its accounts, but is it enough? Around the same time, Lexis Nexis admitted that it released 32,000 data records, including social addresses and security numbers, to a hacker. Lexis Nexis has also increased its security, but the data brokers are still an incredibly tempting target for hackers.

There’s an obvious privacy problem with having your name, social security number, and FBI background check in the hands of a hacker. But, there’s also a much more direct problem too: Identity theft. With your name, address, social security number, and employment history, an enterprising criminal could pretty easily apply for credit cards. Beyond the expense to you, there’s another problem: What happens if those credit cards are used for an illegal purpose?

One man in England found out the hard way. His credit cards were ripped off, and then used on websites featuring photos of underage girls. The police tracked the credit cards back to him and started a criminal investigation. He insisted that he was a victim of identity theft, but he lost his computer, his job, and six months of his life before he could set the record straight. Eventually, a jury found him innocent, but the damage had already been done.

What should an individual do? Reducing the data available to thieves is one thing. You can take your name, address, and phone number out of some databases. If you know what’s out there then you can take the first steps toward making your identity crime-resistant. If you make it harder for identity thieves to steal your personal information then they’ll just move on to another, easier target. Why would they waste time trying to figure out your name and address if there are so many targets out there?

There’s a lot more that can be done, and I hope to touch on more of it in future posts.

~Fortune favors the well-prepared.