A newly revealed case shows that the vast commercial database of personal information at ChoicePoint Inc. was tapped by identity thieves in 2002 — contradicting a statement by its CEO that a much more recent breach was the first of its kind.
A Nigerian-born brother and sister were charged in 2002 with a scam in which they posed as legitimate businesses to set up ChoicePoint accounts and gain access to its massive database.
They then made 7,000 to 10,000 inquiries on names and Social Security numbers in the database and used some of those identities to commit at least $1 million worth of fraud, Assistant U.S. Attorney Mark Krause in Los Angeles said Wednesday.
Last week, after a similar case became public, ChoicePoint chief executive Derek Smith told The Associated Press in an interview that the company had never been victimized by that kind of criminal operation before. He did not mention the 2002 case.
“We saw for the first time organized crime come in and attack through a small business segment,” Smith said about the recent incident. “We had not experienced this kind of environment or understanding before.”
The company announced Feb. 15 that a breach first detected in October may have compromised the personal information of as many as 145,000 people.
Asked during last week’s interview if any breach similar in scale had occurred at the company before, Smith responded, “No. I’m not aware of anything.”
Smith had asserted that there had been small instances where the company had found people fraudulently trying to get access to its database.
Repeated requests to three ChoicePoint representatives for a comment on the apparent contradiction were not successful Wednesday. The 2002 case was reported Wednesday by the Los Angeles Times, nearly a week after the AP interview with Smith.
In the 2002 case, which Krause confirmed, Bibiana Benson, 39, of Sherman Oaks, Calif., and her brother, Adedayo Benson, 38, of Glendale, Calif., both pleaded guilty in connection with the scam. Bibiana Benson received 54 months in prison. Her brother will be sentenced Monday, and prosecutors are asking for a 60-month term, Krause said.
Another Nigerian man also in Los Angeles has pleaded guilty in connection with the more recent breach at ChoicePoint. Krause declined to say Wednesday whether the two cases are related.
In the 2002 case, the two suspects were accused of using other people’s identities and fake business and real estate licenses to set up what appeared to be legitimate businesses seeking ChoicePoint accounts. When Bibiana Benson was arrested, she was in the process of setting up a new account under a new name just in case ChoicePoint shut down the old account, the prosecutor said.
In the recent breach, ChoicePoint notified 145,000 people by mail in all 50 states, including 35,000 in California, that their personal information may have been compromised. California is the only state that requires companies to notify its residents if such a breach occurs. Its law went into effect in July 2003.
Asked if ChoicePoint notified the affected consumers in the 2002 incident, Krause said, “I don’t believe so. They certainly did not tell us they were sending people letters. My recollection was a lot of the people didn’t know until we told them they might be a victim.”
A review of archived news releases on ChoicePoint’s Web site could not find a statement on the subject from 2002. It wasn’t clear if the company made a reference to the matter in a prior Securities and Exchange Commission filing. A cursory review of filings found no matching references.
ChoicePoint officials did not respond to repeated requests Wednesday for comment on whether the company publicly disclosed the prior breach.
In a brief statement, the company repeated an earlier announcement that it was rescreening some business customers and revamping its procedures.
“We regret any consequences consumers may experience,” the statement said. “We are doing everything we can to inform and assist those consumers who may have been impacted.”
The statement did not specify which set of consumers it was talking about.
Last month, the company disclosed that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts. The bandits opened up 50 accounts and received volumes of data on consumers, including names, addresses, Social Security numbers and credit reports.
The ring, which was discovered in October, used the information to defraud at least 750 people, according to California authorities.
In the wake of the disclosures at ChoicePoint, several states and federal lawmakers have called for tougher regulation of the industry.
On Wednesday, Rep. Bennie G. Thompson, D-Miss., and Sen. Bill Nelson, D-Fla., said they are sending letters requesting an investigation of the terrorism risk posed by ChoicePoint and other information brokers.