ChoicePoint, a Georgia company that boasts it has compiled the deepest database in the nation, said Tuesday that it had alerted 35,000 Californians that they were vulnerable, as required by state law. But it balked at first at notifying a far larger number of potential victims outside California.
Last fall, hackers apparently used stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts, said Chuck Jones, a spokesman for the Alpharetta, Georgia-based company. They opened about 50 accounts.
The attack appears to have resulted in at least six cases of identity theft in Los Angeles County. It's unclear whether the data of people outside California was exposed. But law enforcement agents, who have arrested one person on six counts of theft, say hundreds of thousands of Americans elsewhere may be at risk.
But security experts don't think that hackers would limit their attack geographically.
When ChoicePoint discovered the crime in October, it closed the suspect accounts, restricted access, strengthened site verification, informed law enforcement agencies and cooperated in their investigation.
On Oct. 27, California sheriff deputies arrested Olatunji Oluwatosin, 41, when the Nigerian national went to his office to receive a fax ostensibly from ChoicePoint. Police were waiting for the North Hollywood resident at his office in Los Angeles. He's been in jail since then and is scheduled to appear in Los Angeles County Court on Thursday.
Robert Costa, the lieutenant in charge of Southern California's High Tech Task Force Identity Theft Detail, said agents believe several other people were involved.
"It definitely could not have been limited to Southern California," Costa said.
ChoicePoint sent notifications through the mail to Californians last week.
State residents were the only Americans notified because the state has a unique law requiring companies that do business with residents to warn them when they've had holes in corporate computer networks. Since the law went into effect in July 2003, organizations have alerted customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
The law doesn't impose specific fines but makes companies with questionable computer networks more vulnerable to lawsuits and public scorn.
Identity theft is the country's fastest-growing crime, and more than 9.9 million Americans were victims last year. The crimes cost a total of $5 billion, not including lost productivity, according to the U.S. Postal Inspection Service.
One of the biggest breaches happened in October, when a University of California network exposed personal data of 1.4 million Californians.
The ChoicePoint attack could galvanize support for a federal law protecting consumers from corporate security breaches. Sen. Dianne Feinstein, a California Democrat, reintroduced legislation last month for a national version of the California law.