ChoicePoint Inc. (CPS) said Monday that residents in all 50 states, the District of Columbia and three U.S. territories may have been affected by a breach of the company's credentialing process in which criminals gained access to its massive database of consumer information.
The Alpharetta-based company said the smallest number of possible victims — two — was in the U.S. Virgin Islands, while the largest number — 34,114 — was in California. It planned to release a state-by-state breakdown later Monday. People in Puerto Rico and Guam also may have been affected.
ChoicePoint said it is almost done notifying by mail the 144,778 people that may have been affected. California authorities say as many as 500,000 people may have been affected, but ChoicePoint disputes that number.
"All I can tell you is our number is roughly 145,000, and we know that we're over-notifying," marketing director James Lee said. "There will be duplications in there."
The company also announced that it is making roughly 17,000 customers go through a recredentialing process to verify that they are legitimate businesses, and it has hired a retired Secret Service agent to assist in revamping its verification process.
Those customers that will have to be recredentialed are any business that is not publicly traded or not a government agency. Once recredentialed, those customers will no longer receive access to consumers' Social Security (search) numbers, dates of birth and driver's license numbers unless they are sponsored by a public company or government agency, Lee said.
The customers affected represent less than 5 percent of the company's $900 million in annual revenue.
The company acknowledged last week that thieves apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts. The bandits then opened up 50 accounts and received volumes of data on consumers, including names, addresses, Social Security numbers and credit reports.
The ring, which operated for more than a year before it was detected, used the information to defraud at least 750 people, according to investigators in California.
Like any business that opens an account with ChoicePoint, the suspect companies were given an access code and password that allowed them to use ChoicePoint's database. ChoicePoint says it puts applicants for accounts through rigorous protocols such as verifying business licenses and individual's names and background checks.
In this case, the thieves — posing as check-cashing companies or debt collection firms — provided business licenses that appeared to be legitimate and used the names of real people with clean criminal records.
The company caught on later by tracking the pattern of the searches conducted by the suspects.
Lee said the company learned of the problem in October, but did not notify those customers who were possibly affected until this month because authorities did not want to jeopardize their investigation.
Formed in 1997 as a spinoff of credit reporting agency Equifax (search), ChoicePoint has rapidly grown beyond its roots of analyzing insurance claims information to become a clearinghouse for personal data on hundreds of millions of people.
The 19 billion public records in its database at its suburban Atlanta headquarters include everything from motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.
Wall Street was closed for the President's Day holiday on Monday, but on Friday, ChoicePoint shares slipped 63 cents to close at $43.50 in heavy trading on the New York Stock Exchange (search) — down from nearly $48 a share on Feb. 4.