Court Orders Brazen Data Thieves to Stop
Superior Court Judge Harriet Derman granted a court order on Tuesday barring data provider Source Resources Inc. from acquiring, possessing or selling confidential information about Verizons 45 million wireless customers. According to Verizons claim, which was filed in early July, Source Resources was able to dupe the carriers customer service representatives into supplying much of the data.
As part of a settlement with Verizon, Source Resources also agreed to surrender any records it maintained of subsequent transactions involving the customer data and to provide documentation detailing the manner in which it obtained the information.
Bedminster, N.J.-based Verizon claimed that Source Resources used personal information obtained from other sources in order to pose as individual customers and trick its service representatives into divulging additional data, including their phone numbers and calling records.
While companies that gather and market sensitive consumer data have increasingly come under fire from Congress for exposing people to identity fraud and other crimes, the Verizon legal claim is one of the first to illustrate the deceitful nature some companies use to build their individual profiles. According to the carrier, Source Resources, of Cookeville, Tenn., routinely misled Verizon workers to get information on behalf of its customers, specifically private investigators.
Managers at Source Resources declined further comment on the lawsuit.
As part of its claim, Verizon submitted online marketing materials reportedly offered by Source Resources that detailed the companys ability to garner the names, addresses and social security numbers of individual cellular subscribers for $85 apiece. For $150, the data broker offered additional information, including wireless calling records and billing information.
"Accessing a persons personal telephone records without a valid court order or the customers permission is illegal," Steven Zipperstein, general counsel at Verizon Wireless, said in a statement. "We will protect our customers against these kinds of assaults on their privacy and use every weapon in our legal arsenal to shut down identity-theft operations."
Sources familiar with the case said that a private investigator named in the suit, Richard Childs, first informed the carrier of Source Resources data acquisition practices when one of his own clients had their information obtained by the firm. Childs did not return calls seeking comment on the case, but Verizon stated in its filing that private investigators are also among the most frequent buyers of the services involved in the Source Resources suit.
Chris Hoofnagle, a director at the Electronic Privacy Information Center, said that the Verizon case helps illustrate an increased need for better safeguards protecting consumer information, particularly against data aggregators and private investigators. In late August, EPIC petitioned the Federal Communications Commission and the Federal Trade Commission to improve security for calling records. In the request, EPIC identified some 40 Web sites that openly offer to obtain calling records without an account holders consent.
"The practice that Verizon is trying to address is exactly what we warned the FCC and FTC about. Luckily, it looks like Verizon caught these guys red-handed," said Hoofnagle. "Its this type of prosecution thats going to be necessary to insure that customer records are secure, but its just part of the protections that should be in place, including stricter regulations for carriers and private investigators.
Hoofnagle said that by moving the battle against abusers of data privacy rights to state courts, organizations looking to stem the practice will likely see a faster response than they can expect in seeking federal legislation to ban such practices.
Pam Dixon, executive director of the World Privacy Forum, said that the Source Resources case highlights the fact that many data providers are willing to break existing laws to find highly marketable data. New Jersey laws already require carriers to obtain a valid court order or a customers express consent before granting access to calling records.
"There is clearly a growing industry of people that are using social engineering to garner this type of information, and doing so in an illegal manner," said Dixon. "You have a lot of private investigators going after information inappropriately, and this shows the need for better regulation of how these people access personal data."
While Dixon praised Verizon for pursuing the Source Resources case aggressively, she said that some relatively simple business practice improvements could help prevent future attempts to trick the firm into disclosing customers information. For instance, she said, if Verizon instituted a password system for launching customer interactions with service representatives, the company could rapidly provide an added level of personal data security.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.