It used to be when thieves wanted to steal someone's identity they would rummage through trash cans for bills and credit card statements to find individual account numbers.


Bibiana Benson had a far cleaner, and more lucrative method.


The Nigerian-born local resident got a fake driver's license, started a bogus real estate business and then opened a post office box in plush Beverly Hills.


That's all that was needed, prosecutors say, for her to obtain thousands of credit cards, bank account numbers and other valuable identity information from ChoicePoint Inc. She also sold the identities to other thieves for $40 to $65 a piece.


"She got 10,000 identities that way," said assistant U.S. Attorney Mark Krause, who headed the federal investigation of Benson and her brother, Adedayo Benson, in Los Angeles. "That's a lot of trash cans."


The Bensons' case was the first to hit ChoicePoint, the Alpharetta, Ga.-based data firm that disclosed in February it may have divulged the personal information of 145,000 people to identity thieves posing as small businesses. The announcement spurred talk in Washington of tougher privacy protections and investigations by state attorneys general into how the company breached the privacy of such individuals.


Last month, the Los Angeles County District Attorney's Office brought a 22-count indictment against Olatunji Oluwatosin, a North Hollywood man who was accused of obtaining the personal information of thousands of people. He also is alleged to have created false businesses, rented local post office boxes and obtained ChoicePoint accounts to get people's identities.


ChoicePoint is one of several data companies that has emerged in recent years to provide public information to businesses, insurance firms and government agencies.


The company helps do employment background checks, drug screenings, public filings, tenant screening, mortgage fraud credentialing and shareholder locator information searches.


Critics charge that ChoicePoint, in generously granting sensitive data, was avoiding federal regulations designed to protect consumers from having their personal information, such as Social Security numbers, made available.


"Part of the problem that we're discovering is that ChoicePoint let people into its system with just a business license," said Chris Hoofnagle, senior counsel at the Electronic Privacy Information Center. "Any Tom, Dick or Harry can get a business license."


Dumpster diving
Identity theft affects about 10 million people each year, according to the Federal Trade Commission, costing some $53 billion in losses.


Traditionally, thieves have gone "dumpster diving" to get identities. However, the Bensons, Oluwatosin and other cases targeting companies such as ChoicePoint have drastically raised the stakes. "I could be a waiter at a restaurant and steal a credit card number, but I only have a number. If I get a ChoicePoint report, I have a mother's maiden name and Social Security number, and I could apply for lots of cards. It's a much bigger problem," Hoofnagle said.


In the Benson case, the fraud started in March 2000 when someone named Dale Patterson rented a mailbox at the Beverly Hills Postal Center on North Canon Drive using an Arizona driver's license, according to court documents.


Investigators found out that the box was actually being used by Benson, who somehow had obtained a ChoicePoint account in the name of a real person named Christine Burton by fraudulently claiming she ran a business called C & B; Research. (ChoicePoint accounts are only available to certain business owners.)


Prosecutors are not sure how Benson got Burton's name, but believe she was able to convince ChoicePoint to create the account by using forged documents that appeared to show C & B; Research was a real business.


"It's not entirely clear what she said she was doing, whether she was a broker or a loan officer," Krause said. "She forged documents that appeared to be from the Department of Corporations."


During the next six months, Benson used her ChoicePoint account to get personal information on other victims. She went on to open bank accounts, cell phone accounts and credit cards in the names of the victims.


"She was buying fancy food, jewelry, fancy clothes, went on vacations, took cash advances through ATMs, drove a Land Rover, stayed in nice places," said Krause. Some of the information also was sold to other thieves, court records say.


Benson and her brother Adedayo eventually rented a total of four mailboxes, two in Beverly Hills and two in Encino, often using the same fake driver's license as identification.


Confirming legitimacy
They were foiled after the U.S. Secret Service, acting on a tip, discovered several credit cards going to the same mail boxes, Krause said. Bibiana Benson was charged with crimes related to identity theft in 2002, and her brother was arrested after being caught on an ATM security camera trying to use someone else's credit card. He was charged in late 2004. The Bensons, whose cases concluded in March, are serving sentences of more than four years each in federal prison.


ChoicePoint has refused to discuss why it did not make an earlier disclosure after learning of the Benson case.


However, Carol DiBattiste, chief credentialing, compliance and privacy officer at ChoicePoint, sent an e-mail to the Business Journal detailing several changes that have taken place at the company.


Customers who receive "sensitive personally identifiable information" now are subject to a visit by a ChoicePoint representative in order to make sure they are legitimate businesses, the e-mail said.


Additionally, the company now disguises parts of credit card numbers when sending personal information and has restricted the types of businesses that may receive Social Security numbers, driver's license numbers and other personal information.


ChoicePoint was ultimately forced to reveal the potential identity theft victims in a separate case under a California law effective in 2003 that requires companies to make such notifications.


The February announcements were linked to the county investigation of Oluwatosin, said Jeffrey McGrath, deputy district attorney at the Southern California high-tech crimes task force.


Oluwatosin used a rented mailbox at a commercial center in Beverly Hills under the name John Alex, according to documents in Los Angeles Superior Court. By October 2002 Oluwatosin had opened a ChoicePoint account at that mailing address for a business called Pacific Collections.


In addition to stealing identities, Oluwatosin used forged business licenses as well as actual licenses obtained by the City of Los Angeles to open ChoicePoint accounts, McGrath alleges.


Oluwatosin, along with an Encino man who was later charged, allegedly used ChoicePoint accounts to obtain personal information that they then used to open credit cards, bank accounts and get cash advances.


Other businesses with different names were set up with rented mailboxes in North Hollywood, Encino, North Hills and West Hollywood.


In a press release last month, District Attorney Steve Cooley called the Oluwatosin investigation "one of the largest cases of identity theft ever prosecuted in Los Angeles County."


ChoicePoint recorded pre-tax charges totaling $11.4 million in the first and second quarters of 2005, mostly for costs associated with notifying individuals whose identities may have been stolen and for legal fees in defending against lawsuits and government investigations, according to documents filed with the Securities and Exchange Commission.


Still, not all victims' rights groups and security advocates place the blame on ChoicePoint.


Linda Foley, co-executive director of the Identity Theft Resource Center, said identity theft is such a rapidly changing crime, it's hard to be sure that any security measures are good enough.


"They were scammed. We're not holding them 100 percent at fault here," said Foley. "What procedures we put in place today, they need to re-evaluate on a monthly basis."

For reprint and licensing requests for this article, CLICK HERE.