This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Download it now to read this article plus other related content.
Getting the Point|
by Mark Baard
ChoicePoint put data breaches on the front page of The Wall Street Journal, into corporate boardrooms and the consciousness of Americans.
"This is not an information security issue," Baich told Information Security shortly after ChoicePoint disclosed 163,000 customer records had been accessed. "My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day."
In fact, the incident underscored the vulnerability of sensitive data to many attack vectors, from classic computer hacks to trusted insiders to thieves like the ChoicePoint fraudsters. They posed as legitimate business customers and set up accounts to obtain the type of information that ChoicePoint typically sold third parties.
It's not that ChoicePoint was the first or the worst data breach, but it was spectacular, driving countless companies to take steps to avoid Choice-Point's miserable--and very public--experience, which was resolved when it paid $10 million in fines and $5 million compensation to consumers after it reported
| the breach to California regulators and consumers. ChoicePoint executives got a good tongue-lashing before Congress for good measure.
"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," FTC Chairman Deborah Platt Majoras said in a statement. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business."
But data owners still have a long way to go to secure critical information and prevent fraud, says Gartner analyst Avivah Litan.
"[Data breaches are] still happening," Litan says. Since ChoicePoint was breached, more than 215 million personal records have been lost by entities responsible for them. TJX, Gap Inc., Monster.com and TD Ameritrade this year alone have joined ChoicePoint, the VA and many others as standard-bearers for shoddy data security.
This was first published in January 2008