ChoicePoint, a company specializing in the safeguarding of individuals' personal records for insurance and credit companies, found itself in a media maelstrom last week after disclosing that conmen had stolen 145,000 consumer records by setting up fake-business requests. In the eye of the storm: CISO Rich Baich, who, with the rest of the crisis management team, must navigate the choppy waters of incident response and criminal investigation under the scrutiny of the media. In a special report to be published in April's Information Security magazine, Baich explains what happened and how he believes his company is handling the intense attention.
Is this an information security issue, in your opinion?
Richard Baich: This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No, we weren't. This type of fraud happens every day.
Why don't you consider this a hack?
Baich: I was at RSA among other CISOs when the media frenzy around this kicked in. I would never have thought the media would spin it as atrociously as they have. None other than Howard Schmidt came up to me and told me he felt badly. He said, 'This is fraud, it's not a hack.' This is a business process that failed. Before the media calls this a hack, it should get the facts straight. You could say they're the same; they're not.
Baich: What transpired was that in October, we saw some activity that would suggest fraud taking place within our public records group. We contacted the Los Angeles sheriff's office and set up a sting, and an individual was arrested, convicted and sentenced to 16 months.
The individual circumvented our customer credentialing process by providing fraudulent documents, like business licenses, and became an authorized customer; i.e., the fraud. Once he was an authorized customer, they could access the information available like names, addresses, Social Security numbers, property information; enough information to do malicious acts like identity theft.
We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this. [ChoicePoint cooperated with a request from investigators to delay the disclosure until this month]. A lot of companies may not have ever disclosed this. Our vision is to make a safer, more secure world through the responsible use of information. We feel badly about the 145,000 affected and take that impact to the consumer personally. We're taking action to mitigate further risks in the future.
Editor's Note: ChoicePoint initially disclosed the theft only to Californians, as required under the state's breach notification act. It later announced it would inform all 145,000 victims across the United States. At least 70 victims say their stolen identities have been used to commit fraud.
Can you quantify the impact of this incident to ChoicePoint's reputation?
Baich: It's not possible right now. [ChoicePoint stock dropped 9.7% on Tuesday, closing at $39.30, down from a 52-week high of $47.95 earlier this month]. What would help (the security) industry is to say that a mislabeling of this event as a hack is killing ChoicePoint. It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.
Where do you think the CISO's responsibilities end in a case like ChoicePoint's, where fraud, and not hacking tools, were used to steal private information?