ChoicePoint CISO on the hot seat, but also firing back

By Mike Mimoso, Senior Editor
24 Feb 2005 | SearchSecurity.com

ChoicePoint, a company specializing in the safeguarding of individuals' personal records for insurance and credit companies, found itself in a media maelstrom last week after disclosing that con men had stolen 145,000 consumer records by setting up fake-business requests. In the eye of the storm: CISO Rich Baich, who, with the rest of the crisis management team, must navigate the choppy waters of incident response and criminal investigation under the scrutiny of the media. In a special report to be published in April's Information Security magazine, Baich explains what happened and how he believes his company is handling the intense attention.

Is this an information security issue, in your opinion?

Richard Baich: This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No, we weren't. This type of fraud happens every day.
Why don't you consider this a hack?

Baich: I was at RSA among other CISOs when the media frenzy around this kicked in. I would never have thought the media would spin it as atrociously as they have. None other than Howard Schmidt came up to me and told me he felt badly. He said 'This is fraud, it's not a hack.' This is a business process that failed. Before the media calls this a hack, it should get the facts straight. You could say they're the same, they're not.

What happened?

Baich: What transpired was that in October, we saw some activity that would suggest fraud taking place within our public records group. We contacted the Los Angeles sheriff's office and set up a sting, and an individual was arrested, convicted and sentenced to 16 months.

The individual circumvented our customer credentialing process by providing fraudulent documents, like business licenses, and became an authorized customer; i.e., the fraud. Once he was an authorized customer, they could access the information available like names, addresses, Social Security numbers, property information; enough information to do malicious acts like identity theft.

We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this. [ChoicePoint cooperated with a request from investigators to delay the disclosure until this month]. A lot of companies may not have ever disclosed this. Our vision is to make a safer, more secure world through the responsible use of information. We feel badly about the 145,000 affected and take that impact to the consumer personally. We're taking action to mitigate further risks in the future.

Editor's Note: ChoicePoint initially disclosed the theft only to Californians, as required under the state's breach notification act. It later announced it would inform all 145,000 victims across the United States. At least 70 victims say their stolen identities have been used to commit fraud.

Can you quantify the impact of this incident to ChoicePoint's reputation?

Baich: It's not possible right now. [ChoicePoint stock dropped 9.7% on Tuesday, closing at $39.30, down from a 52-week high of $47.95 earlier this month]. What would help (the security) industry is to say that a mislabeling of this event as a hack is killing ChoicePoint. It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.
