ChoicePoint, a Georgia-based corporation and 1997 spin-off from Equifax Inc., provides risk-management and fraud-prevention data. Traditionally, ChoicePoint provided motor vehicle reports, claims histories, and similar data to the automobile insurance industry, but in recent years it broadened its customer base to include general business and government agencies. ChoicePoint collects, stores, and sells the personal information of consumers (e.g., social security numbers, birth dates, employment information, criminal histories and credit histories) to more than 50,000 businesses and agencies. The company also offered data for volunteer and job-applicant screening and data ...view middle of the document...
In January, the LAPD notified ChoicePoint that it could contact the individuals whose data had been compromised.
This crime is an example of a failure of authentication and not a network break-in. ChoicePoint's firewalls and other safeguards were not overcome. Instead, the criminals spoofed legitimate businesses. The infiltrators obtained valid California business licenses, and until their unusual processing activity was detected, appeared to be legitimate users.
In response to this problem, ChoicePoint established a hotline for individuals whose data were compromised to call for assistance. They also purchased a credit report for each of these people and paid for a one-year credit-report-monitoring service. In February 2005, attorneys initiated a class-action lawsuit for 145,000 individuals with an initial loss claim of $75,000 each. It was later acknowledged by ChoicePoint that the total number of individuals whose records were compromised was actually well over this number. At the same time, the U.S. Senate announced that it would conduct an investigation. Later, both the U.S. Federal Trade Commission and Securities and Exchange Commission announced separate investigations into the incident and the response by ChoicePoint executives.
Ironically, ChoicePoint exposed itself to a public relations nightmare, considerable expense, a class-action lawsuit, federal investigation, and a 20 percent drop in its share price because it contacted the police and cooperated in the attempt to apprehend the criminals. When ChoicePoint noticed the unusual account activity, had it simply shut down data access for the illegitimate businesses, no one would have known. Of course, the 145,000 plus individuals whose identities had been compromised would have unknowingly been subject to identity theft, but it is unlikely that such thefts would have been tracked back to ChoicePoint. According to the FTC (which later fined ChoicePoint $10m for their negligence) at least 800 cases of identity theft resulted from the breach.
1. Describe how the information security breach occurred and the business impact of the information security breach at ChoicePoint. Be sure to include both tangible and intangible losses.
• The criminals posed as customers by using stolen identities to create and produce the documents needed to appear legitimate and obtained personal data of 145,000 individuals
• Tangible business losses include:
o Purchased credit reports and paid for one year credit monitoring service for those accounts compromised
o 20 percent drop in share price
o $10mil fine from FTC for negligence
• Intangible business impacts include:
o Public relations nightmare, class action lawsuit, and federal investigation
2. Describe the actions taken by both ChoicePoint and external entities in response to the information security breach. Include your assessment...