Choice Point MIS Case Study
The ChoicePoint Attack
Case questions
1. Describe how the information security breach occurred and the business impact of the information security breach at ChoicePoint. Be sure to include both tangible and intangible losses.
How the Information Security Breach Occurred
Fraudulent groups posed as legitimate businesses by using stolen identities
o Created documents that seemed real (business licenses) and became customers of ChoicePoint
These individuals then obtained access to personal data of 145,000 individuals through performing searches of ChoicePoint’s databases (identity theft)
o Stolen information used to access personal information stored by ChoicePoint
o Personal data included Social Security numbers, personal information (address, name, etc.)
o Also obtained public record information
ChoicePoint realized there was an issue when it noticed suspicious activity and contacted the LAPD
o LAPD notified ChoicePoint that it could contact customers who were affected
Tangible Costs
Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepoint-pay-million-over-data-breach/#.UKPQHOOe_Jw
Breach containment/crisis management
o Need to pay for external security audits
o Cost of PR - media attention/newspapers etc.
  Publishing press release about situation to inform public
Investigations and forensics
o ChoicePoint Inc. paid $15 million to settle charges that it failed to protect consumers' personal information
  Largest civil penalty over data security in the agency's history
Customer compensation
o Created $5 million fund to help consumers who became victims of identity theft
o Costs to notify victims
Damaged system replacements/new system implementation due to new policies
o Ex. New system in place to establish initial identity verification
o Cost to implement additional safeguards to prevent similar occurrences
Lawsuits
o Legal fees
o Consumer lawsuits to represent individuals notified by ChoicePoint
o Lawsuits against ChoicePoint brought by shareholders
Loss in profit/stock price
o Financial quarter after the security breach was made public, ChoicePoint said it earned $27.68 million, or 30 cents a share, compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago
Intangible Costs
Source: http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf
Damaged reputation (externally, with customers, investors, etc.)
o People will automatically think of ChoicePoint as the company with the security fraud
o Creates distrust in the company
o Investors will be careful to invest in ChoicePoint stocks
o Affects future business opportunities
Loss of customer loyalty
o Customers who were not identified as those affected by the identity theft may become concerned over the protection of their information
o People become more concerned than before about protecting their information
o Creates confusion among customers
Exposure to greater scrutiny/evaluation
o Disclosures led to congressional hearings and several legislative initiatives
o Subject to greater public/congressional attention
Executives removed/under scrutiny
o SEC investigation into potential insider trading (officials knew of data breach a lot earlier before releasing information to public)
Damaged reputation within the company
o Employee morale declines
o Distrust among employees and higher management/executives
2. Describe the actions taken by both ChoicePoint and external entities in response to the information security breach. Include your assessment of each action taken in your answer.
ChoicePoint established a hotline for customers whose data were compromised to call for assistance
By providing a channel for customers’ individual concerns, ChoicePoint focuses on fixing the relationship it has with each individual customer
Individual customer feels heard/as if his/her problems are being addressed in a personal way (CRM)
Purchased a credit report for each of these people and paid for a one-year credit-report-monitoring service
Customers would feel protected, that if their information were to be compromised, the issue would be solved/they would be aware of it immediately (can check their credit reports)
Allows customers to feel that ChoicePoint is being proactive to stop the identity theft from happening in the first place (can find fraud before it becomes a quantifiable issue)
Attorneys initiated a class-action lawsuit for all 145,000 customers with an initial loss claim of $75,000 each
Demonstrates ChoicePoint’s initiative to protect its customers
ChoicePoint wants to help customers reclaim their losses and will pay the costs for customers to receive compensation
U.S. Senate announced that it would conduct an investigation
Government showing it takes the issue of identity theft/fraud extremely seriously
Give citizens sense of safety that the government will place regulation to prevent identity theft from happening again
Government showing other companies that are in the similar industry that they will be punished if customer information is compromised
SEC investigation within ChoicePoint organization
Overall ChoicePoint provided the public with prompt, straightforward and accurate notification of the security breach
Directly addressed problem and informed public rather than keeping the situation within the company, which, although costly, allowed customers to see that ChoicePoint’s main concern was maintaining its customer relationships
Important to inform the public directly before the media does
3. Describe reactive steps by ChoicePoint that might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.
Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepoint-pay-million-over-data-breach/#.UKPQHOOe_Jw
Executives should have been notified immediately as soon as any type of suspicious activity was noticed
o According to the FTC, law enforcement agencies began to warn ChoicePoint of fraudulent activity back in 2001
o ChoicePoint continued to sell data to companies with expired business licenses even after employees singled them out as suspicious
ChoicePoint should have publicly announced the policy changes it made within its company to address the problem
o Would help maintain public trust in its operations
ChoicePoint developed a Web site detailing the steps it takes to protect privacy
o Developed another site that lets consumers find out what information ChoicePoint maintains about them in its files (if they can sufficiently authenticate their identities)
o Maintain open communication with customers and provide transparency
ChoicePoint should have offered some type of compensation or explanation to its shareholders
o Comparatively, ChoicePoint was much more effective in addressing the concerns of its customers than its shareholders
o Could have prevented shareholders from pursuing lawsuit against ChoicePoint
4. Explain what proactive steps by ChoicePoint might deter a reoccurrence of such an information security breach in the future? Explain/justify your choices.
Source: http://www.pcworld.com/article/132795/article.html
ChoicePoint could have a system to carefully verify the identities of all customers to preserve privacy and security of consumer information
Clearly define expected behavior and provide tools to employees to simplify compliance
o Develop practices to monitor potentially fraudulent customer behavior, such as investigating companies that suddenly increase the number of background checks they run by a large margin
Write information security breach response policies and procedures
o Spell out who should be notified in case of a breach and what the company should do for affected customers
ChoicePoint should have regular security audits
o Allows ChoicePoint to consistently monitor and maintain reasonable security levels under FTC standards
o External auditor can perform objective analysis
ChoicePoint should have a channel for employees to report anonymously any suspicious behavior
o Employees will feel safe to share information
o Will allow for greater accountability within the organization
ChoicePoint should also perform background checks on employees on an ongoing basis
o Decrease possibility of internal threats since employees have access to privileged information within ChoicePoint
Although identity theft was a result of customer authentication, ChoicePoint should still make sure to encrypt all laptops/mobile devices of employees
o All personal information should also be stored in encrypted form to minimize risk that data will be acquired by identity thieves
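
One way to implement the monitoring practice named under question 4 (investigating customers whose number of background checks suddenly jumps), shown as an added example that is not part of the original case study. The account names, daily counts and thresholds are constructed for illustration and are assumptions, not ChoicePoint data.

```python
from collections import defaultdict
from statistics import median


def _series(account, counts, start_day=1):
    """Build constructed (day, account, searches) records for one subscriber."""
    return [(start_day + i, account, c) for i, c in enumerate(counts)]


# Constructed sample log: one record per subscriber account per day.
SEARCH_LOG = (
    _series("acct-steady", [18, 22, 20, 19, 21, 23, 20, 22, 19, 21])
    + _series("acct-spike", [10, 12, 9, 11, 10, 13, 12, 11, 140, 155])
    + _series("acct-new", [400, 30], start_day=9)  # no usage history yet
)


def flag_volume_spikes(log, window=7, ratio=5.0, min_searches=50,
                       min_history=3, new_account_cap=200):
    """Return sorted (day, account, searches, baseline) tuples to investigate.

    An established account is flagged when a day's volume is at least
    `min_searches` and at least `ratio` times the median of its previous
    `window` days. An account with fewer than `min_history` prior days has no
    baseline, so it is flagged on the absolute `new_account_cap` instead
    (baseline is reported as None).
    """
    per_account = defaultdict(list)
    for day, account, count in sorted(log):
        per_account[account].append((day, count))

    alerts = []
    for account, series in per_account.items():
        for i, (day, count) in enumerate(series):
            history = [c for _, c in series[max(0, i - window):i]]
            if len(history) < min_history:
                if count >= new_account_cap:
                    alerts.append((day, account, count, None))
                continue
            # Median keeps one earlier spike from inflating the baseline.
            baseline = max(median(history), 1)
            if count >= min_searches and count >= ratio * baseline:
                alerts.append((day, account, count, baseline))
    return sorted(alerts, key=lambda a: a[:3])


if __name__ == "__main__":
    for alert in flag_volume_spikes(SEARCH_LOG):
        print(alert)
```

The separate ceiling for accounts without history matters here because the fraudulent groups in this case were newly enrolled customers, which a purely relative baseline would not catch.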