Choice Point MIS Case Study

The ChoicePoint Attack

Case questions

1. Describe how the information security breach occurred and the business impact of the information security breach at ChoicePoint. Be sure to include both tangible and intangible losses.

How the Information Security Breach Occurred

- Fraudulent groups posed as legitimate businesses by using stolen identities
    o Created documents that seemed real (business licenses) and became customers of ChoicePoint
- These individuals then obtained access to the personal data of 145,000 individuals by performing searches of ChoicePoint's databases (identity theft)
    o Stolen information was used to access personal information stored by ChoicePoint
    o Personal data included Social Security numbers and personal information (address, name, etc.)
    o Also obtained public record information
- ChoicePoint realized there was an issue when it noticed suspicious activity and contacted the LAPD
    o The LAPD notified ChoicePoint that it could contact customers who were affected

Tangible Costs
Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepoint-pay-million-over-data-breach/#.UKPQHOOe_Jw

- Breach containment/crisis management
    o Need to pay for external security audits
    o Cost of PR: media attention, newspapers, etc.
    o Publishing a press release about the situation to inform the public
- Investigations and forensics
    o ChoicePoint Inc. paid $15 million to settle charges that it failed to protect consumers' personal information
    o Largest civil penalty over data security in the agency's history
- Customer compensation
    o Created a $5 million fund to help consumers who became victims of identity theft
    o Costs to notify victims
- Damaged system replacements/new system implementation due to new policies
    o Ex. new system put in place to establish initial identity verification
    o Cost to implement additional safeguards to prevent similar occurrences
- Lawsuits
    o Legal fees
    o Consumer lawsuits to represent individuals notified by ChoicePoint
    o Lawsuits against ChoicePoint brought by shareholders
- Loss in profit/stock price


    o In the financial quarter after the security breach was made public, ChoicePoint said it earned $27.68 million, or 30 cents a share, compared to a profit of $39.22 million, or 43 cents a share, for the same period a year earlier

Intangible Costs
Source: http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf

- Damaged reputation (externally, with customers, investors, etc.)
    o People will automatically think of ChoicePoint as the company with the security fraud
    o Creates distrust in the company
    o Investors will be careful about investing in ChoicePoint stock
    o Affects future business opportunities
- Loss of customer loyalty
    o Customers who were not identified as affected by the identity theft may become concerned over the protection of their information
    o People become more concerned than before about protecting their information
    o Creates confusion among customers
- Exposure to greater scrutiny/evaluation
    o Disclosures led to congressional hearings and several legislative initiatives
    o Subject to greater public/congressional attention
- Executives removed/under scrutiny
    o SEC investigation into potential insider trading (officials knew of the data breach well before releasing information to the public)
- Damaged reputation within the company
    o Employee morale declines
    o Distrust between employees and higher management/executives

2. Describe the actions taken by both ChoicePoint and external entities in response to the information security breach. Include your assessment of each action taken in your answer.

- ChoicePoint established a hotline for customers whose data were compromised to call for assistance
    o By providing a channel for customers' individual concerns, ChoicePoint focuses on fixing the relationship it has with each individual customer
    o The individual customer feels heard, as if his/her problems are being addressed in a personal way (CRM)
- Purchased a credit report for each of these people and paid for a one-year credit-report-monitoring service
    o Customers would feel protected: if their information were to be compromised, the issue would be solved or they would be aware of it immediately (they can check their credit reports)
    o Allows customers to feel that ChoicePoint is being proactive to stop the identity theft from happening in the first place (fraud can be found before it becomes a quantifiable issue)
- Attorneys initiated a class-action lawsuit for all 145,000 customers with an initial loss claim of $75,000 each
    o Demonstrates ChoicePoint's initiative to protect its customers


    o ChoicePoint wants to help customers reclaim their losses and will pay the costs for customers to receive compensation
- The U.S. Senate announced that it would conduct an investigation
    o Government showing it takes the issue of identity theft/fraud extremely seriously
    o Gives citizens a sense of safety that the government will put regulation in place to prevent identity theft from happening again
    o Government showing other companies in a similar industry that they will be punished if customer information is compromised
- SEC investigation within the ChoicePoint organization
- Overall, ChoicePoint provided the public with prompt, straightforward and accurate notification of the security breach
    o Directly addressed the problem and informed the public rather than keeping the situation within the company, which, although costly, allowed customers to see that ChoicePoint's main concern was maintaining its customer relationships
    o Important to inform the public directly before the media does

3. Describe reactive steps by ChoicePoint that might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.

Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepoint-pay-million-over-data-breach/#.UKPQHOOe_Jw

- Executives should have been notified immediately, as soon as any type of suspicious activity was noticed
    o According to the FTC, law enforcement agencies began to warn ChoicePoint of fraudulent activity back in 2001
    o ChoicePoint continued to sell data to companies with expired business licenses even after employees singled them out as suspicious
- ChoicePoint should have publicly announced the policy changes it made within the company to address the problem
    o Would help maintain public trust in its operations
- ChoicePoint developed a Web site detailing the steps it takes to protect privacy
    o Developed another site that lets consumers find out what information ChoicePoint maintains about them in its files (if they can sufficiently authenticate their identities)
    o Maintains open communication with customers and provides transparency
- ChoicePoint should have offered some type of compensation or explanation to its shareholders
    o Comparatively, ChoicePoint was much more effective in addressing the concerns of its customers than those of its shareholders
    o Could have prevented shareholders from pursuing a lawsuit against ChoicePoint

4. Explain what proactive steps by ChoicePoint might deter a reoccurrence of such an information security breach in the future? Explain/justify your choices.

Source: http://www.pcworld.com/article/132795/article.html

- ChoicePoint could have a system to carefully verify the identities of all customers to preserve the privacy and security of consumer information
- Clearly define expected behavior and provide tools to employees to simplify compliance


    o Develop practices to monitor potentially fraudulent customer behavior, such as investigating companies that suddenly increase the number of background checks they run by a large margin
- Write information security breach response policies and procedures
    o Spell out who should be notified in case of a breach and what the company should do for affected customers
- ChoicePoint should have regular security audits
    o Allows ChoicePoint to consistently monitor and maintain reasonable security levels under FTC standards
    o An external auditor can perform an objective analysis
- ChoicePoint should have a channel for employees to anonymously report any suspicious behavior
    o Employees will feel safe to share information
    o Will allow for greater accountability within the organization
- ChoicePoint should also perform background checks on employees on an ongoing basis
    o Decreases the possibility of internal threats, since employees have access to privileged information within ChoicePoint
- Although the identity theft was a result of customer authentication, ChoicePoint should still make sure to encrypt all laptops/mobile devices of employees
    o All personal information should also be stored in encrypted form to minimize the risk that data will be acquired by identity thieves
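The monitoring practice proposed above (flagging customers whose search volume jumps by a large margin) and the expired-license point from question 3 can be expressed as a simple review check. The script below is an added illustration, not part of the original case answer or of any ChoicePoint system; the account ids, license dates and daily search counts are constructed sample data, and the spike factor and minimum-volume threshold are assumed tuning values.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List

@dataclass
class CustomerAccount:
    account_id: str
    license_expires: date      # business-license expiry date on file for the account
    daily_searches: List[int]  # daily search counts, oldest first; last entry is today's

def flag_account(c: CustomerAccount, today: date,
                 spike_factor: float = 3.0, min_volume: int = 5) -> List[str]:
    """Return the reasons an account needs review (empty list means no flag).
    spike_factor and min_volume are assumed tuning values, not figures from the case:
    today's count is a spike when it exceeds spike_factor times the account's own
    historical daily mean and also exceeds min_volume (so tiny accounts don't trip it)."""
    reasons = []
    if c.license_expires < today:
        reasons.append("business license expired on %s" % c.license_expires.isoformat())
    history, latest = c.daily_searches[:-1], c.daily_searches[-1]
    baseline = mean(history) if history else 0.0
    if latest > max(min_volume, spike_factor * baseline):
        reasons.append("search volume spike: %d today vs %.1f/day baseline" % (latest, baseline))
    return reasons

def review_queue(customers: List[CustomerAccount], today: date) -> Dict[str, List[str]]:
    """Map each flagged account id to its reasons; unflagged accounts are omitted."""
    queue = {}
    for c in customers:
        reasons = flag_account(c, today)
        if reasons:
            queue[c.account_id] = reasons
    return queue

# Constructed sample data (not real ChoicePoint customers or figures).
TODAY = date(2005, 2, 15)
SAMPLE_CUSTOMERS = [
    CustomerAccount("ACME-0001", date(2005, 12, 31), [10, 9, 11, 10, 10, 12]),  # steady, licensed
    CustomerAccount("SHELL-0042", date(2004, 6, 30), [2, 3, 2, 1, 300]),        # expired + spike
    CustomerAccount("NEW-0007", date(2006, 3, 1), [0, 0, 1, 40]),               # spike only
    CustomerAccount("DORMANT-0012", date(2004, 12, 31), [4, 4, 4, 4]),          # expired only
]

if __name__ == "__main__":
    for account_id, reasons in review_queue(SAMPLE_CUSTOMERS, TODAY).items():
        print(account_id, "->", "; ".join(reasons))
```

Accounts that trip either rule land in a review queue for a person to investigate before further searches are served; the thresholds would be tuned against real per-customer history rather than the constructed values used here.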