
The ChoicePoint Attack

Case questions
1. Describe how the information security breach occurred and the business impact of the information security breach at ChoicePoint. Be sure to include both tangible and intangible losses.

How the Information Security Breach Occurred
• Fraudulent groups posed as legitimate businesses by using stolen identities
   o Created documents that seemed real (business licenses) and became customers of ChoicePoint
• These individuals then obtained access to personal data of 145,000 individuals through performing searches of ChoicePoint's databases (identity theft)
   o Stolen information used to access personal information stored by ChoicePoint
   o Personal data included Social Security numbers, personal information (address, name, etc.)
   o Also obtained public record information
• ChoicePoint realized there was an issue when it noticed suspicious activity and contacted the LAPD
   o LAPD notified ChoicePoint that it could contact customers who were affected

Tangible Costs
Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepointpay-million-over-data-breach/#.UKPQHOOe_Jw
• Breach containment/crisis management
   o Need to pay for external security audits
   o Cost of PR: media attention/newspapers, etc.
      ▪ Publishing press release about situation to inform public
• Investigations and forensics
   o ChoicePoint Inc. paid $15 million to settle charges that it failed to protect consumers' personal information
      ▪ Largest civil penalty over data security in the agency's history
• Customer compensation
   o Created $5 million fund to help consumers who became victims of identity theft
   o Costs to notify victims
• Damaged system replacements/new system implementation due to new policies
   o Ex. New system in place to establish initial identity verification
   o Cost to implement additional safeguards to prevent similar occurrences
• Lawsuits
   o Legal fees
   o Consumer lawsuits to represent individuals notified by ChoicePoint
   o Lawsuits against ChoicePoint brought by shareholders


• Loss in profit/stock price
   o In the financial quarter after the security breach was made public, ChoicePoint said it earned $27.68 million, or 30 cents a share, compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago

Intangible Costs
Source: http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf
• Damaged reputation (externally, with customers, investors, etc.)
   o People will automatically think of ChoicePoint as the company with the security fraud
   o Creates distrust in the company
   o Investors will be careful to invest in ChoicePoint stocks
   o Affects future business opportunities
• Loss of customer loyalty
   o Customers who were not identified as those affected by the identity theft may become concerned over the protection of their information
   o People become more concerned than before about protecting their information
   o Creates confusion among customers
• Exposure to greater scrutiny/evaluation
   o Disclosures led to congressional hearings and several legislative initiatives
   o Subject to greater public/congressional attention
• Executives removed/under scrutiny
   o SEC investigation into potential insider trading (officials knew of data breach a lot earlier before releasing information to public)
• Damaged reputation within the company
   o Employee morale declines
   o Distrust among employees and higher management/executives

2. Describe the actions taken by both ChoicePoint and external entities in response to the information security breach. Include your assessment of each action taken in your answer.
• ChoicePoint established a hotline for customers whose data were compromised to call for assistance
   o By providing a channel for customers' individual concerns, ChoicePoint focuses on fixing the relationship it has with each individual customer
   o Individual customer feels heard/as if his/her problems are being addressed in a personal way (CRM)
• Purchased a credit report for each of these people and paid for a one-year credit-report-monitoring service
   o Customers would feel protected, that if their information were to be compromised, the issue would be solved/they would be aware of it immediately (can check their credit reports)
   o Allows customers to feel that ChoicePoint is being proactive to stop the identity theft from happening in the first place (can find fraud before it becomes a quantifiable issue)


• Attorneys initiated a class-action lawsuit for all 145,000 customers with an initial loss claim of $75,000 each
   o Demonstrates ChoicePoint's initiative to protect its customers
   o ChoicePoint wants to help customers reclaim their losses and will pay the costs for customers to receive compensation
• U.S. Senate announced that it would conduct an investigation
   o Government showing it takes the issue of identity theft/fraud extremely seriously
   o Gives citizens a sense of safety that the government will place regulation to prevent identity theft from happening again
   o Government showing other companies in the same industry that they will be punished if customer information is compromised
• SEC investigation within ChoicePoint organization
• Overall, ChoicePoint provided the public with prompt, straightforward and accurate notification of the security breach
   o Directly addressed the problem and informed the public rather than keeping the situation within the company, which, although costly, allowed customers to see that ChoicePoint's main concern was maintaining its customer relationships
   o Important to inform the public directly before the media does

3. Describe reactive steps by ChoicePoint that might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.

Source: http://www.msnbc.msn.com/id/11030692/ns/technology_and_science-security/t/choicepointpay-million-over-data-breach/#.UKPQHOOe_Jw
• Executives should have been notified immediately as soon as any type of suspicious activity was noticed
   o According to the FTC, law enforcement agencies began to warn ChoicePoint of fraudulent activity back in 2001
   o ChoicePoint continued to sell data to companies with expired business licenses even after employees singled them out as suspicious
• ChoicePoint should have publicly announced the policy changes it made within its company to address the problem
   o Would help maintain public trust in its operations
• ChoicePoint developed a Web site detailing the steps it takes to protect privacy
   o Developed another site that lets consumers find out what information ChoicePoint maintains about them in its files (if they can sufficiently authenticate their identities)
   o Maintain open communication with customers and provide transparency
• ChoicePoint should have offered some type of compensation or explanation to its shareholders
   o Comparatively, ChoicePoint was much more effective in addressing the concerns of its customers than its shareholders
   o Could have prevented shareholders from pursuing lawsuit against ChoicePoint


4. Explain what proactive steps by ChoicePoint might deter a reoccurrence of such an information security breach in the future? Explain/justify your choices.

Source: http://www.pcworld.com/article/132795/article.html
• ChoicePoint could have a system to carefully verify the identities of all customers to preserve privacy and security of consumer information
• Clearly define expected behavior and provide tools to employees to simplify compliance
   o Develop practices to monitor potentially fraudulent customer behavior, such as investigating companies that suddenly increase the number of background checks they run by a large margin
• Write information security breach response policies and procedures
   o Spell out who should be notified in case of a breach and what the company should do for affected customers
• ChoicePoint should have regular security audits
   o Allows ChoicePoint to consistently monitor and maintain reasonable security levels under FTC standards
   o External auditor can perform objective analysis
• ChoicePoint should have a channel for employees to report anonymously any suspicious behavior
   o Employees will feel safe to share information
   o Will allow for greater accountability within the organization
• ChoicePoint should also perform background checks on employees on an ongoing basis
   o Decrease possibility of internal threats since employees have access to privileged information within ChoicePoint
• Although identity theft was a result of customer authentication, ChoicePoint should still make sure to encrypt all laptops/mobile devices of employees
   o All personal information should also be stored in encrypted form to minimize risk that data will be acquired by identity thieves
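The customer-monitoring practice suggested above, together with the expired-license problem noted under question 3, can be expressed as a simple account review. This is an added example, not part of the original case answers; the account records are constructed, and the field names and thresholds (`spike_factor`, `min_history`, `min_volume`) are assumptions chosen for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data: weekly background-check counts per customer, oldest first.
ACCOUNTS = {
    "cust-001": {"license_expires": date(2005, 6, 30),
                 "weekly_searches": [40, 38, 45, 41, 39, 44]},
    "cust-002": {"license_expires": date(2005, 9, 30),
                 "weekly_searches": [12, 15, 11, 14, 13, 160]},
    "cust-003": {"license_expires": date(2004, 1, 31),
                 "weekly_searches": [20, 22, 19, 21, 20, 23]},
    "cust-004": {"license_expires": date(2005, 12, 31),
                 "weekly_searches": [3, 2]},
}

def review_account(acct, today, spike_factor=5.0, min_history=4, min_volume=25):
    """Return the reasons (possibly none) an account needs manual investigation."""
    reasons = []
    # Data should not be sold to a customer whose business license has lapsed.
    if acct["license_expires"] < today:
        reasons.append("expired_license")
    searches = acct["weekly_searches"]
    if not searches:
        return reasons
    *history, latest = searches
    if len(history) < min_history:
        # Too little history for a baseline: flag only on high absolute volume.
        if latest >= min_volume:
            reasons.append("high_volume_no_baseline")
    else:
        # Median baseline so one earlier busy week does not hide a later spike.
        baseline = max(median(history), 1)
        if latest >= min_volume and latest / baseline >= spike_factor:
            reasons.append("volume_spike")
    return reasons

def flag_accounts(accounts, today):
    """Map customer id -> reasons, for accounts with at least one reason."""
    flagged = {}
    for cid, acct in accounts.items():
        reasons = review_account(acct, today)
        if reasons:
            flagged[cid] = reasons
    return flagged

if __name__ == "__main__":
    for cid, reasons in flag_accounts(ACCOUNTS, date(2005, 2, 1)).items():
        print(cid, reasons)
```

Flagged accounts feed a manual investigation queue; the thresholds would need tuning against real customer behavior before use.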
