Network News

X My Profile
View More Activity

ChoicePoint Breach Exposed 13,750 Consumer Records

ChoicePoint Inc., one of the nation's consumer data brokers, agreed to pay $275,000 to federal regulators as a result of a data breach last year that exposed Social Security numbers and other personal information on 13,750 people.

The agreement comes in response to claims by the Federal Trade Commission that ChoicePoint violated the terms of a settlement reached following a separate data breach at the company in 2005 that led to hundreds of cases of identity theft.

In 2006, ChoicePoint - now a subsidiary of Reed Elsevier Inc - paid $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The FTC had sued ChoicePoint, charging that the incident led to at least 800 confirmed identity theft crimes.

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint's consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint's AutoTrack XP Product, which according to the company "references an enormous amount of data - addresses, driver licenses, property deed transfers, corporate information and much more," including court records.

ChoicePoint said its customer notified affected consumers shortly after the breach was discovered early last fall. But the company denies that its failure to leave the monitoring system running violated the terms of the original settlement, saying that its fraud monitoring system pre-dated the 2006 settlement and was adopted on the company's own initiative. The company also notes that the breached database did not contain personal information subject to the Fair Credit Reporting Act -namely, consumer financial information.

Elizabeth Tucci, a trial attorney for the FTC's enforcement division, said the agency has no evidence this time around that the thieves responsible used the information to hijack consumers' identities. But she said companies such as ChoicePoint need to be held accountable because they do not answer to the consumers whose data they sell to third parties.

"ChoicePoint has no direct relationship with the consumer, so the consumer is powerless to prevent this kind of thing," Tucci said. "Because much of this information is sensitive and the fact that the consumer has no control over the sale of that information, [ChoicePoint] was under a mandate to have a very comprehensive security program in place."

ChoicePoint has agreed to pay $275,000 into a fund administered by the FTC for consumer redress. The revised agreement also extends period of time in which ChoicePoint must report the results of biennial security audits, until the year 2030.

The $15 million ChoicePoint agreed to pay in response to the 2005 breach remains the largest civil penalty ever obtained by the agency.

Update, 7:57 p.m. ET: An earlier version of this story incorrectly stated who was responsible for notifying affected customers of the 2008 breach. The above text has been corrected. In addition, the company took issue with my use of the word "blame," saying it merely "outlined the facts and circumstances of the case, which include the fact that the customer provided notice due to its failure to properly safeguard its user ID and password." Finally, ChoicePoint said that with regard to identity theft crimes, "the FTC advised us in June 2008 that they closed out the consumer redress fund with a final tally as follows: payments were made to 131 consumers."

By Brian Krebs  |  October 19, 2009; 5:15 PM ET
Categories:  From the Bunker , Latest Warnings , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: President Obama on Cyber Security Awareness
Next: E-Banking on a Locked Down PC, Part II


The fines need to ratchet up. Millions is a lot to an individual, but not much to big company. The $275,000 is a pittance and the attitude is we don't care, we don't have to. Think hard before you turn your data over to this parent of Lexis-Nexis.

It should not be just another cost of doing business at our expense.

Posted by: eteonline | October 19, 2009 6:49 PM | Report abuse

@eteonline: agreed. Stupidity should be painful.

Posted by: Rixstep | October 19, 2009 8:16 PM | Report abuse

What about paying the people whose SS#'s and other information that was exposed??

Posted by: rehva | October 20, 2009 8:53 AM | Report abuse

Better yet, how about removing the protections these companies have from lawsuits. They never deserved nor needed them in the first place. A flurry of class action suits would soon have these guys (and the Equifax and the other credit companies) shaping up or be put out of business. From what I can discern, these outfits serve no useful purpose for consumers anyways.

Posted by: mibrooks27 | October 20, 2009 11:10 AM | Report abuse

It is unlikely that the corrupt Congress will remove the protection from lawsuits. After all that's what the banks and credit companies paid them to do, protect them not us. We're only voters not campaign contributors. Don't forget that it's YOUR congressman not just the others who is corrupt.
Forming a real reform third party is the best place to put one's energy.
That and destroying the physical infrastructure of these companies by any means necessary.
The bear

Posted by: vabear | October 20, 2009 1:59 PM | Report abuse

Why not just shut these fukkers down? They had their chance and it obviously didn't get thru their greedy, lazy minds. At the very least, the officers of the company should be personally heavily fined or better yet, give them jail time. Maybe then they'll care about ordinary Americans and identity theft. This $275K fine is ridiculous and a slam to all of us.

Posted by: capone1 | October 20, 2009 3:46 PM | Report abuse

Financial penalties that are large enough to be felt even by large corporations are necessary, but ample examples in the present crisis show that top executives have a well-developed ability to isolate their own remuneration from company results. Here I suspect that only legislation prescribing prison terms for leading executives would be effective in curbing the type of behavour described in Brian's article. What chance do you suppose that type of snowball has in the US Congress ?....


Posted by: mhenriday | October 20, 2009 3:58 PM | Report abuse

I guess we the consumers need to file suite against the Gov. since we're the ones that are actually impacted. How the Gov. feels they deserve the money is beyond me. As far as Choice Pointe is concerned, they willfully committed a criminal activity. They have done so in the past. At this point they need to be shut down, the Gov. needs to seize all personal data and the exec. put in jail to a wait trial.

Posted by: askgees | October 20, 2009 4:26 PM | Report abuse

Go to the following web link if you want a good idea why ID theft is out of control.

Make sure you really want to know before opening the list. Once you see it you may think twice about EVER GIVING out personal data.

Posted by: askgees | October 20, 2009 4:35 PM | Report abuse

And to think that Obama and his Administration want to put your medical histories on line. CAN YOU SAY NO!!!!!!

Posted by: askgees | October 20, 2009 4:36 PM | Report abuse

The FTC is obviously cracking down on organizations that fail to recognize the severity of consumer data breaches. It’s not enough simply knowing where sensitive information like consumer data is kept, but also who has access to it. As this incident clearly shows, automated access management policies and controls are vital to ensuring that only the right people are accessing data for the right reasons, and organizations are slowly learning that through these painful examples.

Posted by: KurtCourion1 | October 21, 2009 11:26 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company