The ChoicePoint data breach occurred in 2005. This insider data breach brought to light how a company can still be vulnerable to having data stolen from its databases even without any type of hacking of its systems. Failure to properly vet requests for new accounts and requests for information led to the theft of over a hundred thousand records of people’s personal information.
ChoicePoint Data Breach
ChoicePoint, a data broker, suffered a data breach in 2005. This breach led to the disclosure of thousands of people’s personal information. We will discuss the type of breach this would fall under, how it occurred, the losses of confidentiality, integrity, and availability (C.I.A.), and the types of improvements ChoicePoint could or did undertake to help prevent this from happening again.
The ChoicePoint data breach was a type of insider attack that occurred between 2003 and 2005 (Otto, Anton, & Baumer, 2007). According to the textbook, an insider attack is one in which someone with legitimate access intentionally breaches information (Pfleeger & Pfleeger, 2007). This is typically an employee or a contractor, but in the ChoicePoint data breach it was actually “customers”.
The ChoicePoint data breach led to over 145,000 records of personal information being stolen (Polstra, 2005). This was not done by any type of hack into ChoicePoint’s systems but by an individual or a group of people who used previously stolen information to create fake businesses that would have a need to perform background checks on people. They used the fake businesses to apply for accounts with ChoicePoint. When ChoicePoint reviewed the applications for membership, it ran a check on the businesses and did not find any criminal activity on the owners of these fake companies, since the identities came from stolen information and did not belong to the criminals themselves. Since no flags were raised, ChoicePoint authorized the accounts, and these accounts now had access to retrieve information on people.
In terms of the losses of confidentiality, integrity, and availability, there was really only a loss of confidentiality with a minor loss of integrity. The data breach exposed the PII of an estimated 145,000 people to possible improper use by the individuals or groups that took the information. This use could have been for anything, such as creating credit accounts, loans, etc. Since ChoicePoint is a data broker of all types of information on people, this loss of data is basically a person’s entire life story and everything needed to take control of that life. The loss of integrity is minimal, since the bogus accounts could not change information on the people; the integrity of that information was intact. But since the people who performed this breach created accounts from previously stolen information that was used to create fake businesses, the accounts themselves were not reliable. This could then have put every “real” account at risk of not being able to perform its needed task, due to the possibility of all accounts being re-reviewed to verify proper reasoning for needing the account.
There are multiple things that ChoicePoint can improve upon after what happened in 2005. While ChoicePoint will point out that it was a victim of fraud itself, since it was not an actual hack into its systems (Polstra, 2005), it still failed to vet the applications for accounts and did not report the breach of data until it was made public. Even then, it still failed to notify everyone until it was made to. This type of handling of the situation does not help consumers trust the company. Another thing it can do is require more information on the individual that a company is requesting information on. This way, if someone is trying to steal PII on someone, they will have to have some of the more important information from the start. This will also make legitimate requests look more real and make requests that are not stand out that much more. If ChoicePoint vets the applications for accounts with more than just simple background checks, there would be less chance of people having access when they shouldn’t.
In conclusion, the ChoicePoint data breach exposed a serious threat to PII, even without systems being hacked or databases being accessed without permission. If anything good can be said about this breach, it is that it led to the implementation of numerous state laws requiring notification of PII breaches (Payton, 2006).
Otto, P. N., Anton, A. I., & Baumer, D. L. (2007, September/October). The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information. IEEE Security and Privacy, 15-23.
Payton, A. M. (2006). Data security breach: seeking a prescription for adequate remedy. Proceedings of the 3rd annual conference on Information security curriculum development (pp. 162-167). New York: ACM.
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in Computing. Indianapolis: Prentice Hall.
Polstra, R. M. (2005). A case study on how to manage the theft of information. Proceedings of the 2nd annual conference on Information security curriculum development (pp. 135-138). New York: ACM.