ChoicePoint Data Scandal Costs Broker $11 Million

Welcome Guest. | Log In| Register | Membership Benefits

July 21, 2005 (5:49 PM EDT)

ChoicePoint Data Scandal Costs Broker $11 Million

By Gregg Keizer , TechWeb Technology News

Data broker ChoicePoint took a $6 million charge in its second quarter to cover additional costs for selling more than 145,000 records to scam artists, the company said this week.
The $6 million is in addition to $5.4 million that the company counted as costs in the first quarter. Of the total $11.4 million in direct costs for the mistake, ChoicePoint said about $2 million was spent informing Americans whose data was sold, and the credit reports and credit monitoring services for those individuals.
The remaining $9.4 million was pegged for legal and other professional expenses, the Alpharetta, Ga.-based broker revealed in its second quarter financial statement.
Derek Smith, the chief executive of ChoicePoint, only obliquely referenced the gaffe. "We implemented key changes that reduced the risk of our business model and reinforced our leadership as a responsible information company," he said in a statement.
In February, ChoicePoint announced that fraud artists posing as legitimate businesspeople purchased tens of thousands of consumers' names, addresses, Social Security numbers, and credit reports in October 2004.
It wasn't the first time the company had been tapped by thieves. According to an Associated Press report in March, Nigerian scam artists obtained 7,000 to 10,000 records in 2002, which led them to a $1 million fraud bonanza.
Most efforts to pass a national data breach disclosure bill based on the California state law that required ChoicePoint to notify affected consumers can be traced directly to the scandal.
Last week, a group of prominent members of the U.S. Senate introduced the tenth data privacy protection bill since ChoicePoint went public with the news of the problem.
Other companies involved in data losses are also getting flogged financially. On Wednesday, both Visa and American Express announced that they had stopped doing business with CardSystems, a credit card processing firm whose database was hacked. The thief made off with 40 million credit and debit card records.
"Not since CFS Railroad let their CIO, CISO, and CSO go has there been such a dramatic repercussion from a security incident," said Richard Stiennon, a security researcher with Webroot, in a statement. "That case was a result of not taking industry best practice protection against a widely predicted threat: MSBlast attacking the RPC DCOM vulnerability in Windows.
"American Express delivered what has to be the death blow to [CardSystems]. Lesson learned: Bad security equals go out of business," Stiennon added.