Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

ChoicePoint Fraud "Happens Every Day"

Rich Baich, the Chief Information Security Officer at ChoicePoint, has been interviewed by SearchSecurity.com. ChoicePoint is the company in trouble for providing sensitive personal information on 145,000 Americans to criminals.
The interview is a complete train wreck. Rather than acknowledging the problem and identifying the steps the company is taking to prevent a recurrence, Baich instead tries to spin the story. It's not a "hack", it's "fraud", because the thieves didn't break into the computer system; ChoicePoint sold them the personal information (like the folks who have had their identities stolen care about semantic differences). What's more, he says "this type of fraud happens every day." Somehow I wish the guy in charge of keeping my personal information safe wasn't so cavalier about keeping it secure.
Baich doesn't stop there: "We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this." Actually, Rich, you initially only disclosed to affected California customers that their identities had been stolen, and then months after the fact and only because California law requires you to do so. "That's such a negative impression that suggests we failed to provide adequate protection." Umm, Rich? You sold 145,000 identities to identity thieves. How exactly does that not suggest that you failed to provide adequate protection?
While I am not one of the people who received a warning letter from ChoicePoint, I am sure that I am — like millions of other Americans — in their database. If you have ever bought insurance or applied for credit, there's a very good chance that ChoicePoint has a file on you.
ChoicePoint's response to the theft is a classic case of what not to do and should be required reading for business school students. When a company has a security breach, it needs to own up to it immediately and take responsibility for making sure that it never happens again. I've been lucky in the past, working for companies that, when a security-related software bug was found, promptly notified their customers and took corrective action. We haven't yet had to deal with this kind of problem here at Corriente (knock on wood!), but we do have plans in place for dealing with it should the need arise — and those plans don't include "don't say anything and hope no one notices!"
By Periodik Labs on March 1, 2005 11:26 AM