October 20, 2009 5:01 PM PDT

ChoicePoint to pay $275,000 in latest data breach

by Elinor Mills

ChoicePoint, one of the nation's largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year.

In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement.

During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information, the FTC said.

The FTC alleged that ChoicePoint's conduct violated a 2006 court order requiring the company to institute a comprehensive information security program following a 2005 breach that compromised the personal information of more than 163,000 people and resulted in at least 800 cases of identity fraud. The company was ordered to pay $10 million in civil penalties and $5 million to consumers in that case.

To settle the recent charges, ChoicePoint agreed to pay the fine and provide reports on its data protection practices to the FTC every two months for two years.

Meanwhile, payroll processor PayChoice has had two data breaches in less than a month. On October 1, the company said it was investigating a breach in which customers were sent targeted e-mails that attempted to trick them into downloading malware.

Then last week, PayChoice told customers it was again shutting down its online portal after clients started noticing fake employees being added to their payroll in what is likely the second stage of a broader attack, according to the Security Fix blog.

It appears that attackers stole login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their portal passwords, the report said. The usernames and passwords were then included in the e-mails sent out to customers a few weeks ago.

Originally posted at InSecurity Complex
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by 42istheanswer October 20, 2009 6:34 PM PDT
I'm sure there was some hot shot manager there that decided service to the user was more important than maintenance and security. There will be many more like this, because there are plenty of clueless managers.
by mbenedict October 20, 2009 7:55 PM PDT
Even if that were true, there should have been an independent periodic assessment to detect this kind of problem.

While I don't know the type of security system that was turned off at ChoicePoint, generally detection systems feed into security event management logs which are to be reviewed on an ongoing basis. The fact that they didn't detect this condition for four months -- and that an actual breach actually happened during this period -- means there were larger issues at ChoicePoint than a single manager turning things off.
1 person likes this comment
by MadLyb October 20, 2009 7:47 PM PDT
When is the FTC going to start shutting these companies down? $275K is a slap on the wrist for basically ruining someone's life. Hopefully, one of the victims will sue them into oblivion.
by krosafcheg October 20, 2009 9:57 PM PDT
Irony here is that it was probably the Government itself in there digging around...lol
by gefitz October 21, 2009 9:21 AM PDT
Exactly! Lol....we can't spend too much enforcement power locking these guys down. Where would The Man steal all his information about me from? ;)
by weegg October 21, 2009 5:37 AM PDT
Should have been 275 million penalty for them.
by Get_Bent October 21, 2009 9:57 AM PDT
$275,000 / 13,750 = $20 per person. I'm sure ChoicePoint's wrist really stings after that one....
by Ronlap October 21, 2009 1:22 PM PDT
Isn't the penalty for a second violation usually MORE than the penalty for the first violation? If they screw up again, will the FTC be paying them??
by rcbret February 9, 2010 1:41 PM PST
THERE IS NO EXCUSE FOR ANY CREDIT REPORTING AGENCY (CRA), NOR FOR ANY ORGANIZATION CHARGED WITH MAINTAINING THE SAFETY AND SECURITY OF OUR INDIVIDUAL CREDIT INFORMATION, FAILING TO MEET AN ABSOLUTE STANDARD OF SAFETY AND SECURITY, WHICH MUST ALWAYS BE DEMANDED OF ANY SUCH INSTITUTION!!!!!!!!!!