Lessons of ChoicePoint, 4 Years Later
Four years after the ChoicePoint fiasco brought data insecurity to the forefront, we still have much to learn.
By Bill Brenner, Senior Editor
January 21, 2009 — CSO —
It's been four years since data broker ChoicePoint acknowledged the data security breach that put it in the middle of a media firestorm and pushed data protection to the top of the infosecurity community's priority list.
Since then, the business world has made plenty of progress hardening its data defenses -- thanks in part to industry standards like PCI DSS and data breach disclosure laws now in place.
But the latest data breach to grab headlines illustrates how vulnerable organizations remain to devastating network intrusions.
Heartland Payment Systems, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services, admitted Tuesday it was the victim of a data breach some quickly began citing as the largest of its kind. The company discovered last week that malware compromised card data across its network, after Visa and MasterCard alerted Heartland to sinister activity surrounding processed card transactions.
The Shadow of ChoicePoint
The Heartland breach comes roughly four years after ChoicePoint announced -- as required by California's SB 1386 data breach disclosure law -- that conmen stole personal financial records of more than 163,000 consumers by setting up fake business requests.
Since then, much bigger incidents have occurred, most notably the TJX data breach that exposed more than 45 million debit and credit card holders to identity fraud. Heartland President and CFO Robert H.B. Baldwin Jr. said Tuesday that 100 million card transactions occur each month on the compromised systems used to provide processing to merchants and businesses.
As of Tuesday, the Privacy Rights Clearinghouse estimated that a total of 251,164,141 sensitive records had been compromised since early 2005. Up to 15 separate cases have been reported since Jan. 1, 2009.
"Data loss prevention certainly received a great deal of interest in the wake of the ChoicePoint fiasco and remains a Top 3 priority of security programs according to my research," says Jim Reavis, a Bellingham, Wash.-based IT security expert whose current endeavors include being a technical advisory board member at Tyfone, Inc. and a Mosaic expert network member at Pacific Crest Securities. "I believe that our current inability to protect data is less a consequence of a lack of due care or policy and more closely related to Moore's Law."
Innovation has created bigger pipes, massive portable storage, stealth Port 80 file sharing and infinite egress points within any organization, Reavis says. It's just not easy to keep up with the security needs of such a beast.