The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

May 01, 2005 — CSO — At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant. That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case. Thousands of victims, compromised Social Security numbers, an arrest on charges of identity theft. Yada yada yada. But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.

Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses—this when the company itself helps other businesses verify creds. Maybe it was that the people whose information was compromised weren't customers of ChoicePoint, just accidental citizens of the vast databases of the Alpharetta, Ga.-based information broker. Maybe it was the way that ChoicePoint behaved after the breach: from an initial, bumbling response that smacked of marketing, to a changing story about what had happened and how the company was responding, to the revelation that top executives had sold millions of dollars worth of stock between the time the fraud was discovered and when it was announced to the public.

Or maybe it was this last twisted bit of irony: ChoicePoint chairman and CEO Derek V. Smith had recently written two books about how individuals can protect themselves in the information age.

You can't make this stuff up.

"It was like they put a big sign on themselves that said 'Regulate me,'" security maven Bruce Schneier says.

Now that the initial flames are dying down—and lawmakers are trying to figure out how to prevent future fires at ChoicePoint and other information brokers such as LexisNexis and Acxiomwe've tried to sort out what the debacle means for CSOs. Five key plot points emerge, and they all lead to an ending where the CSO's job may never be quite the same.

The Unbearable Lightness of Data

Like most Americans, Mary Chapman had never heard of ChoicePoint until one day in February, when she got a letter informing her of "a recent crime committed against ChoicePoint that MAY have resulted in your name, address and Social Security number" being inappropriately viewed. (Go to this article to see a copy of a typical letter sent by ChoicePoint.)

"I was angry as all can be, because the way the letter sounds, it was totally an incident against them, and anI quote'inconvenience' to us," says Chapman, a 61-year-old resident of Yreka, Calif. "It could be a lot more than an inconvenience."