ChoicePoint Data Breach: The Plot Thickens

A timeline of key events surrounding the ChoicePoint data breach

Sept. 27, 2004: ChoicePoint notices suspicious activity by some of its small-business customers.

Oct. 12, 2004: A ChoicePoint security employee contacts the Los Angeles police about a possible security breach.

Oct. 26, 2004: The ChoicePoint board of directors informally approves a plan for ChoicePoint chairman and CEO Derek Smith and President Douglas Curling to sell some of their stock. Smith later indicates that he did not know about the unfolding fraud investigation until January.

Oct. 27, 2004: Authorities arrest Olatunji Oluwatosin, a Nigerian national living in North Hollywood, Calif., for illegally accessing personal information obtained from ChoicePoint. Oluwatosin later pleads no contest to identity theft.

Nov. 9, 2004: Smith and Curling begin selling upward of $16 million worth of stock.

Feb. 8, 2005: ChoicePoint starts mailing notices to 35,000 individuals in California whose personal information may have been fraudulently accessed by an identity theft ring. A state law requires that businesses notify any citizen whose personal information has been compromised.

Feb. 14, 2005: ChoicePoint's stock opens at 46.01. News breaks about the security breach.

Feb. 16, 2005: Attorneys general from 19 states send a letter to ChoicePoint, insisting that the company immediately notify all affected U.S. citizens, not just California residents.

Feb. 17, 2005: Attorneys general from 19 more states sign onto the letter, bringing the total to 38 states (plus California, which sent its own letter).

Feb. 21, 2005: ChoicePoint releases a state-by-state breakdown of the nearly 145,000 persons whose personal information has been compromised and says it will notify all of the persons affected, not only those in California. (California law enforcement says that the number may be closer to 500,000.)

March 2, 2005: Assistant U.S. Attorney Mark Krause describes an earlier ChoicePoint fraud in which a Nigerian-born brother and sister pleaded guilty to fraudulently accessing at least 7,000 ChoicePoint records. This is contrary to Smith's recent statements to the press that the company had never before seen this type of criminal activity.

March 4, 2005: ChoicePoint files an 8-K form, stating that it is under investigation by the Securities and Exchange Commission, the Federal Trade Commission and Congress, and is the defendant in two lawsuits. The company announces that it is discontinuing "the sale of information products that contain sensitive consumer data, including Social Security numbers, except where there is either a specific consumer-driven transaction or benefit" or for law enforcement purposes. The company anticipates a resulting decline in revenue of $15 million to $20 million. Its stock price closes at 37.65.

Copyright © 2005 IDG Communications, Inc.

What is security's role in digital transformation?