Lessons of ChoicePoint, 4 Years Later

It’s been four years since data broker ChoicePoint acknowledged the data security breach that put it in the middle of a media firestorm and pushed data protection to the top of the infosecurity community’s priority list.

Since then, the business world has made plenty of progress hardening its data defenses — thanks in part to industry standards like PCI DSS and data breach disclosure laws (click to see state-by-state map) now in place.

But the latest data breach to grab headlines illustrates how vulnerable organizations remain to devastating network intrusions.

Heartland Payment Systems, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services, admitted Tuesday it was the victim of a data breach some quickly began citing as the largest of its kind. The company discovered last week that malware compromised card data across its network, after Visa and MasterCard alerted Heartland to sinister activity surrounding processed card transactions.

The Shadow of ChoicePointCalifornia’s SB 1386 data breach disclosure law — that conmen stole personal financial records of more than 163,000 consumers by setting up fake business requests.

The Heartland breach comes roughly four years after ChoicePoint announced — as required by

Since then, much bigger incidents have occurred, most notably the TJX data breach that exposed more than 45 million debit and credit card holders to identity fraud. Heartland President and CFO Robert H.B. Baldwin Jr. said Tuesday that 100 million card transactions occur each month on the compromised systems used to provide processing to merchants and businesses.

As of Tuesday, the Privacy Rights Clearinghouse estimated that a total of 251,164,141 sensitive records had been compromised since early 2005. Up to 15 separate cases have been reported since Jan. 1, 2009.

“Data loss prevention certainly received a great deal of interest in the wake of the ChoicePoint fiasco and remains a Top 3 priority of security programs according to my research,” says Jim Reavis, a Bellingham, Wash.-based IT security expert whose current endeavors include being a technical advisory board member at Tyfone, Inc. and a Mosaic expert network member at Pacific Crest Securities. “I believe that our current inability to protect data is less a consequence of a lack of due care or policy and more closely related to Moore’s Law.”

Innovation has created bigger pipes, massive portable storage, stealth Port 80 file sharing and infinite egress points within any organization, Reavis says. It’s just not easy to keep up with the security needs of such a beast.

Woefully ignorant

That may be the case to a large extent, but other security experts see specific areas where organizations are simply asleep at the switch.

“All the improvements have come from SB 1386 and other disclosure laws, and as far as I can tell awareness to data risks hasn’t increased significantly,” says security industry veteran Richard Stiennon.

Business owners are still “woefully ignorant” of the threat to their data, he says, adding that while they’ve fumbled along trying to reach certain compliance requirements, the threat has gone from what it was four years ago to a full-scale economy of people stealing and selling credit card information.

Stiennon points to several ongoing weaknesses in how organizations conduct their security. Access control and stronger authentication remain elusive in many companies, for example.

“I can’t point to one sterling example of where government agencies are getting it right, including the Pentagon,” he says. “I’d say the security in these organizations remains at 1995 levels.”

If this story were written for the fifth anniversary of Choicepoint, there might be a better story to tell, says Paul Roberts, senior analyst for enterprise security at the 451 Group. “There’s at least improvement when you look at the attention paid to data security,” he says. “There’s more awareness to the reputational and legal dangers in corporate boardrooms.”

But there’s still much room for improvement, he says.

Not nearly enough

Regulations and industry standards may have helped raise awareness and force companies to make security improvements they wouldn’t have made otherwise. But, says Kevin Riggins, senior information security analyst at Des Moines, Iowa-based Principal Financial Group, regulations alone are not nearly enough.

“I can’t say that I have seen a significant response from the business world other than the disclosures themselves,” he says. “There has been literally no impact, through disclosure, on breach levels since the ChoicePoint incident. Last year saw a significant increase in the exposure of personally identity information through breaches over the year before.”

This has Riggins concluding that the breach notification laws by themselves are not sufficient to make companies introduce controls — technology and process oriented — that effectively protect customer information.

Seeking a better way

The data breach trend has at least prompted IT security pros to seek out better training, according to Stephen Northcutt, president of the SANS Technology Institute.

After ChoicePoint, he says, “A number of people wrote asking what kind of training we had to get a handle on data loss. We decided to put most of our efforts behind our Payment Card Industry course and STAR certificate. We got that into the field to equip auditors with the knowledge, process, and technology to not only ensure PCI DSS 1.2 compliance, but also take a look at the controls across the entire lifecycle of sensitive customer data.”

Northcutt sees at least one positive result from the ChoicePoint incident and subsequent breaches: “It definitely made us rethink our role as information security practitioners.”

That alone is an improvement, he says.

Texas-based IT security practitioner Todd Towles agrees, saying there’s no doubt the business world is, as Ronald Reagan might say, better off than it was four years ago.

ChoicePoint shone much-needed light on the then rather unknown area of digital identity theft and fraud, Towles says. It made governments, major corporations and security-minded individuals stand up, take notice and take much needed action.

“At the time of the incident, very few states had data loss notification legislation and now, just five years later, 42 states have some type of legislation on the books,” he says. “This is huge.”