At ChoicePoint, the weak link in the chain of authorizations, authentications, passwords, access controls and data warehouse administrations was the business process.1 In particular, ChoicePoint's account initiation process reportedly accepted the documentation provided by the scammers, who were then authorized to open accounts. The process of background checking ("authentication") of those permissioned to access the data warehouse and related data stores reportedly allowed some 50 fraudulent accounts to be set up. This provided the occasion for further unauthorized changes, including identity theft.

The irony here is that the data warehousing systems of such data sellers as Acxiom, ChoicePoint and LexisNexis are used by employers, insurers or clients to perform background checks on prospective applicants. If insurance companies go to ChoicePoint to qualify their applicants, then to whom does ChoicePoint go in order to assure the authenticity of its own applicants? This is like the shoemaker's children having no shoes.2

This is not to defend any lack of oversight on the part of data sellers. Indeed, it is likely data sellers will look long and hard at tightening up the transactions that authorize account access as they consider the unintended consequences of lack of business process rigor. Going forward, the data sellers must set a new standard for data security and, more importantly, for managing internal business processes, commensurate with that in the world of finance and credit, to win back the trust of the consumer and the confidence of clients.

Hot Potato - Whose Data is it Anyway?

This is just the tip of the iceberg. While it is undetermined whether major legislation will result, this incident is still building momentum. This means:

Consumer advocates have seized the bully pulpit. This is not the first time that data sellers have been embroiled in controversy. In the year 2000, a subsidiary of ChoicePoint, Database Technologies, purged the names of alleged felons from Florida's rolls of registered voters. It turned out that some of those purged were not felons and had the right to vote. One result is a call to extend the Fair Credit Reporting Act to information aggregators such as ChoicePoint and competing database marketing firms on the view that such data is now being used for more sensitive decisions in employment, law enforcement and financial profiling.

Expect major litigation. One reason this whole matter has come to light is that California Senate Bill 1386 has created a legal basis for claiming civil damages against a business that operates in California and suffers "a breach of the security of the [computer] system" storing the data. It further requires notifying the victim of such an incident. That is what finally happened last week, though the scam itself surfaced last October (2004). Under this legislation, for a business, being a victim (as surely ChoicePoint was) is not an excuse but a sign of poor security planning or lack of internal controls. The business must report on its own failure. ChoicePoint has chosen to notify potential victims in all fifty States, not just California. In addition, it is in communication with the credit card reporting bureaus such as Experian, Equifax and TransUnion whose own systems may have been accessed.

Log analysis technologies get a boost. It is possible that the database administrators at ChoicePoint have been poring over the database logs since October 2004 (when the scam was reportedly first detected) to determine who knew and accessed what and when they knew it. That the 50 fraudulent accounts may have accessed between 145,000 and 400,000 personal records indicates how rapidly the toxic influence of unauthorized access can spread. Though this is similar to locking the barn door now that the horse has escaped, forensic database analysis is a growth industry from which database log tools from BMC, Computer Associates and Compuware (now IBM) will benefit. In addition, a rigorous audit, resulting in a conviction and jail time after the fact, can serve as a deterrent going forward.

The data is no less (or more) accurate for having been stolen. Yet a whole set of victims - the consumers whose data was stolen - are left without redress. It is never a good sign when a consumer has to ask, "Who do I sue?" The consumers whose data and identities were stolen have no relationship with the data aggregator (e.g., ChoicePoint). Whose data is it if the data seller can store and distribute it without my knowledge or permission as an individual? Apparently not mine. By participating in the public economy, I am exposed to anonymous financial risks - identity theft - that I could not have imagined because a secondary market exists for public economic transactions in which I participated.

The consequences for data sellers are so far trivial. Bad publicity is more than an inconvenience and a distraction. Yet the consumers whose data was stolen do not do business with the firm, so they will not take their business elsewhere. The consequences for ChoicePoint include the cost of complying with CA SB1386 reporting, but while such costs are not good, they are one-time and non-recurring. A potential cost has to do with future regulatory overhead, but such a cost is, by definition, still in the future. The legitimate users that buy the data - and who have a relationship with data seller and might exert influence - are untouched. And, what is worse, they are unmotivated to demand tightening of internal controls - at least until the data a seller has to raise its fees to cover the costs of tightening internal controls and diligently performing authentication. "Know thy customers" is not a new business imperative; however, it takes on new meaning and urgency if those customers become a risk to otherwise innocent consumers. Stand by for an update.

References:

  1. Source: "Identity Theft Puts Pressure On Data Sellers," Evan Perez, The Wall Street Journal, February 18, 2005, page B1. For further background, see "In Age of Security, Firm Mines Wealth of Personal Data," Robert O'Harrow, Jr., January 20, 2005, p. A01, http://www.washingtonpost.com/wp-dyn/articles/A22269-2005Jan19.html. Further details on ChoicePoint's perspective as the victim of this crime are to be found on the Web site www.choicepoint.com.
  2. Although this column has featured ChoicePoint as the poster child of what not to do, it is not the only case of a large information intermediary being the target of a data theft. In July 2004, Acxiom Corp. was the target of a scam. As reported by CNN.com, "Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million." It should be noted that all the details are different - and sketchy - and Acxiom's systems also seem to have been penetrated with the aid of social engineering by a subcontractor of a third-party contractor. For further details, see http://www.cnn.com/2004/LAW/07/21/cyber.theft/.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access