Brandon Harvey
CSIA 301-7381
August 8, 2012
Professor Abraham Bloom
Abstract
The ChoicePoint data breach occurred in 2005. This insider data breach brought to light how a company can still be vulnerable to having data stolen from its databases even without any type of hacking of its system. Failing to properly vet requests for new accounts and requests for information led to the theft of over a hundred thousand records of people’s personal information.
ChoicePoint Data Breach
ChoicePoint, a data broker, suffered a data breach in 2005. This breach led to the disclosure of thousands of people’s personal information. We will discuss the type of breach this would fall under, how it occurred, the losses of confidentiality, integrity, and availability (C.I.A.), and the types of improvements ChoicePoint could or did undertake to help prevent this from happening again.
The ChoicePoint data breach was a type of insider attack that occurred between 2003 and 2005 (Otto, Anton, & Baumer, 2007). According to the textbook, an insider attack occurs when someone with legitimate access intentionally breaches information (Pfleeger & Pfleeger, 2007). The insider is typically an employee or a contractor, but in the ChoicePoint data breach it was actually “customers”. The ChoicePoint data breach led to over 145,000 records of personal information being stolen (Polstra, 2005). This was not done by any type of hack into ChoicePoint’s systems but by an individual or a group of people who used previously stolen information to create fake businesses that would have a need to perform background checks on people. They used the fake businesses to apply for accounts with ChoicePoint. When ChoicePoint reviewed the applications for membership, it ran a check on the businesses and did not find any criminal activity tied to the owners of these fake companies, since the owners’ identities came from stolen information and were not those of the criminals themselves. Since no
References:
Otto, P. N., Anton, A. I., & Baumer, D. L. (2007, September/October). The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information. IEEE Security and Privacy, 15-23.
Payton, A. M. (2006). Data security breach: seeking a prescription for adequate remedy. Proceedings of the 3rd annual conference on Information security curriculum development (pp. 162-167). New York: ACM.
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in Computing. Indianapolis: Prentice Hall.
Polstra, R. M. (2005). A case study on how to manage the theft of information. Proceedings of the 2nd annual conference on Information security curriculum development (pp. 135-138). New York: ACM.