Choicepoint Roundup
- At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing:
The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer privacy.
…
he survey reflects people’s frustration, Douglas said. “Americans feel helpless. … People are crying out for Congress to put power back in their hands, but until lawmakers finally decide whose information it is, who has the right to their own information, (frustration) is what we have.”Another finding of the survey: The people questioned said they held low opinions towards the Federal Trade Commission, which protects consumers against Internet fraud.
- The Daily Shiz reports on the case of Steven Calderon, in “Bad Data Could Land You In Jail!“ [link to http://www.thedailyshiz.org/2005/06/15/bad-data-could-land-you-in-jail/ no longer works]
That’s exactly what happened to a man named Steven Calderon. He had a clean record, and had done nothing wrong. His new employer did a routine background check using the services of ChoicePoint. What happened next? The local sheriff came to his office and arrested him for warrants of child molestation and rape.
Baseline Mag has a long story, The Rising Threat from Bad Data [link to http://www.baselinemag.com/article2/0,1397,1828096,00.asp?kc=BARSS03129TX1K0000628 no longer works]
- Computerworld has a “Q&A: ChoicePoint’s Rich Baich on data breach, security needs:”
You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It’s no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it’s called an account takeover. And that’s what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.
Well, would you believe a little different? Given that Choicepoint sells services to prevent these things?
- News.com followed up on Choicepoint’s 90 day plan to secure their data…
On Friday, ChoicePoint spokeswoman Kristen McCaughan said the Alpharetta, Ga.-based data broker has not yet completed the changes. “It is ongoing,” she said. McCaughan could not say when ChoicePoint expects to be able to announce that it has completed the process. “I don’t think it is going to be anytime in the near future,” she said.
Actually, Baich has one part right–it’s a process thing, not a tech thing. Of course, the entire paradigm of data aggregation and sales creates the risk-laden environment for fraud. What’s not clear how he/they/anyone will move forward to Bad Thing Recuction.
Baich takes a sophisticated view on security: it’s a process, there aren’t good metrics or golden rules, companies need to tailor the model to the circumstances. Unfortunately, he’s painting a picture here that looks like a good CSIO doesn’t have to *do* anything with that view, just have the accumen to play with the big boys around a nice wooden table.
I agree with you that security is about process, but I’m not sure if I believe that tech could not have come into play. Databases are able to log accesses, and those logs are subject to analysis and data mining.
The tools are right primitive, and the incentive structures don’t really allow Choicepoint to engage in these analysis. (If we assume that Choicepoint really would like to do better, but that doing better costs money, and is not customer visible, how do you justify it to the board?)