ChoicePoint Fined $275K for 2008 Breach

FTC: Data Broker Turned Off Tool That Would Have Detected Hack Sooner Data broker ChoicePoint has agreed to a stronger data security program and will pay a $275,000 fine for a breach in 2008, according to the Federal Trade Commission.

The FTC says the company failed to implement a comprehensive information security program to protect consumers' personal information, as required by the agency after ChoicePoint's 2004 breach, which affected more than 160,000 U.S. consumers.

The April 2008 breach compromised the personal data of 13,750 people, says a FTC press release. The company is accused of turning off a "key" electronic security tool used to monitor access to one of its databases, then failed to detect that the security tool was turned off for four months. If the tool had not been turned off, the FTC says, the breach would have been detected much sooner.

For a month, an unidentified hacker conducted thousands of unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers, says the FTC. After the breach was found, ChoicePoint alerted the FTC.

According to the modified court order, ChoicePoint will be required to report to the FTC detailed information about how it is protecting the breached database and certain other databases and records containing personal information. The ChoicePoint reports are required every two months for two years.

The 2004 ChoicePoint data breach resulted in 800 cases of identity theft, says the FTC. A settlement and 2006 court order required the company to $15 million in civil penalties and consumer compensation. As part of the settlement, the company is required to obtain independent assessments of its data security program every other year until 2026.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.