The ChoicePoint Attack – Case Study


1 The ChoicePoint Attack – Case Study
CHAPTER 12 Lecturer : Dr. Thi Lip Sam FUJIAH KASIM RAINI ANNE LAIPAN

2 Case Summary ChoicePoint is a Georgia-based corporation in the data brokerage industry that stores and sells critical personal information and provides risk-management and fraud-prevention data. In the fall of 2004, ChoicePoint was the victim of a fraudulent spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. It was not until November 2004 that ChoicePoint became aware of the problem. They noticed some unusual activity on accounts in Los Angeles, so ChoicePoint notified the LAPD.

3 Case Summary (continued) The LAPD requested that ChoicePoint not reveal the activity until the department could conduct its investigation. It was not until January that the LAPD allowed ChoicePoint to contact its customers whose data was compromised. The crime is an example of a failure of authentication and not a network break-in. The criminals obtained valid business licenses and appeared as a legitimate business.

4 Case Summary (continued) Since ChoicePoint did the right thing and contacted the police, it exposed itself to considerable expenses: a class-action lawsuit which cost them $75,000 for each of the 145,000 people, a Senate investigation, and a 20% decrease in its share price.

5 Question no 1. ChoicePoint exposed itself to considerable expense, problems and possible loss of brand confidence. What are the ethical issues? What is ChoicePoint’s response? Did ChoicePoint choose wisely?

6 We think ChoicePoint made a wise decision because its reputation was on the line. If they had covered up the entire incident and were later found out, the company would be blamed for fraud and possibly charged with withholding criminal evidence from the police. Managers and investors could possibly disagree because it hurts the company’s image when public relations nightmares are let out of the bag like that. When stock drops a significant amount, investors will always be the first to complain, but upon a second glance, we would hope people would rather invest in an honest company interested in serving its customers to the best of its ability. Customers would obviously be upset over the events, but ChoicePoint made every effort to right the situation and make sure their clients were safe and satisfied.

7 Consider the question from the viewpoint of….
Customer: They had a right to know that their information had been compromised.
Law enforcement personnel: They need to know all details so that they could conduct their own investigation and possibly catch the criminals.
Investor: The price of their stock would decline when the news would be disclosed, but long term it would help that ChoicePoint did not hide the facts.
Management: They must consider the factors and take cost-effective action to reduce probable losses.

8 Question no 2. Given ChoicePoint’s experience, what is the likely action of similar companies whose records are compromised in this way? This crime is an example of a failure of authentication, not a network break-in. ChoicePoint's firewalls and other safeguards were not harmed.

9 The actions that similar companies should take to avoid such problems in the future could be:
Issuing more authentication methods, for instance a username, a password, and some sample questions whose answers will be known only to a given individual.
Evaluating the security program of the given company at a given time.
Keeping an eye on the activity of the accounts so every abnormality will be quickly spotted.

10 Given your answer, do you think federal regulations and additional laws are required? Given that there is an increasing level of identity theft in this country even though companies are trying to find security solutions for it, there is a definite need for tougher laws that will protect people when information about them is stolen, or when somebody is simply using that information without their consent or permission. Regulations must be clear that identity theft is a serious crime, and that there is a punishment for those who do this kind of activity. Current Regulation: Fair Credit Reporting Act (FCRA), Federal Trade Commission (for Data Brokerage Firms) and California Disclosure Law, Senate Bill 1386.

11 What other steps could be taken to ensure that data vendors notify people harmed by data theft?
To be effective, security needs to be applied closely to the information it is protecting.
Make the information less available for "third parties" Google documents.
Ensuring that protection cannot be arbitrarily removed by end-users or system administrators.
Controlling access and usage privileges.

12 Question no 3. Visit Summarize the products that ChoicePoint provides. What seems to be the central theme of this business?

13 Answer question no 3.
1. When it comes to Business & Nonprofit, it delivers comprehensive credentialing, background screening, authentication, direct marketing and public records services to businesses and nonprofit organizations.
2. When it comes to Government, it provides information, analysis and distribution solutions to advance the efforts of law enforcement, public safety, healthcare, child support enforcement, entitlement and other public agencies.
3. When it comes to Reports of one’s self, you can learn how to request the information LexisNexis or ChoicePoint, a LexisNexis company since September 19, 2008, has about you. If an organization has recently ordered reports about you from LexisNexis or ChoicePoint, or if you are just curious, you can obtain copies of those reports at no charge.

14 Central theme LexisNexis Risk Solutions delivers actionable intelligence to help clients make critical business decisions with confidence and speed. Their solutions are designed to serve the multi-billion dollar risk information industry, which includes professionals and organizations in areas such as insurance and law enforcement.

15 Question no 4. Suppose that ChoicePoint decides to establish a formal security policy on the issue of inappropriate release of personal data. Summarize the issues that ChoicePoint should address.

16 Answer Question 4 Developing a Security Policy. Security Principles.
Security Policy Fundamentals To make a long story short, a security policy establishes the expectations of the customer or user, including what their requirements are for confidentiality, integrity, and appropriate management of their data, and the conditions under which they can trust that their expectations are met.

17 Case Solved? On October 26, 2004, one of the thieves, Olutunji Oluwatosin, was arrested after receiving a fax from ChoicePoint requesting an additional signature for one of the illegitimate companies the thieves had previously set up.
