The ChoicePoint Attack – Case Study

The ChoicePoint Attack – Case Study
CHAPTER 12
Lecturer: Dr. Thi Lip Sam
FUJIAH KASIM - 803816
RAINI ANNE LAIPAN - 803738

Case Summary
ChoicePoint is a Georgia-based corporation in the data brokerage industry that stores and sells critical personal information and provides risk-management and fraud-prevention data. In the fall of 2004, ChoicePoint was the victim of a fraudulent spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. It was not until November 2004 that ChoicePoint became aware of the problem. The company noticed some unusual activity on accounts in Los Angeles and notified the LAPD.

Case Summary (continued)
The LAPD requested that ChoicePoint not reveal the activity until the department could conduct its investigation. It was not until January that the LAPD allowed ChoicePoint to contact its customers whose data was compromised. The crime is an example of a failure of authentication, not a network break-in. The criminals obtained valid business licenses and appeared to be a legitimate business.

Case Summary (continued)
Because ChoicePoint did the right thing and contacted the police, it exposed itself to considerable expenses: a class-action lawsuit which cost them $75,000 for each of the 145,000 people, a Senate investigation, and a 20% decrease in its share price.

Question no 1. ChoicePoint exposed itself to considerable expense, problems and possible loss of brand confidence. What are the ethical issues? What is ChoicePoint’s response? Did ChoicePoint choose wisely?

We think ChoicePoint made a wise decision because its reputation was on the line. If the company had covered up the entire incident and was later found out, it would have been accused of fraud and possibly charged with withholding criminal evidence from the police. Managers and investors could possibly disagree, because it hurts the company's image when public relations nightmares are let out of the bag like that. When a stock drops by a significant amount, investors will always be the first to complain, but on second glance we would hope people would rather invest in an honest company interested in serving its customers to the best of its ability. Customers would obviously be upset over the events, but ChoicePoint made every effort to right the situation and make sure its clients were safe and satisfied.

Consider the question from the viewpoint of:
Customer: They had a right to know that their information had been compromised.
Law enforcement personnel: They need to know all details so that they can conduct their own investigation and possibly catch the criminals.
Investor: The price of their stock would decline when the news was disclosed, but in the long term it would help that ChoicePoint did not hide the facts.
Management: They must consider the factors and take cost-effective action to reduce probable losses.

Question no 2. Given ChoicePoint's experience, what is the likely action of similar companies whose records are compromised in this way? This crime is an example of a failure of authentication, not a network break-in. ChoicePoint's firewalls and other safeguards were not harmed.

Actions that similar companies should take to avoid such problems in the future:
Issuing more authentication methods, for instance a username, a password, and some sample questions whose answers are known only to the given individual.
Evaluating the company's security program at a given time.
Keeping an eye on account activity so that every abnormality is quickly spotted.

Given your answer, do you think federal regulations and additional laws are required?
Given that identity theft is increasing in this country even though companies are trying to find security solutions for it, there is a definite need for tougher laws that protect people when information about them is stolen or when somebody simply uses that information without their consent or permission. Regulations must make clear that identity theft is a serious crime and that there is punishment for those who engage in this kind of activity.
Current regulation: Fair Credit Reporting Act (FCRA), Federal Trade Commission (for data brokerage firms), and California Disclosure Law, Senate Bill 1386.

What other steps could be taken to ensure that data vendors notify people harmed by data theft?
To be effective, security needs to be applied closely to the information it is protecting.
Make the information less available for "third parties" Google documents.
Ensure that protection cannot be arbitrarily removed by end users or system administrators.
Control access and usage privileges.

Question no 3. Visit http://choicepoint.com. Summarize the products that ChoicePoint provides. What seems to be the central theme of this business?

Answer to question no 3.
1. For Business & Nonprofit, it delivers comprehensive credentialing, background screening, authentication, direct marketing and public records services to businesses and nonprofit organizations.
2. For Government, it provides information, analysis and distribution solutions to advance the efforts of law enforcement, public safety, healthcare, child support enforcement, entitlement and other public agencies.
3. For reports about yourself, you can learn how to request the information that LexisNexis or ChoicePoint, a LexisNexis company since September 19, 2008, has about you. If an organization has recently ordered reports about you from LexisNexis or ChoicePoint, or if you are just curious, you can obtain copies of those reports at no charge.

Central theme
LexisNexis Risk Solutions delivers actionable intelligence to help clients make critical business decisions with confidence and speed. Its solutions are designed to serve the multi-billion dollar risk information industry, which includes professionals and organizations in areas such as insurance and law enforcement.

Question no 4. Suppose that ChoicePoint decides to establish a formal security policy on the issue of inappropriate release of personal data. Summarize the issues that ChoicePoint should address.

Answer to question no 4.
Developing a Security Policy. Security Principles. Security Policy Fundamentals.
To make a long story short, a security policy establishes the expectations of the customer or user, including what their requirements are for confidentiality, integrity, and appropriate management of their data, and the conditions under which they can trust that their expectations are met.

Case Solved?
On October 26, 2004, one of the thieves, Olutunji Oluwatosin, was arrested after receiving a fax from ChoicePoint requesting an additional signature for one of the illegitimate companies the thieves had previously set up.