Slashdot Mirror

← Back to Stories (view on slashdot.org)

ChoicePoint Hit With Large Fine For Data Theft

Posted by Zonk on from the that's-gotta-hurt dept.

Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.

26 of 85 comments (clear)

  1. Chump Change with their Revenues by WebHostingGuy · · Score: 4, Informative

    For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005

    --
    Quality Hosting e3 Servers
    1. Re:Chump Change with their Revenues by Alex+P+Keaton+in+da · · Score: 3, Interesting

      Not just that, but the fact that financial institutions really don't help you once you get your ID stolen...
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp
      Banks hang fraud victims high and dry
      If a thief uses a stolen ATM card or checks to pilfer your accounts, you may not get much sympathy from your bank -- or any of your money back.
      By Liz Pulliam Weston
      Lesa Henderson of San Diego was shocked when her husband's paycheck suddenly disappeared from their checking account. But their troubles were just beginning.
      An acquaintance who stole both Henderson's debit card and checks from her checkbook had drained every penny from the account. The Henderson's bank initially restored some of the lost money, which the thief promptly stole. The bank then decided the thefts were Lesa's fault because she had allowed the thief into her home. The bank demanded the Hendersons pay back the restored funds, plus all the fees from bounced checks. Furthermore, it refused to let the Hendersons close the compromised account because it was overdrawn.
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp

      --
      And All I Ask is a Tall Ship And a Star to Steer Her By
    2. Re:Chump Change with their Revenues by shotfeel · · Score: 4, Insightful

      When you take that $10 million out of the $27.68 million, I'd say that's a pretty big percentage of your profits gone. The idea is to punish the company, not kill it.

      OTOH, considering what happened, maybe that wouldn't be such a bad idea...

    3. Re:Chump Change with their Revenues by jfengel · · Score: 2, Insightful

      It's the earnings, not the revenues. Earnings are revenues minus expenses. You could have revenues of a trillion dollars, but if your expenses are $999,999,999 then you've only earned a dollar in profit. If your expenses are $1,000,000,000,001, then you're in the red. Either way, it would mean that $10 million isn't something you have lying around.

      Stock prices should be based on earnings rather than revenue. People looked heavily at revenue of tech startups because they were assumed to have high one-time building expenses (new server farms, new offices, etc), so the idea was that next year those high revenues wouldn't be offset by high expenses, and earnings would be high. Sometimes that was true; sometimes it wasn't. Investors who invested solely based on revenue lost it all when the bubble burst.

      Still, in this case $10 million is a 1/3 of one year's revenues. That'll sting much more than bring up the number "$1 billion" implies, though ultimately it's still not all that much. I'd have liked to have seen them hit harder; several years' profits at least. That hammers the stock price without immediately putting the company out of business (and the workers out of work.)

    4. Re:Chump Change with their Revenues by crimoid · · Score: 2, Informative

      Still, in this case $10 million is a 1/3 of one year's revenues.

      Actually...

      For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million

      So that is a little more than 1/3 of one QUARTER'S revenue.

    5. Re:Chump Change with their Revenues by WebHostingGuy · · Score: 3, Informative

      Not quite. The profit is after expenses. However, if you have taken accounting you will know you get to take expenses out for which you did not actually pay any money for (think depreciation, it is a non-cash outlay expense for which you get to take over time.) To actually look at the impact of the fine you have to look at what their actual cash flow is. From their statement:

      Net free cash flow (net cash provided by operations less capital
                    expenditures) was $180.2 million for the twelve months ended December
                    31, 2005, which compares to net free cash flow of $182.1 million for
                    the same period in 2004. Excluding the cash paid during 2005 related
                    to the fraudulent data access discussed above, net free cash flow would
                    have been $193.8 million for 2005.
                - During 2005, approximately 2.9 million shares were repurchased for
                    $125.6 million at an average price of $42.59, leaving $124.4 million
                    authorized in the Company's buyback program.

      If you see the end number they had cash coming in in 2005 of $180.2 million dollars. It would have been $193.8 million but they had to pay the lawyers fighting this fine. And if you add in what they spent buying back their own stock their cash coming in from revenues is $180.2 + $125.6 = $305.8 million dollars. And if you add in what they spent on legal fees fighting this equals $319.4 million dollars. Subtract $10 million from this number and you get chump change.

      --
      Quality Hosting e3 Servers
  2. When you put... by Avillia · · Score: 2, Funny

    The information of millions of citizens, including employment, financial, contact, and other personal information all in the hands of a third party corporation who has to make next to nil security checks with the government, what could possibly go wrong?

  3. Not enough by voice_of_all_reason · · Score: 4, Funny

    I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.

  4. What it should be for everyone by ZachPruckowski · · Score: 5, Insightful

    'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'

    Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.

  5. Good, but not good enough by swillden · · Score: 3, Interesting

    I'm happy to see regulators stepping in. Security of other peoples' data is a big problem, and it's going to be a much bigger problem. However, I think this is the wrong approach. I think the right approach is actually much simpler than lots of regulatory oversight: Make companies liable for misuse of data that they collected and lost or misplaced. In fact, make them not only liable for direct damages, but award punitive damages as well. Also, the plaintiff should should not have a large burden of proof that it was actually company X's loss of the data that led to the damage. If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

    That may seem unreasonable, but I have a very specific reason for that "extreme" position. We want companies who use customer data to be very, very reluctant to collect any data they don't absolutely need, and we want them to be anxious to destroy that data as quickly as possible so that there is no possibility it may be compromised.

    As long as corporations see more potential gain than loss in collecting and hoarding personal details, they'll do it. Regulators may slow them down a bit, or force them to be a little more careful, but the best solution is to convince them that they do not want it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Good, but not good enough by swillden · · Score: 4, Insightful

      If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

      Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony. If some manager decides to try to hide it, that person should be charged with a crime and sent to prison, along with anyone who agreed with him or her (i.e. his or her co-conspirators).

      Corporations should be terrified of the effects of security breaches involving other peoples' data, and employees need to be terrified of doing anything but blowing the whistle when those breaches occur.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. The sad thing is by hsmith · · Score: 3, Informative

    It is impossible not to have your ID stolen through not YOUR actions, but others now a day. I had mine compromised 3 times last year due to employers as well as corporations that have my personal information. I mean, what can you really do when a company refuses to protect your identity? You can't sue, because there are no laws on the books. Yes, I took my business elsewhere, but what happens when you lose money due to others mishaps and ignorance? I guess it is time to get "ID Loss Insurance" for another $30/month. Ugh.

    1. Re:The sad thing is by nickname225 · · Score: 4, Insightful

      I'm a lawyer - although tort is not my area of specialization. It's not really necessary for there to be a specific law on the books to sue someone who has caused you damage. In this case you could sue under a general negligence theory. The basic elements of negligence are 1) Did the company have a duty 2) was that duty breached 3) Was the breach a cause in fact of the damage & 4) Did actual damage occur. If you analyze this case under general negligence theory - 1) Choice Point clearly had a duty to safeguard sensitive personal information 2) That duty was clearly breached 3) The breach would be a cause in fact if you identify is stolen 4) so- if you suffer actual damage as a result of this theft - you should have a negligence action against Choice Point. Now - it is possible that they are in some way immunized from suit by some statute - but I don't recall anything of the sort.

    2. Re:The sad thing is by sakielnorn · · Score: 2, Insightful

      Absolutely. There is a general unwillingness to deal with privacy as a major issue here. I would claim that privacy is a basic right that citizens should demand, and it should be legislated into government. There is a privacy commissioner in Canada and associated legislation that can be enforced; similar governmental structures exist in Europe. For all of the free-market talk and general wish for lack of interference in personal life, wouldn't it make sense for American government to serve the people in a manner that everyone can agree with, by creating safeguards and services that protect our privacy?

  7. More Material (B. Schneier) by alfalfro · · Score: 3, Informative

    Bruce Schneier usually covers this stuff pretty well, as he did frequently last spring. Punch this into google: "choicepoint site:schneier.com"

    --
    Support your local brewery.
  8. Your identity is worthless to the feds by MikeRT · · Score: 5, Insightful

    $10,000,000 / 140,000 victims = $71/person. We given fines in the tens of thousand to hundreds of thousands for crack/cocaine/meth, but apparently white collar crime that targets over one hundred thousand people is worth only $71/victim when the identity theft can cost them hundreds of hours of time regaining their identity/fixing records and a lot of grief in general. Not to mention the damage it does to the businesses hit by the scammers.

    1. Re:Your identity is worthless to the feds by shotfeel · · Score: 2, Insightful

      IOW, had they "shared" 140,000 music titles instead of personal information, they could have been up for a real smack-down!

      Too bad my personal information isn't copyrighted, patented or a trade secret.

  9. The irony... by Dynedain · · Score: 2, Insightful

    The irony is that they could sell the data without any penalties, but if someone breaks into their system they get in trouble.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  10. Re:Fatal Assumptions by mpapet · · Score: 3, Interesting

    You are assuming that they will actually have to pay that fine.

    The procedure is as follows:

    1: Publish big number to qwell citizen revolt
    2: Negotiate lower settlement over the next few months
    3: Profit!

    Case in point: Exxon Valdez(sp?) Oil Spill
    1: Exxon get Billion(!!) dollar fine
    2: Exxon negotiates Billion dollar fine over umpteen years
    3: Exxon pays less than 1/2 the published number in real dollars.

    Choicepoint would cry like babies and threaten bankruptcy which they probably are doing anyway. "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  11. Who defines a "legitimate businesses" by vinn01 · · Score: 4, Interesting

    ... allowed identity thieves posing as legitimate businesses ...

    From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.

    From the goverment's perspective, they were legitimate businesses if they paid taxes on their "profits".

    Now from the victims perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.

    Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hand on the data? Some of those businesses are a bunch of crooks too.

    The whole system needs better security, not just better control over who can get your info.

    vb

  12. Red Flags by Billosaur · · Score: 3, Funny
    In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags.

    Hello, ChoicePoint? My name is Al... Al Kayduh... yes, I'm looking for the personal information for some decadent American spawns of... I mean fine, upstanding Americans...

    --
    GetOuttaMySpace - The Anti-Social Network
  13. "Accidentally" leaked info? by RandoX · · Score: 3, Informative

    Not according to CNN. See Point #45 where Choicepoint SOLD the information several times, including to an identity theft ring.

  14. Re:Fatal Assumptions by silentbozo · · Score: 2, Interesting

    Don't forget. Paying fines counts as an expense, which you can claim against revenue, thus cutting your taxes. As such, the hit is never as bad as it seems at face value. Now, if you had to pay fines out of your after-tax profits...

  15. Pining for the fnords, are we? by spacefiddle · · Score: 2, Interesting
    Really now.
    The odd things is, you picked an interesting bit of the article - instead of the silliness displayed above, why don't you, y'know, talk about it or something? People actually come here for that sort of thing. Shocking, I know.

    It does - in hopefully, uncolored by our friend here, a non-conspiracy way - make me think about the Gummint, tho. Conflict of interest?

    As mentioned, the fines are practically pointless for the fined - where does the money go? Who gets to spend it? So the consumer is screwed, the corporation loses a pittance, and the FTC gets a paycheck. Why doesn't the fine money go back to the screwed consumer? How does Corp A screwing Citizen B means "government makes more money?"

    And, of course, what incentive does the FTC have to enforce any real changes here? Screw up and we make some cash, get to posture about how we care, and slap you with some lax security requirements while the public eye is on us all. What happens in the 2 years between audits? And when they pass the audits, and 10 months later this happens again... what then? Anything? Oh, more fine cash for the FTC. And more screwed consumers.

    Bah.

    --
    That which does not kill us makes us... st
  16. Re:Fatal Assumptions by LaCosaNostradamus · · Score: 2, Informative

    "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"

    Here's what our representatives (remember, they supposedly believe in the free market and Capitalism) should respond:

    "Mr CheckPoint Executive, we in the Congress sympathize with the short-term hardship imposed by such a scenario, but we mostly have to be concerned with the long-term results. The long term in your case is that the assets from your failed company would eventually be bought out at pennies on the dollar and be put to use by whom we hope will be more moral and innovative businessmen. The jobs lost from your failed company would then be regained. At any rate, this is a free market, Sir, and you cannot claim Socialist protections on the basis of any privilege, real or perceived. Good day."

    Of course, since our politicians have almost totally bought into the ideas of Socialism for the wealthy classes, and the "free market" for the poor and working classes, we're never going to hear this kind of response.

    --
    [You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
  17. I'm one of the victims by gtshafted · · Score: 2, Interesting
    I couldn't find a lawyer for justice... I just didnt' have the finances for making Choicepoint pay... All I got from them was a year membership in Equifax's credit changes alert.

    This reminds me of the "settlement" Nintendo got for price fixing.

    Anyways here's how I think I got victimized (though I could be wrong). My previous employer used Choicepoint verify my resume information before hiring me... Not sure how to avoid this situation