So the news about ChoicePoint just keeps getting worse. I first wrote on this last month. Now, according to the The Los Angeles Times (via Wired News), this was not the first time this happened:

Two Nigerian-born fraud artists were arrested in Los Angeles in 2002 by federal officials who charged that the pair used ChoicePoint to gain access to confidential information about at least 7,000 people and possibly many more, resulting in at least $1 million in losses.

That security breach, which received no public attention at the time, is similar to the case in which a North Hollywood man, also a Nigerian native, pleaded no contest last month to felony identity theft. He had obtained as many as 145,000 ChoicePoint records by setting up a fake business claiming to have a legitimate need for the information.

If this is the case, then why did Derek Smith, the CEO of Choicepoint, say on film,

“This is the first time that that kind of process has really happened for us,” Derek Smith said in a Feb. 21 interview with Atlanta television station WXIA, referring to a 2004 case in which criminals pretended to have a legitimate need for financial data and tapped 145,000 personal records.

Especially when ChoicePoint’s CISO Richard Baich says in an interview, “This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day.” (emphasis mine, but that’s the full quote so no accusations of taking things out of context here)

That’s his opening statement and he just goes on to further prove that he shouldn’t be allowed to speak to the Press without his publicist present.

Ignoring the hairsplitting as to whether this was “fraud” or “hacking,” it was still a breach of Confidentiality. If I were to go ask one of the 145,000 affected individuals if they’d rather their information was stolen through fraud or hacking, they’re not going to care if it was a computer or a process was compromised–all they know is that they either already are or probably will soon be a victim of identity theft.

Baich goes on to explain that, much in the tradition of laws against things like Getting Caught Stealing, “We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this.”

So it just me, or does this not ring quite true? Back in 2002 when it was just The Right Thing, they didn’t feel the need to disclose it to anyone. It’s only when The Right Thing became The Law that they actually did it.

(Hat tip to Bruce Schneier (again) for the original interview link

Why Choicepoint Resonates

Its now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I’d like to think back, and ask, why does this story have legs? Why are reporters still covering it? There are a couple of important…