Schneier on Security
A blog covering security and security technology.
May 5, 2005
Lessons of the ChoicePoint Theft
Nice essay about the implications of the ChoicePoint data theft (and all the other data thefts, losses, and disclosures making headlines).
Posted on May 5, 2005 at 8:54 AM
Here are two inconsistencies:
"Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses—this when the company itself helps other businesses verify creds."
then further down...
"The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection—whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam."
... and further down ...
"Responding to the media glare by disputing the "hack" characterization is a case of splitting hairs; by any name, what happened reflected a wholesale failure of ChoicePoint's approach to security governance."
... so then "the fact" being that the premise Sarah D. Scalet states that it wasn't a hack is not true, nor a fact.
Imitation is said to be the sincerest form of flattery.
Glad to see I have a fan club...
"In fact, the company sold the information to inadequately vetted bogus businesses—this when the company itself helps other businesses verify creds."
The idea that the CIO denied that he had any responsibility for "fraudulently obtained" information shows just how poor a concept of unified security Choice Point has. A good hacker attacks at the weakest point; in this case it was Choice Point's greed. They just walked in the front door (virtual or not) and asked to buy people's private data. Choice Point said, "Of course! That's what we do! Sell people's private information."
The problem is that Choice Point shouldn't have been allowed to sell the aggregated data in the first place. People's account information is a de facto (even de jure) password to many of their financial accounts. Selling this information is equivalent to selling logins and passwords. If any private individual did so they would be arrested for hacking, but when a corporation does it, it is just business as usual.
Choice Point loves to play the victim in this case, but I've yet to hear them say that they are giving back the money they received from the sale of people's private data to ID thieves. Choice Point was an eager and willing participant in the dissemination of people's private data and their CIO is an ignorant buck passer. That's my opinion.
Hmm... a simple question, how do you tell a good guy from a bad guy...
As far as I know you cannot, unless somebody already knows they are bad and tells you.
This is the same problem that the PKI CA organisations have,
"If I sign your certificate (for money) am I actually taking liability for your actions?"
The CAs would like to think not, but it has not been tested in a court of law yet.
As far as I can tell, most US CAs try to use the "Postal Fraud" laws to protect themselves (i.e. you post in a signed application form with your payment; if you lie in any section you have committed a crime). That way they can argue that a crime was committed against them, therefore they can limit their liability by time and hopefully money.
I guess the whole information business needs new laws, but who is going to draft them in an appropriate fashion and how long it's going to take is anybody's guess. Until then I guess the only people to benefit will be the crooks and "our friends" in the legal profession.
"Look, I'm the chief information security officer. Fraud doesn't relate to me."
I have met Richard Baich and all I can say is him making a statement like this comes as no surprise.
Well Anonymous, unless you have some internal insight into the inner workings of Choicepoint, I don't think your comment is founded. Did it ever occur to you that Mr. Baich's department doesn't cover fraud? Maybe it's time to point the finger at the top management of Choicepoint, rather than letting Mr. Baich take the heat. Has anyone bothered to ask what department within Choicepoint IS responsible for fraud?
I've met Mr. Baich too and I believe he's a man with true integrity. To portray as otherwise is false.