[ISN] ChoicePoint says data theft cost it $6M

From: InfoSec News (isn@private)
Date: Fri Jul 22 2005 - 11:31:08 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,103384,00.html

By Linda Rosencrance 
JULY 21, 2005 
COMPUTERWORLD

Credit and personal information vendor ChoicePoint Inc. took a $6
million charge in its second quarter, which ended June 30, citing
costs associated with the theft of personal information on 145,000
consumers, the company said yesterday.

The $6 million was used for legal expenses and other professional fees
related to the data theft, Alpharetta, Ga.-based ChoicePoint said in a
statement [1].

The second-quarter charge came on top of a $5.4 million charge the
company had to take in the first quarter related to the same incident.  
That first-quarter expense included $2 million spent on communications
to the affected consumers and for providing those people with credit
reports and credit monitoring services. Approximately $3.4 million
went for legal and professional fees, ChoicePoint said.

ChoicePoint provides data to credit providers, government agencies,
landlords and others who use personal information to approve loans,
leases and other contracts.

In February, ChoicePoint said the data theft occurred when "a small
number of very well-organized criminals posed as legitimate companies
to gain access to personal information about consumers." (see "State
officials push ChoicePoint on ID theft notifications")[2].

Information provided by ChoicePoint has since been used in about 750
identity-theft scams, according to the company.

"It's becoming more expensive [to handle these security breaches], and
the reason it's becoming more expensive recently is because of the new
notification laws," said James Van Dyke, principal analyst at Javelin
Strategy & Research, a Pleasanton, Calif., financial consulting firm.  
"So we have every reason to believe that data breaches like that at
ChoicePoint, sadly, have actually been going on for longer than most
people realize....

"It's laws such as those in the state of California and other parts of
the U.S., requiring new notification, that are bringing these cases to
light," Van Dyke said. "ChoicePoint happened to be the first big one
after these notification laws [went into effect]. We'll see
investments like that of ChoicePoint as these companies seek to avoid
the kind of a death sentence CardSystems received from American
Express and Visa. Companies like ChoicePoint will spend this money on
public relations, procedures and on partner relations."

Earlier this week, Visa U.S.A. Inc. and American Express Co. said
separately that they are terminating contracts with CardSystems
Solutions Inc., a credit card transaction-processing company that was
hit by hacker attacks, potentially exposing 40 million card numbers to
online intruders.

The companies said CardSystems, in Atlanta, didn’t meet contractual
requirements in providing processing services for merchants that
accept the credit cards. As a result, they will no longer allow
CardSystems to process their transactions after October.

Those decisions come in the wake of the announcement last month from
MasterCard International Inc. that 13.9 million of its credit card
numbers were among the 40 million that may have been accessed by
intruders who infiltrated CardSystems' network (see "Security breach
may have exposed 40M credit cards")[3]. Unlike Visa and Amex,
MasterCard plans for now to continue doing business with CardSystems
because it has taken steps to improve security.

Despite the second-quarter charge, ChoicePoint posted a second-quarter
profit of $36.4 million, or 40 cents per share, compared with $36.3
million, or 40 cents per share, in the same quarter a year ago.

Earnings per share for the most recent quarter included a
4-cent-per-share charge to cover the expenses related to the data
theft.

"I am extremely pleased with the continued revenue-growth momentum
this quarter," said Derek V. Smith, chairman and CEO of ChoicePoint.  
"Additionally, we implemented key changes that reduced the risk of our
business model and reinforced our leadership as a responsible
information company."

[1] http://choicepoint.com/choicepoint/news.nsf/(webhotbox)/E5DA762464E269EC8525704300749EA4?OpenDocument
[2] http://www.computerworld.com/securitytopics/security/story/0,10801,99886,00.html
[3] http://www.computerworld.com/databasetopics/data/story/0,10801,102631,00.html



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Fri Jul 22 2005 - 11:58:26 PDT