ChoicePoint to pay $275,000 in latest data breach

Data broker failed to notice that a key monitoring tool was turned off for four months, allowing unauthorized access and exposing data of 13,750 people, the FTC says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

ChoicePoint, one of the nation's largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year.

In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement.

During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information, the FTC said.

The FTC alleged that ChoicePoint's conduct violated a 2006 court order requiring the company to institute a comprehensive information security program following a 2005 breach that compromised the personal information of more than 163,000 people and resulted in at least 800 cases of identity fraud. The company was ordered to pay $10 million in civil penalties and $5 million to consumers in that case.

To settle the recent charges, ChoicePoint agreed to pay the fine and provide reports on its data protection practices to the FTC every two months for two years.

Meanwhile, payroll processor PayChoice has had two data breaches in less than a month. On October 1, the company said it was investigating a breach in which targeted e-mails were sent to customers that attempted to trick them into downloading malware.

Then last week, PayChoice told customers it was again shutting down its online portal after clients started noticing fake employees being added to their payroll in what is likely the second stage of a broader attack, according to the Security Fix blog.

It appears that attackers stole login IDs and passwords by exploiting a weakness in the Web site component that allows customers to change their portal passwords, the report said. The usernames and passwords were then included in the e-mails sent out to customers a few weeks ago.