Two More on Choicepoint
See Taosecurity, on IDS and Choicepoint, and this choice excerpt from Reuters, relayed by Dave Evans at Corante’s Online Dating:
U.S. investigators notified the company of the breach in October, but ChoicePoint did not send out the consumer warnings until last week.
It’s fascinating that the company didn’t detect the breach, and that they seem to be unable to figure out all the records touched.
ChoicePoint, by their own statements, is unable to trace accesses to (some, all?) ID documents back to the requesting entity.
If they cannot trace it back to the requestor, then they cannot trace it back to “known-legit” or “known evil” requestors. Basically, all they know is that the documents have been accessed.
Therefore, the obvious question is “How do they know which Californians to notify?”. It looks to me like their information must be from a source outside their own systems, or else they’d have to notify every Californian that their records might have been accessed improperly, and we know they didn’t do that. Therefore, the question to ask them is “How did you decide whom to notify?”.
That doesn’t seem to be a conflict to me at all. They got notified that a legitimate looking client was using the system in a legitimate looking fashion. That’s incredibly hard to detect. Worst case scenario they know which subsystems those clients had access to. Best case they actually log all the queries as well…..
Choicepoint – full blown scandal?
Maybe it was the RSA security conference, but the Choicepoint heist seems to have touched a nerve. Adam pointed here, where it says that ” investigators notified the company of the breach in October, but ChoicePoint did not send out…
The number of potentially impacted people must exceed that cited in the articles. I can confirm that Kaiser Permanente uses ChoicePoint for employee screenings. KP has 120,000 employees. Not sure, but if used for insurance underwriting it will expand the number to include the 7,000,000 members.
Could you expand on how choicepoint could be used in insurance underwriting?
Also, why must the number exceed that cited? If there are KP employees whose data wasn’t pulled in this theft, then they’re not at risk from this theft.