ChoicePoint fined $15m for security blunders

Security breach at ChoicePoint exposed 900 consumers to identity theft

The Federal Trade Commission (FTC) has agreed a $15m settlement with US credit bureau ChoicePoint after criminals hacked into the firm's databases last February. 

The cyber-criminals gained access to the personal financial records of more than 163,000 consumers in a data breach that resulted in at least 900 cases of identity theft.

ChoicePoint sells information including credit histories and social security numbers to insurance providers and other businesses.

To pull off the attack criminals set up legitimate accounts with ChoicePoint by posing as collection agencies looking to run background checks.

ChoicePoint lacked the security procedures needed to screen prospective subscribers whose applications raised "obvious red flags", the FTC noted.

The firm cleared bogus businesses that were registered at mail boxes, for instance, and processed applications that were sent using fax machines at public locations such as copy shops.

ChoicePoint also failed to bolster its security procedures after it was alerted about fraudulent activity as early as 2001.

The settlement requires ChoicePoint to implement improved security procedures to ensure that only legitimate businesses can access its databases for lawful reasons.

Terms of the settlement require that the stipulations are audited every other year until 2026.

Some $10m of the $15m settlement will go towards civil penalties. The remaining $5m is earmarked to compensate consumers who suffered damages arising from ChoicePoint's poor security protocols. The fine is the largest civil penalty in the FTC's history.

"The message to ChoicePoint and others should be clear: consumers' private data must be protected from thieves," said FTC chairman Deborah Platt Majoras.

"Data security is critical to consumers, and protecting it is a priority for the FTC as it should be to every business in America."