ChoicePoint will pay $10 million in civil penalties and another $5 million to set up a fund to compensate consumers whose financial records were exposed in a massive data breach last year, the Federal Trade Commission (FTC) announced today. The fine is believed to be the largest ever for a security incident, and signals Washington's growing impatience with corporate security breaches.
"The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves," said Deborah Platt Majoras, Chairman of the FTC. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."
ChoicePoint provides data to credit providers, government agencies and landlords. Earlier today it reported $1.1 billion in revenue for 2005. In late 2004 criminals using falsified credentials were able to sign up for sensitive ChoicePoint services and access account information for 163,000 consumers, the FTC said.
"The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal," said Derek V. Smith, chairman and chief executive officer, in a statement (PDF). "As a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today’s settlement with the Federal Trade Commission."
The settlement requires ChoicePoint to be audited by an independent third-party security professional every other year until 2026. Third-party testing is critical to the security of online financial, banking and e-commerce systems, but is obviously less valuable if an institution defers it until after an enormous breach has occurred. The ChoicePoint case is the most prominent in a lengthy series of security breaches that offer a vivid cautionary tale for all institutions handling sensitive financial data.
Our interest here should be clearly stated: Netcraft offers a range of advanced security services, including web application security testing and an auditing service to provide ongoing detection of new security vulnerabilities and configuration errors caused by system and network maintenance.