ChoicePoint Fined $275K for 2008 BreachFTC: Data Broker Turned Off Tool That Would Have Detected Hack Sooner Data broker ChoicePoint has agreed to a stronger data security program and will pay a $275,000 fine for a breach in 2008, according to the Federal Trade Commission.
The FTC says the company failed to implement a comprehensive information security program to protect consumers' personal information, as required by the agency after ChoicePoint's 2004 breach, which affected more than 160,000 U.S. consumers.
The April 2008 breach compromised the personal data of 13,750 people, says a FTC press release. The company is accused of turning off a "key" electronic security tool used to monitor access to one of its databases, then failed to detect that the security tool was turned off for four months. If the tool had not been turned off, the FTC says, the breach would have been detected much sooner.
For a month, an unidentified hacker conducted thousands of unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers, says the FTC. After the breach was found, ChoicePoint alerted the FTC.
According to the modified court order, ChoicePoint will be required to report to the FTC detailed information about how it is protecting the breached database and certain other databases and records containing personal information. The ChoicePoint reports are required every two months for two years.
The 2004 ChoicePoint data breach resulted in 800 cases of identity theft, says the FTC. A settlement and 2006 court order required the company to $15 million in civil penalties and consumer compensation. As part of the settlement, the company is required to obtain independent assessments of its data security program every other year until 2026.