Tuesday, May 5, 2020

Choicepoint Attack Case Study free essay sample

1. Itemize the nature of the information security breach at ChoicePoint and how this adversely affected the organization. Be sure to include and indicate both tangible and intangible losses in preparing your response.

Fraudsters pose as legitimate customers, with the required documents, gathering personal information of other customers.
- Tangible: Nothing really obviously wrong at this point, nothing unusual.
- Intangible: Fraudsters are silently collecting personal information about ChoicePoint customers to be used later.

They use this information to gather further information, including Social Security Numbers, credit report info, and driver's license numbers.
- Tangible: Still no unusual activity to make ChoicePoint suspicious.
- Intangible: Fraudsters get even deeper in their infiltration, collecting more sensitive information as the basic information they gather gives them access to the rest.

Building profiles on all of the customers, they are able to commit identity theft on a large scale.
- Tangible: Loss of customers, loss of faith in the company.
- Intangible: Loss of some sensitive information; the company still has the information, but it is no longer secret or secured.

2. What actions were taken by both ChoicePoint and the "authorities" to address the crisis, and what is your assessment of each action taken?

Nov. 2004
- ChoicePoint: Reports unusual activity to LAPD, complies with authorities.
- Authorities: Request that ChoicePoint keep it private for now, so as not to cause chaos.

Jan. 2005
- ChoicePoint: Allowed to alert the affected customers.
- Authorities: Grant access for ChoicePoint to talk about the committed crimes.

Feb. 2005
- ChoicePoint: Establishes an assistance hotline for affected customers, pays for credit reports and one year of credit-report monitoring for each affected client.
- Authorities: Attorneys representing the affected customers initiate a class-action lawsuit for $75,000 for each of the 145,000 affected customers. The US Senate announces its investigation into the matter.

2006
- Authorities: The State of California enacts legislation that imposes large penalties on companies which fail to report crimes of this sort to the appropriate authorities; this legislation has spread to most of the country since then.

3. What reactive steps by ChoicePoint might have mitigated their losses subsequent to their discovery of the information security breach? Explain/justify your choices.

Shutting down their systems when they noticed the unusual activity. This would have cut the tie to the fraudsters for the meantime, but would have reflected poorly on the company. This would of course also require ChoicePoint to notify the appropriate authorities.

Employing more secure and thorough security checkpoints, so that having some personal information does not grant access to further personal information of customers. ChoicePoint might have found a way to make it harder for such crimes to occur by making it harder to get into the accounts and personal information of their customers: requiring more than just some documents, perhaps a password system or some other, more secure sort of checkpoint.

Though this is less likely and more far-fetched, it may have been possible for ChoicePoint to work with the FBI, or whoever the appropriate authority is, to catch the criminals. ChoicePoint could have continued connections with the fraudsters in order to obtain the criminals' IP addresses, or otherwise aided the investigation by not making it public and not raising awareness of the fact that ChoicePoint and the FBI knew that the crimes were being committed.

4. What proactive steps by ChoicePoint might deter a reoccurrence of such an information security breach? Explain/justify your choices.

Similar to the previous question.

Employ more thorough and secure checkpoint systems which can take more steps to verify the legitimacy of a connection and of an attempt to view personal information in customer accounts. This would prevent similar intrusions from occurring again, by employing perhaps a password system that is separate from their existing checkpoints, so that personal documents regarding customers aren't the only thing required to gain access. An alternative would be another type of authentication system, aside from a password system, which would guarantee authentic and legitimate connections only.

Require face-to-face meetings regarding personal information. If it is that important for someone to view or edit the personal information on their customer account, then they should be able to make time for an appointment to see someone in person about it. This would prevent a single fraudster from accessing multiple accounts, and would further the authentication process, preventing illegitimate connections.
