THE PROBLEM OF INFORMATION PROTECTION
The theft of consumer information, particularly financial information, is causing huge headaches for financial and data companies. This case looks at three incidents that occurred recently at ChoicePoint, Bank of America, and Polo Ralph Lauren.

CHOICEPOINT

The opening case study in this chapter highlighted the Acxiom Corporation, a company that gathers, packages, and sells information about consumers. A direct competitor to Acxiom is ChoicePoint, a company that is a spin-off of Equifax, which is one of the three major credit bureaus. ChoicePoint has more than 20 billion records that include information on almost every adult in the United States. ChoicePoint sells this information to customers, such as potential employers, for purposes of verification. ChoicePoint found itself in the headlines when personal financial information on 145,000 customers was stolen in a very high-profile identity fraud theft. And this time there was no sophisticated electronic attack or break-in; rather, the theft was accomplished through old-fashioned "social engineering." Social engineering is getting information that you have no right to by conning people who have access to it.

What the identity thieves did was to pose as fake companies buying information on people in every state and the District of Columbia. So far, 750 confirmed cases of identity theft have surfaced from the ChoicePoint security breach. The U.S. Attorney's Office in Los Angeles charged that ChoicePoint had been scammed previously in 2002, resulting in fraud to the tune of $1 million.

THE BANK OF AMERICA

The Bank of America was also the victim of information theft accomplished in an old-fashioned way. Personal information recorded on tapes belonging to 1.2 million federal employees, including members of Congress, was on a commercial jet en route to a safe backup facility when the tapes were stolen. Both the Bank of America and ChoicePoint thefts occurred in February 2005 and were followed very quickly by the introduction of privacy legislation at both the state and federal levels.

POLO RALPH LAUREN

Another example of embarrassment and worse involved Polo Ralph Lauren. It seems that between June 2002 and December 2004, the company was storing credit card information on its point-of-sale system instead of deleting it immediately after transactions had been completed. The realization that this data had been compromised led HSBC North America, the issuer of some of the credit cards whose numbers had been stolen, to notify 180,000 consumers of the possibility of identity theft. MasterCard, Visa U.S.A., and Discover Financial Services customers have all been affected. American Express says it has not seen any activity that has looked suspicious.
1. If you were the manager of a company where it was discovered that credit card information had been stolen, what responsibility would you have to the people whose personal information was compromised? What are the pros and cons of notifying and of not notifying possible victims?
2. E*Trade, a leader in online brokerage services, is the first company to go to a two-factor authentication system optionally available to its customers with accounts of $50,000 or more. The first factor is the ID and password that customers have always needed, and second, they use a security token or, as E*Trade calls it, a Digital Security ID. This is a little device that you can carry on your key chain that displays a new random six-digit number every minute. E*Trade's host system must, of course, synchronize with the device. When you log in, you have to type in this number after your ID and password.
Since the number changes so often, it's virtually impossible to hack an account with this two-pronged protection. From a consumer's point of view, do you think this is a good idea? What are the advantages and disadvantages of the system to businesses and customers? With which online transactions would you consider it worthwhile to enforce this level of security? Remember that you might have a lot of these tokens if you use a lot of online services.
3. In this case study you saw how personal information can be stolen from huge databases and data warehouses. What other ways are there that thieves can obtain personal information about you that would allow them to steal your identity and run up debts in your name? To what extent would you be liable for these debts? What would you have to do (what steps would you take) to reestablish your financial identity if you discovered your identity had been stolen?
4. In the case of the Bank of America, the data was being shipped on tapes to a safe location. This is a very good backup policy to make sure that in the event of a major disaster like a fire or flood, data can be quickly restored, enabling the company to be back in operation as soon as possible. However, this procedure leaves the company vulnerable to old-fashioned theft of the physical tapes containing personal information. What are two ways that this information that travels on trucks and planes could be protected?
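Question 2 describes a token that shows a new six-digit number every minute while the host keeps itself synchronized with it. The example below is added here to show how that synchronization works in principle; it is not E*Trade's code, and the Digital Security ID's actual algorithm is not described in the case. It assumes the standard time-based construction (an HMAC over a counter derived from the clock, truncated to six digits), a constructed demo secret shared between token and host, a 60-second step to match the case, and a host-side tolerance of one step in either direction for clock drift. The host also remembers the last counter it accepted, so a code that was already used cannot be replayed within the same minute.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret. In a real deployment each token carries its own
# per-device secret that is provisioned to the host when the token is issued.
DEMO_SECRET = b"constructed-demo-secret-0123"
STEP_SECONDS = 60   # the case says the displayed number changes every minute
DIGITS = 6


def time_counter(now, step=STEP_SECONDS):
    """Map a Unix timestamp to the step counter the token and host both derive."""
    return int(now // step)


def token_code(secret, counter, digits=DIGITS):
    """Compute the six-digit code for one counter value.

    HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation:
    the low nibble of the last byte selects a 4-byte window, whose top bit
    is cleared before reducing modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class HostVerifier:
    """Host-side check of a presented code, tolerant of small clock drift."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window          # accept counters current-1 .. current+1
        self.last_counter = -1        # highest counter already accepted

    def verify(self, presented, now):
        current = time_counter(now)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            # A counter at or below the last accepted one is a replay: reject it
            # even if the code would otherwise match.
            if candidate <= self.last_counter:
                continue
            expected = token_code(self.secret, candidate)
            if hmac.compare_digest(expected, presented):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    host = HostVerifier(DEMO_SECRET)
    code = token_code(DEMO_SECRET, time_counter(now))   # what the key-chain device shows
    print("token shows:", code)
    print("first login accepted:", host.verify(code, now))
    print("same code again (replay):", host.verify(code, now))
```

The drift window is the practical reason the host must "synchronize" with the device: a token whose clock has wandered a few seconds past the minute boundary would otherwise be rejected. The replay check is what keeps the window from weakening the scheme, since a code observed during one login is useless for a second one.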