The massive data compromise at ChoicePoint  earlier this year has made the Alpharetta, Ga.-based data aggregator something of a target for those calling for tougher data protection laws. In an interview with Computerworld, Rich Baich, ChoicePoint's chief information security officer, talked about the breach, the measures that have been put in place since then and the lessons inherent for other CISOs.

You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it?

It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.

So has the press got it now?

I see it's much better now because we're at 65-plus incidents (reported) so far this year, I believe. There are a couple that are being referenced as hacks that are truly hacks and the rest are fraud or lost tapes. There was one time people were screaming, "Rich, you're a victim of social engineering" and that "you're in charge of all the information because you're the information security officer." Well, am I in charge of the mailroom when someone loses mail? Because that's information as well. And that's all I am trying to say. People are trying to point to a person when we really need to be looking at things as an industry.

But wouldn't better IT controls have helped?

Sure. As an industry I think we have gotten better with our fraud analytics tools. There's technology that can do geographic IP locations. (Such tools) can help mitigate the risk. Then again, a very intelligent adversary can figure out a way around that by bouncing off proxy servers and different things. But there is some technology that can help mitigate the risk -- not stop it.

So are you doing anything differently now?

Yes, we absolutely are. We are looking at our entire credentialing process, the entire business process and how it's being done. We are looking at putting additional technologies in place and the way we do business with others. We actually went down to an even better level by looking at the type of data they need. Do they need stuff that relates to PII (personally identifiable information), or do they not? If your job function doesn't require that, then you don't get it.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Whitepapers

• Boost Productivity While Cutting Costs with Next-generation Collaboration
• Deploying Virtualized NetWare on Linux Whitepaper
• Driving Business Success Through Workgroup Choice and Flexibility
• Toward More Flexible, Next-Generation Collaboration Solutions
• Collaboration Tools and Organizational Success Whitepaper
• The ROI and TCO Benefits of Data Deduplication for Data Protection in the Enterprise

View more SECURITY whitepapers

Webcasts

• Creating a high performance workplace with wireless networking
• Harnessing the power of communications to increase workplace performance
• Making data centers the IT strategic focus
• Protecting assets and employees with IP Video Surveillance
• Stay out of the headlines: Detecting and preventing network intrusions
• Transforming the Enterprise WAN Edge: Video from Cisco

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• IP address management in 2008 - six things to know
• The self-managed network

View more SECURITY special reports