Choicepoint’s CISO Interview & “Social Hacking”

ChoicePoint’s CISO, Richard Baich, is interviewed by, where he makes his case that the ChoicePoint fiasco is not a security or hacking issue:

This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day. …This is a business process that failed. Before the media calls this a hack, it should get the facts straight. You could say they’re the same, they’re not.

I’ve made a similar point, but to a different end. Calling this hacking seems to take ChoicePoint off the hook for poor vetting and business processes. For Baich to say this is simply fraud which “happens every day” is a weak attempt to absolve them of responsibility. ChoicePoint is not the victim here – consumers are.

I agree with Bruce Schneier’s assessment:

This isn’t a computer hack in the traditional sense, but it’s a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked. …I’m sure he’s exaggerating when he says that “this type of fraud happens every day” and “frauds happens every day,” but if it’s true then Choicepoint has a huge information security problem.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s