ChoicePoint’s CISO, Richard Baich, is interviewed by SecuritySearch.com, where he makes his case that the ChoicePoint fiasco is not a security or hacking issue:
This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day. …This is a business process that failed. Before the media calls this a hack, it should get the facts straight. You could say they’re the same, they’re not.
I’ve made a similar point, but to a different end. Calling this hacking seems to take ChoicePoint off the hook for poor vetting and business processes. For Baich to say this is simply fraud which “happens every day” is a weak attempt to absolve them of responsibility. ChoicePoint is not the victim here – consumers are.
I agree with Bruce Schneier’s assessment:
This isn’t a computer hack in the traditional sense, but it’s a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked. …I’m sure he’s exaggerating when he says that “this type of fraud happens every day” and “frauds happens every day,” but if it’s true then Choicepoint has a huge information security problem.
MichaelZimmer.org 