ChoicePoint CISO Richard Baich has the following to say about how ChoicePoint inadequately defended our most private credit, medical, insurance, salary, tax and earnings information. Does this make anybody else's hair stand on end? Check out the choice comments below:
"This is not an information security issue... This type of fraud happens every day." - Thanks, Rich. Of course, I always suspected that the "stewards" of my semi-personal information (e.g. address and phone number and such) were leaking it out, as Dick here indicates, "every day." However, I sort of thought that my financial or medical information was between me and only those with a "need to know." I was wrong - apparently. Apparently, they see the loss of 145,000 records as "not an information security issue." I'm curious what type of issue it is. Maybe Richard sees it more as a Media Relations issue? How about a Sales issue? "Darn sales department - they are always slacking when it comes to ensuring the security of all that information." Bah. Wishing it to be somebody else's problem won't make it any better.
"I was at RSA among other CISOs when the media frenzy around this kicked in." Am I misunderstanding, or did he just imply that their process is so hosed up that he (the CISO) didn't even hear about the pending disclosure until after the media reports? Strange as it sounds, I actually hope that their process is that hosed, since the only other alternative is that he did know about it but chose to "otherwise occupy" himself at RSA when they disclosed. (Maybe he was busy indulging in a bit of free cheese danish over at the Verisign-sponsored "CISO refreshment table" - I don't blame him, the danish are the first to go.)
"What would help (the security) industry is to say that a mislabeling of this event as a hack is killing ChoicePoint." ??? Hack or fraud - excuse me, but really, who cares?
"...this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection..." Um. Still not following you. Is the argument that the 145,000 records fall under the auspices of "adequate protection"? Or is the argument that it's not *really* a security breach because they didn't h4x0r some server over there? Oh! I have a great rationalization - how about this: it's not an information security "breach" because all of ChoicePoint's information security resources were involved in intense, precision, laser-focused infosec planning activities at the W bar when the fraud/hack took place.
Poor form, ChoicePoint...
Posted by Ed at February 25, 2005 10:20 AM