Computer Acts

Executive Summary

This purpose of this case study concerns database security. Many agencies store critical personal data. ChoicePoint is a firm that maintains databases of background information on almost every citizen of the United States. ChoicePoint aggregates and sells such personal information to government agencies and private companies. The information on the consumer databases includes names, addresses, social security numbers, credit reports and other information. This case study provides some general guidance for understanding, preparing, and avoiding, some of the common threats of ensuring database security.

Problem Statement

"Human resource professionals expect security guards to keep out intruders, but they still keep files locked in cabinets behind closed doors. But what about electronic data? Each digital tool for accessing HR information--wireless devices, the Internet, intranets, desktop PCs and notebook computers--presents its own risks and requires backup security methods to prevent unauthorized access"(Robb, 2002) .

Reports have infiltrated the news revealing that criminals had gained access to the information posing as legitimate businesses. The criminals are believed to have opened at least 50 suspicious accounts with the names of "nonexistent debt collectors, insurance agencies and other companies, according to the company. The Atlanta-based company says it has 10 billion records on individuals and businesses, and sells data to 40 percent of the nation's top 1,000 companies. It also has contracts with 35 government agencies, including several law enforcement agencies"(Sullivan, 2005).

Sullivan (2005) stated that in October 2004, a questionable fax requesting access to accounts was sent from a Kinko's in Southern California to ChoicePoint. ChoicePoint notified the police and requested a new signature from the requesting official. Surveillance operations were set up at the Kinko's, which resulted in the arrest of only one suspect so far connected to the case, Olatunji Oluwatosin. He told investigators at the time he was not involved in any identity theft scam and was only picking up the fax for someone else. ChoicePoint found that unsolved inhabitants formed fake businesses to gain admittance into its databases. Sullivan (2005) also stated that Jane Robinson, a spokes person for the Los Angeles County District Attorney's office, revealed Oluwatosin pled "no contest" to a one count of identity theft and received the punishment of 16 months in state prison. He also has to pay a diminutive fine. The other five felony identity theft charges against him were dropped (Sullivan, 2005).

"More than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and are at risk of being used for fraud" (Krim and Barbaro, 2005, p. A01). Krim and Barbaro (2005) reported that the breach of the CardSystems Inc.solutions system occurred at a processing center in Tucson. The company handles the transfers of "payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made" " (Krim and Barbaro, 2005, p. A01). MasterCard is disclosed that the hacker obtained at least 68,000 numbers; however, the time period that it took to take the numbers was not known.

Robb (2002) states that database security breaches keep IT and HR departments busy. Technology is changing so much and there have been so many advances. These changes require that "new ways of thinking manage diverse, distributed, and complex information and technology assets" (Applegate, Austin, & McFarlan, 2003).

Frequently reported cases of hackers, worms, and viruses challenge security (Robb, 2002). The criminals will take the information that they illegally obtained and use it to gain full access to the identity of the victims. Robb (2002) reveals that "employees are already inside, know what's valuable and where to get it." Identity theft occurs when someone uses your personal information without your permission to commit fraud or other crimes. Once identity thieves have someone's personal information, they use it in a variety of ways. They may open new credit card accounts in the victim's name. They may open bank account and write bad checks on the victim. They may file for bankruptcy under the victim's name to avoid paying debts they have incurred in the victim's name to avoid eviction. They may buy a car by taking out auto loans in the victim's name. They may get drivers license issued with their picture and the victim's name. They may give the police the victim's name during an arrest and if they don't show up in court, a warrant for arrest might be issued for the victim.

Alternatives

ChoicePoint vowed to inform all consumers that the theft concerned. New York state legislator James Brennan advocated the state to defer current contracts with ChoicePoint as well as an $800,000 agreement through the state's Office for General Services but the firm agreed to notify New York residents (Sullivan, 2005).

Sullivan (2005) reported that 19 state attorneys general launched a correspondence to ChoicePoint encouraging the company to describe further information concerning the database security breach. "ChoicePoint Inc. should immediately inform all persons whose personal information is known to have been compromised, providing them with as much detailed information as possible about the breach and when it occurred, and urging them to check their credit reports for new accounts or suspicious activity," the letter said.

One of the security functions to consider woul be to outsource security to companies that continuously monitor systems thus ensuring security(Robb, 2002). "When an attack hits a Riptech client, for instance, Riptech will either remotely install a fix on clients' computers, or warn the client of an impending threat. Its staff also keeps up with new security bulletins and patches, and monitors employee use of the network. For example, one client's employee had been using the company web server to sell pornography for a year, but the company had not detected this abuse on its own"(Robb, 2002)

Conclusion

EPIC attorney Chris Hoofnagle filed a lawsuit claiming private companies are purchasing personal records and