The Data Strategy Advisor:
The Shoemaker's Children Urgently Need New Shoes

  Column published in DM Review Magazine
May 2005 Issue
 
  By Lou Agosta

At ChoicePoint, the weak link in the chain of authorizations, authentications, passwords, access controls and data warehouse administrations was the business process.1 In particular, ChoicePoint's account initiation process reportedly accepted the documentation provided by the scammers, who were then authorized to open accounts. The process of background checking ("authentication") of those permissioned to access the data warehouse and related data stores reportedly allowed some 50 fraudulent accounts to be set up. This provided the occasion for further unauthorized changes, including identity theft.

The irony here is that the data warehousing systems of such data sellers as Acxiom, ChoicePoint and LexisNexis are used by employers, insurers or clients to perform background checks on prospective applicants. If insurance companies go to ChoicePoint to qualify their applicants, then to whom does ChoicePoint go in order to assure the authenticity of its own applicants? This is like the shoemaker's children having no shoes.2

This is not to defend any lack of oversight on the part of data sellers. Indeed, it is likely data sellers will look long and hard at tightening up the transactions that authorize account access as they consider the unintended consequences of lack of business process rigor. Going forward, the data sellers must set a new standard for data security and, more importantly, for managing internal business processes, commensurate with that in the world of finance and credit, to win back the trust of the consumer and the confidence of clients.

Hot Potato - Whose Data is it Anyway?

This is just the tip of the iceberg. While it is undetermined whether major legislation will result, this incident is still building momentum. This means:

Consumer advocates have seized the bully pulpit. This is not the first time that data sellers have been embroiled in controversy. In the year 2000, a subsidiary of ChoicePoint, Database Technologies, purged the names of alleged felons from Florida's rolls of registered voters. It turned out that some of those purged were not felons and had the right to vote. One result is a call to extend the Fair Credit Reporting Act to information aggregators such as ChoicePoint and competing database marketing firms on the view that such data is now being used for more sensitive decisions in employment, law enforcement and financial profiling.

Expect major litigation. One reason this whole matter has come to light is that California Senate Bill 1386 has created a legal basis for claiming civil damages against a business that operates in California and suffers "a breach of the security of the [computer] system" storing the data. It further requires notifying the victim of such an incident. That is what finally happened last week, though the scam itself surfaced last October (2004). Under this legislation, for a business, being a victim (as surely ChoicePoint was) is not an excuse but a sign of poor security planning or lack of internal controls. The business must report on its own failure. ChoicePoint has chosen to notify potential victims in all fifty States, not just California. In addition, it is in communication with the credit card reporting bureaus such as Experian, Equifax and TransUnion whose own systems may have been accessed.

Log analysis technologies get a boost. It is possible that the database administrators at ChoicePoint have been poring over the database logs since October 2004 (when the scam was reportedly first detected) to determine who knew and accessed what and when they knew it. That the 50 fraudulent accounts may have accessed between 145,000 and 400,000 personal records indicates how rapidly the toxic influence of unauthorized access can spread. Though this is similar to locking the barn door now that the horse has escaped, forensic database analysis is a growth industry from which database log tools from BMC, Computer Associates and Compuware (now IBM) will benefit. In addition, a rigorous audit, resulting in a conviction and jail time after the fact, can serve as a deterrent going forward.

The data is no less (or more) accurate for having been stolen. Yet a whole set of victims - the consumers whose data was stolen - are left without redress. It is never a good sign when a consumer has to ask, "Who do I sue?" The consumers whose data and identities were stolen have no relationship with the data aggregator (e.g., ChoicePoint). Whose data is it if the data seller can store and distribute it without my knowledge or permission as an individual? Apparently not mine. By participating in the public economy, I am exposed to anonymous financial risks - identity theft - that I could not have imagined because a secondary market exists for public economic transactions in which I participated.

The consequences for data sellers are so far trivial. Bad publicity is more than an inconvenience and a distraction. Yet the consumers whose data was stolen do not do business with the firm, so they will not take their business elsewhere. The consequences for ChoicePoint include the cost of complying with CA SB1386 reporting, but while such costs are not good, they are one-time and non-recurring. A potential cost has to do with future regulatory overhead, but such a cost is, by definition, still in the future. The legitimate users that buy the data - and who have a relationship with the data seller and might exert influence - are untouched. And, what is worse, they are unmotivated to demand tightening of internal controls - at least until the data seller has to raise its fees to cover the costs of tightening internal controls and diligently performing authentication. "Know thy customers" is not a new business imperative; however, it takes on new meaning and urgency if those customers become a risk to otherwise innocent consumers. Stand by for an update.

References:

  1. Source: "Identity Theft Puts Pressure On Data Sellers," Evan Perez, The Wall Street Journal, February 18, 2005, page B1. For further background, see "In Age of Security, Firm Mines Wealth of Personal Data," Robert O'Harrow, Jr., January 20, 2005, p. A01, http://www.washingtonpost.com/wp-dyn/articles/A22269-2005Jan19.html. Further details on ChoicePoint's perspective as the victim of this crime are to be found on the Web site www.choicepoint.com.
  2. Although this column has featured ChoicePoint as the poster child of what not to do, it is not the only case of a large information intermediary being the target of a data theft. In July 2004, Acxiom Corp. was the target of a scam. As reported by CNN.com, "Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million." It should be noted that all the details are different - and sketchy - and Acxiom's systems also seem to have been penetrated with the aid of social engineering by a subcontractor of a third-party contractor. For further details, see http://www.cnn.com/2004/LAW/07/21/cyber.theft/.

Lou Agosta, Ph.D., is a business intelligence strategist with IBM WorldWide Business Intelligence Solutions focusing on competitive dynamics. He is a former industry analyst with Giga Information Group and has served many years in the trenches as a database administrator. His book The Essential Guide to Data him at LoAgosta@us.ibm.com
