Encore Exposures

The data broker ChoicePoint Inc. is once again in the news for its involvement in a data breach.

ChoicePoint, which made headlines in 2005 after a breach called attention to consumer notification issues, said it has agreed to pay the Federal Trade Commission $275,000 for a 2008 incident in which the Social Security numbers and other data of 13,750 people were exposed, The Washington Post's Brian Krebs wrote in his "Security Fix" column Monday. The money will go into a fund used for consumer redress.

The 2005 incident involved 163,000 people and led ChoicePoint to pay a $15 million settlement to the FTC — the largest civil penalty the agency has ever received, the article said.

As part of the earlier settlement, ChoicePoint agreed to adopt new security measures, the article said. According to the FTC, these included a monitoring system to detect suspect activity. Last year's breach came during four months when ChoicePoint had switched off the system.

The company said that the monitoring system predated the settlement, so switching it off was not a violation.

ChoicePoint, which was bought last year by Reed Elsevier Inc., said the 2008 incident occurred because a government customer did not protect one of the user IDs it used to gain access to a ChoicePoint database. 

The Moorestown, N.J., payroll processor PayChoice Inc. has disclosed its second security breach in a month.

PayChoice's Online Employer Web site was briefly taken offline last week because of an incident discovered Oct. 14, according to a Friday article in Computerworld. PayChoice gave little detail about the breach but said it has since improved security.

The newest attack exploited a weakness in the password reset function, the article said. In the earlier incident, valid user names and passwords were stolen and used to send spoofed e-mails to PayChoice clients in order to obtain further personal information and to infect victims' computers with a malicious program.

Lose Data, Lose Job

Lady Lake, Fla., Town Manager Bill Vance was fired this week after exposing the Social Security numbers of 99 town employees.

The personal information was included by accident on a set of CDs given to Mike French, a resident of nearby Mount Dora, Fla., who requested more than 88,000 e-mail records from Lady Lake in recent months to investigate whether he was discriminated against when he was rejected for a police job, the Daily Commercial of Leesburg, Fla., reported Tuesday. French has not returned the discs, the article said.

Vance said he is taking responsibility for his mistake and offered his resignation before the town's vote to fire him. "This breach of trust obviously puts this current administration in a position where that trust could quite possibly never return," he told the paper. Vance said that his departure "seems the right thing for all involved."

Vance originally offered to resign on condition that he receive six months of severance pay and that he could stay with the town as an independent contractor until a successor is hired. This proposal was rejected, but Vance was given six months of severance as part of his termination Monday, the article said.

Sloppy Shredder

Hundreds of loan files were found intact last weekend in two trash bins in Tampa after a former mortgage company owner hired a stranger to shred the documents, The Tampa Tribune reported online Monday.

The files included Social Security numbers, tax and bank records and other personal information, the article said. The forms came from Creative Financial Services, an out-of-business local mortgage company, and were found by a hair salon owner who reported her discovery to police.

The Tribune contacted the mortgage company's former owner, Bassem Matoubsi, who had some difficulty identifying the person he had hired to shred the documents. "His name is John, and this guy is, ah, I know him through, ah, I really don't know him," Matoubsi told the paper.

The Tampa Police Department's Economic Crimes Unit is investigating the case, The Tribune said. A police spokeswoman told the paper the documents have been destroyed and that Matoubsi does not face criminal charges.

Doug Gardner, who owns the Tampa document disposal company AccuShred, had some advice for business owners seeking to hire people to destroy sensitive materials: "You need to make sure they have paperwork saying they are a shredding company," he told the paper.

Bad Friends

An alleged fraudster forgot one key rule for evading the law: Don't "friend" the authorities on Facebook.

Maxi Sopo, a former Seattle resident who is accused of helping run a loan fraud scheme, fled to Mexico, where his online life eventually led to his arrest, according to an article The Guardian ran Oct. 14.

Sopo is alleged to have perpetrated the fraud with an accomplice, Edward Asatoorians.

The two men are accused of persuading victims to lie about their income on loan applications, then using the money to fund Asatoorians' business and a trip to Las Vegas. Asatoorians was convicted this month in Seattle and may be sentenced to five years in prison, The Guardian reported.

Michael Scoville, an assistant U.S. attorney who helped locate Sopo, said the fugitive's online persona did not reflect the serious nature of his situation.

Instead, Sopo posted brash reports to friends about his exciting life in paradise. "He was definitely not living the way we wanted him to be living, given the charges he was facing," Scoville told the paper.

Though Sopo's Facebook page was set to private — meaning it could only be viewed by people Sopo approved as online friends — the fugitive made the mistake of granting access to his page to a former official of the Justice Department whom he had met in a nightclub.

Scoville got in touch with the former official. "We figured this was a person we could probably trust to keep our inquiry discreet," he told the paper.

The former official said that he barely knew Sopo but was able to get details from Sopo's Facebook page to give Mexican authorities enough information to arrest him.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.