ChoicePoint says data theft cost it $6M

Computerworld - Credit and personal information vendor ChoicePoint Inc. took a $6 million charge in its second quarter, which ended June 30, citing costs associated with the theft of personal information on 145,000 consumers, the company said yesterday.
The $6 million was used for legal expenses and other professional fees related to the data theft, Alpharetta, Ga.-based ChoicePoint said in a statement.
The second-quarter charge came on top of a $5.4 million charge the company had to take in the first quarter related to the same incident. That first-quarter expense included $2 million spent on communications to the affected consumers and for providing those people with credit reports and credit monitoring services. Approximately $3.4 million went for legal and professional fees, ChoicePoint said.
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to approve loans, leases and other contracts.
In February, ChoicePoint said the data theft occurred when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers." (see "State officials push ChoicePoint on ID theft notifications").
Information provided by ChoicePoint has since been used in about 750 identity-theft scams, according to the company.
"It's becoming more expensive [to handle these security breaches], and the reason it's becoming more expensive recently is because of the new notification laws," said James Van Dyke, principal analyst at Javelin Strategy & Research, a Pleasanton, Calif., financial consulting firm. "So we have every reason to believe that data breaches like that at ChoicePoint, sadly, have actually been going on for longer than most people realize....
"It's laws such as those in the state of California and other parts of the U.S., requiring new notification, that are bringing these cases to light," Van Dyke said. "ChoicePoint happened to be the first big one after these notification laws [went into effect]. We'll see investments like that of ChoicePoint as these companies seek to avoid the kind of a death sentence CardSystems received from American Express and Visa. Companies like ChoicePoint will spend this money on public relations, procedures and on partner relations."
Earlier this week, Visa U.S.A. Inc. and American Express Co. said separately that they are terminating contracts with CardSystems Solutions Inc., a credit card transaction-processing company that was hit by hacker attacks, potentially exposing 40 million card numbers to online intruders.
The companies said CardSystems, in Atlanta, didn't meet contractual requirements in providing processing services for merchants that accept the credit cards. As a result, they will no longer allow CardSystems