Detailed Narrative of Events
(Extended Documentation for the In the Matter of ChoicePoint Inc. (2006) Case Study)
Table of contents
- Overview
- Pre-incident environment
- Unauthorized access and discovery (2005)
- Customer notification and remediation (2005)
- FTC enforcement and settlement (2006)
- Subsequent program obligations
Overview
The ChoicePoint matter involved unauthorized acquisition of sensitive consumer records by parties who exploited weaknesses in customer credentialing, verification, and access approval processes. Fraudulent actors obtained access to consumer information through improperly approved or fraudulent “customer” accounts, exposing systemic gaps in how high-risk data access was gated.
The Federal Trade Commission brought an enforcement action. In January 2006, the Commission announced a stipulated final judgment and order that included civil penalties, consumer redress funding, and injunctive requirements for a comprehensive security program, independent assessments, and ongoing compliance obligations. The case is a foundational FTC data security settlement often cited for the scale of penalties and the breadth of program requirements for the time.
Pre-incident environment
ChoicePoint operated as a data broker, selling access to sensitive consumer information to business customers for permitted purposes (such as fraud prevention and identity verification). The business model depended on vetting who could obtain data and auditing how data was used. Access governance—including identity proofing, application review, and monitoring for fraudulent applicants—was therefore a central control, not a peripheral one.
Unauthorized access and discovery (2005)
In 2005, ChoicePoint determined that unauthorized persons had obtained consumer records by posing as legitimate subscribers or by exploiting weaknesses in subscriber credentialing and approval pathways. The incident pattern reflected verification failure: fraudulent actors navigated onboarding or account controls in ways that should have been blocked or escalated under a risk-appropriate program.
Once discovered, the incident triggered internal investigation, law enforcement coordination, and public disclosure processes appropriate to the scale of affected consumers and the sensitivity of the data.
Customer notification and remediation (2005)
ChoicePoint initiated consumer notification and remediation efforts consistent with evolving state breach-notification expectations and FTC investigative scrutiny. Remediation themes in public materials emphasized tightening verification, monitoring for fraudulent account creation, and strengthening internal governance over data access.
FTC enforcement and settlement (2006)
In January 2006, the FTC announced a settlement that, as summarized in the Commission’s press materials, required ChoicePoint to pay $10 million in civil penalties and $5 million in consumer redress. The stipulated final judgment and order imposed injunctive terms requiring a comprehensive information security program with documented assessments, monitoring, oversight, and reporting designed to reduce the risk of future unauthorized access.
The matter is indexed in FTC proceedings as ChoicePoint, Inc., Matter No. 052-3069.
Subsequent program obligations
Following the order, ChoicePoint’s obligations included ongoing compliance, independent verification where specified, and recordkeeping suitable for FTC oversight. Later industry practice used ChoicePoint as a benchmark for data broker governance, subscriber due diligence, and fraud monitoring in consumer reporting and related markets.