Credit and personal information vendor ChoicePoint Inc. took a $6 million charge in its second quarter, which ended June 30, citing costs associated with the theft of personal information on 145,000 consumers, the company said yesterday.
The $6 million was used for legal expenses and other professional fees related to the data theft, Alpharetta, Ga.-based ChoicePoint said in a statement [1].
The second-quarter charge came on top of a $5.4 million charge the company had to take in the first quarter related to the same incident. That first-quarter expense included $2 million spent on communications to the affected consumers and for providing those people with credit reports and credit monitoring services. Approximately $3.4 million went for legal and professional fees, ChoicePoint said.
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to approve loans, leases and other contracts.
In February, ChoicePoint said the data theft occurred when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers." (see "State officials push ChoicePoint on ID theft notifications")[2].
Information provided by ChoicePoint has since been used in about 750 identity-theft scams, according to the company.
"It's becoming more expensive [to handle these security breaches], and the reason it's becoming more expensive recently is because of the new notification laws," said James Van Dyke, principal analyst at Javelin Strategy & Research, a Pleasanton, Calif., financial consulting firm. "So we have every reason to believe that data breaches like that at ChoicePoint, sadly, have actually been going on for longer than most people realize....
"It's laws such as those in the state of California and other parts of the U.S., requiring new notification, that are bringing these cases to light," Van Dyke said. "ChoicePoint happened to be the first big one after these notification laws [went into effect]. We'll see investments like that of ChoicePoint as these companies seek to avoid the kind of a death sentence CardSystems received from American Express and Visa. Companies like ChoicePoint will spend this money on public relations, procedures and on partner relations."
Earlier this week, Visa U.S.A. Inc. and American Express Co. said separately that they are terminating contracts with CardSystems Solutions Inc., a credit card transaction-processing company that was hit by hacker attacks, potentially exposing 40 million card numbers to online intruders.
The companies said CardSystems, in Atlanta, didn't meet contractual requirements in providing processing services for merchants that accept the credit cards. As a result, they will no longer allow CardSystems to process their transactions after October.
Those decisions come in the wake of the announcement last month from MasterCard International Inc. that 13.9 million of its credit card numbers were among the 40 million that may have been accessed by intruders who infiltrated CardSystems' network (see "Security breach may have exposed 40M credit cards")[3]. Unlike Visa and Amex, MasterCard plans for now to continue doing business with CardSystems because it has taken steps to improve security.
Despite the second-quarter charge, ChoicePoint posted a second-quarter profit of $36.4 million, or 40 cents per share, compared with $36.3 million, or 40 cents per share, in the same quarter a year ago.
Earnings per share for the most recent quarter included a 4-cent-per-share charge to cover the expenses related to the data theft.
"I am extremely pleased with the continued revenue-growth momentum this quarter," said Derek V. Smith, chairman and CEO of ChoicePoint. "Additionally, we implemented key changes that reduced the risk of our business model and reinforced our leadership as a responsible information company."
[1] http://choicepoint.com/choicepoint/news.nsf/(webhotbox)/E5DA762464E269E= C8525704300749EA4?OpenDocument
[2] http://www.computerworld.com/securitytopics/security/story/0,10801,9988= 6,00.html
[3] http://www.computerworld.com/databasetopics/data/story/0,10801,102631,0= 0.html