Data Firm Exposes Records Online

An internal database operated by Choicepoint, which sells dossiers on individuals to private companies and the government, was left viewable to anyone with a Web browser. By Brian McWilliams.

Choicepoint, a database firm that sells information about individuals and companies to clients, including the FBI and insurance firms, left an internal corporate database viewable to anyone with a Web browser, the company confirmed.

A Choicepoint spokesman characterized the exposed databases as "administrative" and said that data gathered on behalf of Choicepoint's clients -- such as background screens, pre-employment drug tests, military history checks and insurance fraud investigations -- were never exposed during the security gaffe.

Choicepoint has two kinds of databases. One type is administrative, internal corporate data such as any company has. The other type is data that it sells to customers. Choicepoint spokesman James Lee said that only the administrative data was exposed.

"There are no privacy implications here, but from a corporate security standpoint we take this very seriously," Lee said. He said that the company was conducting a thorough security review.

The improperly secured corporate archive, which may have been exposed for several weeks, was discovered earlier this month and reported to Choicepoint of Atlanta, Georgia, by a group of security enthusiasts in France named Kitetoa.

A catalog of Choicepoint's internal documents, housed in an IBM Lotus Domino database, was publicly accessible from the company's website, according to independent confirmation. By drilling down into the catalog, any visitor to the site could retrieve an array of proprietary corporate information.

As of Monday evening, the database catalog was inaccessible and documents within it were password-protected.

Prior to being locked down, a quick perusal of the insecure database turned up, for example, medical facility inspection reports used in Medicaid fraud investigations. A database containing customer leads was also accessible.

"If reaching this information is so simple, imagine what a true cracker would do with it," said a member of Kitetoa in an e-mail interview, noting that the front door of Choicepoint's site brandishes a seal indicating the company is a licensee of the Truste privacy program.

Lee said Choicepoint, which had year 2000 sales of $593.5 million, was still investigating how long the database had been improperly secured. But he said a security audit at the beginning of the year revealed no such vulnerabilities.

While security holes in Web servers and operating systems may grab more headlines, customized Web applications such as Domino are often riddled with administrator-inflicted security vulnerabilities, according to Greg Shipley, chief technology officer for Neohapsis, an information security firm based in Chicago, Illinois.

"We see this all the time in corporations. It's a big threat," Shipley said. "The operating system administrator may have the box locked down tight, but the Lotus admin may not be as security conscious. You screw up your Lotus security modeling, and it's a fiasco for the entire site."

Lee said Choicepoint, the biggest supplier of data to law enforcement, primarily hosts its information products in Oracle databases on "totally separate systems" with limited Web access. One of Choicepoint's sites, for example, enables government clients to log in to an information system using telnet.

Choicepoint is not the first high-profile database company to have its security practices exposed by Kitetoa. In March 2001, online ad giant DoubleClick confirmed Kitetoa's report that attackers had placed a back-door program on the company's Web server and had viewed files on another server hosting its Abacus Online database.

After Choicepoint signed a contract in 2000 to provide the FBI with dossiers on individuals, the big data aggregator was embarrassed when privacy expert Richard M. Smith ordered a copy of his Choicepoint file and discovered several glaring errors, including that he had died 25 years earlier.

Kitetoa said it first notified Choicepoint about the database vulnerability by e-mail on Jan. 15, but got no response. According to Lee, the company has no record of receiving any e-mails from Kitetoa, although he confirmed that three @choicepoint.net e-mail addresses used in the group's message -- webmaster, postmaster and privacy -- all were functional and regularly read by Choicepoint staff.