ChoicePoint, one of the largest US data brokers, disclosed in February 2005 that fraudsters had created approximately 50 fake business subscriber accounts using stolen identities to gain legitimate access to ChoicePoint’s data brokerage services. Through these authorized accounts, they purchased and exfiltrated approximately 163,000 consumer records containing names, Social Security numbers, addresses, phone numbers, and other personal identifiers — the exact data needed for identity theft and fraud. Approximately 800 identity theft cases were linked to the stolen data. ChoicePoint paid a $10 million FTC civil penalty (the largest ever at the time) and $5 million in a consumer redress fund. The incident is historically significant beyond its scale: it was the first major US breach to trigger California’s breach notification law (SB 1386, the first such law in the US, requiring notification of California residents), and accelerated the passage of data breach notification laws across nearly all US states. It demonstrated that data breaches need not involve ‘hacking’ — social engineering and fraudulent access to authorized systems can be just as devastating.