Data broker ChoicePoint Inc. was hit with a record $10 million fine by the Federal Trade Commission yesterday for lax security and sloppy policies that allowed sensitive financial data on tens of thousands of consumers to be stolen.
So far, the breach, which happened more than a year ago, has spawned 800 victims of identity theft, the agency said.
ChoicePoint, which acknowledged that financial records on more than 163,000 Americans had been compromised, agreed to pay $5 million to aid consumers whose identities were stolen. The company admitted no wrongdoing.
ChoicePoint collects data on individuals, including birth dates, Social Security numbers and credit histories, and sells the information to third parties such as banks, insurance companies and the government.
The company, based in suburban Atlanta, had $1 billion in sales last year.
The data breach involved thieves posing as small business customers to gain access to consumer records. The crooks were successful because ChoicePoint "failed to implement reasonable and appropriate procedures" to protect the records, FTC Chairman Deborah Platt Majoras said in a news conference.
ChoicePoint sold consumers' confidential data even though applications raised obvious red flags, she said. Applicants lied about their credentials, used commercial mail drops as business addresses and gave phone numbers that were disconnected, she said.
The perpetrators who fraudulently obtained the information from ChoicePoint are under criminal investigation, Ms. Majoras said.
Several lawmakers yesterday called for more oversight of the loosely regulated data-brokering business.
"I remain concerned that almost a year after revelations of data security breaches at ChoicePoint, Congress still has not provided Americans with what they urgently need -- tough privacy safeguards to keep personal information secure," said Rep. Edward Markey, D-Mass., who has introduced two bills on the subject.
Ms. Majoras said consumers benefit from the sale of personal financial information, which gives them access to instant credit and insurance coverage, and that government agencies use the information to track down criminals and deadbeat parents.
But she said companies must get the message that private data has to be protected.
"If they don't, we will step in and take action," she said, adding that Congress may have to enact additional safeguards, such as a law requiring public disclosure when customer data is compromised.
ChoicePoint disclosed the breach in February 2005, four months after it was discovered. In part, it was complying with California's security breach notification law. Pennsylvania recently enacted a similar law, which takes effect in June, although consumer advocates have criticized it as being too weak.
Under the FTC settlement, ChoicePoint must implement reasonable procedures to ensure it gives consumer reports only to legitimate businesses for lawful purposes, and must audit subscribers' use of the reports. In some cases, the company will be required to make personal visits to sites to verify applications, the FTC said.
The settlement also requires ChoicePoint to establish an information security program and obtain audits by an independent third-party security professional every other year until 2026.
The company faces other problems stemming from the breach, including several lawsuits and a Securities and Exchange Commission probe of stock trades made by top executives before the breach was made public.