Consumer Database Company Hacked
fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.
You're amazed by this? (Score:5, Interesting)
This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
Legal responsibility (Score:5, Insightful)
That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur due to dissemination of private information.
Re:Legal responsibility (Score:4, Insightful)
Hacker? If I walk away with the source code I'm writing for my current company, does that make me a hacker? Of course not. If this guy (who could be the data protection officer for all we know) took away the data in his keeping, that doesn't make him a hacker either.
Similarly - all the posts about 'if you can't keep it secure you shouldn't have it' are stupid - with that argument, absolutely no-one should be able to keep the data... and therefore no-one should have a credit card.. and we should all go live in wigwams like nature intended, man.
Re:Legal responsibility (Score:4, Insightful)
No they aren't stupid. It is a very different thing to have possession of your own private information, and to have possession of many other peoples' private information. I can and do protect my own credit card. But if a company is holding my private information, there is nothing I can do to keep it secure. Therefore I still say, don't keep my sensitive data on file if you aren't willing to or can't protect it.
Re:Legal responsibility (Score:5, Insightful)
The impossibility of absolute protection, however, doesn't relieve the company from responsibility. The company is responsible for taking all reasonable measures to protect my data. If they do not do so, they are (or at least should be) criminally negligent. If they do take reasonable precautions and a violation occurs anyway, they're at least responsible for notifying me that my information has been compromised, identifying the vulnerability that led to the violation, and taking steps to ensure that it doesn't happen again.
Re:Legal responsibility (Score:4, Interesting)
They gather data from all sources...warranty registration cards, state drivers' licenses, Change of Address (Postal)...heck, one of my projects involved cutting the binders off phone books, running them through an optical scanner, and parsing and storing in a database. They use algorithms to find the 'correct' data on all individuals possible. They use this to 'clean' other companies' data. They do sell mailing lists...they even clean and manage the data for the credit bureaus. So...no, they do not house trivial data.
If TIA needed a source for data ready...I'd recommend Acxiom, if someone hasn't already thought of it.
Was a nice place to work for..but, being a privacy person...it did conflict with what I believe in in many cases.
Re:Legal responsibility (Score:2)
Personally, I'm amazed by the number of people who constantly complain about taxes, lack of promotion/raises at work, or any other excuse to ex
Re:Legal responsibility (Score:3, Insightful)
BTW, debt load is a choice. My wife and I pay interest only on our mortgage, cars, and her student loan. We use credit cards for nearly everything, but they're paid in full each and every month.
Without more details on the case I can't say whet
Re:Legal responsibility (Score:4, Insightful)
They aren't. They're more expensive in fact -- they usually have a per transaction fee on top of the exact same percentage that the credit card takes. At the very least they're the exact same cost as credit cards with less consumer protection.
Cash gives you absolutely no protection against bad merchants or merchandise, while credit cards give you several protections and guarantees. Very few companies give cash discounts (and you cannot charge extra for using credit -- if you do, you'll lose your merchant account). Not to mention that credit cards are a helluva lot more convenient than cash for most transactions.
If you can't manage your finances, go ahead and use debit cards or cash. We can, and do, and getting 30-60 days of free float is nice, plus the various additional protections credit cards provide. In fact, I find it humorous that your advice is in direct opposition to the advice given by consumer advocates. Sorry, I'm not a retailer. I see no reason to offer them extra money. If they don't feel that credit cards are worth the costs, then they can decline to accept them. Of course, I may decline to use their services at that point -- and probably will if I need to pay more than $20 for whatever I'm buying.
Re: on credit cards (Score:3, Insightful)
Sure there are laws. But do you want to waste your time trying to get your cash back, or would you rather tell your bank/credit card company/whoever that the service/merchandise/whatever wasn't provided, have them refund you your money quickly and easily, and then let them go about squeezing blood from the stone?
Personally, I know which one I'd choose. I'll take the o
Re:Legal responsibility (Score:2, Informative)
Re:Legal responsibility (Score:5, Interesting)
Can I interest you in a write only drive array?
It seems any crime perpetrated within 500 yards of a computer is now termed "hacking".
Re:Legal responsibility (Score:5, Insightful)
1) Logging
2) Audit
3) Privileges
4) Accountability
5) Background-check
Re:Legal responsibility (Score:5, Insightful)
It is as silly to call this hacking as it would be to call a bank manager's embezzlement, "safecracking".
Re:You're amazed by this? (Score:2)
root considered harmful (Score:2)
Re:You're amazed by this? (Score:5, Informative)
My CC was compromised at some point. I am unaware, but CapitalOne contacted me last year sometime and said they were sending new CCs out because something got compromised. Was fine with me, no hassle as they like to say.
But I also learned that a lost/stolen report showed up on my credit report. Unsure how this is viewed by creditors. I hope it's just a note as to why the account was closed and not something that would ever look suspicious.
Who watches the watchmen? (Score:3, Insightful)
At some point, at some level, there will be someone (or a group of people) with access to information who would not have a watchman over his shoulder -- how can you be sure you can trust them?
Pre-screening of employees and logging of all transactions is necessary, but some times you just can't deny someone access to something if it hinders their work significantly (e.g. the work they were hired for in the fir
Re:You're amazed by this? (Score:2)
I don't see how this is amazing. I mean someone has to have access to this data or the data would be of no use. Someone has to run the jobs to collect the data to put on tape to sell to outside firms. DBAs have to have access to the tables to fix indexes, table corruption, etc. Now if they didn't have a background check, that would be amazing.
Re:You're amazed by this? (Score:3, Insightful)
You're kidding, right? If you hired me for a DBA job as an administrator, then told me that administrators aren't allowed to look at the database, that would be kind of ridiculous, wouldn't it?
Let's rephrase this scenario.
Say an Air Force pilot goes AWOL and drops a devastating bomb causing lots of harm. Here's what that quote would sound like:
"It amazes me that that the Army woul
Re:You're amazed by this? (Score:2)
Really? So you've worked at one of these companies then?
Oh. You haven't.
So you have friends or family that do?
Oh. You don't.
So you're just wildly postulating on shit you don't know anything about?
Of course. This is
Well, hate to say it, but I have worked at one of these companies, and I have family in a similar lin
shit... (Score:2)
corporate speak (Score:5, Funny)
Translation: The names of the directories weren't personal data...The files in the directories? well they had the SSN/DOB/Address etc. So, technically, some of the data was personal and some wasn't.
make sure you Opt Out (Score:5, Insightful)
sometimes it's good to use the system
Re:make sure you Opt Out (Score:2, Interesting)
sometimes it's good to use the system ...
Even better, is there a way I can flood the system with fake data? Multiple DOBs and mother's maiden names associated with my SSN?
Re:make sure you Opt Out (Score:5, Insightful)
Re:make sure you Opt Out (Score:4, Informative)
What it does do is ensure that they won't send you marketing offers and that they won't sell your information to others for the same purpose. The latter is the important bit.
If you actually want them to remove your data from the system, then you'd better be prepared to cease doing business with them and any of their subsidiaries/partners. Which in the case of Acxiom is a rather large portion of the US.
Re:make sure you Opt Out (Score:5, Interesting)
Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.
Re:make sure you Opt Out (Score:2, Insightful)
Give them as much fake data as you can get away with. Most of the time there's no reason a company needs your phone number,
That goes especially for websites / software you need to download,
I can't remember the times I said I was a 90 year old Afghan woman that works as a computer programmer and who has an income of >100000$ :)
Re:make sure you Opt Out (Score:3, Insightful)
That we have to opt-out of "partner sharing agreements" is absurd. The rule should be opt-in, but that's not how it was written, and it sucks. Or if it's opt-out, the term should be for life -- not for a freaking year.
And no, I'm not one of those privacy nuts. I've actually worked in the system. I've coded for it. And I'm
Insiders (Score:5, Interesting)
Is this really newsworthy?? (Score:5, Insightful)
Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.
Re:Is this really newsworthy?? (Score:4, Insightful)
Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all?
Yes, in that it illustrates one of the dangers of data mining; you can't always trust the mine companies or the miners they hire.
Insofar as that "danger" affects anyone whose personal information could end up at a provider like Acxiom, it is relevant to, say, 95% of the /. readership.
Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO.
There's this new thing called "Identity Theft [identitytheft.org]" that kind of sucks to be a victim of. Maybe you've heard of it?
The same can't be said about Hotmail hacks or even Windows hacks.
*snort* Yeah, cause, you know, Junior's inane personal email is MUCH more important than his financial record.
Re: Is this really newsworthy?? (Score:5, Insightful)
> Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.
If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers. Who will of course ultimately pass the costs back to the customers.
There's a lot of PR convenience for "losing" thefts this way, and spreading the costs out thinly. But the cost is still there, and it's real.
more than just credit cards, too (Score:3, Interesting)
You mean you wouldn't like to know? (Score:2)
Perhaps, but it would still be nice to know if it's likely to happen, wouldn't you think? If I wanted/needed to change my credit card numbers, I'd rather do it proactively than after the fact. It's easier to clean up the mess, if nothing else.
Identity Theft (Score:2)
Of course this is newsworthy. Every time one of these companies has a security breach because of stupidity and unpreparedness, the news should be spread as far and wide and as loudly as possible. It would seem that corporate embarrassment and public outcry are the only way to get through to these companies.
With the gro
Re:Is this really newsworthy?? (Score:2)
If this database had sufficient information (and note it was mentioned they served credit bureaus) this is a real problem. Now the jerk is actually using my data to borrow
Acxiom vs. the government (Score:5, Informative)
Acxiom warned TRUSTe members [truste.org] in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.
I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.
Re: Acxiom vs. the government (Score:5, Insightful)
> I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.
Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.
Just a minor note - (Score:2)
Acxiom wasn't listed first because they were the bi
Contradictory (Score:5, Insightful)
So not a hacker then. Or a cracker either, to keep another section of the crowd happy.
This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.
Cheers,
Ian
Re:Contradictory (Score:5, Informative)
I don't think it is as simple as that. Just because it is an inside job doesn't mean that the company does not have lax security.
I have worked on software systems for the management of transaction data for some major banks. Do you think they gave me access to their databases to do the work? No way Jose. They gave me access to duplicate systems with dummy data. Only a very few people had access to the 'real' data (even within the bank) and even then their access was strictly controlled - I mean they had to get permission to get physical access to terminals that could access the data, and they had to justify why, and all their actions were logged.
Anecdote - I once was working in a bank's bomb-proof super-secure data room doing an install on one of their transaction processing systems. The install took a while and I was bored out of my mind. I was idly curious to see what was on the screen of one of the many terminals in the room, so I touched the space key to activate the monitor. About two minutes later the room was full of bank security guys asking what the hell I thought I was doing.
Re:Contradictory (Score:2)
Re:Contradictory (Score:3, Funny)
colocation? offsite backups? fully redundant systems?
operation mayhem will have to make note to be thorough.
Re: Contradictory (Score:2)
> This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.
I would say that if it was a simple matter of peeking, but since the employee apparently downloaded some of the data without them knowing it I would say that there's a problem with their security policies and
Re:Contradictory (Score:3, Insightful)
I'd argue that human and physical security are probably the two *most* important aspects of information security. It's pretty obvious that the person with physical access to the machines on which information is stored has rather an impressive leg up in compromising any security procedures that might be in place, let alone systems where users can saunter straight into t
Re:Contradictory (Score:2)
Or maybe of their firing policies. Maybe the guy somehow got wind that he was on the list for next month, and decided to do something... In this economy, this seems more likely.
You should know better... (Score:3, Informative)
So not a hacker then. Or a cracker either, to keep another section of the crowd happy.
*sigh* You should know better than to trust the poster, headline, the commentary, or the summary of any story posted to Slashdot. I know it is odd, but this isn't a news site where "editors" verify things that are posted. As always, RTFA...
Re:Contradictory (Score:3, Insightful)
Actually they used their existing access to gain new privileges, cracking (or guessing) passwords in the process.
Nevertheless, it's an important point to reflect on what "legitimate access" means. Most companies allow any employee access to all of their data, especially smaller companies. Publicly traded companies usually take better care of strategic information, but not of their customers' private data, at all.
While the army won't let you see any 'se
Sorta surprised.... not really (Score:2)
When I first started, I found out there's a bunch of clients (many medical), but when we install, we usually use simplistic passwords. Simplistic as in Roberts' wordlist. We don't even change them either. We also have a WinNT4 domain controller for our internal fileserver that simply shares 4 directories. ALL OF THEM HAVE GLOBAL +RWX ON EVERYBODY.
Even the school I go to has decent protections on thei
Re:Sorta surprised.... not really (Score:2)
Re:Sorta surprised.... not really (Score:2)
I'm a troll. That's a karma-whore'ish comment so I can continue to troll.
Or that's what I want you to believe.
What about Calif. law requiring disclosure? (Score:3, Interesting)
Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?
Just wondering how all of this may play out...
California? (Score:2)
I'm not in CA, but there's a strong likelihood someone from CA had data in this system.
identity theft very unlikely (Score:2)
Ha!
Chances of identity theft are high even when the data is not stolen.
I wouldn't call this a hack (Score:3, Insightful)
Data "embezzling" (Score:2)
Acxiom - facilitating spam (Score:4, Informative)
Basically a client supplies information about the consumer (name, partial address, etc.) to Acxiom. Acxiom then takes their best guess as to what the email address for the consumer might be.
The problems with this approach come when you have a common name and your address information is incomplete. Acxiom will happily give the client the best guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.
But, hey, you can always opt-out...one client at a time...
Proletariat of the world, unite to kill spammers
Person with permission to access = Hacked? (Score:2, Insightful)
I'm no walking dictionary, but I thought the word "hack" (translated as "crack" to technical folks- I don't even want to open that can of worms)-suggested someone somehow getting access to something that they do not legitimately have access to.
Re:Person with permission to access = Hacked? (Score:3, Interesting)
What were they thinking when they set up that server? No client should be able to see any other client - it should look like they have the server to themselves.
What do you expect? (Score:4, Insightful)
Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.
Anyway, with the current corporate situation, and the examples set by Microsoft et al, IT has grown into an industry with no personal responsibility and very questionable morals.
I can't say this surprises me much.
You're just too sensitive (Score:2, Funny)
I can say this about this gun I'm pointing at you: much of it is inert material.
BBBOnline (Score:5, Informative)
General Conditions
The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.
The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.
The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.
A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.
Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.
Re:BBBOnline (Score:2)
All those little seals require money, and when you pay them and fit in a couple of general rules, you get it. Easy as that. Yes, it's stupid, but for some reason consumers really think it's safer to shop with a company that has a seal than with those without one... even if they both use SSL certificates that are "signed" by the lofty security people (Verisign, Thawte, etc.) rather than their own servers.
RTFA! (Score:5, Insightful)
Geez, even the submitters don't RTFA, do they? From the NYT:
The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?
Why should this surprise you? (Score:3, Interesting)
And why should this "amaze" you? At some level in any company there needs to be people who can do this. Your human resources department has a ton of information about you that they can pretty much look at whenever they want. Medical professionals are the same way. If you are an interesting case, do you honestly believe doctors/nurses will not talk about you? You are naive if you think that, despite laws (HIPAA) prohibiting such behavior.
You need to be able to trust these people and while there does need to be security and surveillance of people with access to sensitive information, you can't keep them completely away from it. This is especially true in a company (or government agency) whose business is based upon such information. It's also nearly impossible to prevent a knowledgeable insider from getting access to sensitive information, so I'm double confused why this should be surprising.
While it is unfortunate that it happened, the fact that it happened should "amaze" no one. Give enough people a chance to make money by breaking the law and guess what? Some of them will.
Nothing to see here. Move along...
Apparently some people aren't reading the postings (Score:2)
Not sure why I'm responding to an AC but I did RTFA. I wasn't responding to that. I was responding to the stupid comment about the article in slashdot by the submitter.
Pot, kettle, black...
Notify them anonymously (Score:2)
Given the level of technical expertise I've come to observe in most medical offices (translation: extremely low) they probably will not get it. The best thing you could do (if you are worried about lawsuits & such) is to notify them anonymously and include some relevant articles from trusted sources they might recognize. (PC Magazine, etc)
Easily Amazed (Score:3, Insightful)
It's scary how common lax security is internally. (Score:2, Interesting)
Well, duh. (Score:2, Funny)
Uh, yeah, at the risk of -1 redundant, of course an insider will be able to browse private data at will. _Someone_ has to be able to get to the data, unless you're postulating SkyNet.
I suppose this could have been a hack, if this person became employed at the company in order to get the data -- that comes under social engineering hacks (and industrial espionage). But "disgru
Oh, THAT Acxiom... (Score:2, Interesting)
A silly writeup for a silly story (Score:5, Insightful)
What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals [pointofsalezone.com] and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?
I have access to such sensitive data (Score:3, Interesting)
You cannot protect yourself against all your employees, because at one point or another you have to have some trust (at least at invoicing time). So IMO this is no news here, and I would barely call that hacking. Rather insider stealing.
certifiable maybe (Score:2)
Not no more they aint
Three words (Score:2)
Some more details of the theft (Score:3, Funny)
He then had to play tic-tac-toe against a chicken, and decide if 'Eliza' passed the Turing test to actually access the data.
Once it was fully printed on tractor feed paper, he then had to bribe a small child with Pokemon cards, and juggle three rolls of tape and sing 'You Are the Wind Beneath My Wings' in front of Ryan Seacrest in order to abscond with the wheelbarrow full of printouts.
I think we can all agree that security was not at issue here, it certainly had to be an inside job.
HIPAA's ahead of this, why? (Score:2)
Actually it was "a former employee of an Acxiom client." Not exactly an inside job for Acxiom -- sounds more like the problem was really at the client's end?
The U.S. health insurance and medical "industries" are seriously under the gun with this s
Company In Denial (Score:3, Insightful)
Oh, and some kind of link to an article would have been nice.
Uh-huh... coincidence? (Score:3, Interesting)
Two Ways to Help Solve This Problem (Score:3, Insightful)
We obviously need to push for similar requirements used to secure our medical information. [hhs.gov]
While some may argue that it will increase the cost of doing business, the leeches who profit from our personal info without our consent don't deserve our sympathy. There are many companies that buy and sell our personal info daily without our consent or knowledge.
Besides, having rules for security related to our personal info will create new jobs as existing systems are modified and business processes are reengineered. Perhaps even more jobs than HIPAA [hhs.gov].
Perhaps an even better solution is to require our written consent before any company sells our personal info to another and the consent deemed non-transferable.
so how do you stop it? (Score:2, Insightful)
Look on the bright side! (Score:3, Funny)
A repeat of what normally happens... (Score:2)
Read ANY security analysis and they will always tell you that the weakest link in the security chain is always the human operator.
This weakness comes via one of two things: social engineering by an outside cracker, or privileges being abused by an inside employee e
There is no privacy, so just be vigilant (Score:5, Insightful)
I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.
At any point, someone who has been with the company for only a few days would be able to change your 401(k) investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.
Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidentally wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week-old backup and guessed about what the updated amounts should have been.
Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you won't even know that we are managing your benefits.
This is the world we live in. There is no privacy any more and nothing is ever truly secure.
The real world (Score:3, Insightful)
A good thief/crook/whatever is someone who exploits this feeling of security, not breaking into a secure system.
This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.
Easily amazed. By Slashdot. (Score:5, Insightful)
THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.
Second rule?
The people inputting the data cannot query the data.
Third rule?
The people who query the data, cannot modify the queries.
The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.
I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."
Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.
I'd be fucking sour on US 'techs', too.
Former Acxiom Developer (Score:5, Informative)
I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers' (not the whole company's, just the customers who used our tool) data. This was absolutely necessary for us to track down client-specific problems.
The company did have very good policies restricting data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. many many many terabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.
More than once people were fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..
The person that did the 'break in' was likely either a programmer or more likely a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year-old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eyebrows. I know this was raised as a security concern at some point..
I hate to say it but... (Score:3, Interesting)
In this case, the law should be to regulate how "consumer information" is stored, protected and regulated. The "Fair Credit Reporting Act" does many nice things for the consumer but clearly not enough with the constant threat of misuse of information.
First of all, I would like to see the use of social security numbers more tightly regulated in the form of requiring a business or individual to have a FEDERAL LICENSE to collect and use such information. We all know the SSNs are the primary key to all of the rest of the information collected on us. The law states that SSNs are only for the purpose of managing your social security account. Not for any other purpose. Law states that no other institution, private or public, can require that you disclose that information for any other purpose. That said, you can and are routinely required to disclose this information else you will be denied credit and/or many other factors of "modern life" in the USA. These abuses can be battled but I do not see a victory against this proliferous abuse.
But with more controls in place regulating the use of this information and PUNISHING those who do not handle it properly and by revoking a business license to use it and by criminally prosecuting individuals found responsible for illegally collecting this information, we can hope to contain the damage done to privacy in the U.S.
Identity fraud has been identified by various security agencies in the US as a threat to homeland security as it has been found that profits gained through "identity theft" are in fact funding terrorist organizations. Lax security does not only endanger individual credit or individual identities, but endangers the safety of the entire US public at large.
We can protect our country by requiring that those who do business by collecting our information do so in a safe way. If a data system is identified as unsafe (for example, a MS Access database) then that business function should be enjoined to halt activity until it can be migrated to a "safe" system that is deemed safe by the public agency that deems the system as being safe for holding this class of data.
This agency would be the equivalent of the FDA. Who knows what it would be called (there are a lot of creative minds out there who could create a clever acronym for a "Federal Privacy Agency"... so let's hear some ideas) but its function should be to police and regulate the use of private information. It should, however, be barred from collecting private information itself except where it is using such information as a way to conduct investigations.
Because technology has improved significantly in the past 30 years, I think new law should be in place to protect consumers from identity theft. We need regulation of WHO can legally collect information, HOW it can be used, WHO it can be sold to and how the clients can use it themselves. Within that usage criteria, how it is stored and maintained should be strictly regulated. We have laws that regulate how food vendors store and distribute food, so why not critical and vital information?
Acxiom knows more about you than any other company (Score:3, Informative)
You have a new lifestyle magazine designed for the 30-40 year old programmer, making between $40k and $60k, and owning at least one ferret? Acxiom will get you a list with most every one of those living in the geographical region you want.
Re:What OS? (Score:2)
Since you seem to think that a few months with no break-ins is a noteworthy accomplishment, you unintentionally highlight the fact that Windows/IIS is well known for break-ins.
Those of us who have done more than a dozen installs over the course of more than a few months are well aware of the overall security trends of the various platforms.
DBA != Legitimate access to data! (Score:2)
Of course a DBA can grant himself access to data, but such changes in policies should be logged into an audit trail file, which must be unalterable by the DBA, and inspected on a regular basis by a sysadmin o
Re:Not so worried (Score:2)
One of my first jobs was running some hot laser printers for a junk mailer. I believe we used lists from Acxiom. The most damage you could do with one of these lists would be to shill for publishers clearing house. No identity theft with this list.
Ya think maybe they don't sell the full details to junk mailers who only want to do mailing lists?
Wake me when it's a credit card/banking database.
Acxiom does have services customized to Financial Services [acxiom.com], Healthcare [acxiom.com] and Insurance [acxiom.com], among others [acxiom.com]. I be
Re:BBBOnline?? (Score:2)