Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Privacy

Consumer Database Company Hacked 286

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into a Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.
This discussion has been archived. No new comments can be posted.

Consumer Database Company Hacked

Comments Filter:
  • by James A. A. Joyce ( 681634 ) on Friday August 08, 2003 @08:51AM (#6644331) Journal

    "The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will."


    This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
    • by Doesn't_Comment_Code ( 692510 ) on Friday August 08, 2003 @08:54AM (#6644366)
      While it isn't really anyones fault if a good hacker gets to them (especially on the inside!) This raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!

      That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur do to dissemination of private information.

      • by gbjbaanb ( 229885 ) on Friday August 08, 2003 @09:01AM (#6644442)
        whatever makes you think it was a hacker - the employee had accss to the data, copied it off and took it away. No doubt he tried to sell it and was caught doing so.

        Hacker? If I walk away with the sourcecode I'm writing for my current company, does that make me a hacker? of course not. If this guy (who could be the data protection officer for all we know) took away the data in his keeping, that doesn't make him a hacker either.

        Similarly - all the posts about 'if you can't keep it secure you shouldn't have it' are stupid - with that argument, absolutely no-one should be able to keep the data... and therefore no-one should have a credit card.. and we should all go live in wigwams like nature intended, man.
        • by Doesn't_Comment_Code ( 692510 ) on Friday August 08, 2003 @09:13AM (#6644530)
          all the posts about 'if you can't keep it secure you shouldn't have it' are stupid ... and therefore no-one should have a credit card

          No they aren't stupid. It is a very different thing to have possession of your own private information, and to have possession of many other peoples' private information. I can and do protect my own credit card. But if a company is holding my private information, there is nothing I can do to keep it secure. Therefore I still say, don't keep my sensitive data on file if you aren't willing to or can't protect it.

          • by B'Trey ( 111263 ) on Friday August 08, 2003 @09:21AM (#6644614)
            Yes and no. If you have my data, it's your responsibility to keep it protected. That being said, no system is foolproof. Particularly, it's impossible to completely protect data from insiders - people who have legitimate access to the data but choose to abuse that access.

            The impossibility of absolute protection, however, doesn't relieve the company from responsibility. The company is responsible for taking all reasonable measures to protect my data. If they do not do so, they are (or at least should be) criminally negligent. If they do take reasonable precautions and a violation occurs anyway, they're at least responsible for notifying me that my information has been comprimised, identifying the vulnerability that led to the violation, and taking steps to ensure that it doesn't happen again.
        • Personally, I think that getting rid of credit cards, or at least the whole credit rating system that dominates so much of Western business, wouldn't be that bad of an idea. While Americans are better off in terms of income than just about every other country out there, they also have rediculous debt loads -- i.e., on the order of 1.5 to 2 times their yearly income.

          Personally, I'm amazed by the number of people who constantly complain about taxes, lack of promotion/raises at work, or any other excuse to ex
          • I could debunk your concept in detail, but I'm lazy and will simply refer you to another post of mine [slashdot.org]. There's actually a couple other posts of mine under it that more closely hone to your wish of eliminating the credit rating system, and why it would be a Bad Thing.

            BTW, debt load is a choice. My wife and I pay interest only on our mortgage, cars, and her student loan. We use credit cards for nearly everything, but they're paid in full each and every month.

            Without more details on the case I can't say whet
        • According to this version [siliconvalley.com], the person in question wasn't an Acxiom employee but rather a former employee of one of their clients who still had legitimate access to the server in question (so his employers had been lax in notifying Acxiom to shut off his access). OTOH, the article also mentions that data from several of their clients was compromised, albeit in encrypted form, which is still somewhat shoddy for a company of this type: if the guy had been able to access his ex-employer's data then the blame is
      • by minus9 ( 106327 ) on Friday August 08, 2003 @09:29AM (#6644682) Homepage
        Somebody inside the organisation has to have access to the data, otherwise why bother storing it.

        Can I interest you in a write only drive array?

        It seems any crime perpitrated within 500 yards of a computer is now termed "hacking".

    • Who knows? It could have been a sys admin with root-level access. But still, had there been a decent accounting procedure in place, they would have known when the information was taken.
    • by dnoyeb ( 547705 ) on Friday August 08, 2003 @08:58AM (#6644400) Homepage Journal
      What amazes me is this was not a hack, it was an inside 'job' if you can even call it a job. So please ./ drop the 'database hacked' tagline.

      My CC was compromised at some point. I am unaware, but CapitalOne contacted me last year sometime and said they were sending new CCs out because something got compromised. Was fine with me, no hassle as they like to say.

      But I also learned that a lost/stolen report showed up on my credit report. Unsure how this is viewed by creditors. I hope its just a note as to why the account was closed and not something that would ever look suspecious.
    • "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.

      At some point, at some level, there will be someone (or a group of people) with access to information who would not have a watchman over his shoulder -- how can you be sure you can trust them?

      Pre-screening of employees and logging of all transactions is necessary, but some times you just can't deny someone access to something if it hinders their work significantly (e.g. the work they were hired for in the fir
    • "It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will."


      I don't see how this is amazing. I mean someone have has to have access to this data or the data would be of no use. Someone has to run the jobs to collect the data to put on tape to sell to outside firms. DBA's have to have access to the table to fix indexes, table corruptions etc.. . Now if they didn't have a background check, now that would be amazing.
    • It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.

      You're kidding right? If you hired me for a DBA job as an administrator then told me that administrators aren't allowed to look at the database that would be kinduv rediculous wouldn't it?

      Let's rephrase this scenario.
      Say an Air Force pilot goes AWOL and drops a devistating bomb causing lots of harm. Here's what that quote would sound like:
      "It amazes me that that the Army woul

    • This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.

      Really? So you've worked at one of these companies then?

      Oh. You haven't.

      So you have friends or family that do?

      Oh. You don't.

      So you're just wildly postulating on shit you don't know anything about?

      Of course. This is /. afterall.

      Well, hate to say it, but I have worked at one of these companies, and I have family in a similar lin
  • by Anonymous Coward on Friday August 08, 2003 @08:52AM (#6644340)
    ``The data on the servers was a wide variety of information, some of which was personal, some of which was not,'' Jennifer Barrett, the company's chief privacy officer

    Translation: The names of the directories weren't personal data...The files in the directories? well they had the SSN/DOB/Address etc. So, technically, some of the data was personal and some wasn't.

  • by dlasley ( 221447 ) on Friday August 08, 2003 @08:53AM (#6644348) Homepage
    whenever a company gives you a chance to Opt Out, take it, no matter what the hassles. this keeps your personal information from getting into databases like this and ensures that even if - as in this case - the information "owner" denies accountability, you still have some protection from recent state and federal legislation.

    sometimes it's good to use the system ...
    • sometimes it's good to use the system ...

      even better, is there a way i can flood the system with fake data. multiple dobs and mothers maiden names associated with my ssn?

    • by KillerHamster ( 645942 ) on Friday August 08, 2003 @09:10AM (#6644503) Homepage
      Of course you have no way of knowing whether "opting out" actually removes you from any database. Maybe they just set DO_NOT_CONTACT=1 and keep your data anyway. I guess it could offer legal protection though, and is a good idea.
      • by Zathrus ( 232140 ) on Friday August 08, 2003 @09:36AM (#6644728) Homepage
        Actually, it doesn't remove you from the database. At least not in any database I've ever seen or worked on.

        What it does do is ensure that they won't send you marketing offers and that they won't sell your information to others for the same purpose. The latter is the important bit.

        If you actually want them to remove your data from the system, then you better be prepared to cease doing business with them and any of their subsidiaries/partners. Which in the case of Axciom is a rather large portion of the US.
    • by baka_boy ( 171146 ) <(moc.sdlonyer-yad) (ta) (nonnel)> on Friday August 08, 2003 @09:21AM (#6644610) Homepage
      Nice sentiment, but painfully naive -- there is no such thing as an 'opt-out' anymore. Every bit of personal information that private or public interests can gather on you is fair game, and the market for such information will probably only grow as interactive media increasingly replace broadcast channels over the next few decades.

      Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.
    • by cxvx ( 525894 )
      I'd say otherwise:

      Give them as much fake data as you can get away with. There's most of the time no reasons a company needs your phone number, ...
      That goes especially for websites / software you need to dld, ...

      I can't remember the times I said I was a 90 year old Afghan woman that works as a computer programmer and who has an income of >100000$ :)

    • The issue, however, is that the Opt-out agreements are often too inobvious, they expire too quickly (1 year), and the ramifications for not opting out are far broader than people realize.

      That we have to opt-out of "partner sharing agreements" is absurd. The rule should be opt-in, but that's not how it was written, and it sucks. Or if it's opt-out, the term should be for life -- not for a freaking year.

      And no, I'm not one of those privacy nuts. I've actually worked in the system. I've coded for it. And I'm
  • Insiders (Score:5, Interesting)

    by Hayzeus ( 596826 ) on Friday August 08, 2003 @08:53AM (#6644351) Homepage
    At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?
  • by jkrise ( 535370 ) on Friday August 08, 2003 @08:54AM (#6644367) Journal
    Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.

    Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.

    -
    • by bourne ( 539955 ) on Friday August 08, 2003 @09:11AM (#6644516)

      Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all?

      Yes, in that it illustrates one of the dangers of data mining; you can't always trust the mine companies or the miners they hire.

      Insofar as that "danger" affects anyone whose personal information could end up at a provider like Acxiom, it is relevant to, say, 95% of the /. readership.

      Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO.

      There's this new thing called "Identity Theft [identitytheft.org]" that kind of sucks to be a victim of. Maybe you've heard of it?

      The same can't be said about Hotmail hacks or even Windows hacks.

      *snort* Yeah, cause, you know, Junior's inane personal email is MUCH more important than his financial record.

    • by Black Parrot ( 19622 ) on Friday August 08, 2003 @09:13AM (#6644529)


      > Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

      If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers. Who will of course ultimately pass the costs back to the customers.

      There's a lot of PR convenience for "losing" thefts this way, and spreading the costs out thinly. But the cost is still there, and it's real.

      • They also deal with a number of other types of account info, including debit cards, in some cases. Banking firms use these giants for all kinds of info collection. Which means that averagecitizen out there may find no money in their account one morning and not know it till they get denied at a point-of-service for insufficient funds- AND the recipient may have things like work address, paycheck data, and so on. This is a bad news nightmare, and the biggest problem is that unless the company takes responsibi
    • Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

      Perhaps, but it would still be nice to know if it's likely to happen, wouldn't you think? If I wanted/needed to change my credit card numbers, I'd rather do it proactively than after the fact. It's easier to clean up the mess, if nothing else.
    • When the people whose data was stolen have their identities assumed by some third party, I imagine the last thing on their mind will be the horrors of someone stealing their hotmail account.

      Of course this is newsworthy. Everytime one of these companies has a security breach because of stupidity and unpreparedness, the news should be spread as far and wide and as loudly as possible. It would seem that corporate embarrassment and public outcry is the only way to get through to these companies.

      With the gro
    • While I agree that 'inside jobs' , which are more common of a crime, are less newsworthy, this still should concern all of us. The problem here is not that some jerk might buy a bunch of stuff with our credit cards - as you have said, we're mostly protected on all but $50 or so from that sort of crime, the real problem is identitiy theft.

      If this database had sufficient information (and note it was mentioned they served credit bureaus) this is a real problem. Now the jerk is actually using my data to borrow
  • by jamie ( 78724 ) * <jamie@slashdot.org> on Friday August 08, 2003 @08:54AM (#6644371) Journal
    Acxiom was the first company listed in Microsoft's November 1998 parade of members [microsoft.com] of their Online Privacy Alliance. The OPA's goal was to keep the feds away: "The alliance advocates industry self-regulation as the best way to ensure that consumers maintain control of their personal data online."

    Acxiom warned TRUSTe members [truste.org] in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.

    I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

    • by Black Parrot ( 19622 ) on Friday August 08, 2003 @09:05AM (#6644476)


      > I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

      Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.

    • From the MS link you provided:

      In addition to Microsoft, members of the Online Privacy Alliance include many other well-known names in electronic commerce, smaller start-up ventures and some companies that are new to the Internet: Acxiom Corp.; American Advertising Federation; American Electronics Association; American Institute of Certified Public Accountants; America Online Inc.; Apple Computer Inc.; AT&T Corp.; Bank of America; Bell Atlantic Corp...

      Acxiom wasn't listed first because they were the bi

  • Contradictory (Score:5, Insightful)

    by mccalli ( 323026 ) on Friday August 08, 2003 @08:56AM (#6644377) Homepage
    ...a hacker has broken into a Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Axiom's security policies . It is, however, a criticism of their hiring and monitoring policies.

    Cheers,
    Ian

    • Re:Contradictory (Score:5, Informative)

      by pubjames ( 468013 ) on Friday August 08, 2003 @09:07AM (#6644491)
      This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad.

      I don't think it is as simple as that. Just because it is an inside job doesn't means that the company does not have lax security.

      I have worked on software systems for the management of transaction data for some major banks. Do you think they gave me access to their databases to do the work? No way Jose. They gave me access to duplicate systems with dummy data. Only a very few people had access to the 'real' data (even within the bank) and even then their access was strictly controlled - I mean they had to get permission to get physical access to terminals that could access the data, and they had to justify why, and all their actions were logged.

      Anecdote - I once was working in a banks bomb-proof super-secure dataroom doing an install on one of their transaction processing systems. The install took a while and I was bored out of my mind. I was idly curious to see what was on the screen of one the many terminals in the room, so I touched the space key to active the monitor. About two minutes later the room was full of bank security guys asking what the hell I thought I was doing.
    • > This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Axiom's security policies . It is, however, a criticism of their hiring and monitoring policies.

      I would say that if it was a simple matter of peeking, but since the employee apparently downloaded some of the data without them knowing it I would say that there's a problem with their security policies and

    • As such, it's not really a criticism of Axiom's security policies . It is, however, a criticism of their hiring and monitoring policies.

      I'd argue that human and physical security are probably the two *most* important aspects of information security. It's pretty obvious that the person with physical access to the machines on which information is stored has rather an impressive leg up in compromising any security proceedures that might be in place, let alone systems where users can saunter straight into t
    • It is, however, a criticism of their hiring and monitoring policies.

      Or maybe of their firing policies. Maybe the guy somehow got wind that we was on the list for next month, and decided to do something... In this economy, this seems more likely.

    • ...a hacker has broken into a Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

      So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

      *sigh* You should know better than to trust the poster, headline, the commentary, or the summary of any story posted to Slashdot. I know it is odd, but this isn't a news site where "editors" verify things that are posted. As always, RTFA...

      Barrett said the individual in pol

    • Re:Contradictory (Score:3, Insightful)

      by wfberg ( 24378 )
      A person with legitimate access to data went bad.

      Actually they used their existing access to gain new privileges, cracking (or guessing) passwords in the process.

      Never the less, it's an important point to reflect on what "legitimate access" means. Most companies allow any employee access to all of their data, especially smaller companies. Publicly traded companies usually take better care of strategic information, but not of their customers' private data, at all.

      While the army won't let you see any 'se
  • I work for a small 8 person IT business in the town I live in. I'm computer help while I go back to college.

    When I first started, I found out there's a bunch of clients (many medical), but when we install, we usually use simplistic passwords. Simplistic as in Roberts' wordlist. We dont even change them either. We also have a Winnt4 domain controller for our internal fileserver that simply shares 4 directories. ALL OF THEM HAVE GLOBAL +RWX ON EVERYBODY.

    Even the shcool I go to has decent protections on thei
  • by mstockman ( 188945 ) on Friday August 08, 2003 @08:56AM (#6644386)

    Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?

    Just wondering how all of this may play out...

  • Didnt CA recently pass a law requiring disclosure of breaches involving CA residents? Anyone know if this applies here? Are Axcion's client companies mandated to contact their clients, and so on down the tree?

    I'm not in CA, but there's a strong liklihood someone from CA had data in this system.
  • Over the news I heard thm saying chances of identity theft are slim, by using the stolen data.
    Ha!
    Chances of identity theft are high even when the data is not stolen. :)
  • by bwindle2 ( 519558 ) on Friday August 08, 2003 @08:58AM (#6644401)
    The person had legitimate access to the system. I wouldn't call using your legitimate access to then, *GASP*, access that system, a hack.
  • by gorbachev ( 512743 ) on Friday August 08, 2003 @09:00AM (#6644425) Homepage
    About a year or so ago people started getting spam addressed to the wrong "John Smith". Some folks tracked the spam to Axciom. It appears that they'd started selling epending services for their clients.

    Basically a client supplies information about the consumer (name, partial address, etc.) to Axciom. Axciom then takes their best guess as to what the Email address for the consumer might be.

    Where the problems come with this approach when you have a common name and your address information is incomplete. Axciom will happily give the client the buest guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.

    But, hey, you can always opt-out...one client at a time...

    Proletariat of the world, unite to kill spammers
  • Just a question about the terminology used in the headline there.
    I'm no walking dictionary, but I thought the word "hack" (translated as "crack" to technical folks- I don't even want to open that can of worms)-suggested someone somehow getting access to something that they do not legitimately have access to.
    • He used legitimate access to HIS files to access files belonging to other Acxiom clients, on a server multiple clients used to upload data (the staging area to leave files to be pulled through the firewall by Acxiom). The news report says he cracked the other client's passwords.

      What were they thinking when they set up that server? No client should be able to see any other client - it should look like they have the server to themselves.

  • by Dalcius ( 587481 ) on Friday August 08, 2003 @09:01AM (#6644435)
    "Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers."

    Saddly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.

    Anyway, with the current corporate situation, and the examples set by Microsoft et al, IT has grown into a industry with no personal responsibility and very questionable morals.

    I can't say this surprises me much.
  • "I can say this about the data, much of it was nonsensitive information."

    I can say this about this gun I'm pointing at you, much of it is innert material.
  • BBBOnline (Score:5, Informative)

    by Liquorman ( 691815 ) on Friday August 08, 2003 @09:03AM (#6644448)
    Below I have posted the complete listing of requirements for approval from the BBBOnline (Better Business Bureau Online) page. Seems like it is pretty easy to meet the requirements as long as you pay the BBB! Also, it does not appear to have much to do with specifics of what a privacy statement should say, just that you simply must have one.

    General Conditions

    The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.

    The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.

    The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.

    A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.

    Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.

    • What do you expect? You think those seals are anything more than to keep people thinking their information is secure?

      All those little seals require money, and when you pay them and fit in a couple of general rules, you get it. Easy as that. Yes, it's stupid, but for some reason consumers really think it's more safe to shop for a company that has a seal then those without one... even if they both use SSL that are "signed" by the lofty security people (Verisign, Thawte, etc.) rather than their own servers
  • RTFA! (Score:5, Insightful)

    by sessamoid ( 165542 ) on Friday August 08, 2003 @09:03AM (#6644449)
    From the story submission:

    The suspect, now in police custody, was an employee with legitimate access to the information.

    Geez, even the submitters don't RTFA, do they? From the NYT:

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

    The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?

  • by sjbe ( 173966 ) on Friday August 08, 2003 @09:03AM (#6644450)
    It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    And why should this "amaze" you? At some level in any company there needs to be people who can do this. Your human resources department has a ton of information about you that they can pretty much look at whenever they want. Medical professionals are the same way. If you are an interesting case, do you honestly believe doctors/nurses will not talk about you? You are naive if you think that, despite laws (HIPPA) prohibiting such behavior.

    You need to be able to trust these people and while there does need to be security and surveillance of people with access to sensitive information, you can't keep them completely away from it. This is especially true in a company (or government agency) whose business is based upon such information. It's also nearly impossible to prevent a knowledgeable insider from getting access to sensitive information, so I'm double confused why this should be surprising.

    While it is unfortunate that it happened, the fact that it happened should "amaze" no one. Give enough people a chance to make money by breaking the law and guess what? Some of them will.

    Nothing to see here. Move along...
  • Easily Amazed (Score:3, Insightful)

    by jrsimmons ( 469818 ) * on Friday August 08, 2003 @09:03AM (#6644457) Homepage Journal
    So you're "amazed" that a database company has employees who have access to their database(s)? How excactly is it that Acxiom should do its job while preventing its employees from ever working with the data? Unless the description of the theft is inaccurate, this has nothing to do with hacking and is merely a misuse of priviledges. If the armored car driver steals the contents of the armored car, is it because the car wasn't secure enough?
  • I used to work for a consulting group who managed websites for several big name companys, all of which took online orders. Part of my job was to code pages that analyzed the databases and presented an overview of sales statistics. I recall being suprised at the thousands of credit card numbers listed in the databse and how easily I could have taken them. There was no password protection except for the general login/password used for ALL our databases which most employees knew. Luckily im an ethical person b
  • Well, duh. (Score:2, Funny)

    by russotto ( 537200 )

    It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    Uh, yeah, at the risk of -1 redundant, of course an insider will be able to browse private data at will. _Someone_ has to be able to get to the data, unless you're postulating SkyNet.

    I suppose this could have been a hack, if this person became employed at the company in order to get the data -- that comes under social engineering hacks (and industrial espionage). But "disgru

  • Oh, THAT Acxiom... (Score:2, Interesting)

    by BRSQUIRRL ( 69271 )
    I know several developers there...I almost worked there myself actually. I've heard them mention on several occasions that they develop against production "real world" data simply because there is no test database large enough to test scaling and performance. I remember asking them if they could actually get consumer information on ME and they didn't act like it would be too difficult. Scary...
  • by sammy baby ( 14909 ) on Friday August 08, 2003 @09:08AM (#6644495) Journal
    I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SilconValley.com verison of the story [siliconvalley.com]) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will." Dude, the guy had access. I'm a systems administrator, I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.

    What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals [pointofsalezone.com] and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?
  • by aepervius ( 535155 ) on Friday August 08, 2003 @09:10AM (#6644506)
    My job is so that I have access to all info on a credit card (Name of the person, date of expiration and full number), and even worst since the demand of the US governement (CAPS) on airline I have acess to the people their visa and their passport. Would it be possible to protect those data against me ? No way. I can acess the data at all level, and since I am the programmer , even if it is encrypted I can still acess it by putting a nice placed trap. Would I do it ? No way, I am honest. Is it possible for me to do it ? Yes.


    You cannot protect yourself against all your employe, because at one point or another you have to to have some trust (at least at the facture time).So IMO this is a no new here, and I barely call that hacking. Rather insider stealing.
  • Acxiom is a Certified Participant in the BBBOnline Privacy Program.
    Not no more they aint :-)
  • CLASS. ACTION. LAWSUIT.
  • by teamhasnoi ( 554944 ) * <teamhasnoi&yahoo,com> on Friday August 08, 2003 @09:19AM (#6644591) Journal
    According to another insider with access to the data, the man responsible for stealing this info had to scale a 3 foot wall, distract a cocker spaniel with ADD, open a squeaky door, and play Whack-a-Mole until he got the high score to get access to where the data was stored.

    He then had to play tic-tac-toe against a chicken, and decide if 'Eliza' passed the Turing test to actually acces the data.

    Once it was fully printed on tractor feed paper, he then had to bribe a small child with Pokemon cards, and juggle three rolls of tape and sing 'You Are the Wind Beneath My Wings' in front of Ryan Seacrest in order to abscond with the wheelbarrel full of printouts.

    I think we can all agree that security was not at issue here, it certainly had to be an inside job.

  • Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    Actually it was "a former employee of an Acxiom client." Not exactly an inside job for Acxiom -- sounds more like the problem was really at the client's end?

    The U.S. health insurance and medical "industries" are seriously under the gun with this s

  • Company In Denial (Score:3, Insightful)

    by BreadsOfAFeather ( 696374 ) on Friday August 08, 2003 @09:23AM (#6644630)
    The reaction of the company in this case, not notifying potential targets, and not putting safeguards in place, suggests that their attitude is to wait and hope that the problem will go away. However, the biggest security hole (in terms of potential damage) in any system is the possibility of abuse by trusted insiders. This suggests that Axciom will have this problem again.

    Oh, and some kind of link to an article would have been nice.
  • by jpellino ( 202698 ) on Friday August 08, 2003 @09:30AM (#6644689)
    Just spend the hours since waking with my bank, a fresh load of unauthorized cc activity as of this morning. It's a big bank, and it's brand new crapola, and I use the card only with reputable vendors. Joy. Not compromised my ass.
  • by SilentMajority ( 674573 ) on Friday August 08, 2003 @09:30AM (#6644690) Homepage
    I'm usually against having more govt regulation that dictates how businesses should operate but this is an exception.

    We obviously need to push for similar requirements used to secure our medical information. [hhs.gov]

    While some may argue that it will increase the cost of doing business, the leeches who profit from our personal info without our consent don't deserve our sympathy. There are many companies that buy and sell our personal info daily without our consent or knowledge.

    Besides, having rules for security related to our personal info will create new jobs as existing systems are modified and business processes are reengineered. Perhaps even more jobs than HIPAA [hhs.gov].

    Perhaps an even better solution is to require our written consent before any company sells our personal info to another and the consent deemed non-transferable.

  • I have worked as a short term contractor at one of the "Big 3" credit agencies, and was responsible for adding code to the Mexico codebase that added credit "scoring" to the list of items tracked. It was a 3-month contract where I, coming in off the street, had basically root access to the worldwide databases of this particular credit agencies customer database. It was necessary for my testing that, after I ran my modifications on a test dataset, which I got to expose my changes to a development mirror of
  • Well, at least everyone's money that this guy is going to be spending might help inject some more life into the economy... right? ...heh.

  • Whilst we have Bill Gates scream "secure computing", Palladium and other buzz word compliant clap trap as if it was some sort of magic silver bullet, the real issue has nothing to do with security of the software but the people who have access to it.

    Read ANY security analysis and they will always tell you that the weakest link in the security chain is always the human operator.

    This weaknes is either via two things, social engineering by an outside cracker or privilages being abused by an inside employee e
  • by stull13 ( 693912 ) on Friday August 08, 2003 @09:59AM (#6645046)
    Credit Card information? That's nothing....

    I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.

    At any point, someone who has been with the company for only a few days would be able to change your 401(k)investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.

    Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidently wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week old backup and guessed about what the updated amounts should have been.

    Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you wont even know that we are managing your benefits.

    This is the world we live in. There is no privacy any more and nothing is ever truly secure.
  • The real world (Score:3, Insightful)

    by TrippTDF ( 513419 ) <hiland.gmail@com> on Friday August 08, 2003 @10:13AM (#6645276)
    People carry their wallets in their back pockets. People leave windows unlocked. People trust their neighbors. People think their data is secure.

    A good thief/crook/whatever is someone who exploits this feeling of security, not breaking into a secure system.

    This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.
  • by Anonymous Coward on Friday August 08, 2003 @10:36AM (#6645650)
    First rule of database administration..

    THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.

    Second rule?

    The people inputting the data cannot query the data.

    Third rule?

    The people who query the data, cannot modify the queries.

    The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.

    I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."

    Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.

    I'd be fucking sour on US 'techs', too.
  • by enjo13 ( 444114 ) on Friday August 08, 2003 @11:22AM (#6646314) Homepage
    As a former employee at Acxiom (Conway offices), let me jump in here.

    I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers (not in the company, just the customers who used our tool) data. This was absolutely nececesary for us to track down client-specific problems.

    The comapny did have very good policies restricting access to data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. manay many many terrabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.

    More than once people where fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..

    The person that did the 'break in' was likely either a programmer or more likely a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eye-brows. I know this was raised as a security concern at some point..
  • by erroneus ( 253617 ) on Friday August 08, 2003 @03:11PM (#6649244) Homepage
    ...WE NEED MORE LAW.

    In this case, the law should be to regulate how "consumer information" is stored, protected and regulated. The "Fair Credit Reporting Act" does many nice things for the consumer but clearly not enough with the constant threat of misuse of information.

    First of all, I would like to see the use of social security numbers more tightly regulated in the form of requiring a business or individual to have a FEDERAL LICENSE to collect and use such information. We all know the SSNs are the primary key to all of the rest of the information collected on us. The law states that SSNs are only for the purpose of managing your social security account. Not for any other purpose. Law states that no other institution, private or public, can require that you disclose that information for any other purpose. That said, you can and are routinely required to disclose this information else you will be denied credit and/or many other factors of "modern life" in the USA. These abuses can be battled but I do not see a victory against this proliferous abuse.

    But with more controls in place regulating the use of this information and PUNISHING those who do not handle it properly and by revoking a business license to use it and by criminally prosecuting individuals found responsible for illegally collecting this information, we can hope to contain the damage done to privacy in the U.S.

    Identify fraud has been identified by various security agencies in the US as a threat to homeland security as it has been found that profits gained through "identity theft" are in fact funding terrorist organizations. Lax security does not only endanger individual credit or individual identities, but endangers the safety of the entire US public at large.

    We can protect our country by requiring that those who do business by collecting our information do so in a safe way. If a data system is identified as unsafe (for example, a MS Access database) then that business function should be enjoined to halt activity until it can me migrated to a "safe" system that is deemed safe by the public agency that deems the system as being safe for holding this class of data.

    This agency would be the equivalant of the FDA. Who knows what it would be called (there are a lot of creative minds out there who could create a clever acronym for a "Federal Privacy Agency"... so let's hear some ideas) but its function should be to police and regulate the use of private information. It should, however, be barred from collecting private information itself except where it is using such information as a way to conduct investigations.

    Because technology has improved significantly in the past 30 years, I think new law should be in place to protect consumers from identity theft. We need regulation of WHO can legally collect information, HOW it can be used, WHO it can be sold to and how the clients can use it themselves. Within that usage criteria, how it is stored and maintained should be strictly regulated. We have laws that require food venders store and distribute food, so why not critical and vital information?
  • by geekotourist ( 80163 ) on Friday August 08, 2003 @03:40PM (#6649598) Journal
    In the comments I haven't seen too much talk about Axciom itself: this is the company that combines every possible bit of information about people into one database, then usable for marketing / fatherland security research. They're the ones who get all the data from warranty cards, mix it with magazine subscriptions, combine that with census data, sprinkle with available political and healthcare data, blend with credit info and filter through post office change-of-address forms... As privacy articles have pointed out, the intersection of sets of 'non-personal' information can easily be a single, identifiable person.

    You have a new lifestyle magazine designed for the 30-40 year old programmer, making between $40k and $60k, and owning at least one ferret? Axciom will get you a list with most every one of those living in the geographical region you want.

Hard work never killed anybody, but why take a chance? -- Charlie McCarthy

Working...