Consumer Database Company Hacked Again
x-guru writes "CNN is reporting on the indictment of a Florida man on 144 identity theft charges including fraud, money-laundering, and obstruction of justice. Approximately 8.2 GB of data was stolen from Acxiom Corp, a company responsible for the storage of vast amounts of personal, financial and corporate data. It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation." Acxiom was hacked last year as well.
disclosure (Score:4, Insightful)
Re:disclosure, "when will we have laws ?" (Score:3, Interesting)
can you be bothered to contact your legislators, or consumersunion.org, or epic.org?
Re:Calls from Axciom and Experian (Score:3, Funny)
Whenever any of these companies call to verify information, I put them on hold and take care of any possible task that might be more important (which is just about anything). By the time I get back to their call, they've always hung up. Bummer.
Re:disclosure (Score:2)
Perhaps when "we the people" take back our government from its corporate masters.
Mod Up informative (Score:2)
Mr AC is 100% Informative; this is data freely available to anyone who will pay. Does Slashdot need to report every employee theft story?
Family Movie Act (Score:2)
The report of the registrar of copyrights [copyright.gov] is interesting, inasmuch as she asserts the existence of moral rights, deploring a recent Supreme Court decision, Dastar Corp. v. Twentieth Century Fox Film Corp. [findlaw.com], which ruled that the Lanham Act does not prevent the unaccredited copying of an uncopyrighted work.
Re:disclosure (Score:2)
It is not our information, it is information about us.
Depends on where you live. In most sensible countries, information about me is owned by me.
Re:disclosure (Score:3, Insightful)
Re:disclosure (Score:2, Informative)
In the UK with the Data Protection Act, you have a right to access any data held on any computer system that relates to you, and correct it if it is wrong, but the data does not belong to you IIRC. In fact Acxiom run a very similar operation (data for cash) in the UK too. So what "sensible countries" are you referring to?
And seriously, I can't see how it could be otherwise. If a store collects data on you via a loyalty scheme, you are suggesting that that data belongs to you? Th
Re:disclosure (Score:2)
What? (Score:4, Interesting)
It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation.
It might just be the early morning talking, but could someone explain how employee cooperation implies an inside job? Maybe I need more coffee.
Re:What? (Score:2, Funny)
Re: (Score:2)
Get your facts straight! (Score:2, Informative)
"Snipermail employees have cut deals and aided federal investigators, prosecutors said.
Also named in the indictment are Levine's brother-in-law Magdiel Castro; longtime business associate Jeffrey Richman, who operates Florida corporation RichMedia Inc.; systems administrator Jeffrey Burstein; Melvin Donald Atkinson, a computer analyst; Marcos Cavalcante, a graphic designer; and William F.
Re:What? (Score:2)
"Well, yeah, I guess letting my brother's cousin's roommate have the access codes to our server was a bad idea. Seriously though, I thought he was just hosting games of Quake III."
Re:What? (Score:5, Informative)
At any rate, it never said 6 employees of Acxiom, so it is open to interpretation and poorly written. I think someone needs to clarify that point.
Should we describe the site as hacked ... (Score:2)
Re:Should we describe the site as hacked ... (Score:2)
Considering these places have hundreds of terabytes worth of data on people, 8.2 gigs of it would seem like a grain of sand on the beach.
However, I suppose that some crafty SQL could cull that down to the bare minimum data needed for a credit card app.
$7 million? (Score:2, Interesting)
Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.
Where exactly is $7 million coming from? Is there data worth about a million a gig?
Re:$7 million? (Score:3, Funny)
Wow, I must have billions of dollars worth of pr0n then!
Re:$7 million? (Score:2)
Re:$7 million? (Score:3, Insightful)
How much would it cost just to inform all those people (assuming that they will)? And then when everyone updates their records, how much will it cost to rebuild/update the database with the new info?
Just playing devil's advocate here.
Re:$7 million? (Score:3, Interesting)
Re:$7 million? (Score:2, Interesting)
Thank god the RIAA isn't involved with the cleanup.
(82000000 * ($250,000 * ([DriveSpeed] * Cos([WindDirection]))
This issue of losses is moot really, because as with illicit file sharing, the original data still exists.
This data sharing may result in customers going elsewhere, and so may affect FUTURE revenue stream, but their account certainly hasn't taken a dip just yet.
(Contrast with bank robbery)
Re:$7 million? (Score:2)
Um... Solid gold hard disks?
Re:$7 million? (Score:2)
If the data can support identity theft, that means people can use it to forge identities, and commit identity and credit fraud. That's why the number is high, not the amount of data. It's how sensitive (and eventually useful to
Re:$7 million? (Score:2)
Re:$7 million? (Score:2)
I thought it was done remotely? How did they manage to physically remove the data from Acxiom?
Oh, so they don't mean steal, or theft. They mean unlawful copying. Right. Should have said.
</pedant>
Comment removed (Score:4, Insightful)
Re:so they have to steal that much to get prosecut (Score:3, Interesting)
This is because the Fair Isaac credit score has nothing to do with how good a customer you are. It's a measure of how likely a creditor is to make money from you. This is why if you keep paying your loans off after only a few months, you get a bad score. This is also why the reporting agencies were so reluctant to tell people how the score is calculated. If you're an identity thef
Re:so they have to steal that much to get prosecut (Score:2)
At least credit card companies don't break your legs. Between them and the mafia, I would choose to support the cc industry.
Re: (Score:2)
Re:so they have to steal that much to get prosecut (Score:2)
Re: (Score:2)
Perhaps instead of prosecuting mp3 thieves (Score:2)
oh wait, that would help the people of America and not the corporations...
Links within a chain (Score:3, Interesting)
Anyone want to take a gander on when Equifax, Experian, and TransUnion get busted for going through some minor service provider?
The only way to keep private data private... (Score:4, Insightful)
Centralised databases of sensitive data are evil.
Re: (Score:2)
Re:The only way to keep private data private... (Score:2)
Re:The only way to keep private data private... (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:The only way to keep private data private... (Score:2)
There is a lot to be said about restricting confidential, identifying information(such as that sufficient to personify you) to the company you signed a contract with. My reasoning is simple:
your contract is with so and so firm, you know they have your inform
the way, the truth, the light (Score:2)
Re:The only way to keep private data private... (Score:3, Insightful)
Lack of Security (Score:3, Insightful)
This begs the question.,, (Score:2, Interesting)
Maybe if these network admins were PUNISHED SEVERELY for their negligence they'd start being more careful.
At the very least this kind of information should be stored on encrypted filesystems. Better still, the files themselves should be triple-des'd and then PGP'd for good measure.
Re:This begs the question.,, (Score:2)
What about the time the data isn't encrypted? It's useless if no-one ever reads it. At some point the data will be in plain text and then it doesn't really matter how much encryption you have, it still gets compromised.
However, I think the storage companies involved with id theft (or any private data) should get fined (and
Re:This begs the question.,, (Score:3, Insightful)
And what if the Network Admin isn't appropriately trained because the company won't pay for training and the pay they offer won't entice skilled admins?
Assuming negligence of the Network Admin doesn't take into consideration the shades of grey that are often involved.
People should be responsible for poor security but the "climate" that leads to it should also be considered.
Re:This begs the question.,, (Score:2)
punish what is really responsible (Score:2, Interesting)
No the REAL Question... (Score:2)
Because if not, dammit, I want to know where the torrent is!
It's also extremely well-worth noting... (Score:4, Insightful)
How about a quick game of Hangman, kids. "Here's hoping he gets time in a federal _____-__-__-___-___ prison!" (Commence flames from more enlightened readers in 3... 2... 1...)
Re:It's also extremely well-worth noting... (Score:2)
Case in point (Score:5, Insightful)
Beyond the fact that a national ID card wouldn't provide any additional security [schneier.com], putting that much private information in one place is just asking for trouble, as this latest debacle shows and as Schneier points out in the article I referenced.
From the CNN article:
Oh, good. That will surely stop it from happening.
Re:Case in point (Score:2)
Re:Case in point (Score:3)
Last time I checked, a drivers license was only required if, say, you wanted to drive a car. Likewise, a passport is far from being a mandatory piece of documentation. When people describe a national ID card as a "bad thing," they're generally referring to the concept of a nationally-standardized ID document that you must be issued and that you must keep on your person at all times,
Re:Case in point (Score:2)
First, my driver's license is issued by a state (in my case California). And I don't actually have to have one, because I might not be licensed to drive.
Second, even in cases where I need identification, my identification card is issued by a state as well (also California).
Also, the major differences between those two things and what most people think of as a "national ID card" is that I actually am never required to present them to government officia
how to get the attorney general to follow through (Score:2)
Re:Case in point (Score:2)
National ID cards are used everywhere in the world, except the US. Yet people are no more nor less safe because of this.
It's not the national ID that's a problem. This database is probably the best secured in a country. Even if it got broken into, there's nothing interesting there: just your name, photograph, address (perhaps a trail of addresses), and perhaps some biometric identification (if the photograph is not enough) just in case you lost your ID card and needed a new one.
It is the whole bunch of
Re:Case in point (Score:2)
And to be honest, I almost wish they would. There's nothing except a driver's license (which not nearly as many people have as in America) and a passport (which more people have than in America, but are still not widespread) which has any type of biometric information and is state issued, and as a
Re:Case in point (Score:2)
Well, definitely not every country, since although being a US citizen I reside in the United Kingdom, and there's no national ID card there. Big Brother Blunkett wants to introduce one, but it's not gone far yet.
Yes, you have a point here. Please add the United Kingdom to the tiny list of countries that don't have national ID cards (yet). I'll use more careful wording next time. Sorry.
Usually I have to show my passport, show some documentation proving that I live at my address (like utility statemen
Re:Case in point (Score:2)
AFAIK, there is no law forbidding that in the US.
Details... (Score:5, Informative)
THIS WAS NOT AN INSIDE JOB. Two people from different parts of the country were "hacking" Acxiom at the same time, using the same vulnerability. Neither of them even knew each other. Acxiom's security was a flaming turd.
Search all the Daniel Baas articles and you will find he cracked a password file they had in a public directory on the ftp server. This guy did the same thing. Acxiom should be shutdown for their stupidity.
Why not me? (Score:4, Funny)
The 6 insiders are NOT from Acxiom (Score:2, Informative)
according to the CNN article.
"Vast amounts" (Score:2)
That said, it's enough (if compressed data) to have the Social Security number of all US Citizens, or all their credit card numbers, etc.
Re:"Vast amounts" (Score:2)
Right. If every personal record is, say, 256 bytes or so, that's still an awful lot of very sensitive data.
Spammers exchange lists of verified e-mail addresses every day. Those files don't have to be that big, yet they cause a lot of trouble anyway!
Re:"Vast amounts" (Score:4, Insightful)
Second, what can you really do with 50 million social security/credit card/name/address matches that you can't do with 1 million? It's not likely this data was stolen just for spam, much larger databases are readily available for that purpose. Even the largest, most nefarious criminal organization would be set for years with a million verified identities to misuse. Even if you could only net a few hundred dollars from each identity theft, that's a LOT of money. And at a certain point the scale of the data overrides your ability to exploit it anyways.
right, very important (Score:2)
You hear these dumbasses saying it again and again, how important it is to protect personal information, blah, blah, blah. Yet they are reluctant to create laws that protect personal information, as those in Europe.
If the protection of personal information were t
Re:right, very important (Score:2)
Laws, such as those in Europe, would not, cannot prevent such incidents. They can only penalize the criminals after your data is out in the wild.
After all...there are laws (with very, very tough penalties) against murder, right?
Re:right, very important (Score:3, Insightful)
Take a look at sections 13 and 14. [datatilsynet.no] There are also special rules to the law that specifically touch on information security, but I don't have a link in English.
Re:right, very important (Score:2)
As is oft quoted here on
Re:right, very important (Score:2)
This company, according to reports elsewhere, knows everything about you, and sells that information to anyone it can. Credit card numbers, spending habits, SSN, current and past addresses, everything.
There is no reason to steal the data when you can just buy it, then resell it over and over and over and over again.
No wonder identity theft is such a big problem. Nobody freaking takes privacy seriously in this country.
Spying is Spying (Score:3, Insightful)
If I'm a company compiling 8GB of such data on hundreds of thousands of people, I'm doing market research.
If I'm a single individual who gains access without consent to such a company's data, itself usually obtained without consent, I'm a snooping crook/terrorist/cracker/pervert/thief who gets thrown in jail.
RFID. Credit Cards. Social Security. How come I can't acquire such data, yet amoralistic multinationals can? Does the fact that I don't want such information in the hands of anyone at all even count? Tinfoil hat or no, no-one likes being snooped upon. Data rape is data rape no matter how drunk someone was on free handouts.
I never knew... (Score:2)
Golly! That's 56 MB of data per person! Not only is Big Brother watching, but apparently he's paying closer attention than I am.
Re:I never knew... (Score:2)
Re:I never knew... (Score:2)
Thanks
The solution: Translucent database (Score:4, Interesting)
"Hacked" ? (Score:3, Insightful)
This wasn't a "hack". It was an inside job: a contractor using a company-provided username/password to access data that he should not have had access to, but did because of lax policies on the part of the company (Acxiom).
This is not a "hack". It is theft. Plain and simple.
There's an old saying in Tennessee... (Score:2)
hack me once, shame on
hack me...can't get hacked again!
--g.w. bush
Headline is wrong (Score:2)
The headline isn't right; there is no second break-in. This is a different crowd of people involved in the same breakin that was discussed earlier. The previous arrest was of the guy who actually broke into the FTP server; this is the arrest of a spammer who used that data.
Uplink Headlines (Score:2, Funny)
I swear, reading Slashdot is starting to sound like those scrolling news blurbs in Uplink.
Company X reports that N gigs of customer information were stolen by an unidentified hacker.
Company Y reports that N gigs of project data was deleted by an unidentified hacker.
etc., etc., etc.
As usual, Slashdot doesn't RFTA - here are facts (Score:3, Informative)
They weren't clever enough to grab root and cover their tracks or overwrite logfiles, though. These toads remind me of Chris Cooper in Adaptation. Scheming Florida bums without too much upstairs.
Acxiom hired a security firm to run an audit regarding the PREVIOUS break-in, and the team found that these morons were stealing reams of credit card data with the logins from companies like Microsoft and others. They were then selling the credit card numbers on the black market, mostly overseas.
This whole sordid tale is laid out in the court documents, which are online and make for a great read. This Scott Levine reminds me of Scott Peterson, in sort of that creepy stupid way, where you know he did it just by the smirk on his face.
Anyhow, these guys are going to federal pound-you-in-the-ass prison, and hopefully Bill Clinton will cooperate and get off since I doubt with a name like that, he would fare too well in prison.
Not theft (Score:4, Interesting)
Re:Not theft (Score:2, Interesting)
Re:Not theft (Score:2)
Of course there is a difference between "stealing music" (which is deliberately made public, just not _too_ public) and "stealing data" (which is more or less private, modulo the fact that Acxiom themselves are kind of sleazy even having it).
My little troll was just to point out what I consider to be a hypocritical, but frequent, argument in other threads, that "stealing musi
Employment . . . (Score:2)
With that context, what bothered her about her Acxiom interview was the la
Look for the same thing this November (Score:2)
A Few Notes on Acxiom. Opt Out Now! (Score:3, Interesting)
Get out of all of their databases ASAP:
(877) 774-2094
optout@acxiom.com
Re:A Few Notes on Acxiom. Opt Out Now! (Score:2)
Ummm.. (Score:2)
Get out of all of their databases ASAP:
(877) 774-2094
optout@acxiom.com
Uhhh... If they ignore opt-outs, why are you trying to have us opt out?
Just seeing if you can keep us busy?
How to punish Acxiom? (Score:2)
A number of people have posted comments suggesting that (PTP) the root of the problem here was Acxiom's shoddy security. And have then followed up by posting open-ended questions about "how can we secure the 'Net when bozos like these guys don't lock their doors?"
There's a simple solution.
And no, it does not involve jail time for dumb sysadmins (stupidity is not a crime). It is much simpler--it's called tort law. If you are injured by Acxiom's shoddy security practices, you have a legal claim against th
Re: Privacy is our top concern? Whatever (Score:2)
They keep their most valuable business assets on an FTP server connected to the public Internet. Privacy sure is their top concern...
Furthermore Acxiom's business IS to ignore people's privacy. They sell YOUR information to whoever pays enough for it.
They also e-pend and allow their customers to spam you.
I hope the next person to hack into Acxiom cracks in real good and deletes not only the data on the FTP site, but all backups as well.
Proletariat of the world, unite to kill Acx
Goofiest mod ever. (Score:2)
Seriously. Offtopic? I tried to load the images thinking that if anyone could handle a Slashdotting, it'd be NASA. But guess what? The page loads, but the images do not. NASA is currently...Slashdotted.
Maybe it's not teh funnae, so by all means don't mod me funny. But it's on topic, especially if you want to see the images rather than read about how great they are. Informative if you agree, and redundant if you're sick of Slashdot jokes, but offtopic doesn't apply.
Remember, this is the problem me
Re:Goofiest mod ever. (Score:2, Insightful)
Heheh, something's fishy.... (Score:2)
--LordPixie
Re:MS SQL, ASP and stupid programmers (Score:2)
Most likely, ALL DATA FROM DB CAN BE STOLEN
Worse yet, with such extended stored procedures as xp_cmdshell() (in MS SQL Server) you can execute code right on the server. You can launch island-hopping attacks this way (get beyond the DMZ and into the internal network, to launch further in). FYI xp_cmdshell() is only available to some logins, such as 'sa', but I see many people with their pro
Re:MS SQL, ASP and stupid programmers (Score:2)
That being said, in the VB forums I visit, about once a week some genius tells someone to "just double up the quotes and then it'll work". Arrrg!
Chip H.
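A worked illustration of the point made in the two comments above, added here as an example; it is not code from the thread, from the VB forums mentioned, or from Acxiom. The table, rows and inputs are constructed. It shows that doubling up quotes does protect a string literal in SQLite, but does nothing for an id pasted into a numeric comparison (the usual "article ID #123 from the query string" case), where `123 OR 1=1` walks off with every row; binding the value as a parameter after checking it really is an integer fixes both cases.

```python
"""Added example: why "just double up the quotes" is not a SQL injection fix.

Self-contained sqlite3 demo. The articles table, its three rows and the
attacker inputs are all constructed here for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [
            (123, "alice", "public post"),
            (124, "bob", "private draft"),
            (125, "carol", "private draft 2"),
        ],
    )
    conn.commit()
    return conn


def double_quotes(value: str) -> str:
    """The forum 'fix': escape a single quote by doubling it."""
    return value.replace("'", "''")


def lookup_concat_string(conn: sqlite3.Connection, owner: str) -> list:
    """String literal built by concatenation, with quote doubling applied.

    Inside a quoted literal the doubling really does neutralise the
    injected quote, so the classic ' OR '1'='1 payload matches nothing.
    """
    sql = "SELECT id FROM articles WHERE owner = '" + double_quotes(owner) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_concat_numeric(conn: sqlite3.Connection, article_id: str) -> list:
    """Numeric id from the query string, concatenated without quotes.

    There is no quote for the attacker to close, so quote doubling is
    irrelevant: "123 OR 1=1" becomes part of the WHERE clause and every
    row comes back. This is the "ALL DATA FROM DB CAN BE STOLEN" case.
    """
    sql = "SELECT id FROM articles WHERE id = " + double_quotes(article_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, article_id: str) -> list:
    """Parameterized query plus type check.

    int() rejects anything that is not an integer (raises ValueError), and
    the '?' placeholder hands the value to the driver separately from the
    statement text, so the input can never alter the query's structure.
    """
    id_int = int(article_id)
    return [
        row[0]
        for row in conn.execute("SELECT id FROM articles WHERE id = ?", (id_int,))
    ]


if __name__ == "__main__":
    db = make_db()
    print("string, honest input:  ", lookup_concat_string(db, "alice"))
    print("string, quoted payload:", lookup_concat_string(db, "alice' OR '1'='1"))
    print("numeric, honest input: ", lookup_concat_numeric(db, "123"))
    print("numeric, payload:      ", lookup_concat_numeric(db, "123 OR 1=1"))
    print("param, honest input:   ", lookup_param(db, "123"))
    try:
        lookup_param(db, "123 OR 1=1")
    except ValueError as exc:
        print("param, payload:         rejected:", exc)
```

So the answer to "how do you pass the id between pages" is not "don't", it is: pass it however you like, then on the receiving page validate its type and bind it as a parameter rather than splicing it into the SQL text. The quote-doubling escape only ever helps inside a string literal, and on other engines (MySQL with backslash escapes, for instance) even that is not enough.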
Re:MS SQL, ASP and stupid programmers (Score:2)
Well...sorry, I'm in a nitpicky mood...but how do you pass params from one page to another (usually you have to pass some sort of ID)? e.g. if you click to see article ID #123, that gets passed somehow...(whether it's POST or GET doesn't matter).
In other words, it's not so much 'don't pass ids in the querystring' as much as: