Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security

Consumer Database Company Hacked Again 230

x-guru writes "CNN is reporting on the indictment of a Florida man on 144 identity theft charges including fraud, money-laundering, and obstruction of justice. Approximately 8.2 GB of data was stolen from Acxiom Corp, a company responsible for the storage of vast amounts of personal, financial and corporate data. It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation." Acxiom was hacked last year as well.
This discussion has been archived. No new comments can be posted.

Consumer Database Company Hacked Again

Comments Filter:
  • disclosure (Score:4, Insightful)

    by Anonymous Coward on Thursday July 22, 2004 @10:34AM (#9769957)
    of course i can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public. after all, it is our information they're "losing"
    • "of course i can't be bothered to RTFA, but when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public"

      can you be bothered to contact your legislators, or consumersunion.org, or epic.org?


    • Whenever any of these companies call to verify information, I put them on hold and take care of any possible task that might be more important (which is just about anything). By the time I get back to their call, they've always hung up. Bummer.
    • ...when will we have laws making it a mandatory requirement for companies like this to fully disclose events like this to the public...

      Perhaps when "we the people" take back our government from its corporate masters.
  • What? (Score:4, Interesting)

    by windside ( 112784 ) <pmjboyle.gmail@com> on Thursday July 22, 2004 @10:34AM (#9769963)

    It looks to be an inside job as six Acxiom employees have agreed to cooperate with the investigation.

    It might just be the early morning talking, but could someone explain how employee cooperation implies an inside job? Maybe I need more coffee.

    • Re:What? (Score:2, Funny)

      by Anonymous Coward
      They are the ones that decided to use IIS as their webserver, so it's an inside job.
    • Comment removed based on user account deletion
    • by Anonymous Coward
      It wasn't Acxiom employees that agreed to cooperate it was Snipermail employees. Man, people can't get facts straigh.

      "Snipermail employees have cut deals and aided federal investigators, prosecutors said.

      Also named in the indictment are Levine's brother-in-law Magdiel Castro; longtime business associate Jeffrey Richman, who operates Florida corporation RichMedia Inc.; systems administrator Jeffrey Burstein; Melvin Donald Atkinson, a computer analyst; Marcos Cavalcante, a graphic designer; and William F.
    • "agreed to cooperate with the investigation."


      "Well, yeah, I guess letting my brother's cousin's roommate have the access codes to our server was a bad idea. Seriously though, I thought he was just hosting games of Quake III."
    • Re:What? (Score:5, Informative)

      by panda ( 10044 ) on Thursday July 22, 2004 @11:08AM (#9770340) Homepage Journal
      Actually, the articel does NOT say that 6 Acxiom employees agreed to cooperate with the investigation. It says 6 employees of the "the company." Since Snipermail was the previous company mentioned, I took it to mean that 6 employees of Snipermail were cooperating with the investigation.

      At any rate, it never said 6 employees of Acxiom, so it is open to interpretation and poorly written. I think someone needs to clarify that point.
    • if there are six employees making 8.2 GB of backup tapes/CDs/DVDs/floppies and passing them on for envelopes of cash? Convincing insiders to criminally conspire with you for money doesn't even qualify as social engineering.
      • I'd like to know what this 8.2gigs of data was.

        Considering these places have hundred of terabytes worth of data on people, 8.2Gigs of it would seem like a grain of sand on the beach.

        However, I suppose that some crafty SQL could cull that down to the bare minimum data needed for a credit card app.
  • $7 million? (Score:2, Interesting)

    by Gentoo Fan ( 643403 )

    Federal officials said the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.

    Where exactly is $7 million coming from? Is there data worth about a million a gig?

    • by Anonymous Coward
      Where exactly is $7 million coming from? Is there data worth about a million a gig?

      Wow, I must have billions of dollars worth of pr0n then!
    • Re:$7 million? (Score:3, Insightful)

      How many customer records could be stored in 1 GB?

      How much would it cost just to inform all those people (assuming that they will)? And then when everyone updates their records, how much will it cost to rebuild/update the database with the new info?

      Just playing devil's advocate here.
    • Re:$7 million? (Score:3, Interesting)

      by gid ( 5195 )
      I'd be willing to wager the 7 million is just an arbirarily large enough number so the feds will investigate their case. If they say they only lost a grand, then there would probably be no investigation.
    • Re:$7 million? (Score:2, Interesting)

      ONLY 7 million!

      Thank god the RIAA isnt involved with the cleanup.

      (82000000 * ($250,000 * ([DriveSpeed] * Cos([WindDirection]))

      This issue of losses is mute really, because as with illicit file sharing, the original data still exists.

      This data sharing may result in customers going elsewhere, and so may effect FUTURE revenue stream, but their account certainly hasn't taken a dip just yet.
      (Contrast with bank robbery)
    • "Where exactly is $7 million coming from? Is there data worth about a million a gig?"

      Um... Solid gold hard disks?

    • Wouldn't the reputation of the companies that the customers that information was about require some form of insurance/bond to cover their own loss of reputation over this? Of course, you missed the 114 "identities" compromised part of the post, and concentrated on the gigabytes.

      If the data can support identity theft, that means people can use it to forge identities, and commit identity and credit fraud. That's why the number is high, not, the amount of data. It's how sensitive(and eventually useful to
      • The problem is that the company that "lost" the data isn't out the $7M, it is the people whose identities will be stolen who will be out the money and will be hassled, in some cases, to death.
    • theft of approximately 8.2 gigabytes of data

      I thought it was done remotely? How did they manage to physically remove the data from Acxiom?

      Oh, so they don't mean steal, or theft. They mean unlawful copying. Right. Should have said.

      </pedant>
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Thursday July 22, 2004 @10:36AM (#9769992)
    Comment removed based on user account deletion
    • Oh ya, and my friend's credit was STILL bad 2 years later from that stuff, even though all parties knew what had happened.


      This is because the Fair Isaac credit score has nothing to do with how good a customer you are. It's a measure of how likely a creditor is to make money from you. This is why if you keep paying your loans off after only a few months, you get a bad score. This is also why the reporting agencies were so reluctant to tell people how the score is calculated. If you're an identity thef
      • Actually, I think it's not a bad thing. I was reading somewhere that allowing the credit card companies to do loan sharking has cut off major funding for the mafia. Eveyone gets in trouble sometimes, and in the old days, mom and pop used to go to Guido.

        At least credit card companies don't break your legs. Between them and the mafia, I would choose to support the cc industry.

      • Comment removed based on user account deletion
    • Part of the problem is that ID theft [consumer.gov] is the largest growing consumer fraud in the country. Investigators and prosecutors can not keep up with it. ID theft is now 42% of all reported consumer fraud. Over 200,000 people filed complaints with the FTC [consumer.gov] last year and the FTC estimates that as many as 9.9 million people were victims of ID theft last year. Yikes!
  • Links within a chain (Score:3, Interesting)

    by Evil Schmoo ( 700378 ) on Thursday July 22, 2004 @10:37AM (#9769997) Homepage
    This is the great myth of the InterWeb security policies of most corporations -- you're only as safe as the weakest link in the chain. IBM, GE, et al, are probably among the most secure commercial sites available, and yet their customers still get nailed by third-party lapses.

    Anyone want to take a gander on when Equifax, Experian, and TransUnion get busted for going through some minor service provider?
  • by MartinG ( 52587 ) on Thursday July 22, 2004 @10:37AM (#9770003) Homepage Journal
    ... is to not store it all in one place.

    Centralised databases of sensitive data are evil.
    • Comment removed based on user account deletion
    • The only way to keep private data private is to memorize all the info, burn the paper its on, delete is and format the hard drives it was on and always remember to wear your tin foil hat.
    • Amen. I fear for the sanctity of our medical records and the sanity of our medical providers (oh so politically correct HMO way of being weaselly about whether you'll actually be seen by a doctor, a nurse, a nurse practitioner, or a physician's assistant: we employ 1984-speak and we equate all four thus, thus it is so) once the wacky concept of CENTRALIZING all of our health records ever takes place. Does President Bush's New Mandate Give HHS Authority to Link Everyone's Medical Records to a National Compu
  • Lack of Security (Score:3, Insightful)

    by millahtime ( 710421 ) on Thursday July 22, 2004 @10:37AM (#9770006) Homepage Journal
    This is where the lack of security is undershot. Secuity is always talked about with the consumer pc, windows and ie. If you want to get personal data hack the server. Forget the pc. I don't hear much about these area being convered. Banks and the Military seem to have security covered but there are a lot of orginizations with a lot of personal data with not near enough security.
  • What is happening to the morons who leave this kind of information sitting around on an easily cracked server? Are they getting fines? Jail time? 40 lashes with a wet noodle? What?

    Maybe if these network admins were PUNISHED SEVERELY for their negligence they'd start being more careful.

    At the very least this kind of information should be stored on encrypted filesystems. Better still, the files themselves should be triple-des'd and then PGP'd for good measure.
    • What if it was an inside job? Some idiot with access could well steal the data and sell it. SHould the SysAdmins get punished when their system WAS secured but the employees were corrupt?
      What about the time the data isn't encrypted? It's useless if no-one ever reads it. At some point the data will be in plain text and then it doesn't really matter how much encryption you have, it still gets compromised.

      However, I think the storage companies involved with id theft (or any private data) should get fined (and
    • And what if there aren't enough Network Admins to do the necessary work because of IT Budget cuts?

      And what if the Network Admin isn't appropriately trained because the company won't pay for training and the pay they offer won't enticed skilled admins.

      Assuming negligence of the Network Admin doesn't take into consideration the shades of grey that are often involved.

      People should be responsible for poor security but the "climate" that leads to it should also be considered.
    • Don't punish the admins; punish the managers that give those admins a shoestring budget and no help.
    • Better idea. If a company gets cracked say three times, then make it the same deal individuals get in our society, most places three felonies, you get a huge jail time, as a career rerecidivist criminal and societal lamer. If a corporation gets busted for malfeasance or gets cracked three times,any combination, then they should get the same, which in their cases would be loss of incorporation priveleges, and to HECK with the stock holders, it's a gamble, they need to have that drilled in daily it appears.
    • What is happening to the morons who leave this kind of information sitting around on an easily cracked server? Are they getting fines? Jail time? 40 lashes with a wet noodle? What?

      Because if not, dammit, I want to know where the torrent is!

  • by The Ultimate Fartkno ( 756456 ) on Thursday July 22, 2004 @10:41AM (#9770041)
    ...that the man (scum-sucking dirtbag duck-raper, actually) indicted, Scott Levine, is the owner of Snipermail - a spamhouse located in (get ready for a shock!) Florida. Is anyone surprised that a spammer (connected to Eddie Marin, btw) has moved on to massive identity theft? Don't you just wonder what he was planning on using all that data for?

    How about a quick game of Hangman, kids. "Here's hoping he gets time in a federal _____-__-__-___-___ prison!" (Commence flames from more enlightened readers in 3... 2... 1...)

  • Case in point (Score:5, Insightful)

    by Lord Grey ( 463613 ) * on Thursday July 22, 2004 @10:41AM (#9770043)
    Approximately 8.2 GB of data was stolen from Acxiom Corp...
    This is yet another example of why it would be a terrible idea to institute a national ID card. The people backing the card, when faced with the concept of someone stealing the contents of the database that would support the card, invariably insist that "it couldn't happen -- we'll secure it real well."

    Beyond the fact that a national ID card wouldn't provide any additional security [schneier.com], putting that much private information in one place is just asking for trouble. As this latest debacle shows, and as Schneier points out in the article I referenced.

    From the CNN article:

    "We will aggressively pursue those who steal private information from computer networks and make it clear that there are serious consequences for such crimes," [Assistant Attorney General Christopher Wray] said.
    Oh, good. That will surely stop it from happening.
    • You already have at least one national ID card - your drivers license. Two, if you have a passport. It's already happened.
      • You already have at least one national ID card - your drivers license. Two, if you have a passport. It's already happened.

        Last time I checked, a drivers license was only required if, say, you wanted to drive a car. Likewise, a passport is far from being a mandatory piece of documentation. When people describe a national ID card as a "bad thing," they're generally referring to the concept of a nationally-standardized ID document that you must be issued and that you must keep on your person at all times,
      • Well, not in the usual sense of a national ID card.

        First, my driver's license is issued by a state (in my case California). And I don't actually have to have one, because I might not be licensed to drive.

        Second, even in cases where I need identification, my identification card is issued by a state as well (also California).

        Also, the major differences between those two things and what most people think of as a "national ID card" is that I actually am never required to present them to government officia

    • if you want to get the attourney general to follow through then someone just has to steal his identity. I'm sure that will lead to some nice prossecutions.
    • National ID cards are used everywhere in the world, except the US. Yet people are no more nor less safe because of this.

      It's not the national ID that's a problem. This database is probably the best secured in a country. Even if it got broken into, there's nothing interesting there: just your name, photograph, address (perhaps a trail of addresses), and perhaps some biometric identification (if the photograph is not enough) just in case you lost your ID card and needed a new one.

      It is the whole bunch of

      • Well, definitely not every country, since although being a US citizen I reside in the United Kingdom, and there's no national ID card there. Big Brother Blunkett wants to introduce one, but it's not gone far yet.

        And to be honest, I almost wish they would. There's nothing except a driver's license (which not nearly as many people have as in America) and a passport (which more people have than in America, but are still not widespread) which has any type of biometric information and is state issued, and as a

        • Well, definitely not every country, since although being a US citizen I reside in the United Kingdom, and there's no national ID card there. Big Brother Blunkett wants to introduce one, but it's not gone far yet.

          Yes, you have a point here. Please add the United Kingdom to the tiny list of countries that don't have national ID cards (yet). I'll use more careful wording next time. Sorry.

          Usually I have to show my passport, show some documentation proving that I live at my address (like utility statemen

    • Or, heaven forbid, I were to, oh, I don't know, hrm, assemble massive databases of information and make the available via P2P or sell them on the street via CD's?

      AFAIK, there is no law forbiding that in the US.
  • Details... (Score:5, Informative)

    by Anonymous Coward on Thursday July 22, 2004 @10:41AM (#9770050)
    Remember last year when Acxiom had some "minor" security issues? It was slashdotted, here [slashdot.org] and here [slashdot.org]. Their nightmare is far from over. Just yesterday a 144-count indictment [arkansasbusiness.com] was slapped to Scott Levine, 45, of Boca Raton, Fla.-based Snipermail.com Inc. Levine was charged with conspiracy, unauthorized access of a protected computer, access device fraud, money laundering and obstruction of justice, according to the indictment. Did I mention he accussed of stealing about 8.2 gigs worth of data at the same time Daniel Baas was stealing gigs of data? Baas has already been conviced [usdoj.gov].

    THIS WAS NOT AN INSIDE JOB. Two people from different parts of the country were "hacking" Acxiom at the same time, using the same vulnerability. Neither of them even knew each other. Acxiom's security was a flaming turd.

    Search all the Daniel Baas articles and you will find he cracked a password file they had in a public directory on the ftp server. This guy did the same thing. Acxiom should be shutdown for their stupidity.

  • Why not me? (Score:4, Funny)

    by scowling ( 215030 ) on Thursday July 22, 2004 @10:59AM (#9770241) Homepage
    Some days I wish someone would take my identity.
  • the cooperating employees are at snipermail,
    according to the CNN article.
  • 8.2 Gbytes is pretty puny by modern standards. It's a couple of DVD-ROM's.

    That said, it's enough (if compressed data) to have the Social Security number of all US Citizens, or all their credit card numbers, etc.

    • Right. If every personal record is, say, 256 bytes or so, that's still an awful lot of very sensitive data.

      Spammers exchange lists of verified e-mail addresses every day. Those files don't have to be that big, yet they cause a lot of trouble anyway!

    • Re:"Vast amounts" (Score:4, Insightful)

      by laigle ( 614390 ) on Thursday July 22, 2004 @11:30AM (#9770655)
      First off, 8.2 gigs is a LOT of simple data. We're talking about databases here, not mp3s. A few kbytes can give you everything you need to steal someone's identity and more. We're talking about hundreds of thousands or even a few million entries.

      Second, what can you really do with 50 million social security/credit card/name/address matches that you can't do with 1 million? It's not likely this data was stolen just for spam, much larger databases are readily available for that purpose. Even the largest, most nefarious criminal organization would be set for years with a million verified identities to misuse. Even if you could only net a few hundred dollars from each identity theft, that's a LOT of money. And at a certain point the scale of the data overrides your ability to exploit it anyways.
  • "The protection of personal information stored on our nation's computer systems is critical to public trust in those networks and to the health of our economy," said Assistant Attorney General Christopher Wray at a news conference in Washington.

    You hear these dumbasses saying it again and again, how important it is to protect personal information, blah, blah, blah. Yet they are reluctant to create laws that protect personal information, as those in Europe.

    If the protection of personal information were t

    • Yet they are reluctant to create laws that protect personal information, as those in Europe.

      Laws, such as those in Europe, would not, cannot prevent such incidents. They can only penalize the criminals after your data is out in the wild.

      After all...there are laws (with very, very tough penalties) against murder, right?
      • At least in Norway, part of the law involves securing the perosonal data once it comes into the hands of the data controller. So while it may not prevent hackers from trying, it says that the data controller has to establish and maintain the measures required to keep data safe from such attacks.

        Take a look at sections 13 and 14. [datatilsynet.no] There are also special rules to the law that specifically touch on information security, but I don't have a link in English.

        • Right. But that only serves to outline the law to those who would follow it. I applaud those laws and wish we had more of that here, but a criminal, especially an insider, who wants all those db rows will get around them.

          As is oft quoted here on /., "If I can see it or hear it, I can copy it."
      • The laws in Europe would prevent Acxiom from ever doing what they're doing.

        This company, according to reports elsewhere, knows everything about you, and sells that information to anyone it can. Credit card numbers, spending habits, SSN, current and past addresses, everything.

        There is no reason to steal the data when you can just buy it, then resell it over and over and over and over again.

        No wonder identity theft is such a big problem. Nobody freaking takes privacy seriously in this country.
  • If I compile data on someone, their purchases, habits, income and other records, I'm stalking/spying on them.

    If I'm a company compiling 8GB or such data on hundreds of thousands of people, I'm doing market research.

    If I'm a single individual who gains access without consent to such a companies data, itself usually obtained without consent, I'm a snooping crook/terrorist/cracker/pervert/thief who gets thrown in jail.

    RFID. Credit Cards. Social Security. How come I can't aquire such data, yet amoralistic multinationals can. Does the fact that I don't want such information in the hands of anyone at all even count? Tinfoil hat or no, no-one likes being snooped upon. Data rape is data rape no matter how drunk someone was on free handouts.
  • 144 identity theft charges... 8.2 GB of data

    Golly! That's 56 MB of data per person! Not only is Big Brother watching, but apparently he's aparently paying closer attention than I am.

  • by richieb ( 3277 ) <richieb@@@gmail...com> on Thursday July 22, 2004 @11:08AM (#9770342) Homepage Journal
    See this book on translucent databases [wayner.org]. The data in such database is useless to all, except those who actually own the data. So, in this case, the stolen data would not be useful to anyone.

  • "Hacked" ? (Score:3, Insightful)

    by Quixote ( 154172 ) on Thursday July 22, 2004 @11:10AM (#9770368) Homepage Journal
    How long have you been working (the term used loosely here) at Slashdot, Michael?

    This wasn't a "hack". It was an inside job: a contractor using a company-provided username/password to access data that he should not have had access to, but did because of lax policies on the part of the company (Acxiom).

    This is not a "hack". It is theft. Plain and simple.

  • ...I know it's in Texas, maybe in Tennessee - that says:

    hack me once, shame on ... shame on you.

    hack me...can't get hacked again!

    --g.w. bush
  • (Ob disc. I have family that works for Axciom.)

    The headline isn't right; there is no second break-in. This is a different crowd of people involved in the same breakin that was discussed earlier. The previous arrest was of the guy who actually broke into the FTP server; this is the arrest of a spammer who used that data.
  • I swear, reading Slashdot is starting to sound like those scrolling news blurbs in Uplink.



    ...
    Company X reports that N gigs of customer information were stolen by an unidentified hacker.


    ...
    Company Y reports that N gigs of project data was deleted by an unidentified hacker.


    ...
    etc., etc., etc.


  • by GPLDAN ( 732269 ) on Thursday July 22, 2004 @11:39AM (#9770762)
    The people that cooperating are not from Acxiom. They are from snipermail. This scumbag Scott Levine and his half-brother, Miguel Castro (Jesus, you can't make these names up, truth is stranger than fiction) created a directed marketing "opt-in" scheme to sell email addresses. They hired a sysadmin by the name of William Clinton (ok, now this is getting positively 'Office Space' like. I'm suprised they didn't have Michael Bolton working there as well.) and good 'ol Billy found that Acxiom ran an unsecured FTP site, which you could CD to /etc and get the password file. He grabbed it and ran crack on it. He decoded 40% of the passwords. They started looging in with those usernames & passwords.

    They weren't clever enough to grab root and cover their tracks or overwrite logfiles, though. These toads remind me of Chris Cooper in Adaptation. Schemin Florida bums without too much upstairs.

    Acxiom hired a security firm to run an audit regarding the PREVIOUS break-in, and the team found that these morons were stealing reams of credit card data with the logins from companies like Microsoft and others. They were then selling the credit card numbers on the black market, mostly overseas.

    This whole sordid tale is laid out in the court documents, which are online and make for a great read. This Scott Levine reminds me of Scott Peterson, in sort of that creepy stupid way, where you know he did it just by the smirk on his face.

    Anyhow, these guys are going to federal pound-you-in-the-ass prison, and hopefully Bill Clinton will cooperate and get off since I doubt with a name like that, he would fare too well in prison.
  • Not theft (Score:4, Interesting)

    by jfengel ( 409917 ) on Thursday July 22, 2004 @11:46AM (#9770852) Homepage Journal
    As many slashdot readers will be sure to point out, this isn't theft. Like music pulled off Kazaa, Acxiom still has the original data, and their use of it is not diminished by this guy having a copy.
    • Re:Not theft (Score:2, Interesting)

      by NeoRete ( 628054 )
      However in this situation, there is money lost as this information facilitates identity theft and bogus credit card charges. Last time I checked, there was no direct money lost for each song that was downloaded via Kazaa.
      • In other words, as long as the guy was pulling the personal data for his own edification, not for any profit, it would be all right?

        Of course there is a difference between "stealing music" (which is deliberately made public, just not _too_ public) and "stealing data" (which is more or less private, modulo the fact that Acxiom themselves are kind of sleazy even having it).

        My little troll was just to point out what I consider to be a hypocritical, but frequent, argument in other threads, that "stealing musi
  • Last Summer, after the *first* hack job occurred at Acxiom, my wife went to interview as software developer for Acxiom, here in Conway, Arkansas. The job she had at the time was for a local post-secondary-based non-profit organization. At the non-profit, all public servers had telnet *only* installed, and they routinely logged in remotely as root (not that it matters). There was no SSH. Okay, so public servers on a college LAN means?

    With that context, what bothered her about her Acxiom interview was the la
  • When the votes are all in one place, and someone has enough money, your votes are available for purchase because someone, somewhere, is a superuser who can't be trusted.
  • by CritterNYC ( 190163 ) on Thursday July 22, 2004 @12:43PM (#9771459) Homepage
    Acxiom is certainly not an example of a very good company. Aside from the fact that they were hacked... twice... and had all their data stolen... twice, they are also an unethical marketing company. They purposely ignore opt-out requests [wired.com] from people who want to get out of their lists. In short, their privacy policies suck.

    Get out of all of their databases ASAP:
    (877) 774-2094
    optout@acxiom.com
  • A number of people have posted comments suggesting that (PTP) the root of the problem here was Acxiom's shoddy security. And have then followed up by posting open-ended questions about "how can we secure the 'Net when bozos like these guys don't lock their doors?"

    There's a simple solution.
    And no, it does not involve jail time for dumb sysadmins (stupidity is not a crime). It is much simpler--it's called tort law. If you are injured by Acxiom's shoddy security practices, you have a legal claim against th

Trap full -- please empty.

Working...