Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.

286 comments

  1. You're amazed by this? by James+A.+A.+Joyce · · Score: 5, Interesting

    "The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will."


    This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies. Insider information will always be leaked by someone out of curiosity or some malicious impulse. They're lucky they were able to find out who it was! At least maybe now they're more likely to improve their security and get it up to scratch. (But probably not.)
    1. Re:You're amazed by this? by TedCheshireAcad · · Score: 1

      Who knows? It could have been a sys admin with root-level access. But still, had there been a decent accounting procedure in place, they would have known when the information was taken.
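
Added illustration (editor's, not part of the thread): the "decent accounting procedure" this comment asks for is, in practice, an audit trail of who read which table and how many rows, plus a rule that fires when an account reads outside its entitlements or pulls far more than its baseline in a short window. The log format, account names, entitlement table and thresholds below are assumptions constructed for the example, not anything the article or the posters describe.

```python
"""Flag bulk or out-of-scope reads in a database audit log.

Added example (not from the thread). The log format, account names,
entitlement table and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: one row-read summary per statement.
# dba_ann does small maintenance reads, app_svc does single-row lookups,
# and etl_bob (entitled only to consumer_master) pulls card_accounts wholesale.
SAMPLE_LOG = """\
2003-08-07T09:01:12 user=dba_ann table=consumer_master rows=40 op=SELECT
2003-08-07T09:02:30 user=dba_ann table=consumer_master rows=12 op=SELECT
2003-08-07T09:15:00 user=etl_bob table=consumer_master rows=5000 op=SELECT
2003-08-07T09:16:00 user=etl_bob table=consumer_master rows=5000 op=SELECT
2003-08-07T09:17:00 user=etl_bob table=card_accounts rows=500000 op=SELECT
2003-08-07T09:18:00 user=etl_bob table=card_accounts rows=500000 op=SELECT
2003-08-07T09:19:00 user=etl_bob table=card_accounts rows=500000 op=SELECT
2003-08-07T10:40:00 user=app_svc table=consumer_master rows=1 op=SELECT
2003-08-07T10:41:00 user=app_svc table=consumer_master rows=1 op=SELECT
"""

# Assumed entitlements: which tables each account is expected to read.
ENTITLEMENTS = {
    "dba_ann": {"consumer_master", "card_accounts"},
    "etl_bob": {"consumer_master"},
    "app_svc": {"consumer_master"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) rows=(\d+) op=(\S+)$")


def parse_log(text):
    """Parse audit lines into dicts; reject anything that does not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts, user, table, rows, op = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "table": table, "rows": int(rows), "op": op})
    return events


def find_anomalies(events, window=timedelta(minutes=10), row_limit=100_000):
    """Return (kind, user, detail, timestamp) alerts.

    out_of_scope: a read of a table the account is not entitled to
                  (reported once per user/table pair).
    bulk_read:    rows read by one account within `window` exceed `row_limit`
                  (reported once per account, when the limit is first crossed).
    """
    alerts = []
    seen_scope = set()
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        allowed = ENTITLEMENTS.get(ev["user"], set())
        if ev["table"] not in allowed and (ev["user"], ev["table"]) not in seen_scope:
            seen_scope.add((ev["user"], ev["table"]))
            alerts.append(("out_of_scope", ev["user"], ev["table"], ev["ts"]))
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        start, total = 0, 0
        for i, ev in enumerate(evs):
            total += ev["rows"]
            # slide the window forward so it spans at most `window`
            while ev["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > row_limit:
                alerts.append(("bulk_read", user, total, ev["ts"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Two caveats a practitioner would add: the rule only catches an insider who exceeds the limit or leaves their entitled tables, so someone entitled to the whole table and patient enough to stay under the threshold is not flagged by volume alone; and the audit trail has to be written to a store the same administrators cannot edit, or the "super-user isn't logged" situation described elsewhere in this thread makes the whole check moot.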

    2. Re:You're amazed by this? by dnoyeb · · Score: 4, Informative

      What amazes me is this was not a hack, it was an inside 'job' if you can even call it a job. So please /. drop the 'database hacked' tagline.

      My CC was compromised at some point. I am unaware, but CapitalOne contacted me last year sometime and said they were sending new CCs out because something got compromised. Was fine with me, no hassle as they like to say.

      But I also learned that a lost/stolen report showed up on my credit report. Unsure how this is viewed by creditors. I hope it's just a note as to why the account was closed and not something that would ever look suspicious.

    3. Re:You're amazed by this? by Anonymous Coward · · Score: 0, Funny

      all your privacy are belong to us

    4. Re:You're amazed by this? by Matt_Fisher · · Score: 1

      Agreed, this is nothing new because the major companies always skip out on the things that they think will never happen. The security for outsiders is huge but if you are really desperate to get in just go work for them.

      --
      --Matt Fisher
    5. Re:You're amazed by this? by bear_phillips · · Score: 1

      "It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will."


      I don't see how this is amazing. I mean someone has to have access to this data or the data would be of no use. Someone has to run the jobs to collect the data to put on tape to sell to outside firms. DBAs have to have access to the table to fix indexes, table corruptions etc. Now if they didn't have a background check, now that would be amazing.

      --
      http://www.windmeadow.com/
    6. Re:You're amazed by this? by Matt_Fisher · · Score: 1

      True, the image I get after reading that is that he had to do nothing to get it. Thus, it was more a point at an icon and read the information that pops up. Not so much a hack to me.

      --
      --Matt Fisher
    7. Re:You're amazed by this? by Anonymous Coward · · Score: 0

      I work for a small hospital software company. Once on our internal WAN, I have access to the personal data of a few dozen thousand patients. Names, addresses, family, insurance, social security numbers, religion, medical history... all of it. The super-user isn't logged, and the security for regular users in a hospital is fairly weak. Anyone with a moderate amount of programming experience could probably get in fairly easily, once they have access to the network.

      Posted Anonymous for obvious reasons.

    8. Re:You're amazed by this? by Anonymous Coward · · Score: 0

      "I mean someone has to have access to this data or the data would be of no use. Someone has to run the jobs to collect the data to put on tape to sell to outside firms."

      I'm sure if it was important to keep the information secure it could be done. It could be encrypted and only people allowed to read it could be able to. Everyone else would just be moving "random" data around.

    9. Re:You're amazed by this? by akaina · · Score: 3, Insightful

      It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.


      You're kidding, right? If you hired me for a DBA job as an administrator then told me that administrators aren't allowed to look at the database, that would be kind of ridiculous, wouldn't it?

      Let's rephrase this scenario.
      Say an Air Force pilot goes AWOL and drops a devastating bomb causing lots of harm. Here's what that quote would sound like:
      "It amazes me that the Army would have such lax security as to allow a pilot to use such weapons at will."

      Does that sound ridiculous to anyone else? DBAs need to do their job. And if this was an inside job it didn't require any actual "hacking", so the title of this story and its delivery are quite misleading.
      --
      Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
    10. Re:You're amazed by this? by Zathrus · · Score: 1

      This is, unfortunately, the real world. Lax security such as this is the norm. "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.

      Really? So you've worked at one of these companies then?

      Oh. You haven't.

      So you have friends or family that do?

      Oh. You don't.

      So you're just wildly postulating on shit you don't know anything about?

      Of course. This is /. after all.

      Well, hate to say it, but I have worked at one of these companies, and I have family in a similar line of business as well. The concept of "need to know" is very much alive and well, and most of the companies do make some attempts to ensure it as well. Yes, I had full, unfettered access to the data in the data warehouse (I had absolutely no access to the production customer data, including things like purchases, payments, etc.). I was also a developer that wrote the code to store, massage, and manipulate the data. Hell, I wrote the code to remove "identifying information" from the files so they could be run through a pre-screen process. As contractors, we could see the full data, but the credit card company could not -- at least not during pre-screen. It's the law.

      And I was one of the few people who did have unfettered access. The majority of the credit card company's employees certainly did not.

      Which part of "legitimate access" did you not understand? The guy had the right to be viewing the data, to do manipulations on it, etc. Of course he didn't trip any wires -- he shouldn't have. Maybe the hacks on the external server should've triggered some warnings, but the information available is slim and it's entirely possible that he simply broke the passwords wide open and was able to enter the proper password every time.

      They're lucky they were able to find out who it was!

      Uh... no they weren't. It's called logs. Again... legitimate access. That kind of thing is logged. As would be the access to whatever he got -- which is exactly why they know what was stolen.

      Good job on making violent arm thrashing motions and fooling the moderators into thinking you knew what the hell you were talking about though. Shame that it doesn't work on anyone with a clue.

    11. Re:You're amazed by this? by puppy0341 · · Score: 1

      Ya, drop the false headline!

    12. Re:You're amazed by this? by Anonymous Coward · · Score: 1, Insightful

      Unfortunately it doesn't quite work that way. I work for a world-wide 22-billion dollar per year corp. If you have access to /. logs you'll know which one, but it's a major one, a household name. If you live in the US, EU, or Asia chances are you've done business directly, or indirectly with this company.

      I perform data manipulation and reporting for sales and pricing managers. I have full access to about 80% of all databases (there are a few databases that have data we have licenced from other companies, but all data my company owns I have access to). If I didn't have full access to the data I couldn't do my job.

      It would not be a difficult thing to dump every bit of data I have access to into a portable format and walk out with it, except for the fact that it would be several terabytes worth of data. I have the technical skill, and I have the access.

      At some point, companies must simply trust their employees. If that trust is misplaced, something like this (story) happens. Technological security measures cannot prevent an incident like this.

      You remember the old Twilight Zone episode with Dick York where he gets telepathy and "hears" the old guy thinking about robbing the bank? That's reality people. Some Joe does have access to all your money, all of your personal information. The fat guy that mumbles is the one that burns down the building. Why? Because Lambert took his Swingline stapler. That's why you have to go through an FBI check to get a job with any semi-major corp.

      The problem of insider cracking is the most difficult to deal with, because it's simply a matter of trust.

    13. Re:You're amazed by this? by EvilTwinSkippy · · Score: 1

      As a developer, did you ever get the chance to work in that crazy penny scheme from Office Space?

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    14. Re:You're amazed by this? by dfrick · · Score: 1

      I don't think this is "lax security." It's more a problem with HR if an insider who has legitimate access to the data abuses his privileges. This guy was obviously a bad seed and in big companies who's going to notice?

    15. Re:You're amazed by this? by Anonymous Coward · · Score: 0

      problem 1 - how is important information like this allowed to be controlled by those barefoot, toothless, inbred Arkansas hillbillies?

    16. Re:You're amazed by this? by jafac · · Score: 1

      Of course!

      Security costs money. Even internal security. Economic Theory classifies this kind of business expense as "Economic Friction". Improving the efficiency of a business is removing friction from the works. So of course, the ideal of profit generation does not include things like security, worker safety, minimum wages, etc. Of course, this is all following an IDEAL. Unfortunately, many business people can't tell the difference between the theory they learned at MBA school, and real-world practice.

      So they do stuff like hire morons, felons, and such, for minimum wage, for airline security, and the end result is 9/11, and the government's response should have been to improve airline security. But instead, they gave the airlines millions of taxpayer dollars to help bear the costs of loss of business. Then thousands of American jobs were lost when the airlines laid them off.

      Or they do stuff like establish massive ecommerce web presence, with dozens of high-end servers running an insecure OS, because it's cheaper, MUCH cheaper, and put their customers' personal data at risk, because they know that the customers can't understand such complex issues, and it won't be a factor affecting their business decisions. And ultimately, it's the customers who pay when their identity is stolen.

      The root of the problem is that we train our engineers to design and build safe planes or computer systems. But we don't train our business people to be smart enough to implement them in safe ways. And there's no incentive for them to do so, because they always get the government bailout, and consequences are always passed on to the public.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    17. Re:You're amazed by this? by pballsim · · Score: 1

      Umm, so they lack security because somebody who has authorized and legitimate access to information shouldn't have? Does this statement make sense to anybody? So who has access to the information? Should we be able to write the information and not read it? This has more to do with trusting employees, not hacking and not security.

      We are assuming they have crappy security. I have yet to read a real hacker accessing the information.

    18. Re:You're amazed by this? by Anonymous Coward · · Score: 0
      I believe you.

      Why? Because you used the stupendously retarded phrase 'a few dozen thousand'.

      clearly, you're too dumb to lie.

    19. Re:You're amazed by this? by cayenne8 · · Score: 1
      "Now if they didn't have a background check, now that would be amazing."

      There was no background check when I was there. Only a piss test...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    20. Re:You're amazed by this? by Anonymous Coward · · Score: 0

      I don't know if most people know this, but there are a lot of people out there who have access to tons of credit card numbers. My co-workers and I make around $10/hour. I don't know how many credit card numbers I have access to, but it is a lot. Not to mention the usernames and passwords for who knows how many accounts.

  2. corporate speak by Anonymous Coward · · Score: 5, Funny
    ``The data on the servers was a wide variety of information, some of which was personal, some of which was not,'' Jennifer Barrett, the company's chief privacy officer

    Translation: The names of the directories weren't personal data...The files in the directories? well they had the SSN/DOB/Address etc. So, technically, some of the data was personal and some wasn't.

  3. Re:well .... by Rick+Feynman · · Score: 0, Offtopic

    Science is a lot like sex. Sometimes something useful comes of it, but that's not the reason we're doing it

    --
    ZOMG.
  4. like a dba?? by avandesande · · Score: 0, Offtopic

    It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    --
    love is just extroverted narcissism
  5. make sure you Opt Out by dlasley · · Score: 5, Insightful

    whenever a company gives you a chance to Opt Out, take it, no matter what the hassles. this keeps your personal information from getting into databases like this and ensures that even if - as in this case - the information "owner" denies accountability, you still have some protection from recent state and federal legislation.

    sometimes it's good to use the system ...

    --
    when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
    1. Re:make sure you Opt Out by pliny3 · · Score: 2, Interesting

      sometimes it's good to use the system ...

      even better, is there a way i can flood the system with fake data. multiple dobs and mothers maiden names associated with my ssn?

    2. Re:make sure you Opt Out by KillerHamster · · Score: 4, Insightful

      Of course you have no way of knowing whether "opting out" actually removes you from any database. Maybe they just set DO_NOT_CONTACT=1 and keep your data anyway. I guess it could offer legal protection though, and is a good idea.

    3. Re:make sure you Opt Out by baka_boy · · Score: 4, Interesting

      Nice sentiment, but painfully naive -- there is no such thing as an 'opt-out' anymore. Every bit of personal information that private or public interests can gather on you is fair game, and the market for such information will probably only grow as interactive media increasingly replace broadcast channels over the next few decades.

      Personally, I wouldn't mind it so much if the reverse was also true, and those interests scanning your personal history for commercial or criminal trends were also subject to the same level of transparency.

    4. Re:make sure you Opt Out by cxvx · · Score: 2, Insightful
      I'd say otherwise:

      Give them as much fake data as you can get away with. Most of the time there's no reason a company needs your phone number, ...
      That goes especially for websites / software you need to download, ...

      I can't remember the times I said I was a 90 year old Afghan woman that works as a computer programmer and who has an income of >100000$ :)

      --
      If only I could come up with a good sig ...
    5. Re:make sure you Opt Out by Anonymous Coward · · Score: 0

      Huh? My bank did not give me an opt-out option on my account information. Quote: "Acxiom [...] and serves most top credit card companies and retail banks."

    6. Re:make sure you Opt Out by Zathrus · · Score: 3, Informative

      Actually, it doesn't remove you from the database. At least not in any database I've ever seen or worked on.

      What it does do is ensure that they won't send you marketing offers and that they won't sell your information to others for the same purpose. The latter is the important bit.

      If you actually want them to remove your data from the system, then you better be prepared to cease doing business with them and any of their subsidiaries/partners. Which in the case of Acxiom is a rather large portion of the US.

    7. Re:make sure you Opt Out by Zathrus · · Score: 2, Insightful

      The issue, however, is that the Opt-out agreements are often too non-obvious, they expire too quickly (1 year), and the ramifications for not opting out are far broader than people realize.

      That we have to opt-out of "partner sharing agreements" is absurd. The rule should be opt-in, but that's not how it was written, and it sucks. Or if it's opt-out, the term should be for life -- not for a freaking year.

      And no, I'm not one of those privacy nuts. I've actually worked in the system. I've coded for it. And I'm pretty comfy with how it works at a high level (feel free to read some of my past comments on this thread and similar threads). But the pendulum has swung too far in favor of the companies, and too far away from the consumers. No, I don't expect it to change anytime soon, but it doesn't mean I'm happy about it.

    8. Re:make sure you Opt Out by Exedore · · Score: 1

      Boy, it sure would suck if a 90 year old Afghan woman swiped your personal data, applied for credit cards in your name, and then accused you of identity theft :)

      --

      I take drugs seriously.

    9. Re:make sure you Opt Out by Anonymous Coward · · Score: 0
      Maybe they just set DO_NOT_CONTACT=1


      As someone in the industry, designing systems for just this purpose, this is exactly what happens. The business has to keep track of its customers, and has to know which ones have opted out. Deleting records prevents both.

    10. Re:make sure you Opt Out by bytesmythe · · Score: 1

      I know for a fact that you do not get removed from the Acxiom databases if you opt-out. They simply put a record of you in another database that is crosschecked when they compile advertising lists.

      The reason is actually pretty straightforward. Acxiom's database is compiled from a large collection of data from other sources and is refreshed continually. If your name and other information were deleted, it would be back in within a month.

      Another thing I find amusing is when people say you should "pollute" the database with false information. The sources that Acxiom uses are the ones most likely to be correct. Acxiom has dozens of sources, and has incredibly large flowcharts related to the reliability of those sources for each different field of information they use. Chances are you aren't fooling anyone by putting your address as "1010011010 Nottelling You Lane" on a warranty information card, since that info is most likely pulled from your mortgage bank.

      --
      bytesmythe
      Hypocrisy is the resin that holds the plywood of society together.
      -- Scott Meyer
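
Added illustration (editor's, not part of the thread): the two comments above describe opt-out as a separate suppression record that is cross-checked when a marketing list is compiled, because the master file is rebuilt from upstream feeds and a deleted record simply comes back on the next refresh. The constructed feeds, record layout and matching rule below are assumptions for the example; hashing the match key so the suppression list holds no cleartext is this example's choice, not something the posters attribute to Acxiom.

```python
"""Opt-out as a suppression list rather than a delete.

Added example (not from the thread). Record layout, the two sample feeds
and the matching rule are assumptions for illustration.
"""
import hashlib
import re

# Constructed upstream feeds. The same person arrives each quarter with
# slightly different formatting, which is why a one-off delete does not stick.
FEED_Q2 = [
    {"name": "Jane Q. Doe", "street": "12 Main Street", "zip": "72201"},
    {"name": "Bob Roe", "street": "7 Elm Ave", "zip": "72202"},
]
FEED_Q3 = [
    {"name": "JANE DOE", "street": "12 MAIN ST.", "zip": "72201-1234"},
    {"name": "Bob Roe", "street": "7 Elm Ave", "zip": "72202"},
    {"name": "Carol Poe", "street": "3 Oak Rd", "zip": "72203"},
]


def match_key(record):
    """Canonicalise name/street/ZIP and hash them into a matching key.

    First and last name token only, punctuation stripped, 'street' -> 'st',
    ZIP truncated to five digits. Hashing keeps cleartext PII out of the
    suppression list itself (an assumption of this example, not of the thread).
    """
    tokens = re.sub(r"[^a-z ]", "", record["name"].lower()).split()
    name = f"{tokens[0]} {tokens[-1]}" if tokens else ""
    street = re.sub(r"[^a-z0-9 ]", "", record["street"].lower())
    street = " ".join(re.sub(r"\bstreet\b", "st", street).split())
    zip5 = re.sub(r"\D", "", record["zip"])[:5]
    return hashlib.sha256(f"{name}|{street}|{zip5}".encode()).hexdigest()


def refresh(master, feed):
    """Rebuild the master file from an upstream feed, keyed by match_key."""
    by_key = {match_key(r): r for r in master}
    for r in feed:
        by_key[match_key(r)] = r
    return list(by_key.values())


def delete_then_refresh(master, opt_out, feed):
    """The naive approach: drop the record, then take the next feed."""
    trimmed = [r for r in master if match_key(r) != match_key(opt_out)]
    return refresh(trimmed, feed)


class SuppressionList:
    """Opt-outs stored separately and applied at list-compile time."""

    def __init__(self):
        self._keys = set()

    def add(self, record):
        self._keys.add(match_key(record))

    def contains(self, record):
        return match_key(record) in self._keys


def compile_marketing_list(master, suppression):
    """Everything in the master file minus anyone on the suppression list."""
    return [r for r in master if not suppression.contains(r)]


def is_present(records, person):
    """True if any record canonicalises to the same identity as `person`."""
    return any(match_key(r) == match_key(person) for r in records)


if __name__ == "__main__":
    jane = FEED_Q2[0]
    after_delete = delete_then_refresh(FEED_Q2, jane, FEED_Q3)
    print("deleted then refreshed, Jane back:", is_present(after_delete, jane))
    suppression = SuppressionList()
    suppression.add(jane)
    mailing = compile_marketing_list(refresh(FEED_Q2, FEED_Q3), suppression)
    print("suppressed, Jane in mailing list:", is_present(mailing, jane))
```

The design point is the one the thread makes: the suppression list is itself a record of the person, so opting out leaves a footprint rather than removing one. The canonicalisation is also the weak spot; a match key that is too loose suppresses the wrong household, and one that is too strict lets a reformatted record of the same person through on the next refresh.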
    11. Re:make sure you Opt Out by pmz · · Score: 1

      whenever a company gives you a chance to Opt Out, take it, no matter what the hassles.

      As a consumer, it is much wiser to do business with companies who have very good up-front privacy policies. I found an ISP, for example, whose price was just as good as everyone else's but also had a top-notch simple privacy policy ("We will not sell your data, period.")

      If I started a business, the first thing I would tell customers is that their data is strictly for the business transaction. Making customers comfortable is more important for repeat business than raping them of their data and selling it for a quick buck.

    12. Re:make sure you Opt Out by Anonymous Coward · · Score: 0

      Actually who do you think maintains the opt-out lists that are created and ensures companies don't mail or contact you (through a product called "suppression")? That is right, the same company that has all that data.

    13. Re:make sure you Opt Out by jesterzog · · Score: 1

      whenever a company gives you a chance to Opt Out, take it, no matter what the hassles.

      I'm very conscious about being careful of my personal information and where it goes, but I disagree with this indiscriminate approach. Sometimes there actually is good will and you do lose something. Not every database is used for evil corporate data mining -- some of it's actually used to your advantage. Getting too paranoid can cost you.

      I'm speaking from the perspective of having been a membership secretary of a small society for upwards of three years. Locally (it's New Zealand) we're required by law to ask permission before sharing people's contact information. Consequently, there's a question on the membership and renewal forms asking people if they want their contact details to be made available to other members of the society. It also indicated that we'd assume the answer was "no" if it wasn't explicitly "yes". (This is required by law, but we said it anyway.)

      I made a proactive effort to make myself available for answering questions and concerns, but still a lot of people (maybe twenty percent) answered No. This is fine, as some people have good reasons for not wanting such details made available to others. The frustrating thing was that a much larger proportion of people didn't even bother to answer the question. Ironically, a couple of times when I chased up some of these people to make sure they knew they'd missed it, I was accused of trying to manipulate them into letting us do unspecified devious things with their personal information. (Keep in mind this is a small, social non-profit society.)

      Later on we published a membership booklet (for members only) with a contact list, and about half the people were just listed with names and no contact details. Since it's a relatively small society (~150 people) in which people get the most from communicating, there were quite a few disappointed members who simply weren't able to be contacted by others and therefore less able to participate because they either hadn't bothered to answer, or they'd been overly paranoid.

      The most annoying part of this for me was that these people then wanted me to act as some kind of proxy for contacting other people. I'd have to contact an unlisted person, ask if they minded me passing on their details, and then deal with it from there. Most of the time it was more effort than I could be bothered with, so I just told them it was their own problem.

  6. Insiders by Hayzeus · · Score: 4, Interesting

    At least as of a couple of years ago, INTERNAL security threats were really the major issue for most companies. Despite the fact that insider breaches probably tend to get less press, I bet this is still the case, although I don't know for sure. Anyone?

    1. Re:Insiders by Anonymous Coward · · Score: 0

      Is it really hacking if the person had legitimate access to the information? Isn't it more of "illegal data backups."

      The reason most companies keep this silent is because they don't want the world to know they have sub-par security or they don't know themselves. It says here that they didn't know until the police called them. I bet they would have never known if this guy was not caught by cops.

    2. Re:Insiders by deadcasuals · · Score: 1

      Unfortunately, network security these days often resembles an M&M... Hard, crunchy outside. Soft, chewy inside.

      Are you g00r00?

    3. Re:Insiders by Anonymous Coward · · Score: 0

      Internal security threats have ALWAYS been the worst, as far as I know.

      Too many people abuse their access somehow & there aren't usually enough provisions to see who did what & whether they needed to...

  7. I guess... by Anonymous Coward · · Score: 0


    It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    Have you been under a rock for the past...100 years?

  8. Re:What OS? by duffbeer703 · · Score: 2, Funny

    I setup AS/400 web solutions for my clients. They are ultimately secure because no hacker would know what to do if he broke into the system.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  9. Security Test by Anonymous Coward · · Score: 0, Funny

    When hackers say they want to hack into a system to "expose the security flaws" of the system, I want to kick them square in the groin to "expose the security flaws" of their pants.

  10. There's no linked article for this story. by James+A.+A.+Joyce · · Score: 0

    And I have a question to ask: what kind of data exactly was left vulnerable by this hacking? Is it credit card information, names and addresses, phone numbers, credit ratings, all of the above?

    1. Re:There's no linked article for this story. by twoslice · · Score: 1

      Unfortunately the perpetrator did not have enough time or wisdom or foresight to post the information about his endeavours on Slashdot.

      --

      From excellent karma to terrible karma with a single +5 funny post...
    2. Re:There's no linked article for this story. by Anonymous Coward · · Score: 0

      Yes, all that along with information like the value of your home (housing sales), your probable income (census and tax info gives average incomes for people living in areas down to blocks I believe). Credit card numbers, SSN, purchases you have made. That's all probably there. That's what that company does.

      Be afraid, be very afraid.

      A family member used to work there..

  11. Legal responsibility by Doesn't_Comment_Code · · Score: 5, Insightful

    While it isn't really anyone's fault if a good hacker gets to them (especially on the inside!), this raises a really good legal point. YOU SHOULDN'T DATA MINE UNLESS YOU CAN PROTECT THE DATA!

    That company took on a huge responsibility when they started tracking millions of consumers. And they should be held responsible for any damages that occur due to dissemination of private information.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Legal responsibility by gbjbaanb · · Score: 3, Insightful

      whatever makes you think it was a hacker - the employee had access to the data, copied it off and took it away. No doubt he tried to sell it and was caught doing so.

      Hacker? If I walk away with the sourcecode I'm writing for my current company, does that make me a hacker? of course not. If this guy (who could be the data protection officer for all we know) took away the data in his keeping, that doesn't make him a hacker either.

      Similarly - all the posts about 'if you can't keep it secure you shouldn't have it' are stupid - with that argument, absolutely no-one should be able to keep the data... and therefore no-one should have a credit card.. and we should all go live in wigwams like nature intended, man.

    2. Re:Legal responsibility by Doesn't_Comment_Code · · Score: 3, Insightful

      all the posts about 'if you can't keep it secure you shouldn't have it' are stupid ... and therefore no-one should have a credit card

      No they aren't stupid. It is a very different thing to have possession of your own private information, and to have possession of many other peoples' private information. I can and do protect my own credit card. But if a company is holding my private information, there is nothing I can do to keep it secure. Therefore I still say, don't keep my sensitive data on file if you aren't willing to or can't protect it.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    3. Re:Legal responsibility by baka_boy · · Score: 1

      Personally, I think that getting rid of credit cards, or at least the whole credit rating system that dominates so much of Western business, wouldn't be that bad of an idea. While Americans are better off in terms of income than just about every other country out there, they also have ridiculous debt loads -- i.e., on the order of 1.5 to 2 times their yearly income.

      Personally, I'm amazed by the number of people who constantly complain about taxes, lack of promotion/raises at work, or any other excuse to explain their financial problems, and yet are actually proud of the fact that they pay out 10-20% interest rates on thousands or tens of thousands of dollars in credit card debt.

      Acxiom *is* responsible for what happens to the personal data they're entrusted with -- whether or not there are legal ramifications, this should affect their credibility (no pun intended) with clients. My only fear is that the current Federal administration will use this as an excuse to institute further "anti-terrorism" measures to combat "hackers", meaning anyone with the means and desire to research and experiment with security, crypto, and networking.

    4. Re:Legal responsibility by B'Trey · · Score: 4, Insightful

      Yes and no. If you have my data, it's your responsibility to keep it protected. That being said, no system is foolproof. Particularly, it's impossible to completely protect data from insiders - people who have legitimate access to the data but choose to abuse that access.

      The impossibility of absolute protection, however, doesn't relieve the company from responsibility. The company is responsible for taking all reasonable measures to protect my data. If they do not do so, they are (or at least should be) criminally negligent. If they do take reasonable precautions and a violation occurs anyway, they're at least responsible for notifying me that my information has been compromised, identifying the vulnerability that led to the violation, and taking steps to ensure that it doesn't happen again.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    5. Re:Legal responsibility by tanguyr · · Score: 2, Informative

      According to this version, the person in question wasn't an Acxiom employee but rather a former employee of one of their clients who still had legitimate access to the server in question (so his employers had been lax in notifying Acxiom to shut off his access). OTOH, the article also mentions that data from several of their clients was compromised, albeit in encrypted form, which is still somewhat shoddy for a company of this type: if the guy had been able to access his ex-employer's data then the blame is on them (the ex-employer), but if he can get at stuff from other companies then Acxiom has some explaining to do. /t

      --
      #!/usr/bin/english
    6. Re:Legal responsibility by minus9 · · Score: 4, Interesting

      Somebody inside the organisation has to have access to the data, otherwise why bother storing it.

      Can I interest you in a write only drive array?

      It seems any crime perpetrated within 500 yards of a computer is now termed "hacking".

    7. Re:Legal responsibility by Zathrus · · Score: 2, Insightful

      I could debunk your concept in detail, but I'm lazy and will simply refer you to another post of mine. There's actually a couple other posts of mine under it that more closely hone to your wish of eliminating the credit rating system, and why it would be a Bad Thing.

      BTW, debt load is a choice. My wife and I pay interest only on our mortgage, cars, and her student loan. We use credit cards for nearly everything, but they're paid in full each and every month.

      Without more details on the case I can't say whether or not Acxiom should be held liable... it depends on just how far out of bounds the employee went when retrieving the data. If it was done entirely with authorized access, and they can show they're doing a good job on logging, controlling access, etc. then there's really very little that they could've done against a malicious employee. This is true in any industry, not just this one.

    8. Re:Legal responsibility by Chatterton · · Score: 1

      Wrong. Start from the hypothesis that the credit card company can't keep their files secure; then they can't have them. But credit card companies need those files to store the relation between your credit card number and your account number. If they can't keep those files, the credit card business is not viable, then does not exist, then no credit card...

    9. Re:Legal responsibility by poor_boi · · Score: 1

      I fail to see how a database company maintaining a customer database constitutes "data mining." You might as well just say: if you can't do a job right, don't do it.

      We'd all be better off if every company took that moral stance to heart. But, we all know it ain't gonna happen.

      pb

    10. Re:Legal responsibility by diersing · · Score: 1
      If I am the only source of the information I can keep it private. The fact that your information is in some giant database... it's not really private anymore, is it? The database owners, sysadmins, credit card companies, etc. have access. Is it sensitive? Yes. Private? No.

      Why is he being called a hacker? What did he hack? Copying and pasting just isn't impressing me with 1337 skills. The guy prolly had the rights to the data anyway; you can't lock out every root, domain admin, DBA, or service account. An abuse of rights? Hell yes. A hack? No.

    11. Re:Legal responsibility by jo42 · · Score: 1

      > We use credit cards for nearly everything, but they're paid in full each and every month.

      Bad consumer! You are costing the retailer 2-3% of the sale each time you use a credit card. You are making the credit card companies richer for no good reason at all. Use cash or debit cards.

    12. Re:Legal responsibility by Zathrus · · Score: 3, Insightful

      What, you think debit cards are cheaper?

      They aren't. They're more expensive in fact -- they usually have a per transaction fee on top of the exact same percentage that the credit card takes. At the very least they're the exact same cost as credit cards with less consumer protection.

      Cash gives you absolutely no protection against bad merchants or merchandise, while credit cards give you several protections and guarantees. Very few companies give cash discounts (and you cannot charge extra for using credit -- if you do, you'll lose your merchant account). Not to mention that credit cards are a helluva lot more convenient than cash for most transactions.

      If you can't manage your finances, go ahead and use debit cards or cash. We can, and do, and getting 30-60 days of free float is nice, plus the various additional protections credit cards provide. In fact, I find it humorous that your advice is in direct opposition to the advice given by consumer advocates. Sorry, I'm not a retailer. I see no reason to offer them extra money. If they don't feel that credit cards are worth the costs, then they can decline to accept them. Of course, I may decline to use their services at that point -- and probably will if I need to pay more than $20 for whatever I'm buying.

    13. Re:Legal responsibility by dogfart · · Score: 1
      Similarly - all the posts about 'if you can't keep it secure you shouldn't have it' are stupid - with that argument, absolutely no-one should be able to keep the data... and therefore no-one should have a credit card..

      If the data were protected as well as credit card processors or banks do, this would not have happened. Financial institutions are subject to INCREDIBLE regulations on data security, that are enforced by armies of examiners and auditors. There are also severe enforcement mechanisms for those who steal data - someone walking off with account info from a bank would be facing a federal prison term.

      Consumer market data companies, by contrast, are completely unregulated and subject to no oversight. The industry would prefer not to have to spend the money to do so, and to hell with the consequences.

      --

      "dope will get you through times of no money better than money will get you through times of no dope"

    14. Re:Legal responsibility by Dalcius · · Score: 4, Insightful

      A few words that might mean something:

      1) Logging
      2) Audit
      3) Privileges
      4) Accountability
      5) Background-check

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    15. Re:Legal responsibility by Anonymous Coward · · Score: 0

      We aren't talking about a mom and pop store with a mailing list. This is a multi-billion dollar business and anyone who gets ahold of this kind of record of you can in effect become you. Good luck cleaning that up.

      It is not hard to protect data at all. You just implement good authentication systems, not just passwords, but also those pendants with the changing PIN numbers.

      Then once you know who is who on the network, you log everything and tell everyone that everything is being logged.

      The security people have no access to customer records and the other people have no access to the security systems. I.E., you don't have to guard the guards, cause they don't know anything.

      So, if someone accesses a few thousand records in a single day that shouldn't be, it is easily detected and dealt with before it is raised to the level of millions of customer files stolen as in this case.

      It is sad and pathetic that the company had no clue as to who has been accessing what records in their database.

    16. Re:Legal responsibility by PylonHead · · Score: 4, Insightful

      While your comment has a lot of merit, it is not really a response to the parent.

      It is as silly to call this hacking as it would be to call a bank manager's embezzlement, "safecracking".

      --
      # (/.);;
      - : float -> float -> float =
    17. Re:Legal responsibility by Dalcius · · Score: 1

      IIRC, it was done by someone outside a firewall working for another company -- someone who didn't have full privileges. IIRC, they had to break into a box to get through the firewall and then into more systems. Or I could just be talking out of my arse. :)

      Some of the reports are sketchy. Sorry if I'm not up to snuff, I'm trying to get some work done today. ;)

      --
      ~Dalcius
      Rome wasn't burnt in a day.
    18. Re:Legal responsibility by MikeVx · · Score: 1
      What, you think debit cards are cheaper?

      They aren't. They're more expensive in fact -- they usually have a per transaction fee on top of the exact same percentage that the credit card takes. At the very least they're the exact same cost as credit cards with less consumer protection.
      That is up to the bank. I have a checking account at a bank just for use with a debit card (I'm not suicidal enough to use a debit card on a "live" account) and this bank gives the same guarantees as a credit card.
      --
      Sigmentation fault - core dumped
    19. Re:Legal responsibility by cayenne8 · · Score: 3, Interesting
      Yeah...I used to work at this place years back. It is SCARY what all they have there...at the time I was there..back in like '98, they claimed to have pretty good info on near 98% of the US...and were just starting to gather data on other countries too. They were even working on trying to develop a unique key to identify all people in the US...and could track you through your life..where you lived, salary, and any other stats about you that might be valuable to sell.

      They gather data from all sources...warranty registration cards, state drivers licenses, Change of Address (Postal)...heck, one of my projects involved cutting the binders off phone books, running them through an optical scanner, and parsing and storing in a database. They use algorithms to find the 'correct' data on all individuals possible. They use this to 'clean' other companies' data. They do sell mailing lists...they even clean and manage the data for the credit bureaus. So...no, they do not house trivial data.

      If TIA needed a source for data ready...I'd recommend Acxiom, if someone hasn't already thought of it.

      Was a nice place to work for..but, being a privacy person...it did conflict with what I believe in in many cases.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    20. Re:Legal responsibility by Snover · · Score: 1

      That's funny, because the USPS doesn't allow you to pay with anything other than cash or a cash equivalent (e.g. debit card).

      --

      [insert witty comment here]
    21. Re:Legal responsibility by collinl · · Score: 1

      Debit is significantly cheaper than credit IF you use a PIN, not signature.
      It's only weird card scheme rules that create huge price difference for the small difference of a signature vs a PIN - a difference settled in a ~$5bn case by Mastercard and Visa in a case against them by Walmart and other retailers.

      Use a PIN, save yourself money, save the merchant money, and reduce your risk of fraudulent use of your signature.
      Now, we just need the card schemes to enforce the strong terminal security like the rest of the developed world has had for 10+ years.

  12. Is this really newsworthy?? by jkrise · · Score: 4, Insightful

    Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all? I mean, we heard recently that some Pakistani broke into Passport .Net and could reset passwords at will. That was more dangerous.

    Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc. The same can't be said about Hotmail hacks or even Windows hacks.

    -

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Is this really newsworthy?? by bourne · · Score: 3, Insightful

      Since the alleged hack was an 'inside job' by a person who had access to the data, is it news at all?

      Yes, in that it illustrates one of the dangers of data mining; you can't always trust the mine companies or the miners they hire.

      Insofar as that "danger" affects anyone whose personal information could end up at a provider like Acxiom, it is relevant to, say, 95% of the /. readership.

      Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO.

      There's this new thing called "Identity Theft" that kind of sucks to be a victim of. Maybe you've heard of it?

      The same can't be said about Hotmail hacks or even Windows hacks.

      *snort* Yeah, cause, you know, Junior's inane personal email is MUCH more important than his financial record.

    2. Re: Is this really newsworthy?? by Black+Parrot · · Score: 4, Insightful


      > Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

      If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers. Who will of course ultimately pass the costs back to the customers.

      There's a lot of PR convenience for "losing" thefts this way, and spreading the costs out thinly. But the cost is still there, and it's real.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Is this really newsworthy?? by StillNeedMoreCoffee · · Score: 1

      "Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. "

      Well, it is a major source of illegal funds for individuals and bad groups. So you're indemnified; the credit card company or the insurance company isn't, and if they get hit, you get hit, in increased rates or harder-to-get credit. They are in business and they make money, your money. It just appears like it does not concern your pocketbook. Look at all the doctors going out of business or out of state because of a different kind of legalized theft by lawyers. Someone is making money here and it's not you or me.

    4. Re:Is this really newsworthy?? by iSwitched · · Score: 1

      While I agree that 'inside jobs', which are more common of a crime, are less newsworthy, this still should concern all of us. The problem here is not that some jerk might buy a bunch of stuff with our credit cards - as you have said, we're mostly protected on all but $50 or so from that sort of crime; the real problem is identity theft.

      If this database had sufficient information (and note it was mentioned they served credit bureaus) this is a real problem. Now the jerk is actually using my data to borrow money, make purchases, enter into contracts, etc.

      The ultimate problem here is not the financial burden, since you would probably not have to pay for the fraudulent activity, but the horror of trying to reassemble your good credit with multiple agencies including credit bureaus, collection agencies, banks, etc. All of which are notoriously slow in correcting errors in their records.

      --
      "That naive cube! How long must I suffer this!" --Sheldon J. Plankton
    5. Re:Is this really newsworthy?? by leeet · · Score: 1

      Most credit card users are indemnified against thefts, misuse etc.

      Yes, and how do those companies pay back the poor credit card user? Money grows on trees over there maybe?

      --
      -- Leeeter than leet
    6. Re:Is this really newsworthy?? by Anonymous Coward · · Score: 0

      The person who did this didn't have legitimate access to the data. They had access to the servers. They used their server access to hack the encryption on clients' passwords and retrieve data for which they were unauthorized.

      I find it amusing that the company is trying to reassure folks that "much of the information taken from the server was encrypted", when the hack itself involved breaking their server's encryption. Of course that's the "Chief Privacy Officer" who's making those statements...

    7. Re: Is this really newsworthy?? by that+_evil+_gleek · · Score: 2, Interesting

      The fact they're calling him a hacker instead of just a thief, is.
      The news stories that do mention that he was an insider with access to that info bury it in paragraphs 3 or 4. It's not hacking, he had access. If a guy you've given keys to the safe walks out with the payroll, then he's a thief, but there's no breaking and entering.
      I see two factors: media chic, they love to use the word "hacker".
      The company, and companies in general, want to minimize the fact that they were slack, so they use the word hacker to make people think it was the computer equivalent of a cat-burglar.

      My guess is that they set up their db in a real slack way, and they ended up giving out more db access to more employees than they should have --not enough tiers of users.
      Not hacking, because they messed up when they gave him that much access in the first place. The problem with that is, since most people don't really think about anything, more than just making sure that they're doing everything that everyone else is doing, that other companies won't learn either.

      And you'd be surprised how technical some people can be when it comes to "snooping". People who never seem smart enough about computers to figure something out suddenly have all kinds of extra capacity if their motivation is snooping.

    8. Re: Is this really newsworthy?? by TwistedGreen · · Score: 1

      ...and that company's employees are also customers to thousands of other businesses, whose employees are in turn customers to thousands more. A theft in this system will inevitably affect hundreds of thousands of people and businesses alike, but the cycle of wealth continues unabated.

      It's not that big a deal.

    9. Re: Is this really newsworthy?? by Electrum · · Score: 0

      If the cardholders are indemnified it just means the cost of the theft is passed back to the card company, the vendors, or their insurers.

      Hahahaha. The merchant always gets hit. The credit card companies never take a loss for anything. Remember all those commercials about not being responsible for fraudulent purchases? Visa simply charges it back to the merchant, along with a nice charge back fee.

  13. Acxiom vs. the government by jamie · · Score: 5, Informative
    Acxiom was the first company listed in Microsoft's November 1998 parade of members of their Online Privacy Alliance. The OPA's goal was to keep the feds away: "The alliance advocates industry self-regulation as the best way to ensure that consumers maintain control of their personal data online."

    Acxiom warned TRUSTe members in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.

    I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

    1. Re: Acxiom vs. the government by Black+Parrot · · Score: 4, Insightful


      > I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

      Of course you don't refer to a look of surprise; you refer to the calculating look of someone trying to figure out how to avoid responsibility, minimize the financial hit, and continue to forestall privacy legislation in the future.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Acxiom vs. the government by CaptainCap · · Score: 1

      I was wondering what genius came up with the name "Acxiom." It's stupid, but it gets them near the top of alphabetical listings.

    3. Re:Acxiom vs. the government by Anonymous Coward · · Score: 0

      The company started in a city named Conway and was, at one point, called Conway Communications Exchange and referred to as CCX. Later, when the name was changed, they took the word 'Axiom' and put the 'cx' in it as a reference to the former name.

  14. Contradictory by mccalli · · Score: 5, Insightful
    ...a hacker has broken into an Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.

    Cheers,
    Ian

    1. Re:Contradictory by pubjames · · Score: 4, Informative

      This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad.

      I don't think it is as simple as that. Just because it is an inside job doesn't mean that the company does not have lax security.

      I have worked on software systems for the management of transaction data for some major banks. Do you think they gave me access to their databases to do the work? No way Jose. They gave me access to duplicate systems with dummy data. Only a very few people had access to the 'real' data (even within the bank) and even then their access was strictly controlled - I mean they had to get permission to get physical access to terminals that could access the data, and they had to justify why, and all their actions were logged.

      Anecdote - I once was working in a bank's bomb-proof super-secure data room doing an install on one of their transaction processing systems. The install took a while and I was bored out of my mind. I was idly curious to see what was on the screen of one of the many terminals in the room, so I touched the space key to activate the monitor. About two minutes later the room was full of bank security guys asking what the hell I thought I was doing.

    2. Re: Contradictory by Black+Parrot · · Score: 1


      > This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.

      I would say that if it was a simple matter of peeking, but since the employee apparently downloaded some of the data without them knowing it I would say that there's a problem with their security policies and controls.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Contradictory by karnal · · Score: 1

      *note to self* - next time, hit the shift key. :)

      --
      Karnal
    4. Re:Contradictory by girl_geek_antinomy · · Score: 2, Insightful

      As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.

      I'd argue that human and physical security are probably the two *most* important aspects of information security. It's pretty obvious that the person with physical access to the machines on which information is stored has rather an impressive leg up in compromising any security procedures that might be in place, let alone systems where users can saunter straight into the sensitive data. Security policies, if considered and properly created, should put great stress on the importance of the human element.

    5. Re:Contradictory by TheMidget · · Score: 1
      It is, however, a criticism of their hiring and monitoring policies.

      Or maybe of their firing policies. Maybe the guy somehow got wind that he was on the list for next month, and decided to do something... In this economy, this seems more likely.

    6. Re:Contradictory by *weasel · · Score: 2, Funny

      bomb proof?
      colocation? offsite backups? fully redundant systems?

      operation mayhem will have to make note to be thorough.

      --
      // "Can't clowns and pirates just -try- to get along?"
    7. Re:Contradictory by wfberg · · Score: 2, Insightful

      A person with legitimate access to data went bad.

      Actually they used their existing access to gain new privileges, cracking (or guessing) passwords in the process.

      Never the less, it's an important point to reflect on what "legitimate access" means. Most companies allow any employee access to all of their data, especially smaller companies. Publicly traded companies usually take better care of strategic information, but not of their customers' private data, at all.

      While the army won't let you see any 'secret' data even if you have a 'secret' clearance and appropriate rank if you don't have a 'need to know', businesses often have no policies that describe need-to-know, abuse of privileges or abuse of authority, let alone do they audit/log who accesses/alters which data.

      --
      SCO employee? Check out the bounty
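
The "need to know" scoping and per-access logging that pubjames and wfberg describe above, as an added example (not code from the thread, from Acxiom, or from any bank): every record is tagged with the client it belongs to, every account is entitled only to a fixed set of clients, a client can revoke an account the day an employee leaves, and every read attempt, allowed or denied, is written to an audit trail before any data is returned. Client names, user names and payloads are constructed for illustration.

```python
"""Need-to-know authorization with a per-decision audit trail.

Added example, not code from the thread or from Acxiom: every record is
tagged with the client it belongs to, every account is entitled to a
fixed set of clients, an employer can revoke an account, and every read
attempt, allowed or denied, is logged before any data is returned.
Client names, users and payloads below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_client: str   # the client whose data this row is
    payload: str


@dataclass
class Account:
    user: str
    clients: FrozenSet[str]   # clients this user has a need-to-know for
    active: bool = True       # cleared when the employer revokes access


class DataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self._accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []   # one event per access decision

    def add_record(self, rec: Record) -> None:
        self._records[rec.record_id] = rec

    def add_account(self, acct: Account) -> None:
        self._accounts[acct.user] = acct

    def deactivate(self, user: str) -> None:
        """What a client should do the day an employee leaves."""
        if user in self._accounts:
            self._accounts[user].active = False

    def read(self, user: str, record_id: str) -> Optional[str]:
        """Return the payload only if the user is active and scoped to
        the record's owner; log the decision either way."""
        acct = self._accounts.get(user)
        rec = self._records.get(record_id)
        if acct is None or not acct.active:
            decision = "deny:inactive-or-unknown-user"
        elif rec is None:
            decision = "deny:no-such-record"
        elif rec.owner_client not in acct.clients:
            decision = "deny:out-of-scope"   # another client's data
        else:
            decision = "allow"
        # Log before returning, so a denied probe leaves a trace too.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "record": record_id,
            "decision": decision,
        })
        return rec.payload if decision == "allow" else None


def build_demo_store() -> DataStore:
    """Constructed data: two clients, one analyst scoped to bankA only."""
    store = DataStore()
    store.add_record(Record("A-1", "bankA", "bankA row 1"))
    store.add_record(Record("B-1", "bankB", "bankB row 1"))
    store.add_account(Account("alice@bankA", frozenset({"bankA"})))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.read("alice@bankA", "A-1"))   # bankA row 1
    print(s.read("alice@bankA", "B-1"))   # None: out of scope
    s.deactivate("alice@bankA")
    print(s.read("alice@bankA", "A-1"))   # None: access revoked
    for event in s.audit:
        print(event)
```

The point of logging the denials is the one wfberg makes: without a record of who tried to read what, a user walking from their own client's data into another client's is indistinguishable from normal work.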
    8. Re:Contradictory by mummers · · Score: 1

      I've tried preventing users on my network with legitimate access to information from having access to the information they're legitimately allowed access to.

      For some reason they don't seem to appreciate my efforts.

      --
      --This isn't a man who is leaving with his head between his legs.
    9. Re:Contradictory by Anonymous Coward · · Score: 0

      I lived in Conway, Arkansas for 6 years and have seen them consistently hiring the most incompetent dip****s available. This doesn't surprise me at all. I suspect their hiring and security practices are both poor.

    10. Re:Contradictory by Flower · · Score: 1
      Lax security probably required. Security is a process and not exclusively focused on software controls.

      There isn't much to go on in the article but let's start with just some crazy ideas. If the perp was let go under less than optimal circumstances and he had access to passwords then why weren't the passwords changed? Why, when using ftp as a transfer method, wasn't the data being transferred encrypted? Why were they using ftp?

      When they hired this person did they perform a background check against him which included a credit check? Should his position have been bonded?

      What checks and balances does the company use to verify and authorize transactions? Were the transactions in question done at an unusual time? Were there unusual circumstances behind them? Were they logged, flagged, investigated?

      This is just off the top of my head after reading the article. Oh and hiring and monitoring processes are part of security.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
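
The detection the Anonymous Coward above (comment 15 under "Legal responsibility") and Flower both call for, "a few thousand records in a single day" and "done at an unusual time", as an added example that is not code from the thread or from Acxiom: a small detector run over constructed audit-log lines that flags a user whose daily allowed reads exceed a threshold, any access outside business hours, and a burst of denied requests. The log format, user names and thresholds are assumptions made for this example.

```python
"""Flag bulk, off-hours and repeatedly denied record access in an audit log.

Added example, not from the thread: the log format, the user and client
names, and the thresholds are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def _mk(ts: str, user: str, client: str, rec: str, result: str) -> str:
    """Build one constructed audit line in the assumed key=value format."""
    return f"{ts} user={user} client={client} record={rec} action=read result={result}"


# Constructed sample: an analyst doing 20 reads during the day, a
# contractor pulling 300 rows at 2 a.m., and the same contractor then
# being denied 25 times while trying another client's records.
SAMPLE_LOG: List[str] = (
    [_mk(f"2003-08-05T{9 + i % 8:02d}:15:00Z", "analyst1", "bankA", f"R{i}", "allow")
     for i in range(20)]
    + [_mk(f"2003-08-06T02:{i % 60:02d}:00Z", "contractor9", "bankA", f"R{i}", "allow")
       for i in range(300)]
    + [_mk(f"2003-08-06T10:{i % 60:02d}:00Z", "contractor9", "bankB", f"R{i}", "deny")
       for i in range(25)]
)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'ISO-timestamp key=value ...' into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    fields: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines: List[str],
           max_reads_per_day: int = 100,
           max_denies_per_day: int = 10,
           business_hours: Tuple[int, int] = (8, 18)) -> List[Tuple[str, str, str, int]]:
    """Return (user, day, reason, count) alerts, sorted, for the given log."""
    reads = Counter()      # (user, day) -> allowed reads
    denies = Counter()     # (user, day) -> denied requests
    off_hours = Counter()  # (user, day) -> requests outside business hours
    for line in lines:
        e = parse_line(line)
        key = (str(e["user"]), e["ts"].date().isoformat())
        if e["result"] == "allow":
            reads[key] += 1
        else:
            denies[key] += 1
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            off_hours[key] += 1
    alerts = []
    for key, n in reads.items():
        if n > max_reads_per_day:
            alerts.append((*key, "bulk-read", n))
    for key, n in denies.items():
        if n > max_denies_per_day:
            alerts.append((*key, "deny-burst", n))
    for key, n in off_hours.items():
        alerts.append((*key, "off-hours", n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately simple. In practice they would be set per role from a baseline of normal daily volume, but even this crude version separates the analyst's twenty reads from the contractor's three hundred, and the denied burst against a second client is exactly the "can he get at stuff from other companies" question tanguyr raises earlier in the thread.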
    11. Re:Contradictory by alexo · · Score: 1

      > This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad. As such, it's not really a criticism of Acxiom's security policies. It is, however, a criticism of their hiring and monitoring policies.

      Does not matter. The company top level executives should be held accountable. You'll be amazed how fast security practices improve across corporate america once a couple of CEOs get slapped with jail sentences.

      I have a friend who works for NDS. She told me three things about her job:

      1) That NDS (at the time) made the conditional access cards for DirecTV (a fact that was public knowledge).

      2) That the security was really tight (read: polygraph tests)

      3) That she cannot tell me anything else about her job, her project, her employer or its customers and she'll appreciate it if I did not ask.

      The difference between NDS and Acxiom was that NDS was commercially liable if any information got out. In fact, later, DirecTV sued them over the P4 fiasco.

      As much as I dislike the US-led charade, I would not mind if not properly securing personal data of other people that was collected without an explicit authorization was considered "aiding terrorism".

  15. Re:What OS? by Anonymous Coward · · Score: 0

    for how long will that be true?!

  16. Sorta surprised.... not really by Creepy+Crawler · · Score: 1

    I work for a small 8 person IT business in the town I live in. I'm computer help while I go back to college.

    When I first started, I found out there's a bunch of clients (many medical), but when we install, we usually use simplistic passwords. Simplistic as in Roberts' wordlist. We don't even change them either. We also have a Winnt4 domain controller for our internal fileserver that simply shares 4 directories. ALL OF THEM HAVE GLOBAL +RWX ON EVERYBODY.

    Even the school I go to has decent protections on their shares.

    --
    1. Re:Sorta surprised.... not really by Hayzeus · · Score: 1

      And where did you work, exactly? Please be pr3cis3.

    2. Re:Sorta surprised.... not really by Creepy+Crawler · · Score: 1

      Do I really HAVE to spell it out for you?

      I'm a troll. That's a karma-whore'ish comment so I can continue to troll.

      Or that's what I want you to believe.

      --
    3. Re:Sorta surprised.... not really by Anonymous Coward · · Score: 0

      I'm a troll.


      And you have more than your share of pimples as well. May I suggest the following
      How to pop a pimple might benefit immature kids? Be careful not to pop your brain as well, if you have any.

    4. Re:Sorta surprised.... not really by Anonymous Coward · · Score: 0

      Well, your troll didn't work.

  17. What about Calif. law requiring disclosure? by mstockman · · Score: 3, Interesting

    Anybody know how the recent California law requiring companies to disclose when their data is compromised would apply to this case? If the primary victim in this case notifies its clients (call them secondary victims), are they then required (if they do biz in California) to notify the tertiary victims (their customers)?

    Just wondering how all of this may play out...

  18. Newsflash - Insiders breaking in and steal data! by Anonymous Coward · · Score: 0
    It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will


    That doesn't amaze me at all. Who knows what kind of access that employee had. Maybe he was the person responsible for security. Besides, it was a "Break-In" which implies circumvension[sic] of security measures. Now, what's so amazing about that?

  19. Re:What OS? by Anonymous Coward · · Score: 0

    you post as AC, but include a sig?
    heh
    silly billy

  20. California? by jeffy124 · · Score: 1

    Didn't CA recently pass a law requiring disclosure of breaches involving CA residents? Anyone know if this applies here? Are Acxiom's client companies mandated to contact their clients, and so on down the tree?

    I'm not in CA, but there's a strong likelihood someone from CA had data in this system.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  21. identity theft very unlikely by stonebeat.org · · Score: 1

    Over the news I heard them saying chances of identity theft are slim, by using the stolen data.
    Ha!
    Chances of identity theft are high even when the data is not stolen. :)

  22. I wouldn't call this a hack by bwindle2 · · Score: 3, Insightful

    The person had legitimate access to the system. I wouldn't call using your legitimate access to then, *GASP*, access that system, a hack.

  23. Not so worried by Anonymous Coward · · Score: 1, Interesting

    One of my first jobs was running some hot laser printers for a junk mailer. I believe we used lists from Acxiom. The most damage you could do with one of these lists would be to shill for publishers clearing house. No identity theft with this list. When you would check the test pages you would often find names that were clearly misspelled or total garbage. Wake me when it's a credit card/banking database.

    1. Re:Not so worried by Exiler · · Score: 1

      "serves most top credit card companies and retail banks." ...*wakes*

      --
      Banaaaana!
    2. Re:Not so worried by bourne · · Score: 1

      One of my first jobs was running some hot laser printers for a junk mailer. I believe we used lists from Acxiom. The most damage you could do with one of these lists would be to shill for publishers clearing house. No identity theft with this list.

      Ya think maybe they don't sell the full details to junk mailers who only want to do mailing lists?

      Wake me when it's a credit card/banking database.

      Acxiom does have services customized to Financial Services, Healthcare and Insurance, among others. I bet they use more than mailing labels to "Analyze data and target prospects with the same characteristics as your most profitable customers." It'd be interesting to know what information helps "Create a 360-degree view of healthcare customers."

    3. Re:Not so worried by Anonymous Coward · · Score: 0

      Mailing lists are one of their businesses. As I understand it, they get targeted and "merged" mailing lists from lots of data pulled from different sources. They also do data mining for credit card companies and large stores, matching census and financial data together (mortgage and home sale type stuff). So they have a pretty clear picture of individuals and lots of information (like what purchases you have made at stores). Had a family member that worked there once.

  24. Re:What OS? by Anonymous Coward · · Score: 0

    Either one can be rock solid or practically hand out private information, depending on whether it was set up by someone in the know or a barrel of ass monkeys.

    I know nothing about MySQL but Linux is doing better with security than Microsoft in my books. With Red Hat I can push updated RPMs from RHN and the system is always as secure as possible barring foolish configuration errors. Furthermore, because the only patches that require a reboot are kernel patches (and even those can be done without rebooting immediately, they just won't take effect until it is), I can do the majority on the fly. Can you say that about your precious Windows rebootathon?

    Yes, Windows has its advantages. Yes, Linux has its advantages.

    And as a final thought, how long has 2003 server been out? And what of your Windows 2000 e-commerce sites before that?

  25. if he can do it... by freedommatters · · Score: 0
    this is one guy, an ex-employee of one of their clients. they deal with 14 out of the 15 top credit card companies, 7 of the top 10 auto makers and 5 of the top 6 retail banks... jeez, that's a lot of potential ex-employees to go around with grudges.

    tick the box folks, ditch the loyalty cards. don't give them any more data.

    1. Re:if he can do it... by tanguyr · · Score: 1

      Yes, but data from several customers was compromised. So, Acxiom, please make sure that a disgruntled former employee of customer X can't access the data of customer Y...

      Doesn't it kind of sound like this server he "cracked" was some kind of ftp drop box used by a whole bunch of customers to upload data files... and that the permissions weren't set up by a smart sysadmin? Of course, "polite" users never stray outside their directory...

      --
      #!/usr/bin/english
  26. Re:What OS? by Anonymous Coward · · Score: 0

    right, no one ever hacks IIS servers ....

    FYI ... I and many others run Linux/Apache/MySQL for years, never once had a single machine hacked.

    I suspect this is a troll ;)

  27. Re:What OS? by Lord_Slepnir · · Score: 1

    Don't be so sure. He might suddenly remember that he played a game like that on his PS, and then it would be all over.

  28. Axciom - facilitating spam by gorbachev · · Score: 3, Informative

    About a year or so ago people started getting spam addressed to the wrong "John Smith". Some folks tracked the spam to Acxiom. It appears that they'd started selling e-pending services for their clients.

    Basically a client supplies information about the consumer (name, partial address, etc.) to Acxiom. Acxiom then takes their best guess as to what the email address for the consumer might be.

    Where the problems come with this approach is when you have a common name and your address information is incomplete. Acxiom will happily give the client the best guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.

    But, hey, you can always opt-out...one client at a time...

    Proletariat of the world, unite to kill spammers

    --
    In Soviet Russia, I ruled you
    1. Re:Axciom - facilitating spam by CaptainCap · · Score: 1

      Oh, you're not the John Smith that we intended to spam?
      We will gladly take your name off our list. Now, what is your social security number and your mother's maiden name? We wouldn't want to make any mistakes!

    2. Re:Axciom - facilitating spam by gorbachev · · Score: 1

      Exactly...

      To get on the list is automatic. You can't even prevent it.

      To get off the list you have to go over so many hoops, most people probably won't bother. I tried doing that sometime ago, btw. They will mail you paper forms.

      --
      In Soviet Russia, I ruled you
  29. Person with permission to access = Hacked? by andcal · · Score: 2, Insightful

    Just a question about the terminology used in the headline there.
    I'm no walking dictionary, but I thought the word "hack" (translated as "crack" to technical folks - I don't even want to open that can of worms) suggested someone somehow getting access to something that they do not legitimately have access to.

    --
    --something witty
    1. Re:Person with permission to access = Hacked? by _xeno_ · · Score: 1
      Yeah, the Slashdot writeup is a little confusing, and a lot of people seem to have gotten mixed up by this. As it turns out, according to the New York Times article, this was basically a "local exploit" in that the guy was an employee of a client and had legitimate access to the server. (Apparently security was a little lax, though...)

      Anyway, quoting from the article:

      Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

      "They used that access to hack into the passwords of other clients," she said.

      Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used "for clients to transfer files to us and for us to transfer files back to the clients," she said.

      Barrett said much of the information taken from the server was encrypted and that the risk of identity theft is slim.

      Barrett finishes the article off by saying that the information is "nonsensitive" but that seems more like spin control than actual information. Presumably that means that no credit card numbers were stolen, but who knows about information other people might consider sensitive like SSNs or home addresses and the like.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:Person with permission to access = Hacked? by Tsu+Dho+Nimh · · Score: 2, Interesting
      He used legitimate access to HIS files to access files belonging to other Acxiom clients, on a server multiple clients used to upload data (the staging area to leave files to be pulled through the firewall by Acxiom). The news report says he cracked the other clients' passwords.

      What were they thinking when they set up that server? No client should be able to see any other client - it should look like they have the server to themselves.
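
The isolation both this comment and the "Re:if he can do it..." reply above call for (a user of client X unable to reach client Y's directory on a shared drop box; each client seeing the server as if it were theirs alone) can be illustrated as a path-confinement check. This is an added example, not Acxiom's code and not a description of its actual server: it assumes a hypothetical layout in which every client's root is a subdirectory of one base directory, and the client names, file names and contents are constructed for the demonstration.

```python
"""Per-client confinement on a shared file-transfer server.

Added example; not Acxiom's code and not a description of its server. It
assumes a hypothetical layout where every client's root is a subdirectory of
one base directory, and every request is resolved against the requesting
client's root and refused if it lands anywhere else.
"""
import os
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """A request would leave the requesting client's own root."""


def client_root(base: Path, client: str) -> Path:
    # Client names come from authentication, but validate anyway so a name
    # can never itself contain path separators.
    if not client.isalnum():
        raise AccessDenied(f"bad client name: {client!r}")
    return (base / client).resolve()


def resolve_client_path(base: Path, client: str, requested: str) -> Path:
    """Resolve `requested` inside the client's root, rejecting escapes.

    A leading '/' is stripped so absolute paths are treated as relative to
    the client root, and symlinks are followed before the containment
    check so a link planted inside the root cannot point outside it.
    """
    root = client_root(base, client)
    target = (root / requested.lstrip("/")).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise AccessDenied(f"{client}: {requested!r} is outside its root") from None
    return target


def list_client_files(base: Path, client: str) -> list:
    """Listing shows only regular files in the client's own root."""
    root = client_root(base, client)
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and not p.is_symlink())


def read_client_file(base: Path, client: str, requested: str) -> bytes:
    return resolve_client_path(base, client, requested).read_bytes()


def build_demo_tree() -> Path:
    """Constructed sample: two clients, one upload each, plus a symlink
    planted in bankA's directory that points at bankB's upload."""
    base = Path(tempfile.mkdtemp(prefix="dropbox-"))
    for client, content in (("bankA", b"bankA upload"), ("bankB", b"bankB upload")):
        (base / client).mkdir()
        (base / client / "upload.csv").write_bytes(content)
    os.symlink(base / "bankB" / "upload.csv", base / "bankA" / "sneaky")
    return base


def demo() -> dict:
    """Exercise bankA's view: own file readable, everything else refused."""
    base = build_demo_tree()
    results = {"own": read_client_file(base, "bankA", "upload.csv")}
    for attempt in ("../bankB/upload.csv", "/bankB/upload.csv", "sneaky"):
        try:
            read_client_file(base, "bankA", attempt)
            results[attempt] = "allowed"
        except AccessDenied:
            results[attempt] = "denied"
        except FileNotFoundError:
            # The path was confined to bankA's root, where it does not exist.
            results[attempt] = "not found"
    results["listing"] = list_client_files(base, "bankA")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check resolves the path first and tests containment afterwards, which is what makes the planted symlink case fail closed; a check that only inspects the request string for `..` would have let it through.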

  30. BBBOnline?? by Anonymous Coward · · Score: 1, Insightful

    "Acxiom is a Certified Participant in the BBBOnline Privacy Program." Wow, but the BBB is a totally useless organization. Why do people think they are worth anything? You pay to get their plaque to hang on your wall. They do nothing else....

    1. Re:BBBOnline?? by lcsjk · · Score: 1

      They sue companies who use their logo without paying. I've heard they help with litigation. Don't know what else they do.

    2. Re:BBBOnline?? by Marx_Mrvelous · · Score: 1

      Nothing else, except assist customers who have been treated unfairly. I've had only positive experiences with the BBB, they've helped me reclaim offers (promotions and mail-in rebates) that, otherwise, I would have probably never received.

      --

      Moderation: Put your hand inside the puppet head!
    3. Re:BBBOnline?? by leifm · · Score: 1

      They send you letters saying sorry, the company you are pissed with didn't respond to us either, so sucks to be you.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    4. Re:BBBOnline?? by Anonymous Coward · · Score: 0

      I worked for the CBBB which runs the BBB online program. While the BBB itself and the Council as a whole are not useless, I can testify that the jack***es who were responsible for the BBB online program were possibly some of the most clueless people to ever search for the ANY key. They were only worried about marketing and purposely ignored any attempt I made at helping them add some reality to their "security" claims. So yes, this online program couldn't be a bigger joke and is degrading to the rest of the BBB program(s). They really should be ashamed for not doing a better job.

  31. What do you expect? by Dalcius · · Score: 3, Insightful

    "Third, the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers."

    Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.

    Anyway, with the current corporate situation, and the examples set by Microsoft et al, IT has grown into an industry with no personal responsibility and very questionable morals.

    I can't say this surprises me much.

    --
    ~Dalcius
    Rome wasn't burnt in a day.
    1. Re:What do you expect? by Dalcius · · Score: 1

      Let me add on so I don't get flamed...

      1) The court system is part of "government". I couldn't see the DOJ getting in on this issue.

      2) If they took all the reasonable precautions (logging, regular audits, security privileges, etc.), then I certainly don't see a need for them to do more than notify those whose data was compromised and try their best to ensure that it doesn't happen again. No system can be protected 100%.

      However, I won't bet the farm that this was an incident of a responsible company and an unfortunate incident.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
  32. root considered harmful by DrSkwid · · Score: 1

    if that was the case, serve them right for using a crappy multi-user OS

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  33. Tsk tsk tsk by Seth+Finklestein · · Score: 0, Interesting

    Five years ago, I was called in to do consulting for this company, Acxiom. The company's database server was running what was essentially a glossy front-end to Microsoft Access. I explained to them that an open-source database would improve their system's security, functionality, and reliability.

    Their response was the most shocking thing I have heard in 20 years as a computer user.

    "Does it run in Windows?"

    Of course it doesn't run on Windows!! Windows is a minefield of security through obscurity. Because nobody -- not even a Microsoft engineer -- can do a thorough inspection of the source code, that means that 568 vulnerabilities have been discovered in the five years since I flipped off Mr. Neil Haiman, Acxiom's chief of security. By comparison, Linux has had fewer than 40 vulnerabilities, all of which could have been fixed by upgrading to the newest packages. A quality distribution like Debian will upgrade all your software automatically.

    Did Acxiom do that? No, of course not. They stuck with MICRO$OFT WINBLOWS, and now they're paying for it.

    Rot in hell, you SCO-loving bastards.

    --
    I'm not Seth Finkelstein. I still speak the truth.
  34. You're just too sensitive by wytcld · · Score: 2, Funny

    "I can say this about the data, much of it was nonsensitive information."

    I can say this about this gun I'm pointing at you, much of it is inert material.

    --
    "with their freedom lost all virtue lose" - Milton
  35. Re:What OS? by Anonymous Coward · · Score: 0

    I believe that's called Security through Obsolescence. Using older systems oftentimes rebuffs the script kiddies and their insistence on using the latest and greatest hacks.

    Doesn't protect much against the determined attacker who knows his target well, and doesn't necessarily rely on the most recent attacks.

  36. Who watches the watchmen? by Sherloqq · · Score: 2, Insightful

    "Need-to-know" is a term which doesn't seem to exist in the security policies of these companies.

    At some point, at some level, there will be someone (or a group of people) with access to information who would not have a watchman over his shoulder -- how can you be sure you can trust them?

    Pre-screening of employees and logging of all transactions is necessary, but some times you just can't deny someone access to something if it hinders their work significantly (e.g. the work they were hired for in the first place) and/or puts that work on your plate instead.

    I'm not saying that this is good. I'm saying that, too, is real world.

    --
    Have EVDO, will travel.
    1. Re:Who watches the watchmen? by dogfart · · Score: 1
      Pre-screening of employees and logging of all transactions is necessary

      And I can guarantee that these minimal controls are non-existent at this particular company. In fact, I would bet that most employees have their passwords on post-it notes right on their monitor. Outside of banking (and maybe medical with HIPAA) most commercial entities have absolutely ZERO data security. This is a systemic failure that will continue to result in serious compromises, until our elected officials get the cojones to pass laws mandating otherwise.

      --

      "dope will get you through times of no money better than money will get you through times of no dope"

    2. Re:Who watches the watchmen? by Unordained · · Score: 1

      nono, even places that should comply with HIPAA still balk at having to use passwords. they share them, they post them on their monitors ... but it doesn't matter. they talk in the hallway, they leave their workstations unlocked, they file papers in areas easily accessed by guests, they leave more than one client's information on their desk during a meeting with a patient ...

      the first problem in data security is people. everything might have a chance of being fixed, but we can't do anything about humans. they're not trustworthy. they never will be. would it help to have more laws? laws don't prevent people from speeding -- they punish them when they're found out. do laws catch every violation? nope.

      the best way to keep a secret forever is not to tell anyone. ever. it won't be a useful secret ... but at least it'll be a secret. a step up from this might be to simply not exist -- you'll run less risk of having your personal information stolen.

  37. How is this a "hack" ? by Anonymous Coward · · Score: 0, Insightful

    Did they use nmap with a xmas tree scan then find a buffer overflow on a service which gave them root? Did they install a trojan that ripped root passwords as it traversed the internal network? Was it a social engineering hack? Did they construct an asm or C exploit? Did they use zombies?

    or maybe they were actually allowed to see the data (dba, sysadmin, manager) and they just copied it to a cdrom

    this gives us real hackers who spend hours/years poking and prodding systems to get root a bad name

    A.C
    {+_+}

    1. Re:How is this a "hack" ? by Anonymous Coward · · Score: 0

      Don't trust the header, go to the actual articles.

  38. BBBOnline by Liquorman · · Score: 5, Informative
    Below I have posted the complete listing of requirements for approval from the BBBOnline (Better Business Bureau Online) page. Seems like it is pretty easy to meet the requirements as long as you pay the BBB! Also, it does not appear to have much to do with specifics of what a privacy statement should say, just that you simply must have one.

    General Conditions

    The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.

    The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.

    The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.

    A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.

    Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.

    1. Re:BBBOnline by jpsowin · · Score: 1

      What do you expect? You think those seals are anything more than to keep people thinking their information is secure?

      All those little seals require money, and when you pay them and fit in a couple of general rules, you get it. Easy as that. Yes, it's stupid, but for some reason consumers really think it's safer to shop with a company that has a seal than with one without... even if they both use SSL that is "signed" by the lofty security people (Verisign, Thawte, etc.) rather than their own servers.

    2. Re:BBBOnline by claud9999 · · Score: 1

      In case readers didn't realize, the BBB is a *business organization*, not a *consumer's organization*. They do not have the consumer's interests in mind, instead they have the consumer's perception of their corporations in mind. F*ck the BBB, about as reliable as the Good Housekeeping Seal of Approval or Windows-Certified.

      (I recently brought up a pretty obvious problem with Paypal's privacy policy with the BBB and they blew it off. Not surprising. The problem was that the privacy policy listed "security questions" that were not available. Oh, did I mention, F*CK Paypal.)

  39. RTFA! by sessamoid · · Score: 4, Insightful
    From the story submission:

    The suspect, now in police custody, was an employee with legitimate access to the information.

    Geez, even the submitters don't RTFA, do they? From the NYT:

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

    The suspect was not an Acxiom employee, but an employee of one of Acxiom's clients (banks, cc companies, etc.). He had access to the server, but he cracked the server to access information from other Acxiom clients as well. So yes, this is a cracked server, which BTW was placed outside the company firewall. I'm no security expert, but doesn't that sound stupid to anybody else?

    --
    "No, no, no. Don't tug on that. You never know what it might be attached to."
    1. Re:RTFA! by Anonymous Coward · · Score: 0

      Not really.
      The point of managing databases for external customers is to let those external customers access your network, so you need at least some limited connections with the external world.

    2. Re:RTFA! by Mooncaller · · Score: 1
      The server in question is used to transfer data between the customer and the Acxiom databases. All the guy did was to crack some passwords to access files on that server. It also appears that the capability for using encryption for the data transferred through this server exists. It is probably up to the customer to use this. I don't know why customers would not use encryption, either ignorance, or maybe Acxiom charges extra for this. In any case, the problem is not the design of the system, but the way the system is being used.

      Acxiom will need to make some changes. First, if they are indeed charging extra for the use of encryption, they need to stop. That means changing that demonic marketing mentality that classifies everything as an added feature that must carry extra cost. Encryption is not an optional feature, but an integral component of a secure system. One does not sell an automobile, and charge extra for including brakes. Second, Acxiom must make the use of encryption mandatory.

      Considering Acxiom's business, I'm pretty sure the marketers are in control. If change happens in the company it will be accompanied by a lot of flying fur.

  40. Why should this surprise you? by sjbe · · Score: 2, Interesting

    It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    And why should this "amaze" you? At some level in any company there needs to be people who can do this. Your human resources department has a ton of information about you that they can pretty much look at whenever they want. Medical professionals are the same way. If you are an interesting case, do you honestly believe doctors/nurses will not talk about you? You are naive if you think that, despite laws (HIPAA) prohibiting such behavior.

    You need to be able to trust these people and while there does need to be security and surveillance of people with access to sensitive information, you can't keep them completely away from it. This is especially true in a company (or government agency) whose business is based upon such information. It's also nearly impossible to prevent a knowledgeable insider from getting access to sensitive information, so I'm double confused why this should be surprising.

    While it is unfortunate that it happened, the fact that it happened should "amaze" no one. Give enough people a chance to make money by breaking the law and guess what? Some of them will.

    Nothing to see here. Move along...

    1. Re:Why should this surprise you? by Anonymous Coward · · Score: 0

      Proves not a single person who's posted has RTFA yet.

      "Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers."

      That's from The New York Times. The individual wasn't an employee of Acxiom's at all - this is much more like an ISP getting hacked by one of its own users. Not a proper inside job in the traditional sense of the word - the guilty hacker really did break into the system.

      Oh well, it's late on a Friday, and I'm sick of this pesky reading stuff myself... :-)

    2. Re:Why should this surprise you? by giantq · · Score: 1

      Hell, even HIPAA doesn't make admins do their jobs. During a recent wardrive I happened past a local doctor's office that not only had wifi, but unsecured wifi, AND they forgot to change the password from the default on their AP. A two-second browse showed me all the shared files on that machine, which included all sorts of confidential stuff. Rather than being a smacked ass about this find, I changed the name of the AP from "linksys" to "WhatAboutHIPPA" and left. Hopefully SOMEONE will see that and realize they screwed up, but I'm not counting on it.

  41. Nothing unusual by threaded · · Score: 1

    I've seen in the web logs of a big multinational that they've had entire databases downloaded and then spent literally weeks trying to get a manager, any manager, to understand they're being hacked whilst at the same time watching as the bad guys slowly extend their reach through the systems.

    If it's not in my job description I don't bother anymore, but look to see how they do it, for the sake of science and all that :), life is just too short at these sort of companies. They're not interested to the point of wanting to fire people for giving them a heads up that there are problems.

    I would suspect this is what has happened here.

    1. Re:Nothing unusual by Anonymous Coward · · Score: 0

      I worked for a major airline at a hub station, in the days before wireless was popular (3+ years ago). I would see roughly 5 connections a week from other people's laptops connecting to the LAN. We did not have DHCP servers so they did not get IPs, but that is not security, that was luck that would only stop the clueless businessman, not those with a clue that wanted to connect. I started working my way up the supervisors with this issue and after about 4 levels I realized no one really cared. One of the supervisors thought arpwatch was a hacking tool and questioned why I was running it. We had reasons to run it and when he finally sat down with us he understood but still did not care about the APs being abused.

      From my experience, everyone that works away from the headquarters or main office and in a remote office always gets blown off. This applies to bug fix requests, security issues and patches, network problems etc.. I don't know if it is more of a protect my job issue, an ego thing with stepping on toes, or just a sincere lack of caring or knowledge because they have not noticed the flaw or they have already fixed it and did not bother and they just have not got back to you yet. Either way, it sucks.

  42. Easily Amazed by jrsimmons · · Score: 3, Insightful

    So you're "amazed" that a database company has employees who have access to their database(s)? How exactly is it that Acxiom should do its job while preventing its employees from ever working with the data? Unless the description of the theft is inaccurate, this has nothing to do with hacking and is merely a misuse of privileges. If the armored car driver steals the contents of the armored car, is it because the car wasn't secure enough?

    --
    If you would like to be a leader with a large following...drive slowly down a windy two-lane road
  43. Re:What OS? by Horny+Smurf · · Score: 0

    Do you have anything worth hacking?

  44. It's scary how common lax security is internally. by Blacklotuz · · Score: 2, Interesting

    I used to work for a consulting group who managed websites for several big name companies, all of which took online orders. Part of my job was to code pages that analyzed the databases and presented an overview of sales statistics. I recall being surprised at the thousands of credit card numbers listed in the database and how easily I could have taken them. There was no password protection except for the general login/password used for ALL our databases which most employees knew. Luckily I'm an ethical person but it would have been exceedingly simple for anyone in the company to access the servers and take down credit card numbers, expiration dates, names, addresses, and other personal information. It's really scary when you think about it...

  45. Well, duh. by russotto · · Score: 1, Funny
    It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    Uh, yeah, at the risk of -1 redundant, of course an insider will be able to browse private data at will. _Someone_ has to be able to get to the data, unless you're postulating SkyNet.

    I suppose this could have been a hack, if this person became employed at the company in order to get the data -- that comes under social engineering hacks (and industrial espionage). But "disgruntled or avaricious insider abuses position of trust" is hardly news.

    1. Re:Well, duh. by Anonymous Coward · · Score: 0

      "Uh, yeah, at the risk of -1 redundant, of course an insider will be able to browse private data at will."

      That's VERY bad design.

      Sensitive information should have been stored separately on different computers: one contains real names, one SSNs, one credit card numbers, etc. One worker should have access to only one of these computers. In order to combine data, collaboration of workers should be necessary. This kind of design would make the system much more secure against both outside and inside threats.
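
The design sketched in the reply above (each sensitive field on its own system, and recombining them needs more than one person) can be shown in miniature. The following is an added example, not any real Acxiom system or the reply author's code; it is a toy in a single process where the "different computers" are separate stores keyed by unrelated random handles, and the record that links one person's handles is split between two hypothetical custodians so that neither a single store dump nor a single custodian reveals a linked record. The person and field values are constructed.

```python
"""Split storage of sensitive fields with a two-custodian join.

Added example illustrating the design sketched in the reply above; it is a
toy in one process, not any real Acxiom system. Each sensitive field lives in
its own store under an unrelated random handle (in practice each store would
be a separate machine with separate credentials), and the record that links a
person's handles together is XOR-split into two shares held by different
custodians, so re-assembling a person's data needs both of them.
"""
import secrets
from dataclasses import dataclass, field

HANDLE_BYTES = 16
FIELDS = ("name", "ssn", "card")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class FieldStore:
    """One isolated store: random handle -> value, and nothing else."""
    kind: str
    rows: dict = field(default_factory=dict)

    def put(self, value: str) -> bytes:
        handle = secrets.token_bytes(HANDLE_BYTES)
        self.rows[handle] = value
        return handle

    def get(self, handle: bytes) -> str:
        return self.rows[handle]  # KeyError for a handle this store never issued


@dataclass
class Custodian:
    """Holds one share of every person's link record."""
    shares: dict = field(default_factory=dict)


class SplitRecordSystem:
    def __init__(self) -> None:
        self.stores = {k: FieldStore(k) for k in FIELDS}
        self.custodian_a = Custodian()
        self.custodian_b = Custodian()

    def enroll(self, person_id: str, **values: str) -> None:
        """Store each field separately and split the link record in two."""
        link = b"".join(self.stores[k].put(values[k]) for k in FIELDS)
        share_a = secrets.token_bytes(len(link))
        share_b = xor_bytes(link, share_a)
        self.custodian_a.shares[person_id] = share_a
        self.custodian_b.shares[person_id] = share_b

    def join(self, share_a: bytes, share_b: bytes) -> dict:
        """Reassemble a person's fields; needs both custodians' shares."""
        link = xor_bytes(share_a, share_b)
        return {
            k: self.stores[k].get(link[i * HANDLE_BYTES:(i + 1) * HANDLE_BYTES])
            for i, k in enumerate(FIELDS)
        }


def demo() -> dict:
    system = SplitRecordSystem()
    # Constructed sample values; not real data.
    system.enroll("p1", name="Jane Doe", ssn="000-00-0000", card="4111111111111111")
    a, b = system.custodian_a.shares["p1"], system.custodian_b.shares["p1"]
    both = system.join(a, b)
    try:
        system.join(a, bytes(len(a)))  # custodian A acting alone
        alone = "joined"
    except KeyError:
        alone = "failed"
    # A dump of one store yields values with no name attached...
    ssn_dump = list(system.stores["ssn"].rows.values())
    # ...and handles in different stores never coincide, so the stores
    # cannot be joined on them either.
    shared = set(system.stores["name"].rows) & set(system.stores["ssn"].rows)
    return {"both_custodians": both, "one_custodian": alone,
            "ssn_store_alone": ssn_dump, "handles_in_common": len(shared)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The XOR split is the simplest two-of-two secret sharing; a real deployment would also separate the stores physically, give each its own credentials and logging, and record every join so that the "collaboration" the reply asks for leaves an audit trail.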

  46. Oh, THAT Acxiom... by BRSQUIRRL · · Score: 2, Interesting

    I know several developers there...I almost worked there myself actually. I've heard them mention on several occasions that they develop against production "real world" data simply because there is no test database large enough to test scaling and performance. I remember asking them if they could actually get consumer information on ME and they didn't act like it would be too difficult. Scary...

  47. Shelbyville Bank Robbed by DrSkwid · · Score: 1, Offtopic

    There was a bank robbery in Shelbyville today when 48-year-old Steve Lekowski found $10 on the floor in the rest room and instead of handing it in, he put it in his pocket.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  48. Re:What OS? by phusnikn · · Score: 1, Informative

    Why? Do you think all hackers are pimple-faced 16-year-olds?

    There are 5 types of hackers out here; let me give you the run-down as a professional security consultant.

    Casual hackers
    Skill level: Low - High
    Threat: Moderate
    Varying levels of skill ranging from beginners to seasoned veterans. Often rely on widely available automated tools to locate an exploit or weakness.

    Employees/Insiders
    Skill level: Low - High
    Threat: Moderate - High
    Direct access to internal resources. May have detailed knowledge of a company's computer systems and security mechanisms.

    Thieves and Career Criminals
    Skill level: Moderate - High
    Threat: High
    May be highly skilled at evading discovery and capture. Detailed understanding of financial and accounting systems.

    Corporate Spies and Other Hired Professionals
    Skill level: High - Very High
    Threat: High - Very High
    Proven level of skill; often insiders with direct access to confidential information.

    Foreign Governments and Terrorist Organizations
    Skill level: Very High
    Threat: Very High
    Highly trained with proven level of skill. Focused on intelligence gathering and effective information warfare tactics.

    Now, what your data is worth will determine the type of hackers that prey on your network.

    --
    - I came I saw I Conquered
  49. A silly writeup for a silly story by sammy+baby · · Score: 5, Insightful

    I read three versions of the story (courtesy of the Google News link). None of them specified what the job description of the perpetrator was, although I'll infer that because he had "legitimate access" (wording per the SiliconValley.com version of the story) to the servers where the information was kept, he wasn't, say, a janitor. So why the histrionics on the submitter's part about how "such a company would have such lax security as to allow an insider to browse supposedly private data at will." Dude, the guy had access. I'm a systems administrator, I can read my co-workers' email at will. If I suddenly "went rogue" without warning, not a lot you could do about it, huh? At some level, you just have to trust your employees.

    What's funnier is the universal use of the word "hacker" in the various writeups of this incident. The guy had access already. He didn't hack his way into anything. Back when I worked retail, if our credit card receipts didn't add up to what the system thought we should have at the end of the day, we'd have to do a "list print" - we'd go to our little VeriFone CC terminals and have it print a record of every transaction it could remember. It had a 255 transaction memory, if my own memory serves, complete with amount, timestamp, and - wait for it - credit card number. So, if I printed out a list of 255 credit card numbers and went on a buying spree with other people's money, would you say I was a "hacker" then?

    1. Re:A silly writeup for a silly story by aaarrrgggh · · Score: 1

      at some level you just have to trust your employees

      Well, that's not how banks work. Every action is logged; this might not stop someone from breaking in, but it will tell you exactly who did, when, and what actions they took, so they can be reversed.

      Since consumer data isn't cash directly, it was not treated with the same level of security.

      To the 95% of Americans who are in this database, the cost of identity theft is quite high. This comes in the direct form of dealing with someone using your identity, and the indirect cost of the reconciliation of the bad charges to other people.

      Since the system is so reliant on very basic information (social security number, address, date of birth, mother's maiden name...), sources where all this data is kept in one place are at great risk, and should be dealt with more appropriately.

    2. Re:A silly writeup for a silly story by sammy+baby · · Score: 1

      You make a good point in regard to data audit trails. I would say it's possible that something like that even happened here - I don't remember from the versions I looked at how the company managed to figure out exactly what the "hacker" did. I do remember, however, that they didn't know the access had occurred at first, so clearly that audit trail wasn't being monitored too closely.

    3. Re:A silly writeup for a silly story by Anonymous Coward · · Score: 0

      From the NYT article: "Barrett said the offender gained access by hacking encrypted passwords from clients who access the server." If my password was encrypted and you decrypted it, that might constitute hacking it, yes.

  50. DBA != Legitimate access to data! by JaredOfEuropa · · Score: 1

    Contrary to popular belief, a DBA should not have access to sensitive data. A database can be set up in such a way that a DBA will be able to manage users, table space etc, but is unable to just browse/export the data itself. We are doing just that on one of our databases, using Row-level security.

    Of course a DBA can grant himself access to data, but such changes in policies should be logged into an audit trail file, which must be unalterable by the DBA, and inspected on a regular basis by a sysadmin or security officer.

    Allowing (potential) access to all your sensitive data by a DBA or sysadmin may be unavoidable, but not implementing an audit trail and inspecting the audit trail (so that you can at least tell that they've accessed the data), is what I would call 'lax security'. As a bonus, you can catch and fire any BOFH-type admin.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:DBA != Legitimate access to data! by ichimunki · · Score: 1

      Instead of attempting to have this huge audit trail, like you suggest, which I guarantee will fail at some point, why not simply make all these types of changes require dual-authentication? Two guys turning their keys at the same time kind of thing. I realize this goes against the whole "lone cowboy" sysadmin mentality, but if it's important, then it's important.

      The audit trail is going to be easy to foil. Just make the change in a batch of other similar-but-legitimate changes. Do it the day the auditor goes on vacation. Etc.

      --
      I do not have a signature
    2. Re:DBA != Legitimate access to data! by Anonymous Coward · · Score: 0

      "The audit trail is going to be easy to foil. Just make the change in a batch of other similar-but-legitimate changes. Do it the day the auditor goes on vacation. Etc."

      And they'd still get caught.

      The problem is, of course, that there are too many dolts in the business world who think "Will get caught." is the equivalent of "Can't happen."

      "Will get caught" is a nice thing to have at the end of a fiasco, but what of the damage done in the meantime?

    3. Re:DBA != Legitimate access to data! by technobard · · Score: 1

      Sooner or later it all boils down to trust. Someone has to administer the information, which automatically means that person or persons have the ability to bypass any security put in place. Control the DBA (tough to do) and you still have to worry about the security guy.

      Hire people you can trust with sensitive information and treat them well. That's the best security around.

    4. Re:DBA != Legitimate access to data! by ichimunki · · Score: 1

      No. Trust is not a good security model. That's like saying, "buy the higher quality hard drives so you don't have to make backups." There is no way to know if you can trust someone. Especially not in a large corporate environment. And even if you can trust them ethically, they are human and can make mistakes.

      Having a redundant permissions system to do certain activities is the equivalent of having a proofreader, in addition to an author and an editor. One person's job is to decide what to write down, another says we should keep this much or that much, and a third says, "but you spelled their there here and to two too!"

      --
      I do not have a signature
  51. What's your name? by Anonymous Coward · · Score: 0

    What's your name, I'll look your SSN up and send you a birthday card

  52. I have access to such sensible data by aepervius · · Score: 2, Interesting

    My job is such that I have access to all the info on a credit card (name of the person, expiration date and full number), and even worse, since the US government's demand (CAPS) on airlines, I have access to people's visas and passports. Would it be possible to protect those data against me? No way. I can access the data at all levels, and since I am the programmer, even if it is encrypted I can still access it by putting in a nicely placed trap. Would I do it? No way, I am honest. Is it possible for me to do it? Yes.

    You cannot protect yourself against all your employees, because at one point or another you have to have some trust (at least at invoicing time). So IMO there is no news here, and I would barely call that hacking. Rather, insider stealing.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:I have access to such sensible data by stratjakt · · Score: 1

      My job is such that I have access to all the info on a credit card (name of the person, expiration date and full number),

      Just like any sales clerk or gas station attendant.

      Wowee zowee what a high level position of trust. And yes, I do want fries with that.

      Hey slashbots, watch your balances and report any false charges immediately. Big fucking deal.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:I have access to such sensible data by Anonymous Coward · · Score: 0

      Ooh...Look at me...I have access...My, you seem very happy about your job. F that. Know what I have access to? almost nothing. Know what that means? I never have to worry about getting paged, I never have to worry about stealing data, I never have to worry about dealing with people like you. SCREW YOU Viva Gates!

    3. Re:I have access to such sensible data by kindbud · · Score: 1

      How long would it take for your employer to detect your tampering? A week? 6 months? A year? The real problem here seems to be that Acxiom had no audit procedures to detect this activity. But I wonder if it's even possible to detect tampering or unauthorized access by a programmer insider.

      --
      Edith Keeler Must Die
    4. Re:I have access to such sensible data by Flower · · Score: 1
      Not quite. Before your code is placed in a production environment I would expect that there would be a peer review of said code or some other form of audit before it was committed (and not by you.) Especially if the level of access you say you have is true. You might be able to insert it in an emergency change to the system but those changes should be logged and inspected to death by internal and external auditors. Not saying that what I proposed is the real world where you work but it is a best practice that an auditor would probably want to see in place.

      Would you still be able to get your malware into the production system? Yes. But it would be much harder because you would have to rely on others assisting you to get the code into the production system, à la Office Space.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  53. shit... by Ninja+Master+Gara · · Score: 1

    All your base jokes are still funny? I must've missed a memo.

    --

    ---
    When I grow up, I want to be a kid again.
    1. Re:shit... by Anonymous Coward · · Score: 0

      no you're right, they're not funny...but neither are any of the other things the mods mod up so what does it matter?

  54. certifiable maybe by DuckWing · · Score: 1

    Acxiom is a Certified Participant in the BBBOnline Privacy Program.
    Not no more they aint :-)

    --
    -- DuckWing
  55. Just a minor note - by sammy+baby · · Score: 1
    From the MS link you provided:
    In addition to Microsoft, members of the Online Privacy Alliance include many other well-known names in electronic commerce, smaller start-up ventures and some companies that are new to the Internet: Acxiom Corp.; American Advertising Federation; American Electronics Association; American Institute of Certified Public Accountants; America Online Inc.; Apple Computer Inc.; AT&T Corp.; Bank of America; Bell Atlantic Corp...

    Acxiom wasn't listed first because they were the biggest or most important. They're listed first because that's alphabetical order for you.
    1. Re:Just a minor note - by Anonymous Coward · · Score: 0

      And your point?

      Based on your post, I have deduced the following with reference to a given range of (lower) /. id's:
      A slashdot id number is given in sequential order based on when you signed up. It has nothing to do with one's willingness to state the small obvious facts.

    2. Re:Just a minor note - by sammy+baby · · Score: 1

      I watched an interview with Douglas Adams once in which he boasted that he was listed first among British authors. A moment later, the punchline: "...because the list is alphabetical."

      We use the word "first" in many occasions to imply primacy or importance: hence the phrase "first among equals," or the title "first place" for someone who wins a contest.

      Saying "Acxiom was the first company listed in Microsoft's November 1998 parade of members..." could easily be interpreted as meaning that Acxiom was somehow the biggest or most important of those members listed. That's not the case - the fact that they were listed first is purely an accident of alphabetical order. That's all I wanted to point out.

  56. Three words by Christianfreak · · Score: 1

    CLASS. ACTION. LAWSUIT.

    1. Re:Three words by Kombat · · Score: 1

      CLASS. ACTION. LAWSUIT.

      You're an American, aren't you? Even in lawsuit-happy US-of-A, I believe in order to have a valid lawsuit, you still need to show damages and negligence. Of course, such a lawsuit would still be absurd to people with common sense, but that doesn't seem to mean much in lawsuit-land.

      There's a reason people hate lawyers.

      --
      Like woodworking? Build your own picture frames.
  57. Re:What OS? by phusnikn · · Score: 0

    This database housed millions of users' information, so right off the bat you should know this was not implemented on RHAT on Intel. Most likely Oracle running on Solaris or AIX.

    --
    - I came I saw I Conquered
  58. What they are about those data miners... by Anonymous Coward · · Score: 0

    "The suspect, now in police custody, was an employee with legitimate access to the information. "

    Well, break-in is hardly the right term then, if legitimate access was granted to this individual. This is just malfeasance.

    My wife used to work for them, and the information they have, and how they match credit card purchases with census and demographic data against sales going on at the time, gives an incredibly detailed look at how a sale works for add-on sales, or a view into groups that can be effectively target-marketed. They do massive data mining on individuals. We are talking large retail customers as well as some government ones.

    And you thought it was safe to go back into the mall. (da da .. da da .. da da (shark music))..

  59. Probably one of those warezed unixes by stratjakt · · Score: 0, Offtopic

    Would you use a homemade security system made out of string and tin cans to secure your home?

    No?

    Then why in the hell would anyone use a homemade, third rate, half-stolen copy of lunix to secure their data?

    It's ridiculous, there ought to be a law. Once the warez rings that distribute it are brought under control, though, I'm sure the rightful owners of the code can tighten it up and sell it with some real security.

    --
    I don't need no instructions to know how to rock!!!!
  60. Argument against outsourcing by Anonymous Coward · · Score: 0

    Now had this criminal act occurred overseas, there would be nothing domestic authorities could do.

  61. Fourth Word by The+Grassy+Knoll · · Score: 1

    ... PROFIT!

    --
    They will never know the simple pleasure of a monkey knife fight
    1. Re:Fourth Word by Christianfreak · · Score: 1

      If you're the lawyer :)

  62. Data "embezzling" by Nick+Driver · · Score: 1

    That's right. The culprit didn't hack or crack anything. He simply embezzled the data.

  63. Re:What OS? by Anonymous Coward · · Score: 0

    Greetings Professor Falken.
    Shall we play a game?

  64. Some more details of the theft by teamhasnoi · · Score: 2, Funny
    According to another insider with access to the data, the man responsible for stealing this info had to scale a 3 foot wall, distract a cocker spaniel with ADD, open a squeaky door, and play Whack-a-Mole until he got the high score to get access to where the data was stored.

    He then had to play tic-tac-toe against a chicken, and decide if 'Eliza' passed the Turing test to actually access the data.

    Once it was fully printed on tractor feed paper, he then had to bribe a small child with Pokemon cards, and juggle three rolls of tape and sing 'You Are the Wind Beneath My Wings' in front of Ryan Seacrest in order to abscond with the wheelbarrow full of printouts.

    I think we can all agree that security was not at issue here, it certainly had to be an inside job.

    1. Re:Some more details of the theft by JUSTONEMORELATTE · · Score: 1
      According to another insider with access to the data, the man responsible for stealing this info had to scale a 3 foot wall, distract a cocker spaniel with ADD, open a squeaky door, and play Whack-a-Mole until he got the high score to get access to where the data was stored.

      He then had to play tic-tac-toe against a chicken, and decide if 'Eliza' passed the Turing test to actually access the data.

      Once it was fully printed on tractor feed paper, he then had to bribe a small child with Pokemon cards, and juggle three rolls of tape and sing 'You Are the Wind Beneath My Wings' in front of Ryan Seacrest in order to abscond with the wheelbarrow full of printouts.

      But I can't juggle, you insensitive clod!

      --
    2. Re:Some more details of the theft by EvilTwinSkippy · · Score: 1

      In New Jersey it's tic-tack-toe with a mole, and you play whack-a-chicken.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  65. narrowed search by NoSuchGuy · · Score: 0

    look here

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  66. Re:What OS? by dcavanaugh · · Score: 1

    "I setup over a dozen e-commerce solutions for my clients, and they all are running Win2003 server with IIS 6.0 and MSSQL2000, and not a SINGLE ONE has ever been hacked."

    Since you seem to think that a few months with no break-ins is a noteworthy accomplishment, you unintentionally highlight the fact that Windows/IIS is well known for break-ins.

    Those of us who have done more than a dozen installs over the course of more than a few months are well aware of the overall security trends of the various platforms.

  67. Lets be realistic by Stone316 · · Score: 1
    "information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility"

    Unfortunately there isn't much you can do to prevent it. There will always be a number of people in any company that will have complete access to data. The only way to prevent it is to have stringent auditing and have someone whose job is to review the logs.

    A number of places I've worked for, mainly government, audit everything they can but they don't have the resources to scan the logs. If there is a security breach they use the logs to backtrack. But like this situation, if the breach isn't discovered (which can be difficult depending on the skill level of the person doing it and their access level), then no one will ever know. Also, as an employee it is probably very easy to find out which protection mechanisms are in place, through documentation or just simply asking.

    I'm a DBA and in each company I've ever worked in I've had complete access to all corporate data. At some point you're going to have to trust someone and sometimes you just make the wrong choice.

    --
    "Thanks to the remote control I have the attention span of a gerbil."
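    As an added example (not code from any of the posters), the two points made by JaredOfEuropa in comment 50 and by Stone316 just above, an audit trail the DBA cannot quietly alter and a routine review of it, worked through in Python: each record hashes the one before it, the security officer keeps the latest hash off the database host, and a review pass sums rows read per user and day. The records, user names, timestamps and daily limit are constructed.

```python
"""Tamper-evident audit trail with a periodic review pass.

Added example, not code from any poster or from Acxiom.  Each audit record
commits to the hash of the record before it, and the security officer keeps a
copy of the latest hash (the checkpoint) away from the database host.  A DBA
who can edit the log file cannot alter one record, or rewrite the whole chain,
without the checkpoint comparison failing.  All records are constructed.
"""
import copy
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # the hash the first record chains to


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so that a record always serialises the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(chain: list, record: dict) -> str:
    """Append one audit record and return the new chain head hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_hash,
                  "hash": _digest(prev_hash, record)})
    return chain[-1]["hash"]


def verify_chain(chain: list, checkpoint_hash: str):
    """None if every link is intact and the head matches the checkpoint.

    Otherwise the index of the first broken entry, or len(chain) when the links
    are internally consistent but the head differs from the checkpoint: the
    signature of a log that was edited and re-chained end to end.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or \
                entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return None if prev_hash == checkpoint_hash else len(chain)


def review_read_volume(chain: list, daily_limit: int) -> dict:
    """The 'someone whose job is to review the logs' step, automated.

    Sum rows read per (user, day) and return the pairs above daily_limit; a
    bulk export buried among routine single-row lookups still shows as volume.
    """
    counts = defaultdict(int)
    for entry in chain:
        r = entry["record"]
        if r.get("action") == "read":
            counts[(r["user"], r["ts"][:10])] += r.get("rows", 0)
    return {k: v for k, v in counts.items() if v > daily_limit}


# Constructed sample records: a DBA grants herself SELECT, then pulls the
# whole customers table, surrounded by ordinary application reads.
SAMPLE_EVENTS = [
    {"ts": "2003-08-08T09:12:00", "user": "dba_alice", "action": "grant",
     "detail": "GRANT SELECT ON customers TO dba_alice"},
    {"ts": "2003-08-08T09:15:00", "user": "dba_alice", "action": "read",
     "table": "customers", "rows": 250000},
    {"ts": "2003-08-08T10:02:00", "user": "app_svc", "action": "read",
     "table": "customers", "rows": 1},
    {"ts": "2003-08-08T10:03:00", "user": "app_svc", "action": "read",
     "table": "customers", "rows": 1},
]


def build_sample_chain():
    """Build the chain and the checkpoint hash the security officer keeps."""
    chain, head = [], GENESIS
    for event in SAMPLE_EVENTS:
        head = append_record(chain, event)
    return chain, head


def edited_in_place(chain: list) -> list:
    """A DBA shrinks the row count of the bulk read, leaving the hashes alone."""
    bad = copy.deepcopy(chain)
    bad[1]["record"]["rows"] = 1
    return bad


def rewritten_and_rechained(chain: list) -> list:
    """A more careful DBA edits the record and recomputes every hash after it."""
    events = [copy.deepcopy(e["record"]) for e in chain]
    events[1]["rows"] = 1
    bad = []
    for event in events:
        append_record(bad, event)
    return bad
```

    Only the externally held checkpoint catches the re-chained copy; a chain verified against its own last hash would pass.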
  68. You should know better... by gosand · · Score: 2, Informative
    ...a hacker has broken into a Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    *sigh* You should know better than to trust the poster, headline, the commentary, or the summary of any story posted to Slashdot. I know it is odd, but this isn't a news site where "editors" verify things that are posted. As always, RTFA...

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers. ``They used that access to hack into the passwords of other clients,'' she said. Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used ``for clients to transfer files to us and for us to transfer files back to the clients,'' she said. Barrett said much of the information taken from the server was encrypted and that the risk of identity theft is slim.
    --

    My beliefs do not require that you agree with them.

  69. Dangers of FTP by Anonymous Coward · · Score: 0

    "Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used "for clients to transfer files to us and for us to transfer files back to the clients," she said."

    From the Washington Post

    Could these be from using FTP?

  70. HIPAA's ahead of this, why? by ianscot · · Score: 1
    Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that a such a company would have such lax security as to allow an insider to browse supposedly private data at will.

    Actually it was "a former employee of an Acxiom client." Not exactly an inside job for Acxiom -- sounds more like the problem was really at the client's end?

    The U.S. health insurance and medical "industries" are seriously under the gun with this sort of thing, getting well ahead of the working world generally. I have tangential contact with some substance abuse and behavioral health businesses, and it's absolutely unreal the security they have within their organizations. "Need to know" doesn't start to describe the levels of security. They're serious.

    Medicine is doing it under the threat of HIPAA, the massive new law that protects patient privacy among many other things. The government really did regulate an iffy situation into a much safer one; traditional models of sharing patient information based on professionalism and so on just didn't hack it in the new world of data warehousing and so on.

    You'd think the banking industry would've taken the same precautions out of self-interest -- but then if I read this right Acxiom is a database company they contract with. (One case where the government's regulatory presence seems to have established some standards that protect consumers better than a private industry's self-interest? HIPAA has always seemed like a bureaucrat's dream to me, but seeing this...)

    Oh, and how cute is this?

    She says the alleged hacker and stolen data are in police custody in Cincinnati.

    No such thing as data in custody, newsie; once it's out, it's a feral cat.

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  71. Company In Denial by BreadsOfAFeather · · Score: 3, Insightful

    The reaction of the company in this case, not notifying potential targets, and not putting safeguards in place, suggests that their attitude is to wait and hope that the problem will go away. However, the biggest security hole (in terms of potential damage) in any system is the possibility of abuse by trusted insiders. This suggests that Acxiom will have this problem again.

    Oh, and some kind of link to an article would have been nice.

    1. Re:Company In Denial by Kirby · · Score: 1

      Keep in mind, it's not like Acxiom has, say, only a million potential targets in their database. It's much, much larger than that. They have some data on virtually every adult in the U.S., and I have no idea what their international market is like.

      And while they have contact information for all those people (directory assistance is part of their business model), it would be Very Expensive to send out a letter to all of them. Millions of dollars. Without a court order to do so, I'd be surprised if any company would do this.

      And it's not like there's some action that a consumer should take. What would the letter say:
      "Please be aware that the company that handles the address verification system for one or more of your credit cards has been a victim of data theft by an employee. We do not know for sure which records were compromised, so please be sure to watch your credit card bills closely for fraudulent charges." Anyone who doesn't _already_ watch their bills for fraudulent charges is pretty terminally stupid, and it's already pretty easy (if sometimes a hassle) to get a refund on such things as a customer.

      So, the company opts not to do something that would be tremendously expensive and do very little good. Welcome to reality.

      --
      -- Kate
  72. Well.. I could have guessed this: by Anonymous Coward · · Score: 0

    We take no responsibility...

    Where are consumer rights in this country???

  73. You mean you wouldn't like to know? by mblase · · Score: 1

    Mere access to credit card numbers and the corresponding user list does not constitute a major threat, IMO. Most credit card users are indemnified against thefts, misuse etc.

    Perhaps, but it would still be nice to know if it's likely to happen, wouldn't you think? If I wanted/needed to change my credit card numbers, I'd rather do it proactively than after the fact. It's easier to clean up the mess, if nothing else.

  74. Apparently some people aren't reading the postings by sjbe · · Score: 1

    Proves not a single person who's posted has RTFA yet.

    Not sure why I'm responding to an AC but I did RTFA. I wasn't responding to that. I was responding to the stupid comment about the article in slashdot by the submitter.

    Pot, kettle, black...

  75. All your SSN... by Anonymous Coward · · Score: 0

    are belong to us!

  76. And yesterday I was talking about lax security !! by $exyNerdie · · Score: 1
  77. Uh-huh... coincidence? by jpellino · · Score: 2, Interesting

    Just spent the hours since waking with my bank, a fresh load of unauthorized cc activity as of this morning. It's a big bank, and it's brand new crapola, and I use the card only with reputable vendors. Joy. Not compromised my ass.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  78. Two Ways to Help Solve This Problem by SilentMajority · · Score: 2, Insightful
    I'm usually against having more govt regulation that dictates how businesses should operate but this is an exception.

    We obviously need to push for similar requirements used to secure our medical information.

    While some may argue that it will increase the cost of doing business, the leeches who profit from our personal info without our consent don't deserve our sympathy. There are many companies that buy and sell our personal info daily without our consent or knowledge.

    Besides, having rules for security related to our personal info will create new jobs as existing systems are modified and business processes are reengineered. Perhaps even more jobs than HIPAA.

    Perhaps an even better solution is to require our written consent before any company sells our personal info to another and the consent deemed non-transferable.

  79. Identity Theft by Mr.Sharpy · · Score: 1

    When the people whose data was stolen have their identities assumed by some third party, I imagine the last thing on their mind will be the horrors of someone stealing their hotmail account.

    Of course this is newsworthy. Every time one of these companies has a security breach because of stupidity and unpreparedness, the news should be spread as far and wide and as loudly as possible. It would seem that corporate embarrassment and public outcry is the only way to get through to these companies.

    With the growing level of criticality these databases are being endowed with, it is essential that they be secure and accurate. If the companies can't handle that responsibility, they shouldn't have it at all. If you ask me, the level of importance things like credit reports have reached is a disaster waiting to happen. The databases they are created from are full of inaccuracies and have huge access holes. It's part of the reason why identity theft is exploding in the US.

  80. so how do you stop it? by Connie_Lingus · · Score: 2, Insightful

    I have worked as a short term contractor at one of the "Big 3" credit agencies, and was responsible for adding code to the Mexico codebase that added credit "scoring" to the list of items tracked. It was a 3-month contract where I, coming in off the street, had basically root access to the worldwide databases of this particular credit agency's customer database. It was necessary for my testing that, after I ran my modifications on a test dataset, I got to expose my changes to a development mirror of the actual database before checking the code into the build tree.

    Thinking about it, there was really no way to deny me access to that database, for without the ability to test against live data, there would be no way to verify that my code would not cause someone else huge headaches if it did not work properly.

    My point is this...as long as programmers exist they will HAVE to have access to sensitive customer data. It really comes down to a typical employer-employee trust issue, and this problem has been with us since the development of merchant/consumer transactions. The idea that sensitive data can be protected in this day and age is as silly as thinking State secrets are safe.

    --
    never bring a twinkie to a food fight.
    1. Re:so how do you stop it? by murdocj · · Score: 1
      Thinking about it, there was really no way to deny me access to that database, for without the ability to test against live data, there would be no way to verify that my code would not cause someone else huge headaches if it did not work properly.

      It sounds like your code needed to run against the same database as existing production code. Is there any reason that this database couldn't have been sanitized / modified so it didn't contain actual user data?

    2. Re:so how do you stop it? by Anonymous Coward · · Score: 1

      You are correct in that real data patterns must be used. If however they are scrambled a bit, so that for example credit card numbers do not match with the real names/addresses, you can reduce the risk significantly. Technical methods to achieve this can be so simple it's not worth outlining.

    3. Re:so how do you stop it? by Connie_Lingus · · Score: 1

      Is there any reason that this database couldn't have been sanitized / modified so it didn't contain actual user data?

      Well, no, because certain specific errors that management *knew* existed were being used as QC on my code. They wanted to make sure that my changes "at least" worked against these existing entries in the dataset.

      We all should agree, at some level, *some* people will always have access to ALL of our sensitive data...that's just life in the 21st Century.

      --
      never bring a twinkie to a food fight.
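      An added example (not code from any poster or from the credit agency described) of the scrambling the Anonymous Coward reply above leaves unoutlined, and of how it keeps the known-bad rows Connie_Lingus needed: card numbers become deterministic, Luhn-valid tokens of the same length and issuer prefix, derived from an HMAC whose key stays on the production side, and name/address are rotated between rows so no row links a real person to a real card. The records, the key and the score_error flag are constructed placeholders.

```python
"""Scrambled copy of a customer table for developer testing.

Added example, not code from any poster or from the credit agency described
above.  Real data patterns are kept (the same PAN always maps to the same
token, and the QC flag rides along unchanged) while the link between a person
and a card is broken.  Records and key are constructed placeholders.
"""
import hashlib
import hmac

# Placeholder key: generated on the production side and never copied to the
# development environment, so the mapping cannot be reversed or reproduced there.
SCRAMBLE_KEY = b"placeholder-key-not-for-production"


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit immediately left of the check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def pseudonymize_pan(pan: str, key: bytes, keep_bin: int = 6) -> str:
    """Replace a card number with a token of the same length and issuer prefix.

    The HMAC digest is folded into decimal digits, the real BIN is kept so
    issuer-routing code still takes the same branches, and a fresh check digit
    is appended so format validation in the code under test still passes.
    """
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    digits = "".join(str(int(c, 16) % 10) for c in digest)
    body = pan[:keep_bin] + digits[: len(pan) - keep_bin - 1]
    return body + luhn_check_digit(body)


def scramble(records: list, key: bytes) -> list:
    """Return a test copy: identity columns rotated one row, PANs tokenised."""
    n = len(records)
    out = []
    for i, r in enumerate(records):
        donor = records[(i + 1) % n]  # rotation: no row keeps its own identity
        out.append({
            "id": r["id"],
            "name": donor["name"],
            "address": donor["address"],
            "pan": pseudonymize_pan(r["pan"], key),
            "score_error": r["score_error"],  # the known-bad flag QC relies on
        })
    return out


# Constructed sample rows; the PANs are Luhn-valid made-up numbers, not real cards.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ana Example", "address": "1 Sample St",
     "pan": "4111111111111111", "score_error": True},
    {"id": 2, "name": "Ben Example", "address": "2 Sample St",
     "pan": "5500000000000004", "score_error": False},
    {"id": 3, "name": "Cy Example", "address": "3 Sample St",
     "pan": "340000000000009", "score_error": False},
]
```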
  81. Look on the bright side! by mraymer · · Score: 2, Funny
    Well, at least everyone's money that this guy is going to be spending might help inject some more life into the economy... right? ...heh.

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

  82. A repeat of what normally happens... by CooCooCaChoo · · Score: 2

    Whilst we have Bill Gates scream "secure computing", Palladium and other buzzword-compliant claptrap as if it was some sort of magic silver bullet, the real issue has nothing to do with security of the software but the people who have access to it.

    Read ANY security analysis and they will always tell you that the weakest link in the security chain is always the human operator.

    This weakness comes via one of two things: social engineering by an outside cracker, or privileges being abused by an inside employee either for themselves (as in this case) or for a third party, as in the case 2 years ago in New Zealand when 3 public servants were found selling social welfare records to debt collecting agencies.

    Unfortunately in this day and age there is a sizable portion of people who have absolutely no integrity and as a result give the whole business a bad name.

    Although this sort of thing DID happen years ago, it didn't happen on the large scale it does now because there was always a paper trail to follow vs the virtual electronic one which can be easily manipulated by those with the knowledge and desire to do so.

    What has happened today/whenever was not only a lack of integrity by one person but a lack of safe guards in place from day one to ensure that this sort of this can't be repeated.

    For example, the credit card number should not be available to anyone. The only things that should be allowed to happen is for it to be replaced or deleted. Since everything is done electronically, there is no need for anyone to see those numbers.

    Another safeguard would be to install monitoring software on all computers to track the interaction between the employee and the data, and cameras (of decent visual quality) to monitor not only the user on the computer but their body behaviour, so that if any tell-tale signs of dishonesty are detected, such as taking notes or trying to secretly "hide" a document in a pocket, the employee can be questioned then and there.

    Yes, this does sound like Big Brother; however, ultimately, until the minority realise that their behaviour is completely and utterly unacceptable, this sort of thing will repeat itself.

    --

    "The difference between pornography and erotica is the lighting" - Woody Allen
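The post above argues that a stored card number should only ever be replaced or deleted, never read. The usual way to enforce that is tokenization: the raw number lives in one vault, callers hold an opaque token, and the only readable form is a mask. The code below is an added illustration of that pattern, not anything Acxiom or the poster described; the `CardVault` class, the `tok_` token prefix, the `charge` stand-in and the test card numbers are all constructed for the example.

```python
"""Card-number tokenization: callers never see a stored PAN.

Constructed example. The vault keeps PANs only internally, hands out random
tokens, and exposes replace/delete/mask operations but no read-back.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Holds PANs behind random tokens; no public method returns a PAN."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._by_token = {}        # token -> PAN (internal only)
        self._by_fingerprint = {}  # HMAC(PAN) -> token, so one PAN maps to one token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: lets us dedup without keeping a plain hash of the PAN
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Store a PAN and return its token; the same PAN yields the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def masked(self, token: str) -> str:
        """The only 'view' of the number available to callers."""
        return mask(self._by_token[token])

    def replace(self, token: str, new_pan: str) -> None:
        """Swap in a new PAN (e.g. a reissued card) under the existing token."""
        if not luhn_valid(new_pan):
            raise ValueError("not a valid card number")
        old = self._by_token[token]
        del self._by_fingerprint[self._fingerprint(old)]
        self._by_token[token] = new_pan
        self._by_fingerprint[self._fingerprint(new_pan)] = token

    def delete(self, token: str) -> None:
        pan = self._by_token.pop(token)
        del self._by_fingerprint[self._fingerprint(pan)]

    def charge(self, token: str, cents: int) -> dict:
        """Stand-in for a processor call: the PAN is used here and goes no further."""
        pan = self._by_token[token]
        return {"status": "authorized", "last4": pan[-4:], "amount_cents": cents}
```

Everything outside the vault works with tokens and masked strings, so an analyst, a support desk or a mailing script can do its job without a column of card numbers ever being queryable.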

  83. Notify them anonymously by sjbe · · Score: 1

    I changed the name of the AP from "linksys" to "WhatAboutHIPPA" and left. Hopefully SOMEONE will see that and realize they screwed up, but I'm not counting on it.

    Given the level of technical expertise I've come to observe in most medical offices (translation: extremely low) they probably will not get it. The best thing you could do (if you are worried about lawsuits & such) is to notify them anonymously and include some relevant articles from trusted sources they might recognize. (PC Magazine, etc) Even better, start yourself a little "business" and send them some flyers offering to help fix the problem. Maybe you can make some jack and do a good deed in the process.

    Granted they might not get it anyway and I applaud you for any effort but the staff which manages that stuff is very unlikely to be security savvy. You'll have to be more obvious than that. Stupid I know but remember that they are trying to help people, so their heart is in the right place.

  84. NOT a "hacker" by Tsu+Dho+Nimh · · Score: 1

    The individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers. ``They used that access to hack into the passwords of other clients,'' she said.

    This was not a hacker as such; it was a dishonest employee with a legitimate reason to access their data, and a poorly configured system that did not separate the client data into separate, firewalled rooms. If Acxiom had taken the rudimentary precaution of access control to servers by user groups, that "hacker" would never have been able to see the other client names, servers or anything.

  85. Time for Constitutional Protections by Anonymous Coward · · Score: 0

    This utter bullshit of allowing private companies free rein over my private personal data should end NOW! First of all, its "legitimate uses" are appalling: the assembling of subjective data, the marketing, the way that your credit rating declines based on who looks at it, ALL BULLSHIT. Now, the feds are buying data from these fucks.

    But this takes the cake. Not only are they peddling the most private details of your life, but they can't even safeguard them.

    This company should be driven out of business immediately. Its corporate officers jailed, and the managers responsible severely punished, in a court of law. The assets should be divided, and everyone who is listed on their database should receive a check. In order to raise this money, the personal accounts of the corporate officers should be seized. Furthermore, the creditors and shareholders should be left with nothing.

    POWER TO THE PEOPLE!

  86. FORMER EMPLOYEE by DrSkwid · · Score: 1

    Barrett says the alleged hacker is a former employee of an Acxiom client.

    --
    There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
    1. Re:FORMER EMPLOYEE by AndroidCat · · Score: 1
      And that he 'hacked' other client passwords off of a file transfer server outside of their firewall. Go Acxiom Security! Put up a big security wall, then leave the keys to the front door under the mat outside!

      I suspect that their security is mainly aimed at preventing access to data .. that hasn't been paid for. Think of it, this guy had no more access than Acxiom's other clients such as Microsoft. Here's fun:

      [June 1999] By next April the company will offer, via the Internet, detailed information on the income level, marital status, and buying habits of 95 percent of the US population. Acxiom says access will be affordable for small businesses, even individuals. (The company does plan to screen requests for data, but it hasn't yet explained the criteria by which it will evaluate them.)
      I think we could have seen this coming.
      --
      One line blog. I hear that they're called Twitters now.
  87. There is no privacy, so just be vigilant by stull13 · · Score: 5, Insightful

    Credit Card information? That's nothing....

    I work in Benefits Delivery, and odds are if you work for a Fortune 100, I have access to every bit of your retirement income data. The depth and breadth of the personal information we store is staggering. The number of people with unfettered and untraceable access to that information is disturbing. The fact that we will begin outsourcing many of our operations to India in a few months is downright frightening.

    At any point, someone who has been with the company for only a few days would be able to change your 401(k) investment elections, transfer your retirement savings money between funds, set up an unauthorized beneficiary for you... all without the possibility of being traced.

    Even assuming that all of our employees are honest, the possibility for errors is enough to make you want to start storing all of your savings under your mattress in a sock! Without going into too much detail, last week one of our client teams accidentally wiped out all of the balances for the entire population in their production database. That was 10,000 people who suddenly lost their retirement incomes! How was it fixed? They used a week-old backup and guessed about what the updated amounts should have been.

    Of course, there is nothing that you can do about any of this but keep a vigilant watch on your retirement accounts. There is no "opt-out" option. In many cases, you won't even know that we are managing your benefits.

    This is the world we live in. There is no privacy any more and nothing is ever truly secure.

    1. Re:There is no privacy, so just be vigilant by Takeel · · Score: 1

      You work at Hewitt?

    2. Re:There is no privacy, so just be vigilant by Mike+Gleason · · Score: 1

      I hope you will consider one or more of the following:

      (a) Report this to the press, anonymously if you have to.

      (b) Contact the relevant federal agency that oversees these retirement accounts.

      (c) Resign, unless you can sleep at night knowing that is happening.

      No matter how recent the backup was, "guessing" at account balances for people's life savings is absolutely unacceptable and your company must be held accountable.

  88. Re:Acxiom vs. HIPAA by ianscot · · Score: 1
    Contrast this situation with something like HIPAA, the massive act that protects the privacy of health information. More complex issues there -- health records do need to get shared in some situations, but you need to restrict the sharing to the right situations in a very fluid setting. HIPAA takes a lot of criticism as a bureaucratic nightmare, but it's being taken way seriously by a very powerful industry.

    Meanwhile the self-regulation model seems to have left Acxiom open to a problem at one of its clients -- it was a former employee of a client who filched the data.

    Not enough bureaucratic regulation?

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  89. RTFA by AndroidCat · · Score: 1
    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers.

    ``They used that access to hack into the passwords of other clients,'' she said.

    Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used ``for clients to transfer files to us and for us to transfer files back to the clients,'' she said.

    Sounds like pretty poor security.
    --
    One line blog. I hear that they're called Twitters now.
    1. Re:RTFA by cayenne8 · · Score: 1

      For all the data housed there...the security in some areas was high...but, in many cases..especially accessible from the 'net...it was pretty lax. Guess it still is.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  90. The real world by TrippTDF · · Score: 3, Insightful

    People carry their wallets in their back pockets. People leave windows unlocked. People trust their neighbors. People think their data is secure.

    A good thief/crook/whatever is someone who exploits this feeling of security, not breaking into a secure system.

    This guy just screwed up and got caught. I bet this happens a lot more than we think, thanks to our sense of security.

  91. Really hacked... by Anonymous Coward · · Score: 1, Informative

    The summary is misleading. The attacker was not an Acxiom employee. He had legitimate business using the Acxiom server to access one account (that of his employer). He used this access to get the passwords of other clients. If that doesn't count as being hacked, I don't know what does.

    See the SecurityFocus article.

  92. Re:Contradictory - Maybe not.... by leeet · · Score: 1

    Obviously, the database isn't a plain-text file or an Excel sheet. It's gotta be some sort of SQL server (I would hope so!)

    So our "cracker" had to be smart enough to take a look at things like netstat and see where his tool/application was connecting and then maybe he could do some sort of "select * ...."

    Maybe those commands were viewable via "string" or "notepad.exe" (if Windows).

    You can't simply "access" that data, you have to dig for it. Maybe he was an IT guy as well and then, things are much easier (unfortunately).

    --
    -- Leeeter than leet
  93. Make everything public by tjstork · · Score: 1
    If you put everyone's personal information on the internet, you would probably find that after a while, most people wouldn't even really give a hoot about it.

    How bad is a bankruptcy or something else, anyway?

    The only people privacy rules protect are the rich.

    Medical records should be kept private. But, financial records, why not make them all public?

    --
    This is my sig.
    1. Re:Make everything public by Anonymous Coward · · Score: 0

      Sure and with those records, publish your ssn, your address, phone number, mother's maiden name, cc numbers, bank account numbers, or whatever else it is these companies store in their dbs.

      Ya, why not make it all public?

  94. Easily amazed. By Slashdot. by Anonymous Coward · · Score: 5, Insightful

    First rule of database administration..

    THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.

    Second rule?

    The people inputting the data cannot query the data.

    Third rule?

    The people who query the data, cannot modify the queries.

    The second and third are not nearly as important as the first. If you work in a company that violates the first rule, you should immediately walk into the office of your CEO and demand he commit seppuku.

    I keep seeing posts from the clueless whining about, "Well of course they had access!" True, someone ultimately has to have some type of access to the data. However, the access should be restricted far beyond the idea of, "Oh, the DBA can just pull up whatever he wants."

    Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.

    I'd be fucking sour on US 'techs', too.

  95. Disregard the BBB by Trailer+Trash · · Score: 1

    Acxiom is a Certified Participant in the BBBOnline Privacy Program.

    It's sad, but my experience is that the BBB exists simply to collect money from members for a rubber stamp.

    I was being spammed by www.inphonic.com, who had a BBB logo on their page. They weren't directly spamming, they were using 3rd party spamhausen (fantasticrewards.com, freeze.com, consumerpackage.net, etc.) Even after the BBB had forwarded my email address to them, and inphonic.com had replied *to me* saying "we'll take you off our list", I continued to receive email from them. (side note: this is why opt-out doesn't work; being off their list is irrelevant if the spammers that they hire don't do the same).

    I sent their certifying BBB all the proof. The BBB's response was to literally change the written policy from disallowing spamming to allowing spamming as long as the merchant includes an opt-out mechanism. I pointed out that they weren't honoring opt-outs, either, since I kept getting spammed, but the BBB didn't care.

    Anyway, I'm not convinced that the BBB really does anything aside from collect money. All organizations like that have the same problem: you can't shit on your customers. And ultimately, inphonic.com is their customer, not me.

    Michael

    1. Re:Disregard the BBB by AndroidCat · · Score: 1

      What's worse, the BBB in each city or whatever seems to be a franchise operation.

      --
      One line blog. I hear that they're called Twitters now.
  96. What really pisses Acxiom about this... by AndroidCat · · Score: 1
    The guy 'hacked' passwords of other Acxiom clients off of an insecure file transfer server, then used the access privileges of some big clients to suck down data. Then he was probably going to sell that data .. just like Acxiom is doing right now.

    Acxiom doesn't care if people have access to personal data gathered about you; that's what they do; it's their purpose in life.

    So what really pisses Acxiom off about this? Those big clients are going to go over their bills and demand a refund for the stolen access.

    --
    One line blog. I hear that they're called Twitters now.
  97. Re:What OS? by Bho · · Score: 1, Insightful

    Since when does that matter?

    You can have a pissing contest all damn day if you want to - no OS is infallible. It doesn't matter if you wrote the OS yourself - if nobody took the time to do basic security on it - not to mention physical security, it's immaterial.

    Until security is taken seriously, this will happen regularly. The difference is - we heard about this one.

    And Bill; so what? Small fish like your clients aren't attractive enough targets, THAT'S why you haven't been 'hacked'.

  98. To the server... by phorm · · Score: 1

    Legitimate access to the server may not imply legitimate access to the same data. While it's generally stupid to house lesser apps on a critical-data server, it is entirely possible that this user had certain rights to the server, but wasn't supposed to be able to access the specific information which was taken.

  99. break-ins and being newsworthy, the fbi and you by konduct · · Score: 1

    This isn't news -- it's a daily occurrence. However, netizens and hackers find break-ins newsworthy when the database is larger and/or more sensitive. The greater the target's security investment, the greater the challenge. You can bet that copies of this database have already been tarballed, bzipped and scp'd to 50 countries.

    If you place first in a 500 lap race, there is more associated with that victory than a shorter 100 lap race. Why? Time investment necessary to be victorious, equipment and bandwidth required. Concentration needed. Similarly, if a company has stateful inspection firewalls, network and host-based intrusion detection, regular vulnerability assessment and a proactive group of sysadmins and security experts protecting the network -- and you can still break in -- that's newsworthy. Good examples of truly newsworthy break-ins would be Yahoo! News Hacked, and FBI Investigating Qualcomm Hacker.

    Here we have an article about yet another internal employee that was laid off and screwed around with the databases in retaliation (YAIETWLOASAWTDIR). Sure it's a problem, but it is not insurmountable. Just how common is this problem? Check out my recent blog entry, "Sacked staff turn to sabotage because they still have access."

  100. Symptom of bigger problem by Bardwick · · Score: 1

    That places like this exist really bothers me. RL example: I have my Yahoo account for spam/eBay/whatever. I have my sneaky RR account that never gets spam. Started building an MI home 4 months ago; on my contact info, I put down my RR account. Within a few days, I'm slammed with refinance, mortgage, home improvement, and contractor info. A few days later, Viagra and breast enhancement... A collects info, but will only sell to partner B; B gets the info, but will only sell to C, D... Whenever someone says they will only share information with their "partners", it's bogus. The whole spam/marketing arena are "partners" eventually.

  101. more than just credit cards, too by SolemnDragon · · Score: 2, Interesting
    They also deal with a number of other types of account info, including debit cards, in some cases. Banking firms use these giants for all kinds of info collection. Which means that the average citizen out there may find no money in their account one morning and not know it till they get denied at a point-of-service for insufficient funds - AND the recipient may have things like work address, paycheck data, and so on. This is a bad-news nightmare, and the biggest problem is that unless the company takes responsibility, it may take a lawsuit to force them to do so when a person loses money. It can take years just to clear bad credit issues; there's little to no recourse in the case of outright theft unless they catch the guy who did it. Hopefully, with that many accounts, he might be dumb enough to use them. If he's not, and simply posts or sells them, they may be flagged in the transaction by someone paying attention.

    What a mess. I wonder what their E&O insurance is going to look like after this little nightmare?

  102. Don't trust BBBOnline Privacy Program! by Anonymous Coward · · Score: 0

    A while back I requested a credit report from Equifax using their web site. I had to set up an account to access my report online. Shortly afterward, I received an automated email response from Equifax. In their reply they sent me my username and password, in an unencrypted email. Anyone who saw that email go through their server has complete access to my credit report.

    I complained to Equifax; their reply came several days later and from the text of the response it was clear that they didn't even read my complaint.

    I sent a complaint to the BBB Online Privacy group, of which Equifax is a founding member. You know what they did? Nothing. I didn't even get a reply back.

    So what have we learned? Don't trust that a company's participation in the BBBOnline program is any kind of guarantee of security. And, get your credit reports through some third party website, not from Equifax directly.

    If only you could choose which credit bureau got to handle your credit info...

    Steve Knoeck
    knoeck@yahoo.com

  103. security isn't lax at all in some cases by wonder · · Score: 1

    It's part of the job. For example, I work for a company through which millions of pieces of confidential consumer data flow each and every day. It is my job to look at this stuff. Now the only thing preventing me from behaving immorally with respect to this information is my own personal sense of morality, and I suppose also the legal consequences of such action.

    There are situations where it is not possible to do one's job without access to data. Now, I will mention that I work in a facility that deals with quite a bit of financial data, and have had to be screened for government "Secret" level classification. That being said, I didn't have to pass that until AFTER I was hired, and I'm not even sure that passing was a condition of keeping my job.

    The point is, I read many posts in this thread where it is the opinion of the author that any employee of any company having access to personal data of any kind is a most grievous security breach. How do you think anyone does any work on the systems which maintain and process your data? Things like bank/credit card statements, financial/investment confirmations, bills, and a host of other things you receive in the mail each month and probably don't give a second thought to all contain an enormous amount of personal information (which of course they have to, to be able to mail it to you and print the information on the page), and that is all farmed out from the card provider or financial institution to some third-party printing company for mailing. And you're worried about someone who may have legitimate access to the data?

  104. how to secure you and get data by Anonymous Coward · · Score: 0

    No method is fool proof but here is what should happen.
    1. No person should be known by their identity but by their card number.
    That is, I can only find the people groups located in the region of. There should be no way to track an individual, period.
    2. No information from credit card ID's to bank ID's should be permitted in the database.

    The basic principle should be that I am offering myself as an anonymous statistic, period.

    Lastly there should be a World Wide agreement on this issue with local laws against using companies who do not subscribe to the law. That is no collecting agent can collect in US or Canada unless they accept and are audited to have no means of data mining for Identity Theft.

  105. It amazes me too. by Anonymous Coward · · Score: 1, Interesting

    It amazes me that people still think computers can be secured at all.

    Computer security is exactly this: You pretend I am an idiot. I pretend I am an idiot. And we both pretend your computer is secure.

    There hasn't been a system yet that hasn't been hacked. I don't mean that can't be hacked. I mean that hasn't been hacked.

    If you want your data secure then turn off your computer; unplug it from the wall; burn it into a molten mess; then irradiate the remains.

    Keyboards can be videotaped, networks can be sniffed, disks can be analyzed, people will be stupid, CPUs emit RF, hell, power LEDs on the front of your computer can be scanned and everything running through your box can be decoded from across the street!

    Don't be amazed that the guy who has access to the disk drives, the operating console, the tape drives, and the patch panels can get at your data.

    Crackers aren't cool. The cool people are the people who walk away from an open candy dish.

  106. Former Acxiom Developer by enjo13 · · Score: 4, Informative

    As a former employee at Acxiom (Conway offices), let me jump in here.

    I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers' data (not the whole company's, just the customers who used our tool). This was absolutely necessary for us to track down client-specific problems.

    The company did have very good policies restricting data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. many, many, many terabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.

    More than once people were fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..

    The person that did the 'break in' was likely either a programmer or, more likely, a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year-old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eyebrows. I know this was raised as a security concern at some point..

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
    1. Re:Former Acxiom Developer by Anonymous Coward · · Score: 0

      A review of security policy and procedure is in order. This server was a shared FTP server sitting in a DMZ (between the Internet and the Acxiom internal network). The "hacker" had access via a legitimate FTP account, which if properly administered should have restricted access to that account's directory(ies) and data. Obtaining access to other accounts implies picking up a copy of the system's password file. This shouldn't happen with rigorous security procedures.

      Let's assume the password file was encrypted. Decrypting passwords from this file should not be easy unless trivial passwords were allowed. Another lapse in security procedures.

      Another point of examination should be the fact that the security breach was not noticed by Acxiom. It was reported to Acxiom by an outside agency.

      It was also reported that the "hacker" is in custody. That doesn't happen overnight. How long ago did the original security breach occur?

      This doesn't seem to be best practice security policy and procedure in action. If I had been using this ftp server for file exchange with Acxiom I would certainly want to know how I can be assured that the security breach was limited to this one server.

      Why wasn't the data itself encrypted? PGP anyone?
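Posts 84 and 98 above, and this reply, all make the same point: an account on a shared transfer server should be confined to its own directory, and the credentials for that account should not be trivially recoverable. The code below is an added illustration of both controls, not Acxiom's server software or anything the posters described. The `/srv/transfer` layout, the account names, the deny-list and the password policy are assumptions made for the example; a real server would additionally canonicalise the resolved path with `os.path.realpath` to defeat symlinks.

```python
"""Confining a shared file-transfer account to its own directory.

Constructed example. Each client account owns one root directory; every
client-supplied path is normalised and checked against that root before the
server touches a file, and account passwords are stored only as salted
PBKDF2 hashes after a minimal policy check.
"""
import hashlib
import hmac
import os
import posixpath
from typing import Optional, Tuple

TRANSFER_AREA = "/srv/transfer"  # hypothetical layout: one subdirectory per client
TRIVIAL = {"password", "123456", "letmein", "qwerty"}  # constructed deny-list


class AccessDenied(Exception):
    pass


def account_root(account: str) -> str:
    return posixpath.join(TRANSFER_AREA, account)


def confine(account: str, requested: str) -> str:
    """Resolve a client path inside the account's root or raise AccessDenied.

    Pure string logic with POSIX semantics so it runs without a filesystem.
    Client paths are always interpreted relative to the account root, so a
    leading "/" cannot reach the real filesystem root.
    """
    root = account_root(account)
    target = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        # ".." segments that climb above the root end up here
        raise AccessDenied(f"{account}: {requested!r} resolves outside {root}")
    return target


def password_acceptable(password: str) -> bool:
    """Minimal policy: length and not on the deny-list (case-insensitive)."""
    return len(password) >= 12 and password.lower() not in TRIVIAL


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the server never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def create_account(account: str, password: str) -> Tuple[bytes, bytes]:
    """Reject weak passwords at provisioning time; return (salt, digest) to store."""
    if not password_acceptable(password):
        raise ValueError("password does not meet policy")
    return hash_password(password)
```

With this in place, a request from one client for another client's directory fails before any file is opened, and a copy of the credential store yields only per-account salted hashes rather than anything directly reusable.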

  107. Hacking Encrypted Data by Anonymous Coward · · Score: 0
    Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used ``for clients to transfer files to us and for us to transfer files back to the clients,'' she said. Barrett said much of the information taken from the server was encrypted and that the risk of identity theft is slim.

    Ummm, anyone else see a problem with these two statements?

  108. Re:Easily amazed. By Slashdot. by JSkills · · Score: 1
    Maybe you want to simmer down a bit, since you clearly have no idea about the specifics of this case.

    Of course he had access to an FTP server that his company never bothered to ask Acxiom to change the password on once he was no longer an employee.

    The guy was *not* a DBA, he was a simple user who could access data when he had a job and his access rights were not taken away as they should have been (after he was no longer an employee). This has nothing to do with your three golden rules or the general incompetence of US techs as you allude to. It was a breakdown in corporate policy, not technical skills.

    Human Resource departments in many companies are notorious for not taking all of the necessary steps before and after an individual is terminated, particularly when it comes to coordinating with IT.

    Just a thought (which you'll likely toss in the recycling bin in your brain anyway): You might want to be a little more sensitive to people who just might be out of a job right now here in the US too ...

  109. unstoppable? by neoxean · · Score: 1

    as long as there are people who have access to power (or privileges), then there will be the chance that they will abuse it, and cause havoc.

    unfortunately, the only way to stop it would be to do background checks, and keep all employees under surveillance etc etc... it is not practical, and would not be worth the company's while.

    Until more events such as this happen, companies will not invest the money needed to protect them from inside jobs.

    This type of activity is inevitable.

  110. Smart Consumer! by rhombic · · Score: 1

    At least if the parent poster is smart enough to use a credit card that returns some sort of reward, Discover, Amex, or a reward-paying visa/mc. I pay for everything using mine, and so effectively receive a 1% discount everywhere I shop. Over time, it really adds up. If the stores don't like it, they can refuse to honor credit cards-- I go to a couple of great restaurants that are cash only and are well worth it. If a merchant doesn't want to pay the fees, they don't have to accept credit cards.

    --
    1984 was supposed to be a warning, not an instruction manual.
    1. Re:Smart Consumer! by Zathrus · · Score: 1

      Yeah, we use Discover for everything. A few places don't accept it still and we use AmEx Blue there (which is insanely stupid on the part of the merchant -- AmEx has far higher fees than Discover does, and Discover is no longer associated with Sears).

      Keep meaning to look into the Citibank 1% back MC/Visa, but I'm rather sour on Citibank at the moment.

  111. Some bombs aren't under pilot control by edremy · · Score: 1
    Say an Air Force pilot goes AWOL and drops a devastating bomb causing lots of harm. Here's what that quote would sound like: "It amazes me that the Army would have such lax security as to allow a pilot to use such weapons at will."

    Actually, for serious bombs (i.e., nuclear) the above cannot happen. Yes, the pilot can drop the bomb. It will then fall to the ground and go "BONK" since the arming codes have not been sent to the bomb.

    The US military is very, very careful with nukes. A lot of thought has gone into finding ways to prevent unauthorized use of these things.

    In a similar vein, there are ways to protect the data in a DB from a malicious admin. The story doesn't give enough details to know if any of them were used.

    --
    "Seven Deadly Sins? I thought it was a to-do list!"
    1. Re:Some bombs aren't under pilot control by akaina · · Score: 1

      yeah but ultimately it's like that episode of Get Smart where Max suggests that the highly top-secret code book be transferred by an agent who has memorized the entire book:

      Chief: "But what if the Agent dies?"
      Max: "... then we'll have a new plan where we have TWO agents memorize the book"
      Chief: "But what if both agents are killed?"
      Max: "... then we'll have a new plan where we have THREE agents memorize the book" ... :)

      But yeah, I see where you're coming from, and indeed the story is a bit lax on details.

      --
      Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
  112. I, Trollbot by filmsmith · · Score: 2, Funny

    1. A Trollbot may not be modded Insightful or, through inaction, allow another Trollbot to come to Insightful status

    2. A Trollbot must obey orders given it by geeks except where such orders would conflict with the First Law

    3. A Trollbot must protect its own existence as long as such protection does not conflict with the First or Second law.

    Just a lazy, Karma-burnin' friday...

  113. Acxiom Policy - From a Friend of an Employee by Mirell · · Score: 2, Informative

    Acxiom employs an 11-digit universal identification number as the main ID in the Oracle database they employ. The database administrators, of which Acxiom understandably employs a great many, have to have access to the entire database in order to run scripts to weed out duplicates, of which there are a great many. For instance, John Smith and John B. Smith, while the same person, may be recorded as two different people, so two mailings get sent out to the same address, costing the company that purchased this mailing list money that could have been saved. And in terms of accounting procedures, SQL access is logged to an extent, but with millions upon millions of transactions going on every minute, a pull of a hundred thousand records is insignificant.

    The great wonders of a company based in Arkansas.

    --
    We have so much time, and so little to do - strike that! Reverse it. Tryn Mirell
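    One way to surface the kind of bulk pull that the post above says disappears in transaction volume: an added example, not Acxiom's code or logging, that parses constructed audit log lines (the line format, account names and the 10,000-row threshold are assumptions) and sums rows returned per account over a sliding time window, so that many small lookups stay quiet while a large export stands out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real Acxiom data).
# Format assumed here: ISO timestamp, account, rows returned, statement.
AUDIT_LOG = """\
2003-08-08T09:00:01 app_svc 1 SELECT ... WHERE uid=10023345678
2003-08-08T09:00:02 app_svc 1 SELECT ... WHERE uid=10023345679
2003-08-08T09:00:03 dba_jane 2 SELECT ... WHERE last_name='Smith' AND zip='72201'
2003-08-08T09:05:00 dba_bob 60000 SELECT uid,name,addr FROM consumers WHERE state='AR'
2003-08-08T09:05:30 dba_bob 45000 SELECT uid,name,addr FROM consumers WHERE state='TX'
2003-08-08T09:30:00 app_svc 1 SELECT ... WHERE uid=10023345680
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")


def parse_audit(text):
    """Turn audit lines into (timestamp, account, rows, statement) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, rows, stmt = m.groups()
        events.append((datetime.fromisoformat(ts), account, int(rows), stmt))
    return events


def flag_bulk_pulls(events, window=timedelta(minutes=15), max_rows=10000):
    """Return {account: peak_rows} for accounts whose rows returned inside any
    `window`-long span exceed max_rows. Counting rows per account rather than
    statements per system is what makes a 100k-record export visible among
    millions of single-record lookups."""
    by_acct = defaultdict(list)
    for ts, acct, rows, _ in events:
        by_acct[acct].append((ts, rows))
    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()
        start, total = 0, 0
        for ts, rows in evs:
            total += rows
            # Slide the window start forward past events older than `window`.
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > max_rows:
                flagged[acct] = max(flagged.get(acct, 0), total)
    return flagged
```

    The per-account window threshold is the tunable part; in practice it would be set from each role's normal rows-per-window baseline rather than a single fixed number.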
    1. Re:Acxiom Policy - From a Friend of an Employee by bluprint · · Score: 1

      You have no idea what you are talking about...I work there.

      --
      A modern day witchhunt.
  114. Re: on credit cards by King_TJ · · Score: 1

    While I understand what you're saying, I think credit cards have been overrated in recent years for providing "consumer protection". The credit card companies love it when people spread around the notion that "buying with cash leaves you with no recourse if the product isn't as advertised". There are plenty of laws governing these issues - and your main issue when using cash is making sure you get (and hold onto) your receipts!

    You have to really read the fine print on your credit card policy too. I had a corporate American Express card one time that didn't offer the purchaser any extra recourse if he/she was sold a faulty product, or something arrived that wasn't what was ordered. It stated right in the policy that these issues were strictly between the purchaser and the merchant!

  115. Re:What OS? by Takeel · · Score: 1

    If you're serious, I hope you have a close eye on object authority and have good security settings on user accounts. Just because IBM won't talk much about what's under the hood in OS/400 doesn't mean someone hasn't figured it out.

  116. Re: on credit cards by Zathrus · · Score: 2, Insightful

    There are plenty of laws governing these issues - and your main issue when using cash is making sure you get (and hold onto) your receipts!

    Sure there are laws. But do you want to waste your time trying to get your cash back, or would you rather tell your bank/credit card company/whoever that the service/merchandise/whatever wasn't provided, have them refund you your money quickly and easily, and then let them go about squeezing blood from the stone?

    Personally, I know which one I'd choose. I'll take the one that gets me my money back with a minimum of effort and time on my part, thank you very much.

    It stated right in the policy that these issues were strictly between the purchaser and the merchant!

    A good reason to not use American Express frankly. Because the traditional AmEx isn't a credit card. I don't recall the terminology for it, but basically AmEx doesn't give you a credit limit, percentage rate, etc. because you MUST pay the money back at the end of the cycle. The newer AmEx cards (like AmEx Blue) are traditional credit cards, but the older ones are not. As such they're not governed by the same rules that Mastercard, Visa, Discover, etc. are and don't have to offer the protections that credit cards do. Just because it's plastic doesn't mean it's a credit card. Remember that when you pull out the debit card too.

    Oh, and what's the issue with the debit cards (no, you didn't ask this, but I suspect some people are)? Simple -- they're directly tied to your bank account. If a fraudulent charge is made on your card it can wipe out your entire bank account. Sure, they now have the same protections that credit cards have (as long as the Visa or MC logo is on them -- if they don't have the logo, refuse to accept one of these cards from your bank!), but there's a twist. The bank is allowed up to 30 days to investigate your dispute. If they wiped out your entire checking account, can you go 30 days without that money? What about if you had checks outstanding? Guess who's liable when those checks bounce? Not the bank. Some banks are starting to rectify this, but you're still better off using a real credit card -- as long as you pay off the balance in full every month.

  117. huh? by Anonymous Coward · · Score: 0

    was an employee with legitimate access to the information

    how does this make him a hacker then?

  118. Irony by ChicksDigUnix172 · · Score: 1

    some of the top security people are actually ex-hackers hired for their extensive knowledge of vulnerabilities and ability to recognize potential vulnerabilities. Talk about risky hiring practices.

  119. Re:What OS? by Bardwick · · Score: 1

    Oops, they were running MS. Please see netcraft.com http://uptime.netcraft.com/up/graph/?host=www.Acxiom.com Also, please check out their home page and view the graph that shows market share, comparing IIS and Apache, I think you will find the trend interesting. Shaky setup? Perhaps you could ask the good people that have done it at one of the following... cnn.com weather.com yahoo.com whitehouse.gov nasa.gov Have to ask the question, how do you know you haven't been hacked?

  120. I hate to say it but... by erroneus · · Score: 2, Interesting

    ...WE NEED MORE LAW.

    In this case, the law should be to regulate how "consumer information" is stored, protected and regulated. The "Fair Credit Reporting Act" does many nice things for the consumer but clearly not enough with the constant threat of misuse of information.

    First of all, I would like to see the use of social security numbers more tightly regulated in the form of requiring a business or individual to have a FEDERAL LICENSE to collect and use such information. We all know the SSNs are the primary key to all of the rest of the information collected on us. The law states that SSNs are only for the purpose of managing your social security account. Not for any other purpose. Law states that no other institution, private or public, can require that you disclose that information for any other purpose. That said, you can and are routinely required to disclose this information else you will be denied credit and/or many other factors of "modern life" in the USA. These abuses can be battled but I do not see a victory against this proliferous abuse.

    But with more controls in place regulating the use of this information and PUNISHING those who do not handle it properly and by revoking a business license to use it and by criminally prosecuting individuals found responsible for illegally collecting this information, we can hope to contain the damage done to privacy in the U.S.

    Identity fraud has been identified by various security agencies in the US as a threat to homeland security as it has been found that profits gained through "identity theft" are in fact funding terrorist organizations. Lax security does not only endanger individual credit or individual identities, but endangers the safety of the entire US public at large.

    We can protect our country by requiring that those who do business by collecting our information do so in a safe way. If a data system is identified as unsafe (for example, a MS Access database) then that business function should be enjoined to halt activity until it can be migrated to a "safe" system that is deemed safe by the public agency that deems the system as being safe for holding this class of data.

    This agency would be the equivalent of the FDA. Who knows what it would be called (there are a lot of creative minds out there who could create a clever acronym for a "Federal Privacy Agency"... so let's hear some ideas) but its function should be to police and regulate the use of private information. It should, however, be barred from collecting private information itself except where it is using such information as a way to conduct investigations.

    Because technology has improved significantly in the past 30 years, I think new law should be in place to protect consumers from identity theft. We need regulation of WHO can legally collect information, HOW it can be used, WHO it can be sold to and how the clients can use it themselves. Within that usage criteria, how it is stored and maintained should be strictly regulated. We have laws that require food vendors store and distribute food, so why not critical and vital information?

  121. Axciom knows more about you than any other company by geekotourist · · Score: 2, Informative
    In the comments I haven't seen too much talk about Axciom itself: this is the company that combines every possible bit of information about people into one database, then usable for marketing / fatherland security research. They're the ones who get all the data from warranty cards, mix it with magazine subscriptions, combine that with census data, sprinkle with available political and healthcare data, blend with credit info and filter through post office change-of-address forms... As privacy articles have pointed out, the intersection of sets of 'non-personal' information can easily be a single, identifiable person.

    You have a new lifestyle magazine designed for the 30-40 year old programmer, making between $40k and $60k, and owning at least one ferret? Axciom will get you a list with most every one of those living in the geographical region you want.

  122. Re:Axciom knows more about you than any other comp by bluprint · · Score: 1

    More FUD. That's simply not true.

    --
    A modern day witchhunt.
  123. True, I didn't spell the name correctly: Acxiom by geekotourist · · Score: 1
    Some info on what types of info Acxiom helps you with:

    "Transactional data permits companies to segment their customer base into best, worst, and average customers. This permits much more focused marketing expenditures. But it doesn't provide any clues as to who your customers are as individuals. How old are they? What's their income and family status? Do they own a home or autos? What are their lifestyle preferences?"

    "InfoBase List--the largest collection of U.S. consumer and business data available in one source for list rental. As a comprehensive resource for marketing data, InfoBase provides accurate and effective information to better direct your marketing efforts. With access to more than 176 million consumer records and thousands of demographic, lifestyle and behavioral selectors, no other list source can match the combination of accuracy and coverage of InfoBase data..."

  124. same here by manon · · Score: 1

    I have been working for a company that does the wage calculations for employees in companies like BASF and Siemens... I had, as a UNIX admin/Oracle DBA, rights to search every paycheck in the databases.
    It's normal that some people have access to those kind of things. I think it's all a matter of ethics.
    My manager would look up people who earned thousands of euros a month. I didn't care.
    People who have access to such information should have ethics and companies handling information that is so sensitive should select their administrators very carefully.
    The fact that this person did abuse his/her rights to that information is a big mistake, made by that company in my opinion.

    --
    42 + 1 = 42
  125. The Important Question is: by Anonymous Coward · · Score: 0

    What did he do with the data, and what banks have had their data compromised at this point. I'd like to know if my data has the possibility of being one of the ones he had access to.

  126. Re:Easily amazed. By Slashdot. by Kevin+DeGraaf · · Score: 1

    THE ADMINISTRATOR DOES NOT EVER, FOR ANY REASON, TOUCH THE DATA.

    Sheesh. Now I know why I can't get a job, and companies who are laying you people off are checking out India and Russia.


    Since you're such an expert, please justify the first statement. I say it's BS. (Hoping that the AC will come back and actually read replies...)

    --
    We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
  127. Re:What OS? by Anonymous Coward · · Score: 0

    Connecting to a really obvious hostname at acxiom.com reports this:

    220 millennium Microsoft FTP Service (Version 4.0).

    How 'bout them apples, mister MCSE?

  128. Are you kidding me? by Anonymous Coward · · Score: 0

    "...It amazes me ...such a company would have such lax security as to allow an insider to browse..."

    Are you kidding me???

  129. A question for libertarians by alexo · · Score: 1

    > Sadly, our government doesn't seem to be too... enthusiastic about stopping this type of stuff. Don't get me wrong, I'm a libertarian at heart, I think the government should stay out until absolutely necessary, but this is a case where it's gone too far. I don't trust the consumer enough to protect his own rights.

    Yep, that's the question.
    Once the government is out of the way, who will protect you from the corporations?

    1. Re:A question for libertarians by Dalcius · · Score: 1

      I don't have the will to get into the necessary explanation, but here's something to think about:

      Assuming the government only steps in in cases like the Baby Bells, Microsoft, Standard Oil, etc., the question arises: won't we have more corporate control?

      Most of the problem lies in barriers to entry. Patents and general IP, lawsuits, and government regulations and requirements are often the biggest factors in barriers to entry. These are all part of government regulation which go largely unchecked.

      There is a time and a place for a small body of individuals to make decisions for everyone else to make things easier, but I'd rather keep my daily business to myself.

      --
      ~Dalcius
      Rome wasn't burnt in a day.
  130. good thing... by spike+it · · Score: 1

    ...the company is taking no responsibility for the break in other than reporting it to the clients, who then may or may not inform their customers.

    Good thing I have theft/fraud protection on all my CCs. Here's to everyone who said I'd never need it. *clink*

  131. Feh. by Anonymous Coward · · Score: 0

    If you disagree with the parent post, you're wrong. Completely and utterly wrong. That is all. YHBT. YHL. HAND.