Slashdot Mirror


Consumer Database Company Hacked

fermion writes "The NYT(FRR) and others are reporting that a hacker has broken into an Acxiom server. Acxiom evidently is "one of the world's largest consumer database companies" and serves most top credit card companies and retail banks. There are a few items that stand out in this case. First, Acxiom had no idea that the breach occurred until the company was contacted by the police. Second, the theft was an inside job. The suspect, now in police custody, was an employee with legitimate access to the information. It amazes me that such a company would have such lax security as to allow an insider to browse supposedly private data at will. Third, the company is taking no responsibility for the break-in other than reporting it to the clients, who then may or may not inform their customers." Acxiom is a Certified Participant in the BBBOnline Privacy Program.


  1. Acxiom vs. the government by jamie · Score: 5, Informative

    Acxiom was the first company listed in Microsoft's November 1998 parade of members of their Online Privacy Alliance. The OPA's goal was to keep the feds away: "The alliance advocates industry self-regulation as the best way to ensure that consumers maintain control of their personal data online."

    Acxiom warned TRUSTe members in late 2002 that "conditions look right for the 'Perfect Storm' of privacy legislation next year." Yeah, scary, the government might insist that customers have some privacy.

    I wish I could have seen the look on their faces when the government called them up to let them know their own employee had stolen their customers' private data.

  2. Re:You're amazed by this? by dnoyeb · Score: 4, Informative

    What amazes me is this was not a hack, it was an inside 'job' if you can even call it a job. So please ./ drop the 'database hacked' tagline.

    My CC was compromised at some point. I am unaware, but CapitalOne contacted me last year sometime and said they were sending new CCs out because something got compromised. Was fine with me, no hassle as they like to say.

    But I also learned that a lost/stolen report showed up on my credit report. Unsure how this is viewed by creditors. I hope it's just a note as to why the account was closed and not something that would ever look suspicious.

  3. Axciom - facilitating spam by gorbachev · Score: 3, Informative

    About a year or so ago people started getting spam addressed to the wrong "John Smith". Some folks tracked the spam to Axciom. It appears that they'd started selling epending services for their clients.

    Basically a client supplies information about the consumer (name, partial address, etc.) to Axciom. Axciom then takes their best guess as to what the Email address for the consumer might be.

    Where the problems come with this approach is when you have a common name and your address information is incomplete. Axciom will happily give the client the best guess, and the client will happily spam the living ****loads out of whoever's email address they can get their hands on.

    But, hey, you can always opt-out...one client at a time...

    Proletariat of the world, unite to kill spammers

    --
    In Soviet Russia, I ruled you
  4. BBBOnline by Liquorman · Score: 5, Informative

    Below I have posted the complete listing of requirements for approval from the BBBOnline (Better Business Bureau Online) page. Seems like it is pretty easy to meet the requirements as long as you pay the BBB! Also, it does not appear to have much to do with specifics of what a privacy statement should say, just that you simply must have one.

    General Conditions

    The organization's website or service is online. If not yet launched, the organization's website or service is substantially complete and available for evaluation.

    The organization has adopted and implemented an online privacy notice (including an effective date) and posted this notice on the website or online service.

    The organization has paid the application and evaluation fees; completed the BBBOnLine Privacy Business Application and required portions of the BBBOnLine Privacy Assessment Questionnaire. The organization has signed and returned the BBBOnLine Privacy Participation Agreement.

    A specific individual has been charged with the responsibility for implementing and overseeing the privacy notice for the website or online service. If the organization's application for a BBBOnLine privacy seal does not cover all its websites or online services, and all the websites and online services of its corporate affiliates, then it must be clear to web-visitors relying on the display of the seal, which parts of the websites or online services are covered and which parts are not.

    Any organization whose website or online service is directed to children under the age of 13, or who collects personally identifiable information from a particular individual actually known to be under the age of 13, must comply with the substantive requirements of the BBBOnLine children's seal program in addition to the requirements of the general BBBOnLine privacy seal.

  5. Re:Contradictory by pubjames · Score: 4, Informative

    This sounds like straight abuse of confidential information. No computers required, no lax security required. A person with legitimate access to data went bad.

    I don't think it is as simple as that. Just because it is an inside job doesn't means that the company does not have lax security.

    I have worked on software systems for the management of transaction data for some major banks. Do you think they gave me access to their databases to do the work? No way Jose. They gave me access to duplicate systems with dummy data. Only a very few people had access to the 'real' data (even within the bank) and even then their access was strictly controlled - I mean they had to get permission to get physical access to terminals that could access the data, and they had to justify why, and all their actions were logged.

    Anecdote - I once was working in a bank's bomb-proof super-secure dataroom doing an install on one of their transaction processing systems. The install took a while and I was bored out of my mind. I was idly curious to see what was on the screen of one of the many terminals in the room, so I touched the space key to activate the monitor. About two minutes later the room was full of bank security guys asking what the hell I thought I was doing.

  6. Re:What OS? by phusnikn · Score: 1, Informative

    Why? Do you think all hackers are pimple-faced 16-year-olds?

    There are 5 types of hackers out here; let me give you the rundown as a professional security consultant.

    Casual hackers
    Skill level: Low - High
    Threat: Moderate
    Varying levels of skill, ranging from beginners to seasoned veterans. Often rely on widely available automated tools to locate an exploit or weakness.

    Employees/Insiders
    Skill level: Low - High
    Threat: Moderate - High
    Direct access to internal resources. May have detailed knowledge of a company's computer systems and security mechanisms.

    Thieves and Career Criminals
    Skill level: Moderate - High
    Threat: High
    May be highly skilled at evading discovery and capture. Detailed understanding of financial and accounting systems.

    Corporate Spies and Other Hired Professionals
    Skill level: High - Very High
    Threat: High - Very High
    Proven level of skill; often insiders with direct access to confidential information.

    Foreign Governments and Terrorist Organizations
    Skill level: Very High
    Threat: Very High
    Highly trained with proven level of skill. Focused on intelligence gathering and effective information warfare tactics.

    Now, what your data is worth will define the type of hackers that prey on your network.

    --
    - I came I saw I Conquered
  7. You should know better... by gosand · Score: 2, Informative

    ...a hacker has broken into a Acxiom server....The suspect, now in police custody, was an employee with legitimate access to the information.

    So not a hacker then. Or a cracker either, to keep another section of the crowd happy.

    *sigh* You should know better than to trust the poster, headline, the commentary, or the summary of any story posted to Slashdot. I know it is odd, but this isn't a news site where "editors" verify things that are posted. As always, RTFA...

    Barrett said the individual in police custody is a former employee of one of Acxiom's clients and that the information was stolen while the person had legitimate access to Acxiom servers. ``They used that access to hack into the passwords of other clients,'' she said. Barrett said the offender gained access by hacking encrypted passwords from clients who access the server. The server, which was outside a firewall, was used ``for clients to transfer files to us and for us to transfer files back to the clients,'' she said. Barrett said much of the information taken from the server was encrypted and that the risk of identity theft is slim.
    --
    My beliefs do not require that you agree with them.

  8. Re:Legal responsibility by tanguyr · Score: 2, Informative

    According to this version, the person in question wasn't an Acxiom employee but rather a former employee of one of their clients who still had legitimate access to the server in question (so his employers had been lax in notifying Acxiom to shut off his access). OTOH, the article also mentions that data from several of their clients was compromised, albeit in encrypted form, which is still somewhat shoddy for a company of this type: if the guy had been able to access his ex-employer's data then the blame is on them (the ex-employer), but if he can get at stuff from other companies then Acxiom has some explaining to do. /t

    --
    #!/usr/bin/english
  9. Re:make sure you Opt Out by Zathrus · Score: 3, Informative

    Actually, it doesn't remove you from the database. At least not in any database I've ever seen or worked on.

    What it does do is ensure that they won't send you marketing offers and that they won't sell your information to others for the same purpose. The latter is the important bit.

    If you actually want them to remove your data from the system, then you better be prepared to cease doing business with them and any of their subsidiaries/partners. Which in the case of Axciom is a rather large portion of the US.

  10. Really hacked... by Anonymous Coward · Score: 1, Informative

    The summary is misleading. The attacker was not an acxiom employee. He had legitimate business using the acxiom server to access one account (that of his employer). He used this access to get the passwords of other clients. If that doesn't count as being hacked, I don't know what does.

    See the SecurityFocus article.

  11. Former Acxiom Developer by enjo13 · Score: 4, Informative

    As a former employee at Acxiom (Conway offices), let me jump in here.

    I worked as a developer on one of their primary marketing campaign management tools. As part of this, I had access to all of our particular customers' data (not in the company, just the customers who used our tool). This was absolutely necessary for us to track down client-specific problems.

    The company did have very good policies restricting data access to only those who needed it (and only the data that they needed). Keep in mind that Acxiom is one of the largest data processing centers in the world.. many many many terabytes of information are processed at their facilities. So it's possible for someone to get at quite a bit of data if they worked for the right company.

    More than once people were fired during the two years I worked there for misuse of data. Usually, it would be people looking up data about famous people or someone that was making news for whatever reason. Curiosity and all..

    The person that did the 'break in' was likely either a programmer or, more likely, a data auditor. The auditors are people who randomly grab information from the database and check it against other sources to verify that a 3-year-old kid didn't somehow make it into the database or what not. They have access to the data, and can pull out large pieces of it without raising eyebrows. I know this was raised as a security concern at some point..

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
  12. Acxiom Policy - From a Friend of an Employee by Mirell · Score: 2, Informative

    Acxiom employs an 11-digit Universal Identification number as the main ID in the Oracle database they use. For the work of Database Administrators, of which Acxiom understandably employs a great deal, they have to have access to the entire database at large in order to run scripts to weed out duplicates, of which there is a great amount. For instance, John Smith and John B. Smith, while the same person, may be recorded as two different people, so two mailings get sent out to the same address, costing a company that purchased this mailing list what could have been saved. And in terms of accounting procedures, the SQL access is logged to an extent, but with millions upon millions of transactions going on every minute, a pull of a hundred thousand records is insignificant.

    The great wonders of a company based in Arkansas.

    --
    We have so much time, and so little to do - strike that! Reverse it. Tryn Mirell
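The last point in comment 12 (a hundred-thousand-record pull vanishing in the noise of millions of logged transactions) and the "all their actions were logged" control in comment 5 describe the same detection problem: a single global threshold on query volume is useless when legitimate batch jobs dwarf any human account. The block below is an added example, not code from the original discussion or from Acxiom; the audit-log line format (`timestamp user statement rows`) and the sample lines are constructed for illustration. It buckets rows read per user per hour and flags an hour only when it exceeds that user's own median volume by a large factor, so a nightly dedup job with a steady half-million-row baseline stays quiet while a human DBA account that suddenly reads 250,000 rows is surfaced.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit-log lines (made up for this example; the
# "timestamp user statement rows" format is an assumption, not a real
# Oracle or Acxiom audit format).  dba_alice is a human account with a
# small daily footprint; batch_dedup is a nightly job that always reads
# roughly half a million rows.
SAMPLE_LOG = """\
2003-08-05T09:12:01 dba_alice SELECT 140
2003-08-05T10:03:17 dba_alice SELECT 95
2003-08-05T11:41:52 dba_alice UPDATE 3
2003-08-06T09:30:10 dba_alice SELECT 210
2003-08-06T14:22:45 dba_alice SELECT 120
2003-08-07T10:15:33 dba_alice SELECT 110
2003-08-07T15:05:09 dba_alice SELECT 250000
2003-08-05T02:00:00 batch_dedup SELECT 480000
2003-08-06T02:00:00 batch_dedup SELECT 510000
2003-08-07T02:00:00 batch_dedup SELECT 495000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SELECT|INSERT|UPDATE|DELETE) (\d+)$")


def parse_log(text):
    """Return a list of (timestamp, user, statement, rows); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def rows_read_per_user_hour(events):
    """Sum rows returned by SELECT statements, bucketed by (user, hour)."""
    buckets = defaultdict(int)
    for ts, user, stmt, rows in events:
        if stmt == "SELECT":
            buckets[(user, ts.replace(minute=0, second=0))] += rows
    return buckets


def flag_bulk_pulls(events, ratio=20, floor=10000):
    """Flag (user, hour) buckets whose read volume is above an absolute floor
    AND more than `ratio` times that user's own median hourly volume.

    Comparing each account against its own baseline is what keeps the batch
    job from masking a human account; a single global threshold would either
    fire on every nightly run or never fire on the 250,000-row pull.
    Returns sorted tuples of (user, hour_iso, rows, baseline_median).
    """
    buckets = rows_read_per_user_hour(events)
    per_user = defaultdict(list)
    for (user, hour), rows in buckets.items():
        per_user[user].append((hour, rows))

    alerts = []
    for user, history in per_user.items():
        baseline = median(r for _, r in history)
        for hour, rows in history:
            if rows >= floor and rows > ratio * baseline:
                alerts.append((user, hour.isoformat(), rows, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    for user, hour, rows, baseline in flag_bulk_pulls(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} {hour}: {rows} rows read (median {baseline})")
```

The median is deliberately used rather than the mean so that one anomalous hour does not inflate the account's own baseline enough to hide itself; with a longer history you would compute the baseline over a trailing window that excludes the hour being scored.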
  13. Axciom knows more about you than any other company by geekotourist · Score: 2, Informative

    In the comments I haven't seen too much talk about Axciom itself: this is the company that combines every possible bit of information about people into one database, then usable for marketing / fatherland security research. They're the ones who get all the data from warranty cards, mix it with magazine subscriptions, combine that with census data, sprinkle with available political and healthcare data, blend with credit info and filter through post office change-of-address forms... As privacy articles have pointed out, the intersection of sets of 'non-personal' information can easily be a single, identifiable person.

    You have a new lifestyle magazine designed for the 30-40 year old programmer, making between $40k and $60k, and owning at least one ferret? Axciom will get you a list with most every one of those living in the geographical region you want.